Symbolic Bisimulation in the Spi Calculus
Authors
Abstract
The spi calculus is an executable model for the description and analysis of cryptographic protocols. Security objectives like secrecy and authenticity can be formulated as equations between spi calculus terms, where equality is interpreted as a contextual equivalence. One problem with verifying contextual equivalences for message-passing process calculi is the infinite branching on process input. In this paper, we propose a general symbolic semantics for the spi calculus, where an input prefix gives rise to only one transition. To avoid infinite quantification over contexts, non-contextual concrete bisimulations approximating barbed equivalence have been defined. We propose a symbolic bisimulation that is sound with respect to barbed equivalence, and brings us closer to automated bisimulation checks.

1 Background, Related Work, and Summary

Verification of Cryptographic Protocols in the Spi Calculus. Abadi and Gordon designed the spi calculus as an extension of the pi calculus with encryption primitives in order to describe and formally analyze cryptographic protocols [AG99]. The success of the spi calculus is due to at least three reasons. (1) It is equipped with an operational semantics; thus any protocol described in the calculus may be regarded as executable. (2) Security properties can be formulated as equations on process terms, so no external formalism is needed. (3) Contextual equivalences on process terms avoid the need to explicitly model the attacker; they take into account any attacker that can be expressed in the calculus.

For example, we may wish to analyze the trivial cryptographic protocol $(\nu k)(A \mid B)$ where $A := a\langle E_k m\rangle$ and $B := a(x).f\langle D_k x\rangle$, consisting of participant $A$ sending on channel $a$ the message $m$, encrypted under the secret shared symmetric key $k$, to participant $B$ who tries to decrypt the received message and, in case of successful decryption, outputs the result on channel $f$.

We may compare this protocol with its specification $(\nu k)(A \mid B)$ where $A := a\langle E_k m\rangle$ and $B := a(y).[D_k y : M]\,f\langle m\rangle$, where $B$ transmits the correct message $m$ on channel $f$ whenever the dummy message (on reception bound to $y$) can be decrypted (as expressed by the guard $[D_k y : M]$). If the equation $(\nu k)(A \mid B) = (\nu k)(A \mid B)$ holds, then no context is able to influence the authenticity (more precisely: integrity) of the message $m$. Apart from the equational style, cryptographic protocols in the spi calculus are analyzed by control flow analysis, trace analysis, reachability analysis, and type systems; they are beyond the scope of this paper.

Supported by the Swiss National Science Foundation, grant No. 21-65180.1.

Johannes Borgström, Sébastien Briais, Uwe Nestmann

[Figure: symbolic bisimulation [this paper]; hedged bisimulation [BN02, BDP02]]
Similar resources
A Symbolic Characterisation of Open Bisimulation for the Spi Calculus
Open hedged bisimulation was proposed as a generalisation to the spi calculus of the pi calculus' open bisimulation. In this paper, we extend previous work on open hedged bisimulation. We show that open hedged bisimilarity is closed under respectful substitutions and give a symbolic characterisation of open hedged bisimulation. The latter result is an important step towards mechanisation of open...
A Trace Based Bisimulation for the Spi Calculus: An Extended Abstract
A notion of open bisimulation is formulated for the spi calculus, an extension of the π-calculus with cryptographic primitives. In this formulation, open bisimulation is indexed by pairs of symbolic traces, which represent the history of interactions between the environment with the pairs of processes being checked for bisimilarity. The use of symbolic traces allows for a symbolic treatment of ...
A Trace Based Bisimulation for the Spi Calculus
A notion of open bisimulation is formulated for the spi calculus, an extension of the π-calculus with cryptographic primitives. In this formulation, open bisimulation is indexed by pairs of symbolic traces, which represent the history of interactions between the environment with the pairs of processes being checked for bisimilarity. The use of symbolic traces allows for a symbolic treatment of b...
A Complete Symbolic Bisimilarity for an Extended Spi Calculus
Several symbolic notions of bisimilarity have been defined for the spi calculus and the applied pi calculus. In this paper, we treat a spi calculus with a general constructor-destructor message algebra, and define a symbolic bisimilarity that is both sound and complete with respect to its concrete counterpart.
Formalising Observer Theory for Environment-Sensitive Bisimulation
We consider a formalisation of a notion of observer (or intruder) theories, commonly used in symbolic analysis of security protocols. An observer theory describes the knowledge and capabilities of an observer, and can be given a formal account using deductive systems, such as those used in various “environment-sensitive” bisimulation for process calculi, e.g., the spi-calculus. Two notions are ...