Verifying equivalence properties of security protocols

Security protocols are used nowadays for securing transactions through public channels, like the Internet. Typical examples of applications include electronic commerce, electronic voting or mobile ad hoc networking. In order to obtain as much confidence as possible, several formal methods have been proposed for analyzing properties of security protocols. Depending on the goals which a security protocol has, there are several types of properties that need to be verified. First, there are reachability or trace-based properties, which express the fact that a bad state cannot be reached. Two classical reachability properties are secrecy and authentication. Secrecy expresses the fact that a secret key or nonce cannot become public and authentication is used for ensuring an agent of other’s identity. However, there are some security properties, like privacy, that cannot be formulated in terms of reachability. These can be modeled using equivalence-based properties, usually used to express indistinguishably, a security property satisfied when an observer cannot distinguish between two processes. This is crucial in proving anonymity properties, where an attacker should not be able to distinguish a run involving an agent A from a run involving another participant A′. Anonymity is also used in the context of electronic voting, where two different runs of the voting protocol should be indistinguishable for the attacker in order to ensure that no information is leaked about the vote of a participant. Another equivalence-based property is resistance to off line