
Section: Scientific Foundations

Indistinguishability proofs

Most of the research in activities 1.1, 1.2 and 1.3 is concerned with rather traditional security properties, namely secrecy or authentication—in general, (un)reachability properties. However, in cryptography many properties are formulated as indistinguishability properties.

Strong notions of secrecy are not reachability properties, and in fact are not trace properties. Rather, they are characterized using contextual equivalences. A notion of bisimulation complete for contextual equivalence in the spi-calculus was found by Cortier [73]. The cryptographic results of [1] relate cryptographic security to static equivalence, a form of contextual equivalence well-suited to passive adversaries introduced in Abadi and Fournet's applied pi-calculus [55]. Notions of strong security and contextual equivalence have also been studied in the framework of higher-order computation (a lambda-calculus with name creation and cryptographic primitives) by Zhang, using Kripke logical relations [103], [87], [95]. Zhang's thesis [104] was awarded the 2006 prize of the AFCRST (French-Chinese Association for Scientific and Technical Research). Other examples of indistinguishability properties that we have studied are privacy-related properties such as those appearing in electronic voting protocols [5] and offline guessing attacks [59].

In SECSI, we have been working on decision procedures, combination and composition results for such equivalence properties. In particular, decision procedures for many equational theories [1], [60], [91], [96], combination [58] and composition [80] results have been achieved for static equivalence. In the active case we are also working on symbolic methods for deciding observational equivalences [60], [79].

The thrust is on more properties and more automation.

