Natarajan Meghanathan et al. (Eds) : ICCSEA, SPPR, VLSI, WiMoA, SCAI, CNSA, WeST - 2014
pp. 229–250, 2014. © CS & IT-CSCP 2014 DOI : 10.5121/csit.2014.4728
Jaouhar Fattahi^1 and Mohamed Mejri^1 and Hanane Houmani^2
^1 LSI Group, Laval University, Quebec, Canada
^2 University Hassan II, Morocco
ABSTRACT
In this paper, we present new functions for secrecy in cryptographic protocols: the
witness-functions. A witness-function is a protocol-dependent function that is able to prove the
correctness of a protocol through its growth. It bases its calculation only on the static part of a
message in a role-based specification, using derivation techniques. We show here how to
build them. Then, we run an analysis on two real protocols. First, we analyze the NSL
protocol and prove that it is correct with respect to the property of secrecy. Then, we analyze
a variation of the Needham-Schroeder protocol, in which we show that a witness-function
can even help to discover flaws.
KEYWORDS
Cryptographic Protocols, Role-based specification, Secrecy
1. INTRODUCTION
In this paper, we present a new class of functions to analyze cryptographic protocols statically for
the property of secrecy: the witness-functions. Intuitively, an increasing protocol keeps the secret.
That means that if the security of all atomic messages exchanged in the protocol does not decay
between receiving and sending steps in the protocol, the secret is preserved. For that, we need
reliable metrics to estimate the security of atomic messages. This approach has been adopted in
some prior works. In [1], Steve Schneider presented the notion of rank-functions as tools to
analyze protocols in CSP [2, 3]. They were efficient in analyzing many protocols such as the
Needham-Schroeder protocol. Nevertheless, such an analysis requires the protocol to be implemented
in the CSP algebra. In addition, building rank-functions is not an easy task and their existence is
not certain [4]. In [5], Abadi, using the Spi-Calculus [6, 7], asserted that: "If a protocol
typechecks, then it keeps the secret". For that, he restricted the exchanged messages to have
strictly the following types: {secret, public, any, confounder} in order to easily know the security
level of every component in. This approach cannot analyze prior protocols that were designed
without respect to this condition.
Similarly, Houmani et al. [8–11] presented universal functions, which they named interpretation
functions, to statically analyze a protocol. An interpretation function needs to meet some
conditions to be "good enough" for the analysis. Naturally, less we have restrictions on functions,