INRIA, Evaluation of Theme Sym A




Project-team SECSI
Nov. 13-14, 2006

Project-team title: SECurity of Information Systems (SECSI)
Scientific leader: Jean Goubault-Larrecq
Research center: Futurs
Common project-team with: Laboratoire Spécification et Vérification (LSV), UMR 8643 ENS Cachan & CNRS.

1 Personnel

Personnel (Dec. 2002 (creation))

Misc. INRIA CNRS University Total
DR (1) / Professors 1 2 3
CR (2) / Assistant Professors 1 1 1 3
Permanent Engineers (3) 0
Temporary Engineers (4) 1 1
PhD Students 6 6
Post-Doc. 1 1
Total 0 1 3 10 14
External Collaborators 0
Visitors (> 1 month) 0

(1) Senior Research Scientist (Directeur de Recherche)
(2) Junior Research Scientist (Chargé de Recherche)
(3) Civil servant (CNRS, INRIA,...)
(4) Associated with a contract (Ingénieur Expert or Ingénieur Associé)

Personnel (Nov. 13-14, 2006)

Misc. INRIA CNRS University Total
DR / Professors 2 2
CR / Assistant Professor 2 1 1 4
Permanent Engineer 0
Temporary Engineer 0
PhD Students 1 1 1 1 4
Post-Doc. 1 1 2
Total 1 4 2 4 12
External Collaborators
Visitors (> 1 month) 1

Changes in staff

DR / Professors Misc. INRIA CNRS University total CR / Assistant Professors Arrival 1 1 Leaving 2

Comments: Hubert Comon-Lundh moved from CNRS directeur de recherches to full professor, still at ENS Cachan, thus accounting for a somewhat artificial departure from CNRS and one equally artificial arrival at the university in the table above.

Current composition of the project-team (Nov. 13-14, 2006):

Goubault-Larrecq, Jean (scientific leader). Full professor, ENS Cachan.
Jacquemard, Florent (permanent leader). INRIA CR.
Comon-Lundh, Hubert. Full professor, ENS Cachan.
Kremer, Steve. INRIA CR.
Demri, Stéphane. CNRS CR.
Treinen, Ralf. Associate professor, ENS Cachan.
Carré, Jean-Loup. PhD student, CIFRE grant, LSV/EADS.
Bursuc, Sergiu. PhD student, INRIA grant.
Bursztein, Elie. PhD student, DGA/CNRS grant.
Mercier, Antoine. PhD student, MENRT grant.
Troina, Angelo. Postdoc, ARC ProNoBis, shared with project-team Comète (Futurs, LIX).
Mazaré, Laurent. Postdoc.

Current position of former project-team members (including PhD students during the period Dec. 2002 (creation) to Nov. 13-14, 2006):

Bidoit, Michel. CNRS DR. Left SECSI, Sep. 2003. Current position: LSV, UMR CNRS and ENS Cachan; ministère de l'éducation nationale, de la recherche et de la technologie.
Olivain, Julien. Former temporary engineer (3 years), left Nov. 2005. Current position: self-employed, Montréal, province of Québec, Canada.
Boisseau, Alexandre. Former PhD student, defended Sep. 2003. Current position: teacher in preparatory classes for the grandes écoles, Reims.
Cortier, Véronique. Former PhD student, defended March 2003; SPECIF Award 2003, Le Monde Award 2004. Current position: CNRS CR, LORIA, Nancy.
Verma, Kumar Neeraj. Former PhD student, defended Sep. 2003. Current position: post-doc, Technische Universität München, Germany.

Roger, Muriel. Former PhD student, defended Oct. 2003. Current position: research engineer, LIST, CEA, Saclay.
Ratti, Benjamin. Former PhD student, started Sep. 2004, quit March 2006. Current position: developer, Harmonie Technologie, Paris.
Zhang Yu. Former PhD student, started Sep. 2002, defended Oct. 2005. Tang frères award of the AFCRST (French-Chinese Association for Scientific and Technical Research) 2006. Current position: postdoc, EVEREST project-team, INRIA Sophia-Antipolis.
Bernat, Vincent. Former PhD student, started Sep. 2002, defended June 2006. Current position: consultant engineer, Wallix, Paris.
Baudet, Mathieu. PhD student, started June 2003, grant expired June 2006, defence foreseen, Dec. 2006. Current position: chargé de mission, DCSSI (direction centrale de la sécurité des systèmes d'information), Paris.
Delaune, Stéphanie. Former PhD student, started Sep. 2003, defended June 2006. Current position: postdoc, Birmingham University, UK.
Lafourcade, Pascal. Former PhD student, started Sep. 2003, defended Sep. 2006. Current position: DGA postdoc, ETHZ, Zürich, Switzerland.
Parrennes, Fabrice. Former postdoc and 1/2-ATER (temporary teaching assistant), left May 2004. Current position: engineer, RATP, Paris.
Chhabra, Shalendra. ITBHU intern (Varanasi, India), spring 2003. Current position: program manager, Microsoft Corp., Riverside, CA, USA.
Gupta, Ankit. IIT Delhi-INRIA intern, spring 2005. Current position: as far as we know, was applying at several US universities (graduate level), spring 2006.

Last INRIA enlistments

Kremer, Steve. Hired, Sep. 2004, as CR2. At the time of writing, on the list of people subject to CR1 promotion.

Other comments: Hubert Comon-Lundh was SECSI's first permanent leader. Florent Jacquemard took over in 2003. Our priority at SECSI is hiring talented researchers, and INRIA offers opportunities that are most welcome.

Julien Olivain was on the INRIA payroll for two years as ingénieur associé, Mathieu Baudet was paid as Corps des Télécoms PhD student by INRIA for three years, Ralf Treinen was on délégation INRIA status for two years. The first two have left, the third has returned to an associate professor position. As of 2006, the number of INRIA personnel on SECSI's list is at its lowest. We would have liked to recruit Bogdan Warinschi as CR, and he was happy to come to SECSI, too (ranked first at Futurs in 2006); for personal reasons, however, he had to move to Bristol instead. SECSI's manpower is therefore temporarily low at present.

2 Work progress

2.1 Keywords

Computer security, cryptographic protocols, automated deduction, model-checking, intrusion detection.

2.2 Context and overall goal of the project

Computer security has become more and more pressing as a concern since the mid 1990s. There are several reasons for this, notably: cryptography is no longer a chasse réservée of the military, and has become ubiquitous; and computer networks (e.g., the Internet) have grown considerably and have generated numerous opportunities for attacks and misbehaviors.

The aim of the SECSI project is to develop logic-based verification techniques for security properties of computer systems and networks. Let us explain what this means, and what this does not mean.

First, the scope of the research at SECSI is a rather broad subset of computer security, although the core of SECSI's activities is on verifying cryptographic protocols. We try to be as comprehensive as possible. Several security properties have been the focus of SECSI's research: weak and strong secrecy, authentication, anonymity, and fairness in contract-signing, notably. Several models, too: the Dolev-Yao model initially, but also process algebra models (spi-calculus, applied pi-calculus), and, more recently, the more realistic computational model favored by cryptographers. Several input formats, finally: either symbolic descriptions of protocols à la Needham-Schroeder, or programs that actually implement cryptographic protocols.

Apart from cryptographic protocols, the vision of the SECSI project is that computer security, being a global concern, should be taken as a whole, as far as possible. This is why one of the initial objectives of SECSI was also concerned with problems in intrusion detection, notably.

However, the aims of any project, including SECSI, have to be circumscribed somewhat. One of the key points in the aim of the SECSI project, stated above, is "logic-based". SECSI aims at developing rigorous approaches to the verification of security.
But the expertise of the members of SECSI is not in, say, numerical analysis or the quantitative evaluation of degrees of security, but in formal methods in logic. It is a founding theme of SECSI that logic matters in security, and opportunities are to be grabbed. This was definitely the case for the verification of cryptographic protocols. This was also the case for intrusion detection, where an original model-checking based approach to misuse detection was developed.

Then, another important point is "verification techniques". The expertise of SECSI is not so much in designing protocols. Verifying protocols, formally, is a rather more arduous task. It is also particularly needed in cryptographic protocol security, where many protocols were flawed, despite published proofs.

2.3 Objectives for the evaluation period

The abstract of the SECSI proposal, dated July 25, 2002, was:

Le projet comporte trois volets:
1. La vérification automatique de propriétés sécuritaires de protocoles cryptographiques. Il s'agit là d'un problème orthogonal aux questions algorithmiques de chiffrement, les problèmes étudiés étant de nature purement logique, les outils utilisés relevant de la démonstration automatique ou de la résolution de contraintes.
2. La détection d'intrusion. La spécificité de notre projet en la matière est de s'appuyer sur des méthodes formelles, en particulier les logiques temporelles et la vérification de modèles.
3. Les relations entre les deux sujets précédents: comment, à partir de faiblesses détectées dans les protocoles cryptographiques, et dans leurs réalisations, construire des scénarii d'attaques qui peuvent ensuite être utilisés pour la détection d'intrusion.

Translation:

The project comprises three parts:
1. The automatic verification of security properties of cryptographic protocols. This is a problem that is orthogonal to questions on encryption algorithms, the nature of the problems being purely logical, and the tools used coming from automated deduction or constraint resolution.
2. Intrusion detection. The specific theme of our project in this domain is to rely on formal methods, in particular temporal logics and model-checking.
3. Relating the previous two subjects: given vulnerabilities detected in specific cryptographic protocols, and in their implementations, how can we build attack scenarios that can be used in intrusion detection.

Among these three themes, the first one is certainly the one that grew most, generating several new directions of research. As of Nov. 13-14, 2006, most members of SECSI work in one or the other sub-topic of this first theme. Only one permanent member and one PhD student work at this date on the second theme, and none on the third. We discuss this more below.

2.4 Objective 1: Executive summary

Automated cryptographic protocol verification is certainly the main theme of SECSI. While it was already the theme that kept most SECSI members busy at the time SECSI was created (2002), one might say that, as of 2006, all SECSI members work on it. Accordingly, this theme was naturally subdivided into new objectives.

It would then have been natural to divide the present section into as many subsections as there are new objectives. This would have been fairer to the actual proportion of work done for each objective. However, I'll conform to the instructions. This will have the advantage that objective 1 will be described concisely. However, it is also meaningful to enumerate these new objectives:

1.1 Tree-automata based methods, automated deduction, and approximate/exact cryptographic protocol verification in the Dolev-Yao model.
1.2 Enriching the Dolev-Yao model with algebraic theories, and associated decision problems.
1.3 Computational soundness of formal models (Dolev-Yao, applied pi-calculus).
1.4 Security of group protocols, fair exchange, voting and other protocols. Other security properties, other security models.

We shall use this classification in the subsections below. Themes 1.1 and 1.2 are not entirely disjoint, as research around automated deduction for the Dolev-Yao model quickly turned into automated deduction for the Dolev-Yao model enriched by equational theories. The stress in 1.1 is more on automated deduction, while the stress in 1.2 is more on specific decidability issues of Dolev-Yao intruder theories in the presence of equational theories. The fact that these sub-objectives are not totally disconnected should be apparent from the Personnel table below.

2.4.1 Personnel

Objective: 1.1 1.2 1.3 1.4
Mathieu Baudet x x
Vincent Bernat x
Alexandre Boisseau x
Sergiu Bursuc x
Hubert Comon-Lundh x x
Véronique Cortier x x
Stéphanie Delaune x x
Jean Goubault-Larrecq x x x
Ankit Gupta x x
Florent Jacquemard x x
Steve Kremer x x
Pascal Lafourcade x
Benjamin Ratti x
Muriel Roger x x
Ralf Treinen x
Kumar Neeraj Verma x x
Yu Zhang x

2.4.2 Project-team positioning

There are now many groups working on cryptographic protocol verification around the world. It would be pointless to cite them all. Let us cite some of the most prominent.

Some of the US groups are SRI (Jon Millen; Palo Alto, CA), U. Texas at Austin (Vitaly Shmatikov; formerly at SRI), Martín Abadi (Santa Cruz then Microsoft, Mountain View, CA), Stanford University (John Mitchell; Palo Alto, CA), Mitre Corp. (Joshua Guttman), NRL (Catherine Meadows), Clarkson U. (Christopher Lynch). In Japan, AIST (Hitoshi Ohsaki; Amagasaki). In Italy, U. Firenze (Michele Boreale), U. Verona (Luca Viganò), U. Bologna (Roberto Gorrieri). In Germany, U. Kiel (Ralf Küsters), TUM (Helmut Seidl, München). In Switzerland, ETHZ (David Basin; Zürich). In the UK, Microsoft Cambridge has a strong group (Cédric Fournet, Andrew Gordon); also Cambridge University (Larry Paulson), Oxford University (Gavin Lowe). In France, one must cite Verimag (Yassine Lakhnech; Grenoble), France Télécom R&D (Francis Klay; Rennes), U. of Provence (Denis Lugiez; Marseille), and the INRIA teams Lande (Thomas Genet; Rennes), Cassis (Michael Rusinowitch; Nancy). This (incomplete) list is mostly for 1.1 or 1.2.

For 1.3, one must cite Verimag (Yassine Lakhnech), ENS Paris (Bruno Blanchet, David Pointcheval), CELAR (David Lubicz, Rennes). In Germany, Saarland University (Michael Backes; Saarbrücken). In Belgium, U. Louvain-la-Neuve (Olivier Pereira). In the US, John Mitchell, Martín Abadi.

For 1.4, in the UK, U. Birmingham (Mark Ryan; group protocols, opacity). In Belgium, free U. Brussels (Olivier Markowitch; voting). In France, France Télécom R&D (Francis Klay; voting).

We are regularly in touch with each of them, either through project meetings, for common papers, or simply during conferences.

2.4.3 Scientific achievements

Obj. 1.1 It was relatively clear in 2002 that what is now called the Dolev-Yao model of security was essentially a matter of encoding cryptographic protocols as formulae in subclasses of first-order logic, some of them decidable. Security could be attacked from the automata-theoretic point of view, or using set constraints, or automated theorem proving. The realization that all these points of view could be unified has now pervaded the project, if not the community at large. That tree automata and set constraints are special cases of the (decidable) monadic class is due to Bachmair and Ganzinger [BGW93]. That they could in fact be decided efficiently by automated deduction methods is now a running theme in SECSI, see [92, 58, 67, 42, 160] for example. This is the scientific basis of the h1 tool suite (see the Software section).

When the natural class of first-order formulas to encode cryptographic protocols and their properties in is not decidable, or not clearly so, abstraction techniques are required. (The relationship between decidable classes of first-order logic and decidable cases of cryptographic protocol verification was the theme of the ACI cryptologie VERNAM.) It turns out that fairly simple, and automated, techniques apply [42, 39], inspired from Vardi et al. [FSVY91].

Obj. 1.2 It was slightly less clear in 2002 that the Dolev-Yao model required some definite extensions, in particular allowing for terms to be interpreted modulo some equational theory: the so-called algebraic case. (But also to properly handle specific code chaining techniques [96].) Typical examples of theories of interest are modular exponentiation over a fixed generator g (application: Diffie-Hellman-like protocols) [39] or that of bitwise exclusive-or [58].
The PhD theses of Roger [8], Verma [10], and Cortier [132] display early (and influential!) research in this area. Cortier's thesis, which contains much more material than we can describe, was awarded the SPECIF best PhD thesis award in 2003, and the Le Monde academic research prize in 2004. Handling the algebraic case is now standard in the security protocol verification community, and is still actively being explored in the framework of the RNTL project Prouvé and the ACI SI Rossignol.

The related decision problems are much more difficult than in the non-algebraic case. Automated deduction techniques had to be complemented with specific algorithmic techniques [62], loosely inspired by McAllester's notion of local theories [McA93], to decide the so-called intruder deduction problem in the case of several equational theories. The intruder deduction problem is equivalent to deciding unreachability (e.g., secrecy, authentication) in protocols using a bounded number of sessions. These equational theories include those containing explicit destructors (e.g., ciphers) [66], AC-like theories, e.g. exclusive-or [61, 60], and theories containing a homomorphic operator, say a hashing or encryption primitive that distributes over concatenation, or over exclusive-or [98]. See the PhD theses of Cortier again, of Delaune [6], and of Lafourcade [7]. The quest for finding generic algorithms for this problem, given an equational theory in argument, is the subject of Bernat's thesis [3].

Obj. 1.3 One desirable goal that seemed totally out of reach in 2002 is to relate the Dolev-Yao notion of security, possibly in the algebraic case, to more realistic notions of security as used in the cryptographic community (e.g., IND-CPA and IND-CCA security). The latter define security as resistance to probabilistic polynomial-time attackers, while the Dolev-Yao models overlook any computational constraints. Abadi and Rogaway initiated work in this domain [AR02], dealing with a constrained case of security against passive attackers. The domain has flourished in recent years, and SECSI has started taking an active part in it, as part of the ARA SSIA FormaCrypt project, whose members include Martín Abadi and Bruno Blanchet. One recent paper on this topic is [47]. Laurent Mazaré, a PhD student of Yassine Lakhnech on these themes, will spend one year as postdoc at SECSI. See also the forthcoming PhD thesis of Baudet (Dec. 2006).

Obj. 1.4 The above lines of research are mainly concerned with rather traditional security properties, namely secrecy or authentication (in general, (un)reachability properties), and with protocols with a fixed number of participants in each session. There is much more to security.

Strong notions of secrecy are not reachability properties, and in fact are not trace properties. Rather, they are characterized using contextual equivalences. A notion of bisimulation complete for contextual equivalence in the spi-calculus was found by Cortier [132]. The cryptographic results of [47] (cited above) relate cryptographic security to static equivalence, a form of contextual equivalence well-suited to passive adversaries introduced in Abadi and Fournet's applied pi-calculus [AF01].

Notions of strong security and contextual equivalence have also been studied in the framework of higher-order computation (a lambda-calculus with name creation and cryptographic primitives) by Zhang, using Kripke logical relations [111, 88, 101]. Zhang's thesis [11] was awarded the 2006 prize of the AFCRST (French-Chinese Association for Scientific and Technical Research).

Other properties and other protocols were studied: Boisseau studied deciding anonymity properties, contract-signing and voting protocols (see his PhD thesis [4]); Kremer studied optimistic multi-party contract signing protocols [56], and fair exchange protocols [105], where one of the crucial properties is fairness (none of the signers can prove the contract signed to a third-party while the other has not yet signed), not secrecy. Electronic voting schemes require the voter to be unable to prove his vote to a bully, a property named receipt-freeness [70].

Guessing attacks are attacks where a weak secret can be guessed, e.g. by brute force enumeration (passwords). Some protocols use passwords but are still immune to guessing attacks [74, 68], and a general decision procedure was proposed by Baudet [49] in the (realistic) offline case, using a definition of security based on static equivalence. (See Baudet's forthcoming PhD thesis.)

Finally, secrecy and authentication properties were examined in the challenging case of group protocols. See Roger's PhD thesis [8], and the paper [39]. Antoine Mercier is starting a PhD thesis on security properties of group protocols with Ralf Treinen and Steve Kremer, fall 2006.

Overall, objective 1.4 differs from the other objectives in providing a source of sundry exciting perspectives (other properties, other protocols, other models).

[BGW93] L. Bachmair, H. Ganzinger, U. Waldmann, Set Constraints are the Monadic Class, in: Proceedings, Eighth Annual IEEE Symposium on Logic in Computer Science, IEEE Computer Society Press, p. 75-83, 1993.
[FSVY91] T. Frühwirth, E. Shapiro, M. Y. Vardi, E. Yardeni, Logic Programs as Types for Logic Programs, in: LICS 91, 1991.
[McA93] D. A. McAllester, Automatic Recognition of Tractability in Inference Relations, Journal of the ACM 40, 2, April 1993, p. 284-303.
[AR02] M. Abadi, P. Rogaway, Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption), Journal of Cryptology 15, 2, 2002, p. 103-127.
[AF01] M. Abadi, C. Fournet, Mobile Values, New Names, and Secure Communication, in: Proc. 28th ACM Symposium on Principles of Programming Languages (POPL 01), ACM Press, p. 104-15, 2001.
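The intruder deduction problem named under Obj. 1.2, worked for the plain Dolev-Yao case only (pairs, symmetric encryption and hashing, no equational theory such as exclusive-or), as an added example that is not SECSI's code or part of the original report. The term encoding, the function names and the observed messages are assumptions constructed for illustration.

```python
"""Passive Dolev-Yao intruder deduction: can `goal` be derived from what
the intruder has observed?  Free-algebra case only (illustrative encoding).

Terms are atoms (str) or tuples:
    ("pair", a, b)    pairing, both components can be projected out
    ("enc", msg, key) symmetric encryption, opened only with a derivable key
    ("h", msg)        hash, can be computed but never inverted
"""

CONSTRUCTORS = {"pair": 2, "enc": 2, "h": 1}  # operator name -> arity


def synth(term, known):
    """True if `term` can be built from `known` using constructors only."""
    if term in known:
        return True
    if isinstance(term, tuple) and CONSTRUCTORS.get(term[0]) == len(term) - 1:
        return all(synth(arg, known) for arg in term[1:])
    return False


def analyze(knowledge):
    """Saturate `knowledge` under projection and decryption.

    Every term added is a subterm of the input, so the loop terminates
    after at most as many additions as there are subterms.  This is the
    locality argument that keeps the free-algebra case polynomial.
    """
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            if term[0] == "pair":
                parts = term[1:]
            elif term[0] == "enc" and synth(term[2], known):
                parts = (term[1],)   # key is derivable: open the ciphertext
            else:
                parts = ()           # hashes and unopened ciphertexts stay opaque
            for part in parts:
                if part not in known:
                    known.add(part)
                    changed = True
    return known


def deducible(goal, knowledge):
    """Decide intruder deduction: analyze to a fixpoint, then synthesize."""
    return synth(goal, analyze(knowledge))


# Constructed sample: messages seen on the wire in one protocol session.
OBSERVED = [
    ("enc", ("pair", "Na", "Kab"), "Kas"),  # session key under a long-term key
    ("enc", "secret", "Kab"),               # payload under the session key
    ("pair", "A", "B"),                     # identities sent in clear
]

# Constructed sample: a key that is itself a compound, publicly computable term.
WEAK_KEY = [
    ("pair", "A", "B"),
    ("enc", "s2", ("h", ("pair", "A", "B"))),
]

if __name__ == "__main__":
    print("secret safe without Kas:", not deducible("secret", OBSERVED))
    print("secret lost if Kas leaks:", deducible("secret", OBSERVED + ["Kas"]))
    print("s2 lost (key derivable):", deducible("s2", WEAK_KEY))
```

Secrecy of a term for a fixed set of observed messages is the negation of `deducible`; handling exclusive-or or exponentiation requires reasoning modulo the equational theory, which this sketch does not attempt.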

2.4.4 Collaborations

Martín Abadi, Santa Cruz university, then Microsoft, Mountain View. Visits by Véronique Cortier, Mathieu Baudet. One paper in common [ABW06]. Visits weave links, creating opportunities for future papers: witness the two papers [AC04, AC05] by Cortier, a few years after she left SECSI as a PhD student for a position in CASSIS. Common participation in ARA SSIA Formacrypt.

Mark D. Ryan, U. Birmingham. Several papers with Steve Kremer [96, 97], and Stéphanie Delaune [70]. Visits in both directions.

Francis Klay, France Télécom R&D, Lannion, France. (Through RNTL project Prouvé.) Funds CIFRE PhD grant of Stéphanie Delaune, providing natural opportunities for common research [120, 69, 121, 136].

Denis Lugiez, U. de Provence, Marseille, France. Natural collaborations on AC-tree automata and cryptographic protocol verification. Materialized in the ACI SI Rossignol, through common supervision of PhD student Pascal Lafourcade [98, 165].

Hitoshi Ohsaki, AIST, Osaka, Japan. Cooperation on the verification of protocols using tree automata and rewriting. Several visits in both directions. Memorandum of Understanding on cooperation signed in 2006 between AIST and LSV. Applied to JST/CNRS for a 3-year cooperation project, starting January 2007 (decision pending).

More informal collaborations with several other people; see Section 2.4.2. In France, we feel close to Yassine Lakhnech, Verimag, Grenoble, and to Michael Rusinowitch, CASSIS, LORIA, Nancy, notably.

2.4.5 External support

1.1: RNTL EVA, 2000-2003. ACI cryptologie VERNAM, 2000-2002. ACI jeunes chercheurs "Sécurité informatique, protocoles cryptographiques et détection d'intrusion" (Jean Goubault-Larrecq), 2001-2004. INRIA-Tunisia project 06/I09 "Conception et réalisation d'un système de démonstration automatique par récurrence. Application à la validation de protocoles et de systèmes distribués", 2006-2007. (Initiated, 2005.)
1.2: RNTL Prouvé, 2004-2007. ACI SI Rossignol, 2003-2006.
1.3: ARA SSIA FormaCrypt, 2006-2008. (Started informally, 2005.)
1.4: ACI cryptologie Psi-Robuste, 2002-2004.

Short-term industrial contracts: Aud System, security evaluation, 2004 (Julien Olivain, Jean Goubault-Larrecq); Lex Persona, security evaluation, 2005 (Steve Kremer, http://www.lex-persona.com/).

2.4.6 Self assessment

The cryptographic protocol part of SECSI is very lively, and has in fact engulfed most of SECSI. Objectives 1.1 and 1.2 are now strongholds of SECSI, while objectives 1.3 and 1.4 provide exciting new opportunities for the future.

SECSI is originally a group created by people from automated deduction and logics. There was a risk that SECSI could be seen as merely a group of logicians who took an opportunity to apply their techniques in the security field. A strong point of SECSI is that SECSI is now taken seriously in security circles. One could still do better and penetrate the crypto world, i.e., submit to conferences such as Crypto or Eurocrypt. Objective 1.3 notably is a very relevant research direction.

Another strong point is the large number of funded projects that SECSI has engaged in, in this objective. SECSI also has many links with various important groups worldwide.

SECSI does not really have any weak point related to this objective, as far as we know. Objective 1.1 is solid, and now serves as a basis for most others. Objectives 1.2, 1.3 and 1.4 should be strongly supported.

A new objective on handling the probabilistic aspects of some protocols in formal methods was born in 2006, and led to the creation of the INRIA ARC ProNoBis (http://www.lsv.ens-cachan.fr/~goubault/pronobis/pronobis1index.html), together with Catuscia Palamidessi's Comète project-team, Futurs. This is yet another promising research direction, dealing with semantics, bisimulations, and evaluating evidence in environments where both demonically non-deterministic and probabilistic choices enter the scene.

[ABW06] M. Abadi, M. Baudet, B. Warinschi, Guessing Attacks and the Computational Soundness of Static Equivalence, in: Proceedings of the 9th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS 06), L. Aceto, A. Ingólfsdóttir (editors), Lecture Notes in Computer Science, 3921, Springer, p. 398-412, Vienna, Austria, March 2006, http://www.lsv.ens-cachan.fr/publis/papers/pdf/abw Fossacs06.pdf.
[AC04] M. Abadi, V. Cortier, Deciding Knowledge in Security Protocols under Equational Theories, in: Proc. 31st Int. Coll. Automata, Languages, and Programming (ICALP 2004), Springer-Verlag LNCS 3142, p. 46-58, Turku, Finland, July 2004.
[AC05] M. Abadi, V. Cortier, Deciding Knowledge in Security Protocols under (Many More) Equational Theories, in: Proc. 18th IEEE Computer Security Foundations Workshop (CSFW 05), IEEE Comp. Soc. Press, p. 62-76, Aix-en-Provence, France, June 2005.

2.5 Objective 2: Executive summary

The activities of SECSI in intrusion detection were concentrated into developing the Orchids misuse detection tool (http://www.lsv.ens-cachan.fr/orchids/). The starting ideas were exposed in [RGL01], and Julien Olivain (temporary engineer on RNTL DICO, 2003; INRIA ingénieur associé, 2004-2005), who is the main developer, still works occasionally on Orchids in Montréal. Technically, Orchids is probably one of the most efficient and most expressive intrusion detection systems existing today.
Its purpose is to detect attacks based on attack signatures, which are essentially temporal logic formulae, allowing for temporal and field-based correlation between events.

2.5.1 Personnel

Jean Goubault-Larrecq, Julien Olivain (engineer), Stéphane Demri (researcher), Elie Bursztein (PhD student).

2.5.2 Project-team positioning

The system closest to Orchids is probably GnG, developed at Supélec Rennes (Eric Totel, Ludovic Mé). Because Julien Olivain comes from an engineering school, Orchids has less the flavor of an academic prototype than of a full-featured product. As far as we know, there is no competing product today.

In general, there are many groups working in intrusion detection around the world. The main international groups in misuse intrusion detection are the STAT team (UC Santa Barbara, USA; P. Porras, G. Vigna, R. Kemmerer, K. Ilgun), the IDIOT team (Purdue U., Indiana, USA; S. Kumar, E. Spafford), the BRO team (Lawrence Berkeley National Lab.; V. Paxson), and the UC Davis group. The most well-known system of this kind is Snort (www.snort.org; M. Roesch). This is mostly a single-event system. Orchids uses it as one of its numerous input sources.

The main groups in France are Supélec (Rennes; Ludovic Mé), France Télécom R&D (Caen; Hervé Debar), Eurécom (Sophia-Antipolis; Marc Dacier), ENST (Rennes; Frédéric Cuppens), U. Artois (Lens; Salem Benferhat). Two other INRIA teams are occasionally interested in intrusion detection: Lande (Rennes; Mireille Ducassé), and Cassis (Nancy; Michael Rusinowitch).

[RGL01] M. Roger, J. Goubault-Larrecq, Log Auditing through Model Checking, in: Proc. 14th IEEE Computer Security Foundations Workshop (CSFW'01), Cape Breton, Nova Scotia, Canada, June 2001, IEEE Comp. Soc. Press, p. 220-236, 2001, http://www.lsv.ens-cachan.fr/publis/papers/roggou-csfw01.ps.

2.5.3 Scientific achievements

The main effort in this objective was to develop and improve Orchids. During this effort, new ideas have naturally come up. None has been published yet. One is on detecting subverted cryptographic flows through on-line entropy estimation [OGL06], and has been implemented in the Net-entropy sensor to Orchids. Another one is on using interval-based temporal logics to deal with time, and in particular with clock drift and clock resolutions [DGLO06], based on a 2003 idea of Julien Olivain's. The Orchids system was presented at the CAV 2005 conference [106].

Software: Orchids (http://www.lsv.ens-cachan.fr/orchids/), Net-entropy (http://www.lsv.ens-cachan.fr/ olivain/net-entropy/), Evtgen (http://www.lsv.ens-cachan.fr/ olivain/evtgen/).

2.5.4 Collaborations

Collaboration in the RNTL DICO project (below) consisted in exchanging ideas, comparing algorithms, and learning about problems to be solved. The outcome consisted in deliverables [147, 140].

2.5.5 External support

RNTL project DICO (Détection d'Intrusions COopérative), 2002-2004.
ACI jeunes chercheurs Sécurité informatique, protocoles cryptographiques et détection d'intrusion (Jean Goubault-Larrecq), 2001-2004.

2.5.6 Self assessment

Strong points: high technical quality of the Orchids tool; very good ideas, mostly by Julien Olivain.
Weak points: few publications (slow writing rate; e.g., paper [DGLO06] is the third major revision of a paper started in 2002, not yet published); no technology transfer, despite intense efforts (all attempts failed; eventually Orchids acquired Cecill 2 [GPL] status); could not recruit high-quality researchers on the intrusion detection theme (except Julien Olivain [2003-2005], and Elie Bursztein [PhD, 2005-]).

The intrusion detection activity at SECSI should be stopped. This was very time-consuming, and brought little return. Papers in the queue should nonetheless be completed, and Elie Bursztein's PhD thesis will proceed (2005-2008). I still hope that the Orchids system could become better known; unfortunately, merely maintaining it requires some personnel. Julien Olivain is still occasionally working on it in Montréal. Informal collaborations between him and Ecole Polytechnique de Montréal (Samuel Pierre, José Fernandez, John Mullins), and U. du Québec à Montréal (Romdhane Ben Younès) have started.

[OGL06] J. Olivain, J. Goubault-Larrecq, Detecting Subverted Cryptographic Protocols by Entropy Checking, Research Report number LSV-06-13, Laboratoire Spécification et Vérification, ENS Cachan, France, June 2006, 19 pages, http://www.lsv.ens-cachan.fr/publis/ RAPPORTS LSV/PDF/rr-lsv-2006-13.pdf.
[DGLO06] S. Demri, J. Goubault-Larrecq, J. Olivain, Handling Time in Misuse Detection Systems, In preparation, 2005-2006.

2.6 Objective 3: Executive summary

Let us first recall that objective 3 was more prospective than the other two, and was meant mostly as a guideline for the investigation of emerging security problems requiring logical treatment. And indeed, trying to profit from failed proofs of security to feed an intrusion detection system [123] turned out not to be so interesting or feasible. On the other hand, monitoring actual programs implementing cryptographic protocols is interesting. One of our guidelines in objective 3 was to find useful techniques that could increase the confidence we may have in large code implementing cryptographic protocols, typically OpenSSL. This led to an effort on inventing static analysis techniques to detect secrecy leaks in actual programs as opposed to idealized protocols.

2.6.1 Personnel

Jean Goubault-Larrecq, Shalendra Chhabra (ITBHU intern), Fabrice Parrennes (postdoc, then 1/2-ATER).

2.6.2 Project-team positioning

One might reasonably say that this objective eventually turned into one on static analysis techniques for security. While there are many groups working on static analysis around the world, in Europe and in France, almost none works on applications to security. Notable exceptions are the works by Volpano and Smith (resp. Naval Postgraduate School, Monterey, CA and Florida Intl. University, Miami, FL, USA), by Castellani and Boudol (INRIA Sophia), by Zdancewic and Myers (Cornell U., Ithaca, NY, USA), or by Giacobazzi et al. (Pisa, Italy) on typing systems for non-interference.
Traditional dataflow analysis or abstract interpretation groups have been more interested in safety than in security. In particular, recent successes have been obtained in static analyzers that detect very simple run-time errors (e.g., array bounds overflow) on large programs: see PolySpace Technologies, or Patrick Cousot's endeavor around the Astrée analyzer. On the other hand, security properties, even just weak secrecy, are complex properties. Interest has recently arisen on this topic at Microsoft Research, Cambridge, UK.

2.6.3 Scientific achievements

The initial goal of this objective was explored by Sh. Chhabra [123]. Work on detecting leakage of confidential data in programs written in C (with an eye on the OpenSSL implementation) was conducted by Jean Goubault-Larrecq and Fabrice Parrennes (2002-2004). This led to a prototype tool, named CSur [180], and a paper the next year [90]. (An extended and corrected version was submitted to TCS in June 2005, but we have had no news of this submission since then.) This paper was abundantly referred to by Andrew Gordon (Microsoft Research, Cambridge, UK) in his invited talk at CAV'06. The main point is that our techniques show the promise of scaling up techniques used on protocols of a few lines to analyzing actual programs of several thousand lines, in real programming languages, notably including pointers.

Software: CSur (http://www.lsv.ens-cachan.fr/software/csur).

2.6.4 Collaborations

None formal. Informal visits at U. Laval, Québec (Nadia Tawbi, Josée Desharnais, François Laviolette) and conversely.

2.6.5 External support

ACI cryptologie Psi-Robuste, 2002-2004.
ACI jeunes chercheurs Sécurité informatique, protocoles cryptographiques et détection d'intrusion (Jean Goubault-Larrecq), 2001-2004.

2.6.6 Self assessment

Strong point: opened a new field, that of abstract interpretation for security properties (à la Dolev-Yao) on real programs, not just idealized protocol specifications.

Weak point: nobody works on this theme any longer at SECSI. Of the people participating in this objective, only Jean Goubault-Larrecq remains, but no longer works on it.

As a matter of fact, static analysis for security is now a dormant theme at SECSI. This objective is therefore de facto stopped. However, static analysis techniques are an important toolbox for verification, in particular if we are to find techniques that scale up to large programs. I propose to consider static analysis no longer as an objective, but as a bag of tools we can use on specific occasions. Some preliminary work has started with U. Laval (Québec, Canada; Nadia Tawbi), and Jean-Loup Carré has started (2006) a PhD thesis on a CIFRE grant with EADS (Suresnes, France; Charles Hymans, co-advisor) and LSV/SECSI (Jean Goubault-Larrecq, co-advisor) on static analysis techniques for multi-threaded programs.

3 Knowledge dissemination

3.0.7 Publications

For simplicity, year 1 = 2002, ..., year 4 = 2005, although SECSI was formally created as a project team in Dec. 2002. I also include editions of special issues of journals and conference proceedings under the Book (edited) category.
Publication counts by category (columns: year 1, year 2, year 3, year 4; rows with fewer than four values list only their non-empty cells, in order):

PhD Thesis: 4, 1
H.D.R (*): 1
Journal: 4, 5, 1, 8
Conference proceedings (**): 7, 11, 14, 14
Book chapter:
Book (written): 1
Book (edited): 2
Patent:
Technical report: 8, 9, 16, 9
Deliverable: 2, 1, 3, 4

(*) HDR: Habilitation à diriger des Recherches
(**) Conference with a program committee

Indicate the major journals in the field and, for each, indicate the number of papers coauthored by members of the project-team that have been accepted during the evaluation period.

1. Information and Computation: 2.
2. Journal of Logic and Computation: 2.
3. Theoretical Computer Science: 3.
4. ACM Transactions on Computational Logic: 2.
5. Mathematical Structures in Computer Science: 1.
6. Journal of Logic and Algebraic Programming: 1.

Indicate the major conferences in the field and, for each, indicate the number of papers coauthored by members of the project-team that have been accepted during the evaluation period.

1. Computer Security Foundations Workshop (CSFW): 2.
2. Int. Conf. Computer and Communications Security (CCS): 2.
3. IEEE/ACM Symp. Logics in Computer Science (LICS): 1.
4. Int. Coll. on Automata, Languages, and Programming (ICALP): 1.
5. Int. Conf. Concurrency Theory (CONCUR): 1.
6. Int. Conf. Computer Aided Verification (CAV): 1.
7. Int. Conf. Theoretical Aspects of Computer Science (STACS): 1.
8. Symp. Principles of Programming Languages (POPL): 1.
9. Foundations of Software Science and Computation Structures (FOSSACS): 2.
10. Int. Conf. Computer Science Logic (CSL): 4.
11. Int. Conf. Rewriting Techniques and Applications (RTA): 4.
12. European Symposium on Programming (ESOP): 2.
13. Int. Conf. Foundations of Software Technology and Theoretical Computer Science (FST&TCS): 1.
14. Int. Conf. Logic for Programming, Artificial Intelligence, and Reasoning (LPAR): 1.

3.1 Software

CSur (Objective 3.) A static analyzer for C programs whose goal is to detect leaks of secret information in a suitable Dolev-Yao model [90], while dealing with pointer arithmetic. Outputs clauses that are fed to h1 (see below). http://www.lsv.ens-cachan.fr/csur/ Licence: specific (http://www.lsv.ens-cachan.fr/csur/copyright). Impact: good feedback from Microsoft Research, Cambridge (C. Fournet, A. Gordon); 46 references from Google "csur goubault parrennes", of which 13 different. Competitors: none. Implemented in C. Authors: Fabrice Parrennes, Jean Goubault-Larrecq.

EVAtrans (Objective 1.1.) The EVA translator. Translates cryptographic protocols written in standard notation to input formats of several cryptographic protocol verifiers (Hermès, Securify [see below], h1 [see below]). In passing, does type inference and message well-formedness checking. Developed in the framework of RNTL project EVA. http://www.lsv.ens-cachan.fr/evatrans2/ Licence: specific (similar to that of CSur). Impact: 1 contact; 43 references from Google "evatrans EVA translator", of which 16 different. Competitors: CASRUL (CASSIS, LORIA), CAPSL (SRI). Implemented in OCaml. Current version: 2. Author: Florent Jacquemard. First version by Jean Goubault-Larrecq.

EvtGen (Objective 2.) A generic discrete event simulator based on Markov chains. Used to build artificial, realistic event sources to test intrusion detection systems, in particular Orchids [see below]. Developed as part of the RNTL project DICO. http://www.lsv.ens-cachan.fr/ olivain/evtgen/. Licence: specific (similar to CSur). Impact: at the time of DICO, several users, mostly at Supélec Rennes; 26 references from Google "evtgen olivain", of which 6 different. Competitors: none known. Implemented in C. Author: Julien Olivain.

h1 (Objective 1.1.) The h1 tool suite. A library of tools around the decidable class H1 [42]. Can be seen as a library of finite tree automata handling tools, or as dealing with set constraints. http://www.lsv.ens-cachan.fr/ goubault/h1.dist/dh1index.html Licence: GPL. Impact: negligible; 102 references from Google "h1 tool suite Goubault", of which 21 different. Competitors: for the h1 prover (the main tool of the suite), any first-order automated prover, see SPASS or Vampire; concerning the other tools (notably the h1mc model-checker, which in particular allows for building a Coq proof of the non-existence of a proof, the h1trace trace extractor, or the pldet determinizer), none. Experimental evaluation at http://www.lsv.ens-cachan.fr/ goubault/h1.dist/dh1003.html. Implemented in HimML and C. Current version: 1.1. Author: Jean Goubault-Larrecq.

HimML. HimML is a map-oriented ML: an implementation of the Standard ML language (bytecode compiler, toplevel loop, HimML to C compiler, debugger, profiler) with native and efficient finite set and map operations. http://www.lsv.ens-cachan.fr/ goubault/himml-dwnld.html Licence: GPL. Impact: negligible. Mostly used by Jean Goubault-Larrecq as a secret weapon as far as programming languages matter; 270 references from Google "HimML Goubault", of which 40 different. Competitors: SML/NJ, OCaml. Implemented in C. Current version: 1.0α18. Author: Jean Goubault-Larrecq.

ISpi (Objective 1.1, 1.2.) ISpi is a cryptographic protocol verifier, taking as input protocols written in a variant of the spi-calculus, with a syntax as compatible as possible with B. Blanchet's ProVerif. Compiles to clauses fed to h1. Developed as part of the RNTL project Prouvé. http://www.lsv.ens-cachan.fr/ goubault/ispi/ Licence: GPL. Impact: none (not yet finished); 109 references from Google "ISpi Goubault", of which 9 different. Competitors: ProVerif. Implemented in HimML. Current version: 1.0. Author: Jean Goubault-Larrecq.

Net-Entropy (Objective 2.) An entropy checker for ciphered network connections, described in [OGL06]. One of the original sensors to Orchids. http://www.lsv.ens-cachan.fr/ olivain/net-entropy/ Licence: GPL. Impact: negligible; 14 references from Google "Net-entropy Olivain", of which 7 different. Competitors: PAYL (Columbia University) does something seemingly close, but really different. Implemented in C. Author: Julien Olivain.

Orchids (Objective 2.) An efficient, on-line, real-time, multi-event intrusion detection system originally based on model-checking ideas [106]. http://www.lsv.ens-cachan.fr/orchids/ Licence: Cecill 2 (GPL). Impact: negligible (yet?); 59 references from Google "Orchids intrusion detection Olivain", of which 22 different. Competitors: GnG (Supélec Rennes). Implemented in C. Authors: Julien Olivain, Jean Goubault-Larrecq (for initial ideas and algorithms, and a previous prototype).

PROUVÉ parser library (Objective 1.2.) A library providing functions for transforming specifications of cryptographic protocols written in the PROUVÉ language into abstract syntax, and for performing a static analysis on the specification. http://www.lsv.ens-cachan.fr/prouve/libparser/index.html Licence: LGPL. Impact: used as frontend of the protocol verification tools CASRUL and HERMES inside the PROUVÉ project. A cooperation with AIST (Japan) about integration into the ACTAS verification tool is ongoing; 110 references from Google "prouvé cryptographic protocol treinen", of which 28 different. Competitors: none. Implemented in Objective Caml. Author: Ralf Treinen.

Securify (Objective 1.1.) A cryptographic protocol verification tool. Developed as part of the RNTL project EVA. http://www.lsv.ens-cachan.fr/ cortier/eva/eva-comp.php Licence: specific (similar to CSur). Impact: 94 references from Google "Securify Cortier", of which 25 different. Competitors: ProVerif. Implemented in C, OCaml, HimML. Current version: 2. Authors: Stéphanie Delaune (v.2), Véronique Cortier (v.1).

SPORE (Objective 1.) The Security Protocol Open Repository. The purpose of this page is to continue online the seminal work of Clark and Jacob [CJ97], updating their base of security protocols. Initially developed as part of the RNTL project EVA. http://www.lsv.ens-cachan.fr/spore/ Licence: none. Impact: 323 references from Google "SPORE security protocols open repository", of which 47 different. Competitors: none. Authors: Florent Jacquemard, Ralf Treinen, Hubert Comon-Lundh.

3.1.1 Valorization and technology transfer

Orchids has until now resisted all technology transfer attempts. We have had contacts with several industrial partners, some of which claimed they were definitely interested (NetSecureOne, SAP, Mandriva). None led to anything concrete.

Our experience in the security of cryptographic protocols led to two consultancy contracts: Aud System, 2004 (Julien Olivain, Jean Goubault-Larrecq); Lex Persona, 2005 (Steve Kremer, http://www.lex-persona.com/).
French firms traditionally prefer contracts with academics that are funded through public grants: Trusted Logic, Versailles (through RNTL EVA), France Télécom R&D (Lannion, through RNTL Prouvé; Caen, through RNTL DICO), CRIL Technologie, Melun (through RNTL Prouvé), NetSecureOne (through RNTL DICO).

[CJ97] J. Clark, J. Jacob, A Survey of Authentication Protocol Literature: Version 1.0, Posted at the University of York on the Secure Network page under the link Security Protocols Review, November 1997, http://www.cs.mdx.ac.uk/staffpages/m cheng/link/clarkjacob.pdf.

3.2 Teaching

Each full-time teaching personnel teaches roughly 192 TD-equivalent hours per year. Each exercise session (TD) hour counts for one hour. Each programming session (TP) hour counts for 2/3 hour. Each lecture hour counts for 1.5 hours. This is valid for Jean Goubault-Larrecq, Hubert Comon-Lundh, and Ralf Treinen (except for his two-year delegation period). Their main teaching duties are in the magistère STIC of the ENS Cachan (level L3 Licence), and the Master Parisien de Recherche en Informatique (MPRI; mostly level M2 DEA). Several PhD students are moniteurs, which includes a 64h. yearly duty.

Courses:

Algorithms, maximal flow problems, NP-completeness, and approximation. 15h. lecture in 2002-2003 (Stéphane Demri). Magistère STIC, first year (level L3), ENS Cachan.

Analyse statique (static analysis of code), 2 × 20h. lecture in 2002, 2003 (Jean Goubault-Larrecq). DESS Développement de Logiciels Sûrs, Paris.

Analyse statique (static analysis of code), 20h. lecture in 2004 (Jean Goubault-Larrecq), 12h. TD in 2004 (Vincent Bernat). Magistère STIC, second year (level M1), ENS Cachan.

Calculabilité et complexité (computability and complexity), 2 × 40h. lecture in 2004, 2005 (Hubert Comon-Lundh, Jean Goubault-Larrecq). 56h. TD-equivalent in 2004 (Ralf Treinen). 10h. TD in 2005 (Steve Kremer). Magistère STIC, first year (level L3), ENS Cachan.

Calculabilité 2 (computability 2) 80h. TD-equivalent (lecture+TD) in 2003 (Hubert Comon-Lundh, Ralf Treinen). Magistère STIC, first year (level L3), ENS Cachan.

Complexité 2 (complexity 2) 22h. lecture in 2005 (Jean Goubault-Larrecq). Magistère STIC, first year (level L3), ENS Cachan.

Complexité du model-checking (model-checking complexity) 20h. lecture in 2002 (Stéphane Demri), 15h. lecture in 2004 (Stéphane Demri). DEA Algorithmique, Paris.

Computer Networks 4h. lecture + 4h. TD in 2004 (Julien Olivain). Magistère STIC, first year (level L3), ENS Cachan.

Computer Security 2 × 1h. lecture in 2004, 2005 (Steve Kremer; as part of Mark D. Ryan's course). University of Birmingham, UK.

Concurrency and Operating Systems 20h. lecture in 2005 (Hubert Comon-Lundh). Magistère STIC, first year (level L3), ENS Cachan.

Cryptography and cryptographic protocols. 2 × 3h. lecture in 2004, 2005 (Jean Goubault-Larrecq). Préparation à l'agrégation (no international equivalent), department of economics, third year, ENS Cachan.

Cryptography and cryptographic protocols. 3h. lecture in 2005 (Jean Goubault-Larrecq). Regards croisés programme (series of lectures common to Math and Physics students), level M1, ENS Cachan.

Démonstration automatique (automated deduction), 16h. lecture in 2002 (Jean Goubault-Larrecq). DEA Programmation, Paris. Then 2 × 15h. lecture in 2004, 2005 (Jean Goubault-Larrecq). Magistère MPRI, level M2, Paris.

Démonstration automatique (automated deduction), 15h. lecture in 2004 (Jean Goubault-Larrecq). Magistère STIC, second year (level M1), ENS Cachan.

Formal verification of security protocols 6h. lecture (Steve Kremer). Master Sécurité des Systèmes Informatiques (security of computer systems), level M2, Paris 12.

Langages formels (formal language theory), 15h. lecture in 2004 (Hubert Comon-Lundh). Magistère STIC, second year (level M1), ENS Cachan.

Logique (logic) 2 × 80h. TD-equivalent (lecture+TD) in 2002-2003 and 2003-2004 (Hubert Comon-Lundh, Ralf Treinen). Magistère STIC, first year (level L3), ENS Cachan.

Logique (logic) 2 × 20h. lecture in 2004, 2005 (Hubert Comon-Lundh). 23h. TD-equivalent in 2004 (lecture+TD; Ralf Treinen). 12h. TD in 2005 (TD; Mathieu Baudet). Magistère STIC, first year (level L3), ENS Cachan.

Logique et automates (logic and automata) 20h. lecture in 2002 (Hubert Comon-Lundh). DEA Programmation, Paris.

Logique et automates (logic and automata) 60h. TD-equivalent in 2003-2004 (Hubert Comon-Lundh, Ralf Treinen). 14h. TD-equivalent in 2004 (Ralf Treinen). Magistère STIC, second year (level M1), ENS Cachan.

Logique et informatique (lambda-calculus), 3 × 24h. lecture in 2002, 2003, 2004, 2005 (Jean Goubault-Larrecq; TD by Maribel Fernández in 2002), 3 × 24h. TD (Florent Jacquemard in 2003, 2004, and 2005). Common to Magistère STIC (ENS Cachan) and Magistère MMFAI (ENS Paris).

Programmation 1 40h. TD-equivalent (lecture+TD) in 2002 (Jean Goubault-Larrecq). 3 × 30h. TD-equivalent in 2003, 2004, 2005 (Jean Goubault-Larrecq). Magistère STIC (level L3), ENS Cachan.

Programmation 2 40h. TD-equivalent in 2003 (Ralf Treinen). 44h. TD-equivalent in 2004 (Ralf Treinen). Magistère STIC, first year (level L3), ENS Cachan.

Résolution de contraintes (constraint resolution) 12h. lecture in 2002-2003 (Ralf Treinen). DEA Programmation, Paris.

Tableau methods and temporal logics 3h. lecture (Stéphane Demri). Magistère MPRI, level M2, Paris.

Temporal logics 12h. lecture (Stéphane Demri). Magistère MPRI, level M2, Paris.

Tree automata, techniques and applications. 24h. lecture in 2005 (Hubert Comon-Lundh, Florent Jacquemard). Magistère MPRI, level M2, Paris.

Vérification de systèmes concurrents (verification of concurrent systems) 15h. TD-equivalent (Ralf Treinen, 2003). DEA Programmation, Paris.

Verification of Cryptographic Protocols and automated deduction. 2 × 20h. lecture in 2002, 2003 (Jean Goubault-Larrecq, Hubert Comon-Lundh). DEA Programmation, Paris.

Other exercise and programming sessions:

Algorithmics. Alexandre Boisseau, as moniteur. 32h., second term 2002; 32h., second term 2003. ISTY (école d'ingénieurs), U. Versailles Saint-Quentin en Yvelines.

C++ programming sessions. Véronique Cortier, as moniteur, first term 2002, 2003. 2 × 21h. Vincent Bernat, 2004, 34h. Magistère of electrical engineering, first year (level L3), ENS Cachan.

Computability. Véronique Cortier, as moniteur, second term 2002, 2003. 2 × 32h. Magistère MathInfo (mathematics and computer science), first year (level L3), ENS Cachan.

Database. Pascal Lafourcade, 2004. 32h. TD. IUT Fontainebleau, first year.

Finite automata. Stéphanie Delaune, as moniteur, 2005. 52h. Licence 2, U. Paris 7.

Introduction to programming. Pascal Lafourcade, 2004. TD+TP. 64h. DEUG MIAS, first year, U. Paris 12, Créteil.

Java programming. Stéphanie Delaune, as moniteur, 2004. 31h. DEUG MIAS, U. Paris 7.

Java programming. Stéphanie Delaune, as moniteur, 2005. 24h. Licence 1, U. Paris 7.

Network programming. Vincent Bernat, 2004. 32h. Magistère STIC, first year (level L3), ENS Cachan.

Systems programming and networks. Pascal Lafourcade, 2004. TP. 32h. IUT Fontainebleau, second year.

Programmation avancée. Fabrice Parrennes, as 1/2 ATER, 2003-2004, 96h. Magistère STIC, second year (level M1).

Miscellaneous:

Computer security. Introductory talk at the conférence de rentrée (freshman conference), Jean Goubault-Larrecq. 1h. ENS Cachan, first year (level L2).

All PhD students at SECSI, and more generally at LSV, are registered at the Ecole Doctorale Sciences Pratiques (EDSP), ENS Cachan.

3.3 Visibility

Special issues: Jean Goubault-Larrecq edited a special issue of the Journal of Telecommunications and Information Technology on models and methods for cryptographic protocol verification [41], 2002.

Organizing committees: Ralf Treinen, UNIF'02 (International Workshop on Unification, satellite of FloC 2002); UNIF'04 (International Workshop on Unification, satellite of IJCAR 2004), Cork, Ireland, 2004; RDP 2007 (Federated Conference on Rewriting, Deduction and Programming; see footnote 1). Stéphane Demri, Perspectives in Verification meeting, ENS Cachan, 2005.
Steve Kremer, 1st Workshop on the Link between Formal and Computational Models, ENS Paris, 2005 (http://www.loria.fr/ cortier/workshop.html, first edition of the future FCC workshop). Zhang Yu, IWFMS 2004 (Intl. Workshop on Formal Methods and Security, Nanjing, PR China). Hubert Comon-Lundh organized the meeting in honor of Zohar Manna, on the occasion of his doctorate honoris causa, ENS Cachan, 2002. Hubert Comon-Lundh and Ralf Treinen organized the first meeting of the Action Spécifique Sécurité logicielle: modèles et vérification, Cachan, 2003.

Footnote 1: The organization effort started in 2005. LSV/SECSI is organizing, together with the Cédric lab of CNAM and the PPS lab of University Paris 7, the International Conference of Rewriting, Deduction, and Programming (RDP'07), to be held June 25-29, 2007 in Paris. This federated conference comprises the two major conferences Rewriting Techniques and Applications (RTA) and Typed Lambda Calculi and Applications (TLCA), as well as 8 one-day workshops. URL: http://www.lsv.ens-cachan.fr/rdp07/.

Program committees: Hubert Comon-Lundh: CP 2002 (Constraint Programming), Infinity 2002 (ICALP satellite workshop); SPV 2003 (Security Protocol Verification workshop, satellite of Concur 2003), CSL 2004, LICS 2005, CSFW 2005. Jean Goubault-Larrecq: 1st Intl. Workshop on Security of Communications on the Internet [2], Tunis, Tunisia, 2002 (SECI'02; chair); Tableaux 2002, CADE 2002, LPAR 2002, IMLA 2002 (Workshop on Intuitionistic Modal Logics and Applications), Tableaux 2003, WST 2003 (Workshop on Termination), Tableaux 2005. Véronique Cortier: FCS 2002 (Foundations of Computer Security). Ralf Treinen: RTA 2002, IJCAR 2004, RTA 2004, LPAR 2004, Spring School on Security (Marseilles, France, 2005). Florent Jacquemard: RTA 2005, ASTI colloquium 2005. Stéphane Demri: M4M 2005 (Methods for Modalities). Steve Kremer: IWAP 2005 (Intl. Workshop for Applied PKI).

Steering committees: Ralf Treinen: RTA, 2003-2006 (publicity chair). Jean Goubault-Larrecq: Tableaux, 2003-2006 (vice-president).

Seminars: Jean Goubault-Larrecq: LORIA, Nancy, 2002; Cachan-Bordeaux days, Cachan, 2002; CATIA, Montpellier, 2002; DCSSI-INRIA Logical meeting, Rocquencourt, 2002; IIE, Évry, 2002; journées du GDR ALP, CNAM, Paris, 2003; CATIA, Montpellier, 2003; journées Squier and all that, U. Paris 7, Paris; IRMAR-CELAR seminar of cryptography, Rennes, 2004; Technische Universität München, 2004; LIAFA, U. Paris 7, 2004; ACI NIM GeoCal meeting, U. Paris 7, 2005. Hubert Comon-Lundh: LIX, Ecole Polytechnique, 2002; PPS, U. Paris 7, 2002.
Stéphane Demri: RWTH, Aachen, Germany, 2002; McGill U., Montréal, Canada, 2002; Dept. of Philosophy, U. Melbourne, 2003; Research School of Information Sciences and Engineering, Canberra, 2003; Institute of Computer Science, Namur, 2003; Bordeaux-Cachan days, Bordeaux, 2003; seminar of the Polish Association for Logic and Philosophy in Science, Warsaw, Poland, 2004; AS automates, modèles distribués et temporisés of CNRS RTP 23, ENS Cachan, 2004; LIAFA, U. Paris 7, 2005. Véronique Cortier: 2 × LORIA, Nancy, 2002; SLOVO days in honor of Moshe Vardi, on the occasion of his doctorate honoris causa, U. Orléans, 2002; IRISA, Rennes, 2002. Kumar Neeraj Verma: ACI crypto Vernam meeting, Grenoble, 2003. Vincent Bernat: electrical engineering dept., ENS Cachan, 2003; U. Bordeaux, 2003. Stéphanie Delaune: France Télécom R&D, Lannion, 2003; France Télécom R&D, Lannion, 2004; GREYC-LMNO seminar, U. Caen, 2004; Spring School Secu'05, Luminy, France, 2005; Clarkson U., Potsdam, USA, 2005. Mathieu Baudet: LSV, ENS Cachan, 2003; IRMAR-CELAR seminar of cryptography, Rennes, 2004; LORIA seminar, Nancy, 2004. Pascal Lafourcade: RNTL Prouvé meeting, Nancy, 2004. Steve Kremer: LACL seminar, U. Paris 12, 2005; seminar of the CS Dept., ULB, Bruxelles, 2005; Sécurité@INRIA workshop, Grenoble, 2005. Ralf Treinen: IRISA, Rennes, 2005.

Invited talks: Hubert Comon-Lundh: CiAD 2002 (complexity in automated deduction, satellite workshop of FloC), Intl. Symp. Verification (theory and practice), celebrating Zohar Manna's 64th birthday, Taormina, Italy, 2003; GAMES workshop, Paris, 2005; CIMPA school, Bangalore, India, 2005; Dagstuhl seminar on automated deduction, 2005. Stéphane Demri: Dagstuhl seminar fixed-parameter algorithms, 2003; M4M workshop (Methods for Modalities), 2003; Workshop on Logical and Algebraic Foundations of Rough Sets, Regina, CA, 2005. Jean Goubault-Larrecq: JFLA 2004 (Journées Francophones des Langages Applicatifs), SASYFT 2004 (Security of Systems: Formalisms and Analysis Tools), WLP 2004 (Workshop on Logic for Pragmatics), CQISW 2005 (Workshop on Classical and Quantum Information Theory, CalTech, Pasadena, 2005). Steve Kremer: VISSAS 2005 (NATO Advanced Research Workshop on Verification of Infinite-State Systems with Applications to Security, Timisoara, Romania; round table speaker).

Visits: Alexandre Boisseau: ULB, Bruxelles (visiting Steve Kremer, Jean-François Raskin), 4 times in 2002. Ralf Treinen: U. des Saarlandes (1 week, 2002, visiting Joachim Niehren, Tim Priesnitz). Zhang Yu: Nanjing, PR China, 100th anniversary U. Nanjing, 2002. Véronique Cortier: U. Santa Cruz, CA (6 weeks, 2003, visiting Martín Abadi). Stéphane Demri: Dept. Electrical and Electronic Engineering, Melbourne, Australia (5 weeks, 2003, visiting Jennifer Davoren). Jean Goubault-Larrecq: LSFM, U. Laval, Québec City, Québec, CA (3 weeks, 2004, visiting Nadia Tawbi, Josée Desharnais, François Laviolette). Ralf Treinen: Research Center for Verification and Semantics, National Institute of Advanced Industrial Science and Technology (AIST), Amagasaki, Japan (3 weeks, 2004, visiting Hitoshi Ohsaki). Steve Kremer: U. Birmingham, UK (6 months, visiting Mark D. Ryan, Aybek Mukhamedov, Eike Ritter, 2004; 1 month, 2005).
Stéphanie Delaune: France Télécom R&D (regularly, as part of CIFRE grant; visiting Francis Klay, Marc Girault), 2004; Clarkson U., Potsdam, USA (1 week, visiting Christopher Lynch); U. Birmingham, UK (1 week, 2005, visiting Mark D. Ryan). Mathieu Baudet: U. Santa Cruz, CA (2 months, 2005, visiting Martín Abadi).

External Visitors: Nadia Tawbi, U. Laval, Québec, 2005. Helmut Seidl, Tech. Universität München, 2005. Mark D. Ryan, U. Birmingham, 2005.

PhD Juries: As rapporteur: Joachim Niehren, Saarbrücken, 2002 (Hubert Comon-Lundh); Benjamin Monate, U. Paris 11, 2002 (Hubert Comon-Lundh); Fabrice Parrennes, U. Paris 6, 2002 (Jean Goubault-Larrecq); Mathieu Turuani, Nancy, 2003 (Hubert Comon-Lundh); Valérie Viêt-Triêm-Tông, IRISA, Rennes, 2003 (Jean Goubault-Larrecq); Daniel Méry, LORIA, Nancy, 2004 (Jean Goubault-Larrecq); Emmanuel Coquery, U. Paris 6, 2004 (Jean Goubault-Larrecq); Miquel Bofill, Barcelona, Spain, 2004 (Hubert Comon-Lundh); Irène Durand, Bordeaux, 2005 (Hubert Comon-Lundh); Jean-Marc Talbot, Lille, 2005 (Hubert Comon-Lundh); Benjamin Leperchey, U. Paris 7, 2005 (Jean Goubault-Larrecq). As examiner: Sébastien Praud, U. Paris 11, 2002 (Jean Goubault-Larrecq); Olivier Brunet, UJF, Grenoble, 2002 (Jean Goubault-Larrecq); Diane Bahrami, Évry, 2003 (Hubert Comon-Lundh); Steve Kremer, ULB, Bruxelles, Belgium, 2003 (Hubert Comon-Lundh); Sylvain Peyronnet, LRI, U. Paris 11 Orsay, 2003 (Hubert Comon-Lundh); Alexandre Boisseau, ENS Cachan, 2003 (Jean Goubault-Larrecq); Vincent Simonet, U. Paris 7, 2004 (Jean Goubault-Larrecq); David Janin, Bordeaux, 2005 (Hubert Comon-Lundh); Denis Debarbieux, Lille, 2005 (Stéphane Demri); Jérôme Féret, Ecole Polytechnique, 2005 (Jean Goubault-Larrecq); Olivier Hermant, Ecole Polytechnique, 2005 (Jean Goubault-Larrecq).

Habilitation Juries. As examiner: Ralf Treinen, U. Paris 11, 2005 (Hubert Comon-Lundh).

ACI, ANR. Hubert Comon-Lundh is a member of the scientific board of the ACI Sécurité Informatique, 2003, 2004, and a member of the bureau. Jean Goubault-Larrecq is a member of the scientific board of the ACI Sécurité Informatique, 2004, and a member of the bureau; he is a member of the scientific committee of the ARA SSIA (Security, Embedded Systems, Ambient Intelligence) of the GIP ANR, 2005-; he is a member of the scientific committee of the programme blanc of the GIP ANR, 2005-.

ASTI. Florent Jacquemard is a member of the board and vice secretary (2004), then general secretary and treasurer (2005) of the French Association for Theoretical Computer Science (ASTI), French chapter of the European Association for Theoretical Computer Science (EATCS).

DptInfo. Hubert Comon-Lundh is in charge of the computer science department, ENS Cachan, 2003-.

CS. Hubert Comon-Lundh is a member of the commission de spécialistes of U. Paris 7, section 27 (computer science), 2003; of the scientific committee of LIAFA, U. Paris 7, 2003. Ralf Treinen is a supplementary member (2003) then member (2004, 2005) of the commission de spécialistes of U. Lille 1, section 27, and a member of the commission de spécialistes of ENS Cachan, section 27, 2004, 2005. Stéphane Demri is a supplementary member of the commission de spécialistes of ENS Cachan, section 27, 2004, 2005. Florent Jacquemard is a supplementary member of the commission de spécialistes of ENS Cachan, section 27, 2005. Jean Goubault-Larrecq is a member of the evaluation committee of PPS, U. Paris 7, 2003.

Web. Ralf Treinen maintains, together with Nachum Dershowitz (Tel Aviv University, Israel), the list of open problems of the conference series Rewriting Techniques and Applications (RTA). The list currently contains 100 problems (both open and closed). The list is online at the address http://www.lsv.ens-cachan.fr/rtaloop/.
Ralf Treinen moderates the mailing list Constraints in Computational Logics, which was created in the Esprit working group of the same name, and which continues to operate after the end of the working group. As of 2003, the mailing list has 126 subscribers in the field of computational logics and mainly carries announcements of interest to the community. Further information about the mailing list, including an archive of past messages, is available at http://www.lsv.ens-cachan.fr/ccl/.

Ralf Treinen maintains the home page of the International Workshop on Unification (UNIF), which provides detailed information about the past events in UNIF's 17-year history. The UNIF home page is available at http://www.lsv.ens-cachan.fr/unif/.

Prizes. Véronique Cortier: SPECIF award for best PhD thesis, 2003; Le Monde award, 2004. Jean Goubault-Larrecq: TCS best referee award, 2003. Zhang Yu: AFCRST award for best thesis, 2006.

4 External Funding

Formally, the INRIA Futurs SECSI project has no budget. This is a choice that Jean Goubault-Larrecq (head of the project) negotiates each year: all funds that SECSI use are managed at LSV. (There have been a few sparse exceptions, though.) In particular, this has the value of making clear that the main support that SECSI requires from INRIA is personnel, not money.

I do not want the reader to be fooled: while SECSI is not funded formally, it is funded in practice through LSV. In particular, SECSI benefits from the basic support that ENS Cachan and CNRS allot the LSV. I do not count this here as external.

Again, year1 = 2002, ..., year4 = 2005.

(k euros)                year1    year2    year3    year4
National initiatives
  ACI crypto VERNAM        7.5        -        -        -
  ACI JC                  69.0     13.5        -        -
  ACI SI Rossignol           -      6.5      6.5      6.5
  ACI crypto Psi-Robuste  16.7     16.7     16.7        -
  ACI NIM GeoCal             -     3.75     3.75     3.75
  RNTL EVA                27.7     27.7        -        -
  RNTL DICO               28.9     57.3        -        -
  RNTL Prouvé                -     30.0     30.0     30.0
Industrial contracts
  Aud System: 3.0
  Lex Persona: 4.3
Scholarships
  PhD *                     81       94      106      120
  Post Doc*                  6       19        -        -
  AI+                        -        -     29.5     29.5
  ODL#
Total                    236.8   268.45   199.75   189.75

INRIA Cooperative Research Initiatives
Large-scale Initiative Actions
* other than those supported by one of the above projects
+ junior engineer supported by INRIA
# engineer supported by INRIA

ARCs

Although this is not strictly in the evaluation period, let me mention:

ProNoBis. Probability and Nondeterminism, Bisimulations and Security. Started 2006. The goal of the ProNoBis project is to explore mixing probability and non-determinism in the semantics of transition systems, and also of programming languages, with applications to security protocols. Members: SECSI (leader); Comète project, INRIA Futurs; LSV, ENS Cachan; PPS, U. Paris 7; Equipe de Logique, U. Paris 7; U. Birmingham, UK; U. Verona, Italy; Queen Mary University, London, UK; LRDE, Epita, Paris.

National initiatives

VERNAM. ACI cryptologie VERNAM, 2000-2002. Automated verification of cryptographic protocols, decidable cases and relation to decidable classes of first-order logic. (Objective 1.1.)

Members: LIF, U. de Provence, Marseille, LSV/ENS Cachan, LORIA. Total funding: 150 kf TTC, i.e. 22.5 ke TTC.

EVA. RNTL exploratory project EVA, Explication et Vérification de protocoles cryptographiques, http://www-eva.imag.fr/index eva.html, 2000-2003. Proving security protocols, and extracting proofs/explanations. (Objective 1.1.) Members: Trusted Logic S.A., LSV/ENS Cachan, Verimag. Total funding: 83.1 ke TTC.

JC. ACI jeunes chercheurs Sécurité informatique, protocoles cryptographiques et détection d'intrusion (Jean Goubault-Larrecq), 2001-2004. (Objectives 1.1, 2, 3.) Based on the SECSI themes, served as partial financial bootstrap for SECSI. Total funding: 600 kf TTC, i.e., 90 ke.

Psi-Robuste. ACI cryptologie Psi-Robuste (Protection of Information Systems), 2002-2004. Cristallisation action, meant to gather all objectives of SECSI together, focusing on intrusion detection and static analysis for security. Members: LSV/ENS Cachan. Total funding: 50 ke TTC.

DICO. RNTL exploratory project DICO, Détection d'Intrusions COopérative, 2002-2004, http://dico.netsecuresoftware.com/, http://www.lsv.ens-cachan.fr/ goubault/dico.html. Members: NetSecureOne (formerly Calyx/NetSecure, Maisons-Alfort, and before that NetSecure Software, Neuilly; leader of the project), France Télécom R&D Caen, LSV/ENS Cachan, IRISA, ONERA/DTIM, FERIA/IRIT, Supélec Rennes. Total funding: 86.2 ke TTC.

Prouvé. RNTL exploratory project Prouvé, Protocoles cryptographiques: Outils de Vérification automatique, http://www.lsv.ens-cachan.fr/prouve/, 2003–2006. Designing a language for describing protocols (independently of security properties to be checked) and security properties (independently of the protocols checked), with a stress on weakening the perfect cryptographic assumption, e.g., algebraic properties. (Objective 1.2.) Members: CRIL Technology Systèmes Avancés, France Télécom R&D, Cassis (INRIA Lorraine), LSV/ENS de Cachan, Verimag. Total funding: 119.6 ke TTC.
Rossignol. ACI Sécurité Informatique Rossignol, http://www.cmi.univ-mrs.fr/ lugiez/aci-rossignol.html, 2003–2006. Initially, more or less the same goals as Prouvé. Evolved into exploring new directions in formal verification of cryptographic protocols: equational theories, soundness in computational models, probabilistic protocols in particular. (Objective 1.2.) Members: LIF (Marseille), Comète, LSV, Verimag. Total funding: 26 ke TTC.

GeoCal. ACI Nouvelles Interfaces des Mathématiques GeoCal, Géométrie du Calcul, http://iml.univ-mrs.fr/ ehrhard/geocal/geocal.html, 2003–2006. Sundry approaches that link geometry with computation: proof nets, geometric interpretations of modal proofs, and so on.

Members: IML (Marseille), PPS, LIF (Marseille), LIPN (Villetaneuse), LSV, LIP (Lyon), Parsifal (INRIA Futurs), I3M (Montpellier), Calligramme (INRIA Lorraine), Mimosa (INRIA Sophia). Total funding: 15 ke TTC.

Although it is not formally in the evaluation period, let me also mention the following. Work on it in fact started in 2005.

FormaCrypt. ARA SSIA FormaCrypt. Relation between security in formal models and security in computational models; automation of security proofs in computational models, http://www.di.ens.fr/ blanchet/formacrypt/index.html, 2006–2008. (Objective 1.3.) Members: LIENS (Paris), LSV, Cassis (INRIA Lorraine). Total funding: 51.5 ke TTC.

STIC Tunisia. INRIA-Tunisia project 06/I09 Conception et réalisation d'un système de démonstration automatique par récurrence. Application à la validation de protocoles et de systèmes distribués (Design and implementation of an automated proof system by induction. Application to the validation of protocols and distributed systems), 2006-2007 (duration: one year, renewable). Members: SECSI, LABRI Bordeaux (Mohamed Mosbah), Tunis (Adel Bouhoula). Total funding: no explicit budget. INRIA funds two return tickets France-Tunisia for French researchers, 1 one-week stay in France for a Tunisian researcher, 4 2-week stays for Tunisian students.

European projects

ARTIST 2. Network of Excellence. Kim Guldstrand Larsen, Aarhus U., Denmark, leader. http://www.artist-embedded.org/artist/

Associated teams and other international projects

None.

Industrial contracts

Aud System. Security evaluation of the Aud System secure document format and tools, 2004 (Julien Olivain, Jean Goubault-Larrecq).

Lex Persona. Security evaluation of the Lex Persona signed document format, 2005 (Steve Kremer).

Other funding, System@tic

Member of the PFC (plateforme de confiance: trusted platform) work package of the System@tic pôle de compétitivité, région Ile-de-France, 2005-. Not funded yet. Initial demand, SECSI: 190 keuros.

5 Objectives for the next four years

SECSI will concentrate on the verification of cryptographic protocols. The most important new objective is 1.3: computational soundness of formal models. This is the hot topic of the moment. We have attempted to recruit Bogdan Warinschi precisely because he is an expert on, and a pioneer in, this domain.

The general available research directions for SECSI are: more automation, more realism, more properties. (All this still under the general goal of SECSI to develop logic-based verification techniques for security properties of computer systems and networks.)

Objective 1.3 falls into the more realism category. We wish to show that security proofs in formal models have realistic implications. It will also be necessary to consider some protocols for which no formal model exists that is solely based on logic. This is the case for protocols whose security depends on probabilities, for example. The paradigmatic example is Chaum's dining cryptographers. Correspondingly, an objective 1.5 has to be added, which started in 2006, to be fair:

1.5 Security in the presence of probabilistic and demonic non-deterministic choices.

Here probabilistic choices are mostly made by honest agents to defend themselves against a demonically non-deterministic adversary, who tries to place the honest agents in the worst possible situation. This is the starting point of the ARC ProNoBis, 2006-2007, with INRIA Futurs project Comète.

The more automation category is a more traditional theme at SECSI, and covers objective 1.2 notably. Studying more equational theories of interest in cryptography from the angle of the decidability of the intruder deduction problem is one possibility. Remember that deciding this is equivalent to deciding unreachability in protocols with bounded numbers of sessions.
More interesting is the case of combinations of theories. For example, the case of three binary symbols +, and all obeying the axioms of the theory AG of Abelian groups (i.e., three Abelian group theories), together with a fourth theory of two symbols exp and h obeying the axioms h(x + y) = h(x) h(y), exp(h(x), y) = h(x y), is relevant to protocols such as Burmester and De Smedt's. It is hoped that one could take decision procedures for the intruder deduction problem for each of the theories separately, and combine them to get new decision procedures for the combination. Combinations of theories have been well-studied in automated deduction (Nelson-Oppen, Shostak, and successors) and in unification problems (Kapur, Narendran, and Wang [KNW] is particularly relevant for the combination above, but is not a combination paper). Combinations of theories in the setting of the intruder deduction problem have only rarely, and only recently, been studied. This is important, not just to get more automation, but also to make our intruder models more realistic. The paper [73] works by an argument typical of combinations of theories, but we would like to have a more general theory of combinations at our disposal: this is necessary to make verification scale up as theories grow more complex. To avoid the risk of exploring more and more general and less and less applicable theories, our goal in this objective is to be able to apply it to an electronic voting scheme submitted by France Télécom R&D in the RNTL project Prouvé [136]. The current first papers on this subject [CR06] do not yet allow us to reach this goal.

[KNW] D. Kapur, P. Narendran, L. Wang, An E-Unification Algorithm for Analyzing Protocols that Use Modular Exponentiation, p. 165–179.

Finding new automated deduction, or automata-theoretic techniques to verify cryptographic protocols is another direction. We are notably considering extending the visibly pushdown languages of Alur and Madhusudan [AM04] to this end. Efficient abstraction techniques are also to be considered.

Finally, the more properties category covers important properties that are rarely studied in the community. In particular, receipt-freeness, coercion-resistance (for voting schemes), anonymity, privacy, unlinkability and in general all opacity properties are the topic of objective 1.4, but also of objective 1.5 and the ARC ProNoBis.

Each category has its own open problems. It is easier to list a few current ones.

In the more realism category, some questions are: Can we ensure some level of security in a computational model allowing for selective decommitment? (Formal models can express this, by having some agent send some message encrypted with K, then send K later. Current proof techniques in the computational world don't apply.)

In the more properties category: Can theories of evidence help in deciding anonymity properties in the presence of partially unknown probability distributions on inputs, where Bayesian reasoning does not apply directly?

In the more automation category, notwithstanding the example and the France Télécom voting scheme mentioned above: which equational theories of interest do yield decidable, resp. feasible, intruder deduction problems? Which theories of tree automata (possibly visibly pushdown, possibly modulo equational theories) can be decided through automated deduction techniques (typically using paramodulation-based techniques in the case of equational theories)?
Which algorithmic techniques, which abstractions will help in deciding anonymity, receipt-freeness, secrecy in group protocols with N agents, where N is a universally quantified integer parameter?

We do not mean we will solve each one of these problems, naturally, and we list them merely for illustration.

SECSI has probably roughly enough personnel to handle the more automation category, at least as of 2006. Permanent staff has to be maintained on this subject, if not increased. New PhD students have to be hired on this theme.

The more properties category, on the other hand, is severely underpowered: this was a specialty of Steve Kremer, Stéphanie Delaune, and Mathieu Baudet, and Jean Goubault-Larrecq is participating slightly through objective 1.5. However, the middle two have left after their PhDs. One could, first, use more PhD students here: Antoine Mercier is starting a PhD thesis, as of end 2006, on verifying group protocols; recruiting him is a step in the right direction, but is not enough.

The more realism category is the current hot topic, and is also severely underpowered. Again, this used to be the domain of expertise of Steve Kremer, Mathieu Baudet, and Stéphanie Delaune. The last two have left, and Laurent Mazaré will join SECSI for just the year 2007 as postdoc on objective 1.4, and will leave afterwards.

The arrival of Bogdan Warinschi would have given a boost to objectives 1.2, 1.3, and 1.4. But, although we will certainly continue working with him, this is no substitute for hiring talented young researchers on each theme. It has always been the declared objective of SECSI as an INRIA project-team to get support from INRIA in terms of personnel, not money. On the other hand, the young researchers who apply for CR to SECSI and who have received support from SECSI have always been outstanding people: Véronique Cortier in 2003 (ranked first at LORIA, second at CNRS), Steve Kremer in 2004 (ranked first at Futurs), Bogdan Warinschi in 2006 (ranked first at Futurs, first at CNRS, left to Bristol for personal reasons). We feel confident that we will continue to entice outstanding young researchers to apply to SECSI in the future.

[CR06] Y. Chevalier, M. Rusinowitch, Hierarchical Combination of Intruder Theories, in: 17th International Conference, RTA'06, F. Pfenning (editor), Springer-Verlag LNCS 4098, p. 108–122, Seattle, WA, USA, August 2006.
[AM04] R. Alur, P. Madhusudan, Visibly pushdown languages, in: STOC'04: Proceedings of the thirty-sixth annual ACM symposium on Theory of computing, ACM Press, p. 202–211, New York, NY, USA, 2004.

6 Bibliography of the project-team

Books and Monographs

[1] S. Demri, E. Orłowska, Incomplete Information: Structure, Inference, Complexity, EATCS Monographs, Springer, 2002, http://www.springer.de/cgi/svcat/search book.pl?isbn=3-540-41904-7.
[2] J. Goubault-Larrecq (editor), Actes du 1er workshop international sur la sécurité des communications sur Internet (SECI'02), Tunis, Tunisie, Sep. 2002, INRIA, 2002, http://www.lsv.ens-cachan.fr/ goubault/seci-02/final/actes-seci02/index.html.

Doctoral dissertations and Habilitation theses

[3] V. Bernat, Théories de l'intrus pour la vérification des protocoles cryptographiques, Thèse de doctorat, Laboratoire Spécification et Vérification, ENS Cachan, France, June 2006, http://www.lsv.ens-cachan.fr/publis/papers/pdf/these-bernat.pdf.
[4] A. Boisseau, Abstractions pour la vérification de propriétés de sécurité de protocoles cryptographiques, PhD Thesis, ENS de Cachan, September 2003, http://www.lsv.ens-cachan.fr/publis/papers/boisseau-these.ps.
[5] V. Cortier, Vérification automatique des protocoles cryptographiques, PhD Thesis, ENS de Cachan, March 2003, Prix SPÉCIF 2003, http://www.lsv.ens-cachan.fr/publis/PAPERS/Cortier-these.ps.
[6] S. Delaune, Vérification des protocoles cryptographiques et propriétés algébriques, Thèse de doctorat, Laboratoire Spécification et Vérification, ENS Cachan, France, June 2006, http://www.lsv.ens-cachan.fr/publis/papers/pdf/these-delaune.pdf.
[7] P. Lafourcade, Vérification des protocoles cryptographiques en présence de théories équationnelles, Thèse de doctorat, Laboratoire Spécification et Vérification, ENS Cachan, France, September 2006, http://www.lsv.ens-cachan.fr/publis/papers/pdf/these-lafourcade.pdf.
[8] M. Roger, Raffinements de la résolution et vérification de protocoles cryptographiques, PhD Thesis, ENS de Cachan, October 2003, http://www.lsv.ens-cachan.fr/publis/PAPERS/Roger-these.ps.
[9] R. Treinen, Résolution symbolique de contraintes, Mémoire d'habilitation, Université Paris-Sud 11, Orsay, France, November 2005, http://www.lsv.ens-cachan.fr/publis/PAPERS/PDF/RT-habil.pdf.
[10] K. N. Verma, Automates d'arbres bidirectionnels modulo théories équationnelles, PhD Thesis, ENS de Cachan, September 2003, http://www.lsv.ens-cachan.fr/publis/papers/Verma-these.ps.
[11] Y. Zhang, Cryptographic Logical Relations – What is the Contextual Equivalence for Cryptographic Protocols and How to Prove it?, Thèse de doctorat, Laboratoire Spécification et Vérification, ENS Cachan, France, October 2005, http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/zy-thesis.pdf.

Articles in refereed journals and book chapters

[12] N. Alechina, S. Demri, M. de Rijke, A Modal Perspective on Path Constraints, Journal of Logic and Computation 13, 6, 2003, p. 939–956, http://www.lsv.ens-cachan.fr/publis/papers/pdf/final-jlc-adr.pdf.
[13] M. Baudet, Random Polynomial-Time Attacks and Dolev-Yao Models, Journal of Automata, Languages and Combinatorics, 2006, to appear, http://www.lsv.ens-cachan.fr/publis/papers/pdf/bau05-jalc.pdf.
[14] M. Bidoit, R. Hennicker, Constructor-Based Observational Logic, Journal of Logic and Algebraic Programming 67, 1-2, April-May 2006, p. 3–51, http://www.lsv.ens-cachan.fr/publis/papers/pdf/bid-hen-jlap.pdf.
[15] E. Bursztein, TCP Timestamp to Count Hosts Behind NAT, Phrack Magazine 63, 3, August 2005, p. linenoise 0x03 2, http://www.phrack.org/phrack/63/p63-0x03 Linenoise.txt.
[16] R. Chadha, S. Kremer, A. Scedrov, Formal Analysis of Multi-Party Contract Signing, Journal of Automated Reasoning, 2006, to appear, http://www.lsv.ens-cachan.fr/publis/papers/pdf/mpcs-cks.pdf.
[17] H. Comon, V. Cortier, Tree Automata with One Memory, Set Constraints and Cryptographic Protocols, Theoretical Computer Science 331, 1, February 2005, p. 143–214, http://www.lsv.ens-cachan.fr/publis/papers/ps/comoncortiertcs1.ps.
[18] H. Comon, F. Jacquemard, Ground Reducibility is EXPTIME-Complete, Information and Computation 187, 1, 2003, p. 123–153.
[19] H. Comon, Y. Jurski, Counter Automata, Fixed Points and Additive Theories, Theoretical Computer Science, 2004, to appear.
[20] H. Comon, P. Narendran, R. Nieuwenhuis, M. Rusinowitch, Deciding the Confluence of Ordered Term Rewrite Systems, ACM Trans. Computational Logic 4, 1, 2003, p. 33–55.
[21] H. Comon, V. Shmatikov, Is it Possible to Decide whether a Cryptographic Protocol is Secure or not?, in: Journal of Telecommunications and Information Technology [41].
[22] H. Comon-Lundh, V. Cortier, Security Properties: Two Agents Are Sufficient, Science of Computer Programming 50, 1–3, March 2004, p. 51–71, http://www.lsv.ens-cachan.fr/publis/papers/comoncortier-step2.ps.
[23] V. Cortier, S. Delaune, P. Lafourcade, A Survey of Algebraic Properties Used in Cryptographic Protocols, Journal of Computer Security 14, 1, 2006, p. 1–43, http://www.lsv.ens-cachan.fr/publis/papers/pdf/surveycdl.pdf.
[24] V. Cortier, About the Decision of Reachability for Register Machines, Theoretical Informatics and Applications 36, 4, 2002, p. 341–358.
[25] S. Delaune, F. Jacquemard, Decision Procedures for the Security of Protocols with Probabilistic Encryption against Offline Dictionary Attacks, Journal of Automated Reasoning, 2006, to appear, http://www.lsv.ens-cachan.fr/publis/papers/ps/dj-jar05.ps.
[26] S. Delaune, Easy Intruder Deduction Problems with Homomorphisms, Information Processing Letters 97, 6, March 2006, p. 213–218, http://www.lsv.ens-cachan.fr/publis/PAPERS/PDF/SD-ipl05.pdf.
[27] S. Delaune, An Undecidability Result for AGh, Theoretical Computer Science, 2006, to appear, http://www.lsv.ens-cachan.fr/publis/rapports LSV/PDF/rr-lsv-2006-02.pdf.

[28] S. Demri, H. de Nivelle, Deciding Regular Grammar Logics with Converse through First-Order Logic, Journal of Logic, Language and Information 14, 3, June 2005, p. 289–319, http://www.lsv.ens-cachan.fr/publis/papers/pdf/ddn-gf-issue.pdf.
[29] S. Demri, R. P. Goré, Display Calculi for Nominal Tense Logics, Journal of Logic and Computation 12, 6, December 2002, p. 993–1016, http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DemGor-jlc02-1.ps.
[30] S. Demri, R. Goré, Theoremhood Preserving Maps Characterising Cut Elimination for Modal Provability Logics, Journal of Logic and Computation 12, 5, 2002, p. 861–884, http://www.lsv.ens-cachan.fr/publis/papers/demgor-jlc02-2.ps.
[31] S. Demri, F. Laroussinie, Ph. Schnoebelen, A Parametric Analysis of the State Explosion Problem in Model Checking, Journal of Computer and System Sciences 72, 4, June 2006, p. 547–575, http://www.lsv.ens-cachan.fr/publis/papers/pdf/DLS-jcss-param.pdf.
[32] S. Demri, R. Lazić, D. Nowak, On the freeze quantifier in constraint LTL: Decidability and complexity, Information and Computation, 2006, to appear, http://www.lsv.ens-cachan.fr/publis/papers/pdf/dln-icomp06.pdf.
[33] S. Demri, P. Schnoebelen, The Complexity of Propositional Linear Temporal Logics in Simple Cases, Information and Computation 174, 1, 2002, p. 84–103, http://www.lsv.ens-cachan.fr/publis/papers/ds-icomp2001.ps.
[34] S. Demri, A Polynomial Space Construction of Tree-Like Models for Logics with Local Chains of Modal Connectives, Theoretical Computer Science 300, 1–3, 2003, p. 235–258, http://www.lsv.ens-cachan.fr/publis/papers/demri-tcs02.ps.
[35] S. Demri, A reduction from DLP to PDL, Journal of Logic and Computation 15, 5, October 2005, p. 767–785, http://www.lsv.ens-cachan.fr/publis/papers/pdf/demri-jlc05.pdf.
[36] S. Demri, Linear-Time Temporal logics with Presburger Constraints: An Overview, Journal of Applied Non-Classical Logics, 2006, to appear, http://www.lsv.ens-cachan.fr/publis/papers/pdf/demri-jancl06.pdf.
[37] S. Demri, LTL over integer periodicity constraints, Theoretical Computer Science 360, 1-3, August 2006, p. 96–123, http://www.lsv.ens-cachan.fr/publis/papers/pdf/demri-tcs06.pdf.
[38] J. Goubault-Larrecq, É. Goubault, On the Geometry of Intuitionistic S4 Proofs, Homology, Homotopy and Applications 5, 2, 2003, p. 137–209, http://www.lsv.ens-cachan.fr/publis/papers/s4g.ps.
[39] J. Goubault-Larrecq, M. Roger, K. N. Verma, Abstraction and Resolution Modulo AC: How to Verify Diffie-Hellman-like Protocols Automatically, Journal of Logic and Algebraic Programming 64, 2, August 2005, p. 219–251, http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/GLRV-acm.ps.
[40] J. Goubault-Larrecq, Sécurité, modélisation et analyse de protocoles cryptographiques, Phœbus, la revue de la sûreté de fonctionnement 20, 2002, Numéro spécial sur la sécurité des systèmes d'information, http://www.lsv.ens-cachan.fr/publis/papers/GL-Phoebus2002.doc.
[41] J. Goubault-Larrecq, Special Issue on Models and Methods for Cryptographic Protocol Verification, Journal of Telecommunications and Information Technology 4, December 2002.

[42] J. Goubault-Larrecq, Deciding H1 by Resolution, Information Processing Letters 95, 3, August 2005, p. 401–408, http://www.lsv.ens-cachan.fr/publis/papers/pdf/Goubault-h1.pdf.
[43] J. Goubault-Larrecq, Extensions of Valuations, Mathematical Structures in Computer Science 15, 2, April 2005, p. 271–297, http://www.lsv.ens-cachan.fr/publis/rapports LSV/PS/rr-lsv-2002-17.rr.ps.
[44] F. Jacquemard, Reachability and Confluence are Undecidable for Flat Term Rewriting Systems, Information Processing Letters 87, 5, 2003, p. 265–270, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2003-6.rr.ps.
[45] K. N. Verma, J. Goubault-Larrecq, Karp-Miller Trees for a Branching Extension of VASS, Discrete Mathematics & Theoretical Computer Science 7, 1, November 2005, p. 217–230, http://www.lsv.ens-cachan.fr/publis/papers/pdf/vgl-dmtcs05.pdf.

Publications in Conferences and Workshops

[46] M. Abadi, M. Baudet, B. Warinschi, Guessing Attacks and the Computational Soundness of Static Equivalence, in: Proceedings of the 9th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS'06), L. Aceto, A. Ingólfsdóttir (editors), Lecture Notes in Computer Science, 3921, Springer, p. 398–412, Vienna, Austria, March 2006, http://www.lsv.ens-cachan.fr/publis/papers/PDF/ABW Fossacs06.pdf.
[47] M. Baudet, V. Cortier, S. Kremer, Computationally Sound Implementations of Equational Theories against Passive Adversaries, in: Proceedings of the 32nd International Colloquium on Automata, Languages and Programming (ICALP'05), L. Caires, G. F. Italiano, L. Monteiro, C. Palamidessi, M. Yung (editors), Lecture Notes in Computer Science, 3580, Springer, p. 652–663, Lisboa, Portugal, July 2005, http://www.lsv.ens-cachan.fr/publis/papers/pdf/bck-icalp05.pdf.
[48] M. Baudet, Random Polynomial-Time Attacks and Dolev-Yao Models, in: Proc. Workshop on Security Analysis of Systems: Formalism and Tools (SASYFT-2004), Orléans, France, June 2004, S. Anantharaman (editor), 2004. Proceedings published as LIFO Technical Report 2004-11, Laboratoire d'Informatique Fondamentale d'Orléans, http://www.lsv.ens-cachan.fr/publis/papers/b04sasyft.ps.
[49] M. Baudet, Deciding Security of Protocols against Off-line Guessing Attacks, in: Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS'05), ACM Press, p. 16–25, Alexandria, Virginia, USA, November 2005, http://www.lsv.ens-cachan.fr/publis/papers/pdf/baudet CCS05revised.pdf.
[50] V. Bernat, Towards a Logic for Verification of Security Protocols, in: Proc. Workshop on Security Protocols Verification (SPV 2003), Marseille, France, September 2003, http://www.lsv.ens-cachan.fr/publis/papers/bernat-spv2003.ps.
[51] M. Bidoit, R. Hennicker, Proving Behavioral Refinements of COL-Specifications, in: Algebra, Meaning and Computation – Essays dedicated to Joseph A. Goguen on the Occasion of His 65th Birthday, K. Futatsugi, J.-P. Jouannaud, J. Meseguer (editors), Lecture Notes in Computer Science, 4060, Springer, p. 333–354, San Diego, California, USA, June 2006, http://www.lsv.ens-cachan.fr/publis/papers/pdf/bh-goguen06.pdf.
[52] J. Boender, R. Di Cosmo, B. Durak, X. Leroy, F. Mancinelli, M. Morgado, D. Pinheiro, R. Treinen, P. Trezentos, J. Vouillon, News from the EDOS project: improving the maintenance of free software distributions, in: Proceedings of the International Workshop on Free Software (IWFS'06), O. Berger (editor), p. 199–207, Porto Alegre, Brazil, April 2006, http://www.lsv.ens-cachan.fr/publis/papers/pdf/wsl06.pdf.

[53] A. Bouhoula, F. Jacquemard, Constrained Tree Grammars to Pilot Automated Proof by Induction, in: Proc. 5th Workshop on Strategies in Automated Deduction (STRATEGIES 2004), Cork, Ireland, July 2004, T. Boy de la Tour (editor), 2004, http://www.lsv.ens-cachan.fr/publis/papers/bj-strategies04.pdf.
[54] A. Bouhoula, F. Jacquemard, Security Protocols Verification with Implicit Induction and Explicit Destructors, in: Proceedings of the 1st International Workshop on Security and Rewriting Techniques (SecReT'06), Venice, Italy, July 2006, to appear.
[55] J. Cardinal, S. Kremer, S. Langerman, Juggling with Pattern Matching, in: Proceedings of the 3rd International Conference on Fun with Algorithms (FUN'04), P. Ferragina, R. Grossi (editors), Edizioni Plus, Università di Pisa, p. 147–158, Isola d'Elba, Italy, May 2004, http://www.lsv.ens-cachan.fr/publis/papers/ps/kremer-fun04.ps.gz.
[56] R. Chadha, S. Kremer, A. Scedrov, Formal Analysis of Multi-Party Contract Signing, in: Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW'04), IEEE Computer Society Press, p. 266–279, Asilomar, Pacific Grove, California, USA, June 2004, http://www.lsv.ens-cachan.fr/publis/papers/ps/kremer-csfw04.ps.gz.
[57] R. Chadha, S. Kremer, A. Scedrov, Formal Analysis of Multi-Party Contract Signing, in: Proceedings of the 4th IFIP WG1.7 Workshop on Issues in the Theory of Security (WITS'04), Barcelona, Spain, April 2004, http://www.lsv.ens-cachan.fr/publis/PAPERS/PS/Kremer-wits04.ps.gz.
[58] H. Comon-Lundh, V. Cortier, New Decidability Results for Fragments of First-Order Logic and Application to Cryptographic Protocols, in: Proc. 14th Int. Conf. Rewriting Techniques and Applications (RTA 2003), Valencia, Spain, June 2003, Lecture Notes in Computer Science, 2706, Springer, p. 148–164, 2003, http://www.lsv.ens-cachan.fr/Publis/RAPPORTS LSV/rr-lsv-2003-2.rr.ps.
[59] H. Comon-Lundh, V. Cortier, Security Properties: Two Agents Are Sufficient, in: Proc. 12th European Symposium on Programming (ESOP 2003), Warsaw, Poland, Apr. 2003, Lecture Notes in Computer Science, 2618, Springer, p. 99–113, 2003, http://www.lsv.ens-cachan.fr/publis/papers/comoncortieresop03.ps.
[60] H. Comon-Lundh, S. Delaune, The Finite Variant Property: How to Get Rid of Some Algebraic Properties, in: Proceedings of the 16th International Conference on Rewriting Techniques and Applications (RTA'05), J. Giesl (editor), Lecture Notes in Computer Science, 3467, Springer, p. 294–307, Nara, Japan, April 2005, http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/rta05-CD.pdf.
[61] H. Comon-Lundh, V. Shmatikov, Intruder Deductions, Constraint Solving and Insecurity Decision in Presence of Exclusive Or, in: Proc. 18th IEEE Symp. Logic in Computer Science (LICS 2003), Ottawa, Canada, June 2003, IEEE Comp. Soc. Press, p. 271–280, June 2003.
[62] H. Comon-Lundh, R. Treinen, Easy Intruder Deductions, in: Verification: Theory and Practice, Essays Dedicated to Zohar Manna on the Occasion of His 64th Birthday, N. Dershowitz (editor), Lecture Notes in Computer Science, 2772, Springer, p. 225–242, February 2003. Invited paper, http://www.lsv.ens-cachan.fr/publis/papers/ps/CT-manna.ps.
[63] H. Comon-Lundh, Intruder Theories (Ongoing Work), in: Proc. 7th Int. Conf. Foundations of Software Science and Computation Structures (FOSSACS 2004), Barcelona, Spain, Apr. 2004, Lecture Notes in Computer Science, 2987, Springer, p. 1–4, 2004.
[64] V. Cortier, S. Kremer, R. Küsters, B. Warinschi, Computationally Sound Symbolic Secrecy in the Presence of Hash Functions, in: Proceedings of the 26th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'06), N. Garg, S. Arun-Kumar (editors), Lecture Notes in Computer Science, Springer, Kolkata, India, December 2006, to appear, http://www.lsv.ens-cachan.fr/publis/papers/pdf/CKKW-fsttcs06.pdf.
[65] V. Cortier, Vérifier les protocoles cryptographiques, in: Technique et Science Informatique (TSI), 24, 1, Hermès Science, p. 115–140, 2005.
[66] S. Delaune, F. Jacquemard, A Decision Procedure for the Verification of Security Protocols with Explicit Destructors, in: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS'04), V. Atluri, B. Pfitzmann, P. McDaniel (editors), ACM Press, p. 278–287, Washington, D.C., USA, October 2004, http://www.lsv.ens-cachan.fr/publis/papers/ps/dj-ccs-2004.ps.
[67] S. Delaune, F. Jacquemard, Narrowing-Based Constraint Solving for the Verification of Security Protocols, in: Proc. 18th Int. Workshop on Unification (UNIF 2004), Cork, Ireland, July 2004, M. Kohlhase (editor), 2004, http://www.lsv.ens-cachan.fr/publis/RAPPORTS LSV/rr-lsv-2004-8.rr.ps.
[68] S. Delaune, F. Jacquemard, A Theory of Dictionary Attacks and its Complexity, in: Proc. 17th IEEE Computer Security Foundations Workshop (CSFW 2004), Asilomar, CA, USA, June 2004, IEEE Comp. Soc. Press, p. 2–15, 2004, http://www.lsv.ens-cachan.fr/publis/papers/dj-csfw2004.ps.
[69] S. Delaune, F. Klay, Vérification automatique appliquée à un protocole de commerce électronique, in: Actes des 6èmes Journées Doctorales Informatique et Réseau (JDIR'04), p. 260–269, Lannion, France, November 2004, http://www.lsv.ens-cachan.fr/publis/PAPERS/PDF/DK-jdir-2004.pdf.
[70] S. Delaune, S. Kremer, M. D. Ryan, Receipt-Freeness: Formal Definition and Fault Attacks (Extended Abstract), in: Proceedings of the Workshop Frontiers in Electronic Elections (FEE 2005), Milan, Italy, September 2005, http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-fee05.pdf.
[71] S. Delaune, S. Kremer, M. D. Ryan, Coercion-Resistance and Receipt-Freeness in Electronic Voting, in: Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW'06), IEEE Computer Society Press, p. 28–39, Venice, Italy, July 2006, http://www.lsv.ens-cachan.fr/publis/papers/pdf/dkr-csfw06.pdf.
[72] S. Delaune, S. Kremer, M. D. Ryan, Verifying Properties of Electronic Voting Protocols, in: Proceedings of the IAVoSS Workshop On Trustworthy Elections (WOTE'06), p. 45–52, Cambridge, UK, June 2006, http://www.lsv.ens-cachan.fr/publis/papers/PDF/DKR-wote06.pdf.
[73] S. Delaune, P. Lafourcade, D. Lugiez, R. Treinen, Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive Or, in: Proceedings of the 33rd International Colloquium on Automata, Languages and Programming (ICALP'06) Part II, M. Bugliesi, B. Preneel, V. Sassone, I. Wegener (editors), Lecture Notes in Computer Science, 4052, Springer, p. 132–141, Venice, Italy, July 2006, http://www.lsv.ens-cachan.fr/publis/papers/pdf/dllt-icalp06.pdf.
[74] S. Delaune, Intruder Deduction Problem in Presence of Guessing Attacks, in: Proc. Workshop on Security Protocols Verification (SPV 2003), p. 26–30, Marseille, France, September 2003, http://www.lsv.ens-cachan.fr/publis/papers/del-spv2003.ps.
[75] S. Demri, H. de Nivelle, Relational Translations into GF2, in: Proc. Third Workshop on Methods for Modalities, p. 93–108, Nancy, France, September 2003. (Informal proceedings).

[76] S. Demri, D. D'Souza, An Automata-Theoretic Approach to Constraint LTL, in: Proceedings of the 22nd Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 02), M. Agrawal, A. Seth (editors), Lecture Notes in Computer Science, 2556, Springer, p. 121–132, Kanpur, India, December 2002, http://www.lsv.ens-cachan.fr/publis/papers/ps/demdsou-fsttcs02.ps.

[77] S. Demri, A. Finkel, V. Goranko, G. van Drimmelen, Towards a model-checker for counter systems, in: Proceedings of the 4th International Symposium on Automated Technology for Verification and Analysis (ATVA 06), S. Graf, W. Zhang (editors), Lecture Notes in Computer Science, 4218, Springer, p. 493–507, Beijing, ROC, October 2006. To appear, http://www.lsv.ens-cachan.fr/publis/papers/pdf/ddfg-atva06.pdf.

[78] S. Demri, R. Gascon, Verification of Qualitative Z-Constraints, in: Proceedings of the 16th International Conference on Concurrency Theory (CONCUR 05), M. Abadi, L. de Alfaro (editors), Lecture Notes in Computer Science, 3653, Springer, p. 518–532, San Francisco, CA, USA, August 2005, http://www.lsv.ens-cachan.fr/publis/papers/pdf/DG-Concur05.pdf.

[79] S. Demri, F. Laroussinie, P. Schnoebelen, A Parametric Analysis of the State Explosion Problem in Model Checking (Extended Abstract), in: Proc. 19th Ann. Symp. Theoretical Aspects of Computer Science (STACS 2002), Antibes Juan-les-Pins, France, Mar. 2002, Lecture Notes in Computer Science, 2285, Springer, p. 620–631, 2002, http://www.lsv.ens-cachan.fr/publis/papers/dls-stacs2002.ps.

[80] S. Demri, R. Lazić, D. Nowak, On the Freeze Quantifier in Constraint LTL: Decidability and Complexity, in: Proceedings of the 12th International Symposium on Temporal Representation and Reasoning (TIME 05), IEEE Computer Society Press, p. 113–121, Burlington, Vermont, USA, June 2005, http://www.lsv.ens-cachan.fr/publis/rapports LSV/PDF/rr-lsv-2005-03.pdf.

[81] S. Demri, R. Lazić, LTL with the freeze quantifier and register automata, in: Proceedings of the 21st Annual IEEE Symposium on Logic in Computer Science (LICS 06), IEEE Computer Society Press, p. 17–26, Seattle, Washington, USA, August 2006, http://www.lsv.ens-cachan.fr/publis/papers/pdf/dl-lics2006.pdf.

[82] S. Demri, D. Lugiez, Presburger Modal Logic is Only PSPACE-complete, in: Proceedings of the 3rd International Joint Conference on Automated Reasoning (IJCAR 06), U. Furbach, N. Shankar (editors), Lecture Notes in Artificial Intelligence, 4130, Springer-Verlag, p. 541–556, Seattle, Washington, USA, August 2006.

[83] S. Demri, D. Nowak, Reasoning about transfinite sequences (extended abstract), in: Proceedings of the 3rd International Symposium on Automated Technology for Verification and Analysis (ATVA 05), D. A. Peled, Y.-K. Tsay (editors), Lecture Notes in Computer Science, 3707, Springer, p. 248–262, Taipei, Taiwan, ROC, October 2005, http://www.lsv.ens-cachan.fr/publis/papers/pdf/dn-atva2005.pdf.

[84] S. Demri, Modal Logics with Weak Forms of Recursion: PSPACE specimens, in: Advances in Modal Logics, selected papers from 3rd Workshop on Advances in Modal Logics (AIML 2000), Leipzig, Germany, Oct. 2000, M. de Rijke, H. Wansing, F. Wolter, M. Zakharyaschev (editors), World Scientific, p. 113–138, 2002, http://www.lsv.ens-cachan.fr/publis/papers/sd-aiml00.ps.

[85] S. Demri, LTL over Integer Periodicity Constraints, in: Proceedings of the 7th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS 04), I. Walukiewicz (editor), Lecture Notes in Computer Science, 2987, Springer, p. 121–135, Barcelona, Spain, March 2004, http://www.lsv.ens-cachan.fr/publis/RAPPORTS LSV/rr-lsv-2004-6.rr.ps.

[86] A. Galland, M. Baudet, Controlling and Optimizing the Usage of One Resource, in: Proc. 1st Asian Symp. on Programming Languages and Systems (APLAS 03), Beijing, China, Nov. 2003, Lecture Notes in Computer Science, 2895, Springer, p. 195–211, 2003, http://www.lsv.ens-cachan.fr/publis/papers/gb03aplas.ps.

[87] A. Galland, M. Baudet, Économiser l'or du banquier, in: Actes 3ème Conférence Française sur les Systèmes d'Exploitation (CFSE 3), M. Auguin, F. Baude, D. Lavenier, M. Riveill (editors), INRIA, p. 638–649, La Colle sur Loup, France, October 2003, http://www.lsv.ens-cachan.fr/publis/papers/gb03cfse.ps.

[88] J. Goubault-Larrecq, S. Lasota, D. Nowak, Y. Zhang, Complete Lax Logical Relations for Cryptographic Lambda-Calculi, in: Proc. 18th Int. Workshop Computer Science Logic (CSL 2004), Karpacz, Poland, Sep. 2004, Lecture Notes in Computer Science, 3210, Springer, p. 400–414, 2004, http://www.lsv.ens-cachan.fr/publis/papers/GLLNZ-csl04.ps.

[89] J. Goubault-Larrecq, S. Lasota, D. Nowak, Logical Relations for Monadic Types, in: Proceedings of the 16th International Workshop on Computer Science Logic (CSL 02), J. C. Bradfield (editor), Lecture Notes in Computer Science, 2471, Springer, p. 553–568, Edinburgh, Scotland, UK, September 2002, http://www.lsv.ens-cachan.fr/publis/PAPERS/PS/GLLN-csl2002.ps.

[90] J. Goubault-Larrecq, F. Parrennes, Cryptographic Protocol Analysis on Real C Code, in: Proc. 6th Intl. Conf. Verification, Model Checking and Abstract Interpretation (VMCAI 05), R. Cousot (editor), Springer-Verlag LNCS 3385, p. 363–379, Paris, France, January 2005. http://www.lsv.ens-cachan.fr/publis/papers/pdf/GouPar-VMCAI2005.pdf.

[91] J. Goubault-Larrecq, F. Parrennes, Cryptographic Protocol Analysis on Real C Code, in: Proceedings of the 6th International Conference on Verification, Model Checking and Abstract Interpretation (VMCAI 05), R. Cousot (editor), Lecture Notes in Computer Science, 3385, Springer, p. 363–379, Paris, France, January 2005, http://www.lsv.ens-cachan.fr/publis/papers/pdf/goupar-vmcai2005.pdf.

[92] J. Goubault-Larrecq, Higher-Order Positive Set Constraints, in: Proceedings of the 16th International Workshop on Computer Science Logic (CSL 02), J. C. Bradfield (editor), Lecture Notes in Computer Science, 2471, Springer, p. 473–489, Edinburgh, Scotland, UK, September 2002, http://www.lsv.ens-cachan.fr/publis/rapports LSV/PS/rr-lsv-2002-6.rr.ps.

[93] J. Goubault-Larrecq, Vérification de protocoles cryptographiques : la logique à la rescousse!, in: Actes du 1er workshop international sur la sécurité des communications sur Internet (SECI 02), Tunis, Tunisia, Sep. 2002, J. Goubault-Larrecq (editor), INRIA, p. 119–152, 2002, http://www.lsv.ens-cachan.fr/publis/papers/jgl-seci.ps.

[94] J. Goubault-Larrecq, Une fois qu'on n'a pas trouvé de preuve, comment le faire comprendre à un assistant de preuve?, in: Actes 15èmes journées francophones sur les langages applicatifs (JFLA 2004), Sainte-Marie-de-Ré, France, Jan. 2004, INRIA, collection didactique, p. 1–40, 2004, http://www.lsv.ens-cachan.fr/publis/papers/jgl-jfla2004.ps.

[95] F. Jacquemard, M. Rusinowitch, L. Vigneron, Tree automata with equality constraints modulo equational theories, in: Proceedings of the 3rd International Joint Conference on Automated Reasoning (IJCAR 06), U. Furbach, N. Shankar (editors), Lecture Notes in Artificial Intelligence, 4130, Springer-Verlag, p. 557–571, Seattle, Washington, USA, August 2006, http://www.lsv.ens-cachan.fr/publis/rapports LSV/PDF/rr-lsv-2006-07.pdf.

[96] S. Kremer, M. D. Ryan, Analysing the Vulnerability of Protocols to Produce Known-pair and Chosen-text Attacks, in: Proceedings of the 2nd International Workshop on Security Issues in Coordination Models, Languages and Systems (SecCo 04), R. Focardi, G. Zavattaro (editors), Electronic Notes in Theoretical Computer Science, 128, 5, Elsevier Science Publishers, p. 84–107, London, UK, May 2005, http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Kremer-secco04.pdf.

[97] S. Kremer, M. D. Ryan, Analysis of an Electronic Voting Protocol in the Applied Pi-Calculus, in: Programming Languages and Systems Proceedings of the 14th European Symposium on Programming (ESOP 05), M. Sagiv (editor), Lecture Notes in Computer Science, 3444, Springer, p. 186–200, Edinburgh, U.K., April 2005, http://www.lsv.ens-cachan.fr/publis/papers/pdf/kremer-esop05.pdf.

[98] P. Lafourcade, D. Lugiez, R. Treinen, Intruder Deduction for AC-like Equational Theories with Homomorphisms, in: Proceedings of the 16th International Conference on Rewriting Techniques and Applications (RTA 05), J. Giesl (editor), Lecture Notes in Computer Science, 3467, Springer, p. 308–322, Nara, Japan, April 2005, http://www.lsv.ens-cachan.fr/publis/papers/pdf/rta05-llt.pdf.

[99] P. Lafourcade, D. Lugiez, R. Treinen, ACUNh: Unification and Disunification Using Automata Theory, in: Proceedings of the 20th International Workshop on Unification (UNIF 06), J. Levy (editor), Seattle, Washington, USA, August 2006, http://www.lsv.ens-cachan.fr/publis/papers/pdf/llt-unif06.pdf.

[100] P. Lafourcade, Intruder Deduction for the Equational Theory of Exclusive-or with Commutative and Distributive Encryption, in: Proceedings of the 1st International Workshop on Security and Rewriting Techniques (SecReT 06), Venice, Italy, July 2006. To appear, http://www.lsv.ens-cachan.fr/publis/papers/pdf/laf-secret06.pdf.

[101] S. Lasota, D. Nowak, Y. Zhang, On completeness of logical relations for monadic types, in: Proceedings of the 3rd APPSEM II Workshop (APPSEM 05), M. Hofmann, H.-W. Loidl (editors), Frauenchiemsee, Germany, September 2005, http://www.lsv.ens-cachan.fr/publis/papers/pdf/lnz-monad-complete.pdf.

[102] F. Mancinelli, J. Boender, R. Di Cosmo, J. Vouillon, B. Durak, X. Leroy, R. Treinen, Managing the Complexity of Large Free and Open Source Package-Based Software Distributions, in: Proceedings of the 21st IEEE/ACM International Conference on Automated Software Engineering (ASE 06), IEEE Computer Society Press, p. 199–208, Tokyo, Japan, September 2006, http://www.lsv.ens-cachan.fr/publis/papers/pdf/edos-ase06.pdf.

[103] O. Michel, F. Jacquemard, An Analysis of the Needham-Schroeder Public-Key Protocol with MGS, in: Proc. 5th Workshop on Membrane Computing (WMC 2004), Milano, Italy, June 2004, G. Păun (editor), 2004, http://psystems.disco.unimib.it/procwmc5.html.

[104] O. Michel, F. Jacquemard, An Analysis of the Needham-Schroeder Public-Key Protocol with MGS, in: Proceedings of the 5th Workshop on Membrane Computing (WMC 2004), Milano, Italy, June 2004.

[105] A. Mukhamedov, S. Kremer, E. Ritter, Analysis of a Multi-Party Fair Exchange Protocol and Formal Proof of Correctness in the Strand Space Model, in: Revised Papers from the 9th International Conference on Financial Cryptography and Data Security (FC 05), A. S. Patrick, M. Yung (editors), Lecture Notes in Computer Science, 3570, Springer, p. 255–269, Roseau, The Commonwealth Of Dominica, August 2005, http://www.lsv.ens-cachan.fr/publis/papers/pdf/mkr-fcrypto05.pdf.

[106] J. Olivain, J. Goubault-Larrecq, The Orchids Intrusion Detection Tool, in: Proceedings of the 17th International Conference on Computer Aided Verification (CAV 05), K. Etessami, S. Rajamani (editors), Lecture Notes in Computer Science, 3576, Springer, p. 286–290, Edinburgh, Scotland, UK, July 2005, http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/OG-cav05.pdf.

[107] S. Saeednia, S. Kremer, O. Markowitch, An Efficient Strong Designated Verifier Signature Scheme, in: Revised Papers of the 6th International Conference on Information Security and Cryptology (ICISC 03), J. In Lim, D. Hoon Lee (editors), Lecture Notes in Computer Science, 2971, Springer, p. 40–54, Seoul, Korea, 2004, http://www.lsv.ens-cachan.fr/publis/papers/ps/kremer-icisc03.ps.gz.

[108] Z. Su, A. Aiken, J. Niehren, T. Priesnitz, R. Treinen, The First-Order Theory of Subtyping Constraints, in: Conference Record of the 29th SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 02), ACM Press, p. 203–216, Portland, Oregon, USA, January 2002. ACM SIGPLAN Notices 37(1).

[109] K. N. Verma, On Closure under Complementation of Equational Tree Automata for Theories Extending AC, in: Proc. 10th Int. Conf. Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2003), Almaty, Kazakhstan, Sep. 2003, Lecture Notes in Artificial Intelligence, 2850, Springer, p. 183–195, 2003, http://www.lsv.ens-cachan.fr/Publis/PAPERS/Verma-lpar03.ps.

[110] K. N. Verma, Two-Way Equational Tree Automata for AC-like Theories: Decidability and Closure Properties, in: Proc. 14th Int. Conf. Rewriting Techniques and Applications (RTA 2003), Valencia, Spain, June 2003, Lecture Notes in Computer Science, 2706, Springer, p. 180–196, 2003, http://www.lsv.ens-cachan.fr/publis/papers/ver-rta03.ps.

[111] Y. Zhang, D. Nowak, Logical Relations for Dynamic Name Creation, in: Proc. 17th Int. Workshop Computer Science Logic (CSL 2003) and 8th Kurt Gödel Coll. (KGL 2003), Vienna, Austria, Aug. 2003, Lecture Notes in Computer Science, 2803, Springer, p. 575–588, 2003, http://www.lsv.ens-cachan.fr/publis/papers/zn-csl2003.ps.

Internal Reports

[112] M. Baudet, V. Cortier, S. Kremer, Computationally Sound Implementations of Equational Theories Against Passive Adversaries, Research Report number 2005/074, Cryptology eprint Archive, March 2005, 28 pages, http://www.lsv.ens-cachan.fr/publis/PAPERS/PDF/BCK05-eprint.pdf.

[113] M. Baudet, Random Polynomial-Time Attacks and Dolev-Yao Models, Research Report number LSV-03-16, Lab. Specification and Verification, ENS de Cachan, Cachan, France, December 2003, 15 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2003-16.rr.ps.

[114] M. Baudet, Deciding Security of Protocols Against Guessing Attacks (Ext. Version), research report, LSV Research Report, 2004, http://www.lsv.ens-cachan.fr/ baudet/.

[115] V. Bernat, First-Order Cyberlogic Hereditary Harrop Logic, research report, Stanford Research Institute, 2004, To appear, http://www.lsv.ens-cachan.fr/publis/papers/Bernat-cyberlogic1.ps.

[116] A. Boisseau, Signatures électroniques de contrats, Research Report number LSV-02-4, Lab. Specification and Verification, ENS de Cachan, Cachan, France, April 2002, 22 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2002-4.rr.ps.

[117] A. Bouhoula, F. Jacquemard, Constrained tree grammars to pilot automated proof by induction, Research Report number LSV-04-14, Laboratoire Spécification et Vérification, ENS Cachan, France, June 2004, 20 pages, http://www.lsv.ens-cachan.fr/publis/RAPPORTS LSV/rr-lsv-2004-14.rr.ps.

[118] A. Bouhoula, F. Jacquemard, Automated Induction for Complex Data Structures, Research Report number LSV-05-11, Laboratoire Spécification et Vérification, ENS Cachan, France, July 2005, 24 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/PDF/rr-lsv-2005-11.pdf.

[119] A. Bouhoula, F. Jacquemard, Automatic Verification of Sufficient Completeness for Specifications of Complex Data Structures, Research Report number LSV-05-17, Laboratoire Spécification et Vérification, ENS Cachan, France, August 2005, 14 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/PDF/rr-lsv-2005-17.pdf.

[120] L. Bozga, S. Delaune, F. Klay, R. Treinen, Spécification du protocole de porte-monnaie électronique, research report, RNTL PROUVÉ project, June 2004, 12 pages, http://www.lsv.ens-cachan.fr/prouve/prouve-rap1.ps.gz.

[121] L. Bozga, S. Delaune, F. Klay, L. Vigneron, Retour d'expérience sur la validation du porte-monnaie électronique, Technical Report number 5, RNTL PROUVÉ project, March 2005, 29 pages, http://www.lsv.ens-cachan.fr/publis/papers/ps/prouve-rap5.ps.

[122] R. Chadha, S. Kremer, A. Scedrov, Analysis of Multi-Party Contract Signing, research report number 516, Université Libre de Bruxelles, Belgium, 2004, http://www.lsv.ens-cachan.fr/publis/papers/ps/kremer-rt516.ps.gz.

[123] S. Chhabra, Extraction of Intrusion Detection Signatures from Failed Proofs Of Cryptographic Protocols, research report, LSV/CNRS UMR 8643 & ENS Cachan, 2002, Work in progress.

[124] H. Comon-Lundh, V. Cortier, Security Properties: Two Agents Are Sufficient, Research Report number LSV-02-10, Lab. Specification and Verification, ENS de Cachan, Cachan, France, August 2002, 26 pages, http://www.lsv.ens-cachan.fr/publis/RAPPORTS LSV/rr-lsv-2002-10.rr.ps.

[125] H. Comon-Lundh, S. Delaune, The Finite Variant Property: How to Get Rid of Some Algebraic Properties, Research Report number LSV-04-17, Laboratoire Spécification et Vérification, ENS Cachan, France, December 2004, 21 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2004-17.rr.ps.

[126] H. Comon-Lundh, V. Shmatikov, Constraint Solving, Exclusive Or and the Decision of Confidentiality for Security Protocols Assuming a Bounded Number of Sessions, Research Report number LSV-03-1, Lab. Specification and Verification, ENS de Cachan, Cachan, France, January 2003, 17 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2003-1.rr.ps.

[127] H. Comon-Lundh, R. Treinen, Easy Intruder Deductions, Research Report number LSV-03-8, Lab. Specification and Verification, ENS de Cachan, Cachan, France, April 2003, 17 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2003-8.rr.ps.

[128] H. Comon-Lundh, R. Treinen, Preliminary lecture notes, logic course, Magistère STIC, first term, first year, ENS Cachan, 2003.

[129] V. Cortier, S. Delaune, P. Lafourcade, A Survey of Algebraic Properties Used in Cryptographic Protocols, research report, RNTL PROUVÉ project, June 2004, 19 pages, http://www.lsv.ens-cachan.fr/prouve/prouve-rap2.ps.gz.

[130] V. Cortier, S. Delaune, P. Lafourcade, A Survey of Algebraic Properties Used in Cryptographic Protocols, Research Report number LSV-04-15, Laboratoire Spécification et Vérification, ENS Cachan, France, October 2004, 35 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2004-15.rr.ps.

[131] V. Cortier, F. Klay, Y. Lakhnech, B. Tavernier, R. Treinen, Projet RNTL Prouvé Fiche d'étape 2004, research report, RNTL Prouvé project, March 2005, 6 pages.

[132] V. Cortier, Observational equivalence and trace equivalence in an extension of Spi-calculus. Application to cryptographic protocols analysis. Extended version, Research Report number LSV-02-3, Lab. Specification and Verification, ENS de Cachan, Cachan, France, March 2002, 33 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2002-3.rr.ps.

[133] V. Cortier, Outil de vérification SECURIFY, research report number 7, RNTL EVA project, May 2002, 6 pages, http://www.lsv.ens-cachan.fr/ cortier/eva-tr7.pdf.

[134] S. Delaune, F. Jacquemard, Narrowing-Based Constraint Solving for the Verification of Security Protocols, Research Report number LSV-04-8, Laboratoire Spécification et Vérification, ENS Cachan, France, April 2004, 24 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2004-8.rr.ps.

[135] S. Delaune, F. Jacquemard, A Theory of Guessing Attacks and Its Complexity, Research Report number LSV-04-1, Laboratoire Spécification et Vérification, ENS Cachan, France, January 2004, 25 pages, http://www.lsv.ens-cachan.fr/publis/RAPPORTS LSV/rr-lsv-2004-1.rr.ps.

[136] S. Delaune, F. Klay, S. Kremer, Spécification du protocole de vote électronique, Technical Report number 6, RNTL PROUVÉ project, November 2005, 19 pages, http://www.lsv.ens-cachan.fr/publis/papers/pdf/prouve-rap6.pdf.

[137] S. Delaune, P. Lafourcade, D. Lugiez, R. Treinen, Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive Or, Research Report number LSV-05-20, Laboratoire Spécification et Vérification, ENS Cachan, France, November 2005, 44 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/PDF/rr-lsv-2005-20.pdf.

[138] S. Demri, H. de Nivelle, Deciding Regular Grammar Logics with Converse through First-Order Logic, Research Report number LSV-03-4, Lab. Specification and Verification, ENS de Cachan, Cachan, France, February 2003, 29 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2003-4.rr.ps.

[139] S. Demri, D. D'Souza, An Automata-Theoretic Approach to Constraint LTL, Research Report number LSV-03-11, Lab. Specification and Verification, ENS de Cachan, Cachan, France, August 2003, 40 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2003-11.rr.ps.

[140] S. Demri, M. Ducassé, J. Goubault-Larrecq, L. Mé, J. Olivain, C. Picaronny, J.-P. Pouzol, E. Totel, B. Vivinis, Algorithmes de détection et langages de signatures, research report, RNTL DICO project, October 2003, Subtask 3, deliverable 3. 72 pages.

[141] S. Demri, R. Gascon, The Effects of Bounding Syntactic Resources on Presburger LTL, Research Report number LSV-06-05, Laboratoire Spécification et Vérification, ENS Cachan, France, February 2006, 36 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/PDF/rr-lsv-2006-05.pdf.

[142] S. Demri, LTL over Integer Periodicity Constraints, Research Report number LSV-03-13, Lab. Specification and Verification, ENS de Cachan, Cachan, France, October 2003, 34 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2003-13.rr.ps.

[143] S. Demri, LTL over Integer Periodicity Constraints, Research Report number LSV-04-6, Laboratoire Spécification et Vérification, ENS Cachan, France, February 2004, 35 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2004-6.rr.ps.

[144] J. Goubault-Larrecq, S. Lasota, D. Nowak, Y. Zhang, Complete Lax Logical Relations for Cryptographic Lambda-Calculi, Research Report number LSV-04-4, Laboratoire Spécification et Vérification, ENS Cachan, France, February 2004, 16 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2004-4.rr.ps.

[145] J. Goubault-Larrecq, S. Lasota, D. Nowak, Logical Relations for Monadic Types, Research Report number LSV-04-13, Lab. Specification and Verification, ENS de Cachan, Cachan, France, June 2004, 80 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2004-13.rr.ps.

[146] J. Goubault-Larrecq, S. Lasota, D. Nowak, Logical Relations for Monadic Types, Research Report number cs.lo/0511006, Computing Research Repository, November 2005, 81 pages, http://arxiv.org/abs/cs.lo/0511006.

[147] J. Goubault-Larrecq, J.-P. Pouzol, S. Demri, L. Mé, P. Carle, Langages de détection d'attaques par signatures, research report, RNTL DICO project, June 2002, Subtask 3, deliverable 1. 30 pages.

[148] J. Goubault-Larrecq, M. Roger, K. N. Verma, Abstraction and Resolution Modulo AC: How to Verify Diffie-Hellman-like Protocols Automatically, Research Report number LSV-04-7, Laboratoire Spécification et Vérification, ENS Cachan, France, March 2004, 40 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2004-7.rr.ps.

[149] J. Goubault-Larrecq, K. N. Verma, Alternating Two-Way AC-Tree Automata, Research Report number LSV-02-1, Lab. Specification and Verification, ENS de Cachan, Cachan, France, January 2002, 15 pages. Extended and corrected version, September 2002; available from the authors, goubault@lsv.ens-cachan.fr, verma@lsv.ens-cachan.fr.

[150] J. Goubault-Larrecq, K. N. Verma, Alternating Two-Way AC-Tree Automata, Research Report number LSV-02-11, Lab. Specification and Verification, ENS de Cachan, Cachan, France, September 2002, 21 pages, http://www.lsv.ens-cachan.fr/publis/RAPPORTS LSV/rr-lsv-2002-11.rr.ps.

[151] J. Goubault-Larrecq, A Note on the Completeness of Certain Refinements of Resolution, Research Report number LSV-02-8, Lab. Specification and Verification, ENS de Cachan, Cachan, France, July 2002, 16 pages, http://www.lsv.ens-cachan.fr/publis/RAPPORTS LSV/rr-lsv-2002-8.rr.ps.

[152] J. Goubault-Larrecq, Outils CPV et CPV2, research report, RNTL EVA project, May 2002, 7 pages.

[153] J. Goubault-Larrecq, Reading Notes: Why is Cpo Cocomplete?, Research Report number LSV-02-15, Lab. Specification and Verification, ENS de Cachan, Cachan, France, October 2002, 8 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2002-15.rr.ps.

[154] J. Goubault-Larrecq, SKInT Labels, Research Report number LSV-02-7, Lab. Specification and Verification, ENS de Cachan, Cachan, France, July 2002, 15 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2002-7.rr.ps.

[155] J. Goubault-Larrecq, Un Algorithme pour l'Analyse de Logs, Research Report number LSV-02-18, Lab. Specification and Verification, ENS de Cachan, Cachan, France, November 2002, 33 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2002-18.rr.ps.

[156] J. Goubault-Larrecq, The h1 Tool Suite, LSV, CNRS UMR 8643 & INRIA project SECSI & ENS Cachan, 2003, Software, version 1.1.

[157] J. Goubault-Larrecq, Programmation, Magistère STIC, first term, first year, ENS Cachan, 2003, 78 pages, http://www.lsv.ens-cachan.fr/ goubault/cours.html#programmation.

[158] J. Goubault-Larrecq, Résolution ordonnée avec sélection et classes décidables de la logique du premier ordre, DEA Programmation, DEA, 2003, 70 pages, http://www.lsv.ens-cachan.fr/ goubault/soresol.ps, http://www.lsv.ens-cachan.fr/ goubault/SOresol.ps.

[159] J. Goubault-Larrecq, Cours de complexité 2, Magistère STIC, second term, first year, ENS Cachan, 2006, http://www.lsv.ens-cachan.fr/ goubault/complexite/pcp.pdf.

[160] F. Jacquemard, M. Rusinowitch, L. Vigneron, Tree Automata with Equality Constraints Modulo Equational Theories, Research Report number RR-5754, INRIA, August 2005, 34 pages.

[161] F. Jacquemard, M. Rusinowitch, L. Vigneron, Tree Automata with Equality Constraints Modulo Equational Theories, Research Report number LSV-05-16, Laboratoire Spécification et Vérification, ENS Cachan, France, August 2005, 34 pages. An improved version of this report is now available under the number LSV-06-07.

[162] F. Jacquemard, The EVA translator, version 6, research report number 9, RNTL EVA project, July 2003, 38 pages.

[163] S. Kremer, Y. Lakhnech, R. Treinen, The Prouvé Manual: Specifications, Semantics, and Logics, Technical Report number 7, RNTL PROUVÉ project, December 2005, 49 pages, http://www.lsv.ens-cachan.fr/publis/papers/pdf/prouve-rap7.pdf.

[164] P. Lafourcade, D. Lugiez, R. Treinen, Intruder Deduction for AC-like Equational Theories with Homomorphisms, Research Report number LSV-04-16, Laboratoire Spécification et Vérification, ENS Cachan, France, November 2004, 69 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/rr-lsv-2004-16.rr.ps.

[165] P. Lafourcade, D. Lugiez, R. Treinen, Intruder Deduction for the Equational Theory of Exclusive-or with Distributive Encryption, Research Report number LSV-05-19, Laboratoire Spécification et Vérification, ENS Cachan, France, October 2005, 39 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/PDF/rr-lsv-2005-19.pdf.

[166] P. Lafourcade, Intruder Deduction for the Equational Theory of Exclusive-or with Commutative and Distributive Encryption, Research Report number LSV-05-21, Laboratoire Spécification et Vérification, ENS Cachan, France, November 2005, 20 pages, http://www.lsv.ens-cachan.fr/publis/rapports LSV/PDF/rr-lsv-2005-21.pdf.

[167] O. Michel, F. Jacquemard, J.-L. Giavitto, Three Variations on the Analysis of the Needham-Schroeder Public-Key Protocol with MGS, research report number LaMI-98-2004, LaMI Université d'Evry - CNRS, May 2004, 25 pages.

[168] R. Treinen, Constraint Solving and Decision Problems of First-Order Theories of Concrete Domains, DEA Informatique, DEA, 2003, http://www.lsv.ens-cachan.fr/ treinen/publi/concrete.ps.gz.

[169] R. Treinen, Notes de cours préliminaires: Cours de complexité, Magistère STIC, second term, first year, ENS Cachan, 2004.

[170] R. Treinen, The PROUVÉ specification language, research report, RNTL PROUVÉ project, August 2004, 10 pages, http://www.lsv.ens-cachan.fr/prouve/prouve-rap3.ps.gz.

[171] K. N. Verma, J. Goubault-Larrecq, Karp-Miller Trees for a Branching Extension of VASS, Research Report number LSV-04-3, Lab. Specification and Verification, ENS de Cachan, Cachan, France, January 2004, 21 pages, http://www.lsv.ens-cachan.fr/Publis/RAPPORTS LSV/rr-lsv-2004-3.rr.ps.

Miscellaneous

[172] H. Comon, How Difficult is it to Retrieve a Secret?, Invited talk. Workshop on Complexity in Automated Deduction, FloC, Copenhagen, July 2002.

[173] S. Delaune, Vérification de protocoles de sécurité dans un modèle de l'intrus étendu, DEA thesis, DEA Programmation, September 2003, 62 pages, http://www.lsv.ens-cachan.fr/publis/papers/delaune-dea2003.ps.

[174] S. Demri, (Modal) Logics for Semistructured Data (Bis), Invited Talk. Third Workshop on Methods for Modalities, Nancy, France, September 2003.

[175] J. Goubault-Larrecq, The EVA Parser and Translator, 2002, Started in 2001. Written in C (1327 lines), OCaml (361 lines), HimML (3454 lines), http://www.lsv.ens-cachan.fr/ goubault/eva.html.

[176] J. Goubault-Larrecq, L'outil Csur, 2002, Tool freely distributable, under conditions: some modules can only be distributed in compiled form, as the tool serves as the project for the course Analyse statique de code of the DESS Développement de Logiciels Sûrs. In OCaml, 12648 lines, http://www.lsv.ens-cachan.fr/ goubault/csur/csur.html.

[177] J. Goubault-Larrecq, On Cryptographic Protocols, Regular Tree Languages, and Automated Deduction, Invited talk, Workshop on Security Analysis of Systems: Formalism and Tools (SASYFT-2004), Orléans, France, June 2004, http://www.lsv.ens-cachan.fr/ goubault/talk sasyft.pdf.

[178] D. Nowak, Logical Relations for Monadic Types, Invited talk. Int. Workshop on Formal Methods and Security (IWFMS 2004), Nanjing, P. R. China, May 2004.

[179] J. Olivain, EVTGEN v1.0: A Programmable Generic Generator of Event Sequences, July 2004, Written in C (about 5000 lines).

[180] F. Parrennes, L'outil CSur, http://www.lsv.ens-cachan.fr/software/csur, 2004.

[181] B. Ratti, Automates d'arbre d'ordre deux, DEA thesis, DEA Programmation, Paris, France, September 2004, 45 pages, http://www.lsv.ens-cachan.fr/publis/papers/PS/BRatti-dea2004.ps.gz.

[182] R. Treinen, RTALOOP: The RTA List of Open Problems, Web site at www.lsv.ens-cachan.fr/rtaloop, started 1997, 2004, Size as of July 2004: 100 problems, 90 pages, 432 references.

[183] Y. Zhang, Logical Relations For Names, DEA thesis, DEA Programmation, September 2002, 30 pages, http://www.lsv.ens-cachan.fr/publis/papers/zy-dea02.ps.