Section: New Results

Indistinguishability proofs

Participants : Rohit Chadha, Vincent Cheval, Ştefan Ciobâcă, Hubert Comon-Lundh, Stéphanie Delaune, Steve Kremer.

Most existing results focus on trace properties like secrecy or authentication. There are however several security properties, which cannot be defined (or cannot be naturally defined) as trace properties and require the notion of indistinguishably. Typical examples are anonymity, privacy related properties or statements closer to security properties used in cryptography.

In the framework of the applied pi-calculus  [55] , as in similar languages based on equational logics, indistinguishably corresponds to a relation called observational equivalence. Roughly, two processes are observationally equivalent when an observer cannot see any difference between the two processes. Static equivalence applies only to observations on finite sets of messages, and do not take into account the dynamic behavior of a process whereas the notion of observational equivalence is more general and takes into account this aspect. Nevertheless, it has been shown that observational equivalence in the applied pi-calculus coincides with labeled bisimulation, that is, corresponds to checking a number of static equivalences and some standard bisimulation conditions.

Static equivalence.

As explained above, static equivalence is a cornerstone to provide decision procedures for observational equivalence.

In [23] , Stéphanie Delaune, in collaboration with Mathieu Baudet (DCSSI, France) and Véronique Cortier (LORIA, France), provides a generic procedure for static equivalence that takes as input any convergent rewrite system. Their algorithm covers most of the existing decision procedures for convergent theories and has been implemented in the YAPA tool. This allows one for instance to automatically check static equivalence in presence of blind signature, a cryptographic primitive often used in e-voting protocol. However, due to its simple representation of deducible terms, the procedure fails on several interesting equational theories like the theory of trapdoor commitments.

In [30] , Ştefan Ciobâcă, Stéphanie Delaune and Steve Kremer propose another representation of deducible terms to overcome this limitation. The procedure terminates on a wide range of equational theories. In particular, they obtain a new decidability result for the theory of trapdoor bit commitment encountered when studying electronic voting protocols. The algorithm has been implemented in the KiSs tool. This result also appear in the informal proceedings of the workshop Secret [46] . A journal version of this work is currently under submission.

Observational equivalence.

In [31] , Stéphanie Delaune, in collaboration with Véronique Cortier (LORIA, France) shows that for a large class of protocols, observational equivalence actually coincides with trace equivalence, a notion simpler to reason with. Then, they reduce the decidability of trace equivalence to deciding symbolic equivalence, an equivalence relation introduced by M. Baudet  [59] . This yields the first decidability result of observational equivalence for a general class of equational theories.

The procedure proposed by Mathieu Baudet in  [59] for deciding symbolic equivalence is quite complex and cannot be implemented in its current state. In order to provide tool support to decide observational equivalence, Vincent Cheval, Hubert Comon-Lundh and Stéphanie Delaune currently work to design another procedure that will be more amenable to automation. This was the main topic of the internship of Vincent Cheval [54] . This work in progress has been presented at the SecCo workshop [45] .

Equivalence based security properties.

In [28] , Rohit Chadha, Stéphanie Delaune and Steve Kremer propose an epistemic logic for the applied pi calculus. This logic allows one to express reachability properties such as secrecy, but also equivalence based security properties such as anonymity. They also study the relationship between the formalization of privacy in electronic voting in term of epistemic formula and the one proposed in [14] in terms of observational equivalence.