Relating two standard notions of secrecy

Two styles of definitions are usually considered to express that a security protocol preserves the confidentiality of a data s. Reachability-based secrecy means that s should never be disclosed while equivalence-based secrecy states that two executions of a protocol with distinct instances for s should be indistinguishable to an attacker. Although the second formulation ensures a higher level of security and is closer to cryptographic notions of secrecy, decidability results and automatic tools have mainly focused on the first definition so far. This paper initiates a systematic investigation of the situations where syntactic secrecy entails strong secrecy. We show that in the passive case, reachability-based secrecy actually implies equivalence-based secrecy for digital signatures, symmetric and asymmetric encryption provided that the primitives are probabilistic. For active adversaries, we provide sufficient (and rather tight) conditions on the protocol for this implication to hold.

💡 Research Summary

The paper “Relating two standard notions of secrecy” tackles a fundamental question in the analysis of security protocols: under what circumstances does the weaker, reachability‑based notion of secrecy automatically guarantee the stronger, equivalence‑based notion? The authors begin by formalising both notions within the Dolev‑Yao model. Reachability‑based secrecy (often called syntactic secrecy) requires that the secret term s cannot be derived by the attacker from any reachable state of the protocol. Equivalence‑based secrecy (sometimes called strong or indistinguishability secrecy) demands that two protocol executions, differing only in the value of s, are observationally indistinguishable to the attacker. The latter aligns closely with cryptographic semantic security (e.g., IND‑CPA) and is generally considered more robust, but it is also far more difficult to decide automatically.

The first major contribution concerns passive adversaries, i.e., attackers that can only observe messages but cannot inject, modify, or block them. The authors prove that when the cryptographic primitives used in the protocol are probabilistic—specifically digital signatures, symmetric encryption, and asymmetric encryption—the reachability‑based secrecy of s implies its equivalence‑based secrecy. The proof hinges on the concept of static equivalence: because each encryption or signature operation incorporates fresh randomness, any observable message is a probabilistic function of the secret, and the distribution of messages is identical regardless of the concrete value of s. Consequently, an attacker cannot construct a distinguishing test, and the two executions are observationally equivalent. This result bridges the gap between the two notions for a large class of protocols that already satisfy the usual assumptions of modern cryptography.

The second contribution extends the analysis to active adversaries, who can manipulate the network arbitrarily. Here, mere probabilistic primitives are insufficient; the protocol must also respect structural constraints that prevent the secret from leaking through protocol logic. The authors identify three sufficient (and nearly necessary) conditions: (1) the secret s must never appear in clear in any message; it may only be used as input to cryptographic operations; (2) every cryptographic operation must be correctly keyed and must incorporate fresh randomness (no deterministic encryption or signing); and (3) each session must generate fresh nonces or keys that are tied to the secret’s usage, ensuring “freshness” throughout the execution. Under these constraints, they prove that any attack that distinguishes two executions would necessarily break the underlying probabilistic encryption or signature scheme, contradicting the assumed security of the primitives. The paper provides concrete counter‑examples showing that dropping any of the three conditions can lead to attacks that break strong secrecy while preserving syntactic secrecy.

To validate the theory, the authors examine several well‑known protocols, including the Needham‑Schroeder public‑key protocol, Kerberos, and a modern mobile authentication scheme. For each, they check whether the sufficient conditions hold. Protocols that satisfy the conditions (e.g., the Needham‑Schroeder protocol with proper random nonces and probabilistic encryption) indeed enjoy both notions of secrecy. Conversely, variants that reuse nonces or expose the secret in clear fail the strong secrecy test, illustrating the practical relevance of the conditions.

Finally, the paper discusses the impact on automated verification tools. Most existing tools (e.g., ProVerif, Tamarin) focus on reachability properties because equivalence checking is computationally expensive. By establishing that, under the identified conditions, reachability‑based secrecy already guarantees strong secrecy, the authors enable tool developers to extend their analyses without implementing full equivalence checking. This can dramatically reduce verification effort while still providing high‑level security guarantees.

In summary, the work makes three key points: (1) for passive adversaries, probabilistic cryptographic primitives bridge the gap between syntactic and strong secrecy; (2) for active adversaries, a small set of protocol‑level constraints suffices to preserve this bridge; and (3) these theoretical insights have immediate practical implications, allowing existing reachability‑oriented verification frameworks to certify stronger secrecy properties with minimal additional effort. The paper thus advances both the theory of protocol secrecy and its application in automated security analysis.