Keywords

1 Introduction

The applied \(\pi \)-calculus [2, 5] is a generalisation and extension of the \(\pi \)-calculus [37] useful for verifying security and privacy properties of cryptographic protocols. Some security and privacy properties may be expressed as an equivalence problem, for instance by comparing the actual protocol to an idealised specification that trivially satisfies the desired property [8, 23, 24, 28, 33]. This paper employs good-practice principles for designing process equivalences for cryptographic calculi. We define two equivalences: one based on testing and another based on labelled transitions. The two equivalences are proven to coincide; thereby establishing that observables represented by the labels on transitions capture all relevant information about all testing contexts. This paradigm is suited to cryptographic calculi, where the testing environment contains attackers that can be inserted into a network without direct access to key material and other secrets, yet may violate security and privacy requirements of a protocol. By using an equivalence based on labelled transitions for cryptographic calculi we learn that we do not need to know all details of such malicious agents, and that to characterise such attackers it is sufficient to look only at the input and output actions of honest agents modelled in the specification of the protocol. Considering only the inputs and outputs of honest agents makes the formulation of process equivalence problems in terms of labelled transitions easier to check, compared to checking all malicious agents in full.

Amongst the most powerful testing equivalences proposed over the years is open barbed bisimilarity [41], and its equivalent mild simplification saturated bisimilarity [13], which were inspired by dynamic bisimilarity [38]. These testing equivalences consider all contexts at every execution step, hence, by definition, we obtain a congruence – an equivalence relation preserved in all contexts. Considering all contexts at every execution step reflects that new knowledge about the environment may be discovered during execution. Such testing equivalences have been used to inform the design of labelled transition systems and their corresponding notions of labelled equivalence for a range of process calculi including the \(\pi \)-calculus, which led to the emergence of quasi-open bisimilarity [29, 41] – the notion of labelled bisimilarity that coincides with open barbed bisimilarity for the \(\pi \)-calculus.

In this work, we make use of the testing regime offered by open barbed bisimilarity to design a labelled transition system and notion of quasi-open bisimilarity for the applied \(\pi \)-calculus. We argue here that employing a bisimilarity that coincides with the testing regime offered by open barbed bisimilarity, is a win-win choice for the applied \(\pi \)-calculus: not only is such an equivalence well-designed according to good-practice process-design principles; but also it is useful for verifying security and privacy properties. We should always be inclined to select an equivalence that is a congruence over one that is not a congruence without a compelling reason not to; and, in the setting of the applied \(\pi \)-calculus, having a congruence relation opens up new proof techniques, such as the ability to reason about equivalence problems compositionally.

It is possible to design other congruence relations for the applied \(\pi \)-calculus, such as the more famous open bisimilarity [28, 40]. What we found to be fascinating about quasi-open bisimilarity is that, although, in order to be both a congruence relation and a bisimilarity relation, it is necessary that we obtain a finer equivalence compared to the more common early bisimilarity [5] that is not a congruence, the notion of equivalence is not too fine for security and privacy problems. Moving from early bisimilarity to quasi-open bisimilarity for security and privacy problems that can be formulated as equivalence problems, such as unlinkability, strong secrecy (non-interference), voter privacy, anonymity, does not appear to invalidate established properties. While it is impossible to check and anticipate all possible security and privacy problems that can be formulated as an equivalence problem in the applied \(\pi \)-calculus, there is the following compelling reason why we are confident in making this claim. Despite being finer than early bisimilarity, quasi-open bisimilarity still treats classically the important content of security and privacy problems, which is the treatment of private information such as nonces and keys. In contrast, this is not the case for the finer open bisimilarity, since we, in this paper, will demonstrate a representative example of a scenario in which open bisimilarity discovers a spurious attack, whereas quasi-open bisimilarity discovers the expected proof. Indeed, we are yet to encounter a disadvantage of using open barbed bisimilarity rather than observational equivalence for privacy problems.

Outline of Paper. Section 2 provides motivation and explains minimal examples illustrating why quasi-open bisimilarity is an objective choice of bisimilarity congruence. The rest of the paper develops a theory of quasi-open bisimilarity for the applied \(\pi \)-calculus. Section 3 introduces open barbed bisimilarity, which is, by definition, the greatest bisimilarity congruence (we focus on the strong variant). Section 4 introduces an open variant of labelled bisimilarity called quasi-open bisimilarity and proves that it coincides with open barbed bisimilarity. A technical report provides further details [27].

2 Motivating Quasi-open Bisimilarity for the Applied \(\pi \)-Calculus

In the paper, we target properties expressed as a process equivalence. Whether a system satisfies such properties depends not only on the system but also on the choice of equivalence relation, and this choice in fact contributes to the attacker model [28]. In this motivating section, we present the advantages of employing the coarsest bisimilarity congruence and present motivating examples to justify our proposal.

2.1 A Finer Equivalence Discovers Spurious Attacks

Below we provide an example of a property expressed as an equivalence and show that a finer relation can fail to reflect a real attack on the system. Our running example is a cut-down variant of a classic private server example [3, 22]. We express the privacy property as an equivalence between the “real” and the “ideal” behaviours.

Consider a server \(\textit{Server A}\) that responds with an encrypted message only when it receives a particular public key. Otherwise, it responds with a nonce, indistinguishable from a ciphertext. We assume an attacker knows public key \(\texttt {pk}\left( k\right) \) but does not know private key k or nonce r.

\(\textit{Server A}\) can be modelled formally in the applied \(\pi \)-calculus as follows.

$$ {\textit{Server A}:}\quad \begin{array}[t]{rl} \nu k. {\overline{s}}\langle \texttt {pk}\left( k\right) \rangle .\mathopen {!}\!\!&{} \mathopen \nu a. {\overline{c}}\langle a \rangle .a(x). \nu r. \\ {} &{} \texttt {if}\,x = \texttt {pk}\left( k\right) \,\texttt {then}\,{\overline{a}}\langle \texttt {aenc}\left( \langle m, r\rangle , \texttt {pk}\left( k\right) \right) \rangle \, \texttt {else}\,{\overline{a}}\langle r \rangle \end{array} $$

In \(\textit{Server A}\), the prefix \(\nu k. {\overline{s}}\langle \texttt {pk}\left( k\right) \rangle \) stands for announcing a public key. The prefix \(\mathopen {!}\mathopen \nu a. {\overline{c}}\langle a \rangle .a(x).\nu r\) represents the start of an unbounded number of sessions on a fresh channel a where, in each session, an input is received and a nonce r is freshly generated. In each session, one of the following decisions is made, based on the input received. If an input is a public key output previously, \(\textit{Server A}\) responds with a message-nonce pair encrypted with the public key \({\overline{a}}\langle \texttt {aenc}\left( \langle m, r\rangle , \texttt {pk}\left( k\right) \right) \rangle \). Otherwise, \(\textit{Server A}\) sends a dummy random message r indistinguishable from a random cyphertext.

Note that in this minimal formulation of the problem, we refrain from modelling the clients (possibly knowing key k). Of course, the fact that clients transmit their public keys in plaintext may introduce further privacy concerns, which we do not model in this minimal illustration.

We approach the problem of proving that the privacy of the owner of secret key k is preserved by providing a reference specification. The reference specification models how the private server should ideally behave from the perspective of an attacker. The specification, defined as \(\textit{Server B}\) below, differs from \(\textit{Server A}\) in that it transmits a nonce regardless of the message received.

$$ {\textit{Server B}:}\quad \begin{array}{l}\nu k. {\overline{s}}\langle \texttt {pk}\left( k\right) \rangle . \mathopen {!}\mathopen \nu a.{\overline{c}}\langle a \rangle .a(x).\nu r.{\overline{a}}\langle r \rangle \end{array} $$

\(\textit{Server A}\) and \(\textit{Server B}\) are indistinguishable to an external observer – the attacker. An attacker cannot learn that \(\textit{Server A}\) responds in a special way to input \(\texttt {pk}\left( k\right) \). The idea is that an attacker without private key k cannot learn that \(\textit{Server A}\) serves some data m to the owner of k. Thus the privacy of the intended recipient of the data is preserved.

We can verify this privacy property by showing \(\textit{Server A}\) and \(\textit{Server B}\) are bisimilar. The point is that there is a warning: we must take care about which bisimilarity we employ. If we employ the famous open bisimilarity (which also is a congruence), the processes are not equivalent.

Using a suitable labelled transition system [28], \(\textit{Server A}\) can reach the following state, at which point open bisimilarity still allows x (a free variable representing an input) to be instantiated with the message bound to u (i.e., \(\texttt {pk}\left( k\right) \)), representing a previously output message.

$$ \begin{array}[t]{rl} \mathopen {\nu k, a_1, r_1.}\big (~ \mathclose {\left\{ ^{\texttt {pk}\left( k\right) , a_1}\!/\!_{u,v}\right\} } \mid&\begin{array}[t]{l} \texttt {if}\,x = \texttt {pk}\left( k\right) \,\texttt {then}\,{\overline{a_1}}\langle \texttt {aenc}\left( \langle m, r_1\rangle , \texttt {pk}\left( k\right) \right) \rangle \, \texttt {else}\,{\overline{a_1}}\langle r_1 \rangle \end{array} \\ \mid &{} \begin{array}[t]{rl} \mathopen {!}\!\!&{} \nu a.{\overline{c}}\langle a \rangle .a(x). \nu r. \\ &{}\texttt {if}\,x = \texttt {pk}\left( k\right) \,\texttt {then}\,{\overline{a}}\langle \texttt {aenc}\left( \langle m, r\rangle , \texttt {pk}\left( k\right) \right) \rangle \, \texttt {else}\,{\overline{a}}\langle r \rangle ~\big ) \end{array} \end{array} $$

Thus, we have not yet committed to \(x = \texttt {pk}\left( k\right) \) or \(x \not = \texttt {pk}\left( k\right) \), and hence we cannot proceed until we provide more information about x. Therefore the guard in the if-then-else statement above cannot yet be resolved; but \(\textit{Server B}\) cannot reach an equivalent state, since it can only reach a state which is immediately ready to perform an action regardless of whether \(x = \texttt {pk}\left( k\right) \) or \(x \not = \texttt {pk}\left( k\right) \). Note we do not assume \(x = \texttt {pk}\left( k\right) \vee x \not = \texttt {pk}\left( k\right) \) holds, which would be an instance of the law of excluded middle; hence we are in an intuitionistic setting [6, 7]. The presented distinguishing strategy, does not correspond to a real attack on the privacy of \(\textit{Server A}\); hence open bisimilarity is not sufficiently coarse to verify this privacy property.

Fortunately, we will see in this paper that quasi-open bisimilarity addresses the above limitation of open bisimilarity. Quasi-open bisimilarity is also intuitionistic [29]. It handles open terms (with free variables) intuitionistically; but handles private messages that an attacker cannot interfere with more subtly. Private information, such as \(\texttt {pk}\left( k\right) \) (bound to u in the above state), can only be received eagerly by an input action; the effect being that messages such as \(\texttt {pk}\left( k\right) \) in the above example are treated classically. Thereby, after receiving the input either \(x = \texttt {pk}\left( k\right) \) or \(x \not = \texttt {pk}\left( k\right) \) holds; from which we establish that \(\textit{Server A}\) and \(\textit{Server B}\) are indeed quasi-open bisimilar.

The example above, elaborated on in the body of the paper, is selected as a minimal explanation for why quasi-open bisimilarity defines an appropriate attacker model.

A Still More Sophisticated Argument. Those that are not yet satisfied with the above illustration, may question whether the limitation of open bisimilarity is due to a particular lifting of open bisimilarity to the applied \(\pi \)-calculus. This is not the case. There are several possible definitions of open bisimilarity for the applied \(\pi \)-calculus that are, firstly, conservative with respect to the original definition of open bisimilarity for the \(\pi \)-calculus [40] and, secondly, also a congruence relation. However, none of them would be able to prove the privacy property illustrated above. The problem lies with mismatch (the else branches in the above example), which is exactly the problem isolated and explored in related work [29].

We illustrate the argument, by drawing attention to two possible ways of conservatively extending open bisimilarity to the applied \(\pi \)-calculus (which features mismatch or else branches). One approach is to extend the histories in the past (see Sect. 5 [29]); while another is to add explicit inequality constraints [28]. Each of these approaches provide different expressive power, as illustrated by the following pair of processes.

$$\begin{array}{l} \begin{array}{l} \textit{Server C} \triangleq \nu k. \nu l. {\overline{s}}\langle \texttt {pk}\left( k\right) \rangle .{\overline{s}}\langle \texttt {pk}\left( l\right) \rangle .P(k) \ \text{ v.s. } \ \textit{Server D} \triangleq \nu k. \nu l. {\overline{s}}\langle \texttt {pk}\left( k\right) \rangle .{\overline{s}}\langle \texttt {pk}\left( l\right) \rangle .P(l) \\ \end{array} \\[9pt] \text{ where } P(t)\triangleq \mathopen \nu a. {\overline{c}}\langle a \rangle .a(x). \nu r. \texttt {if}\,x = \texttt {pk}\left( t\right) \,\texttt {then}\,{\overline{a}}\langle \texttt {aenc}\left( \langle m, r\rangle , \texttt {pk}\left( t\right) \right) \rangle \,\texttt {else}\,{\overline{a}}\langle r \rangle \end{array} $$

When we specify that \(\textit{Server C}\) and \(\textit{Server D}\) should be equivalent, we specify that two servers that respond to different keys (the first or second output) should be indistinguishable. This differs from our previous private server example, where, recall, the specification is stipulated in terms of another private server, \(\textit{Server B}\), that has no information to leak. Surprisingly, the above processes are equivalent under the notion of open bisimilarity obtained by extending histories [29], yet are not equivalent under the notion of open bisimilarity with inequality constraints [28]. Furthermore, processes \(\textit{Server A}\) and \(\textit{Server B}\) from the previous sections are not equivalent under either of the notions of open bisimilarity described, and hence neither extension of open bisimilarity is sufficiently coarse to verify that privacy property.

The fundamental insight is that open bisimilarity is heavily tied to the way it symbolically represents constraints, which gives rise to equivalences that differ for technical reasons which have little to do with the semantics of protocols. Quasi-open bisimilarity however is canonical, as we prove in this work via a completeness result that is independent of any internal constraint system. Finally, quasi-open bisimilarity supports proofs of privacy properties that we expect to hold, as illustrated by the equivalence of \(\textit{Server A}\) and \(\textit{Server B}\) (Sect. 4.2), making it a robust choice that enables compositional reasoning without introducing spurious attacks.

2.2 Too Coarse an Equivalence Misses Real Attacks

Above we have seen an example when a finer property leads to a spurious attack. The situation is mirrored, however, if we attempt to formulate a property using too coarse equivalence: real attacks may be missed. Recent work [26, 28], comprehensively explains an attack on ePassports that allows unauthorised observers to track movements of the holder. This attack was overlooked by trace equivalence, which is strictly coarser than bisimilarity. Thus, taking into consideration both ends of the spectrum, we find that quasi-open bisimilarity is neither too coarse, since it is a bisimilarity, nor too fine, since it does not introduce spurious attacks.

2.3 A Congruence Enables Compositional Reasoning

To illustrate the importance of the presented equivalence being a congruence we briefly introduce a discussion on unlinkability, that is the incapability of determining relationships between two observed protocol sessions. The state-of-the-art approach to unlinkability developed in [28] is as follows. If the process System, reflecting the actual behaviour of the protocol, is equivalent to the process Spec, which specifies the ideal behaviour (from the attacker’s perspective), we say that such a protocol is unlinkable.

Consider an abstract authentication protocol with two roles: \(\mathopen C\) and \(\mathopen T\). The agent playing role \(\mathopen C\) holds credentials signed by the secret key s of the certification authority CA and wants to be able to assume the same identity multiple times without the risk of being reidentified. The goal of the agent playing \(\mathopen T\) is to verify these credentials using the public key \(\texttt {pk}(s)\) of the CA and authenticate \(\mathopen C\). The real-world behaviour of the system can be modelled as follows.

$$ \textit{System} \triangleq \begin{array}[t]{l} \mathopen \nu s.\Big ( \begin{array}[t]{l} \mathopen {!}\nu a.\mathopen {!}\nu ch_c. {\overline{c_{C}}}\langle ch_c \rangle .\mathopen C(s, ch_c, a) \mid {\overline{out}}\langle \texttt {pk}\left( s\right) \rangle . \mathopen {!}\nu ch_t. {\overline{c_{T}}}\langle ch_t \rangle .\mathopen T(\texttt {pk}\left( s\right) , ch_t) ~\Big ) \end{array} \end{array} $$

Initially, the CA’s secret key s is created. The first parallel component above defines agents with identity \(a\) that can participate in an arbitrary number of sessions of the protocol. Each session begins with advertising a fresh session channel \(ch_c\) on the public channel \(c_{C}\), modelling a new connection to a new session. The leftmost replication models that any number of agents can exist in the system, while the subsequent replication is what allow an agent to appear with the same identity across multiple sessions. The second parallel component above makes the public key \(\texttt {pk}\left( s\right) \) of the CA available to the environment via the output on the public channel out. After that, the role \(\mathopen T\) is specified which tries to authenticate a genuine agent in role \(\mathopen C\) making use of \(\texttt {pk}\left( s\right) \). Such sessions in role \(\mathopen T\) also begin by advertising a fresh session channel on public channel \(c_{T}\). The processes \(\mathopen C(s, ch_t)\) and \(\mathopen T(\texttt {pk}\left( s\right) , ch_t)\) can be instantiated to model various protocols.

On the other hand, the ideal system is obtained from System by removing the second replication, which means that the agent with the identity \(a\) can participate in one protocol run only.

$$ \textit{Spec} \triangleq \begin{array}[t]{l} \mathopen \nu s.\Big ( \begin{array}[t]{l} \mathopen {!}\nu a. \nu ch_c. {\overline{c_{C}}}\langle ch_c \rangle .\mathopen C(s, ch_c, a) \mid {\overline{out}}\langle \texttt {pk}\left( s\right) \rangle . \mathopen {!}\nu ch_t. {\overline{c_{T}}}\langle ch_t \rangle .\mathopen T(\texttt {pk}\left( s\right) , ch_t) ~\Big ) \end{array} \end{array} $$

The definition of unlinkability is as follows.

Definition 1

(unlinkability). The system satisfies unlinkability if \(\textit{System} \approx \textit{Spec}\) holds, where \(\approx \) is weak early bisimilarity.

The fact that quasi-open bisimilarity is a congruence allows us to verify an equivalence property for a smaller system and extend the proof to a larger system. Consider a smaller system comprising only agents playing the role \(\mathopen C\).

$$ {Small\_System} \triangleq \begin{array}[t]{l} \mathopen \nu s. \begin{array}[t]{l} {\overline{out}}\langle \texttt {pk}\left( s\right) \rangle . \mathopen {!}\nu a.\mathopen {!}\nu ch_c. {\overline{c_{C}}}\langle ch_c \rangle .\mathopen C(s, ch_c, a) \end{array} \end{array} $$

The corresponding, smaller version of the idealised specification where there is one session per identity is as follows.

$$ {Small\_Spec} \triangleq \begin{array}[t]{l} \mathopen \nu s. \begin{array}[t]{l} {\overline{out}}\langle \texttt {pk}\left( s\right) \rangle . \mathopen {!}\nu a. \nu ch_c. {\overline{c_{C}}}\langle ch_c \rangle .\mathopen C(s, ch_c, a) \end{array} \end{array} $$

We are ready now to prove that if we prove properties using the smaller specification with one role then they hold in the more traditional specification with two roles.

Theorem 1

If \({Small\_System} \sim {Small\_Spec}\), where \(\sim \) is quasi-open bisimilarity, then \(\textit{System} \approx \textit{Spec}\).

Proof

Consider the following context, where \(out'\) is a fresh variable.

Firstly,

\( {\mathcal {C}}\left\{ {Small\_System} \right\} \mathclose {\left\{ ^{out}\!/\!_{out'}\right\} } \sim \tau .\textit{System}\) and \({\mathcal {C}}\left\{ {Small\_Spec} \right\} \mathclose {\left\{ ^{out}\!/\!_{out'}\right\} } \sim \tau .\textit{Spec}\) hold. Furthermore, by the assumption, \({Small\_System} \sim {Small\_Spec}\) and the fact that since quasi-open bisimilarity is a congruence (Theorem 2), the following holds.

$$ {\mathcal {C}}\left\{ {Small\_System} \right\} \sim {\mathcal {C}}\left\{ {Small\_Spec} \right\} $$

Furthermore, since quasi-open bisimilarity is closed under substitutions involving free variables (by definition) we have that the following holds.

$$ {\mathcal {C}}\left\{ {Small\_System} \right\} \mathclose {\left\{ ^{out}\!/\!_{out'}\right\} } \sim {\mathcal {C}}\left\{ {Small\_Spec} \right\} \mathclose {\left\{ ^{out}\!/\!_{out'}\right\} } $$

Hence, since quasi-open bisimilarity is an equivalence relation, we have the following.

$$ \tau .\textit{Spec} \sim \tau .\textit{System} $$

Thus there exists a quasi-open bisimulation \(\mathcal {R}\) such that \(\tau .\textit{Spec} \mathrel {\mathcal {R}} \tau .\textit{System}\). Hence, since it must be the case that and \(\textit{Spec} \mathrel {\mathcal {R}} \textit{System}\). Therefore \(\textit{Spec} \sim \textit{System}\). Finally, since \(\sim \subseteq \approx \) we have \(\textit{Spec} \approx \textit{System}\).    \(\square \)

The key difficulty is, of course, to prove that \({Small\_System} \sim {Small\_Spec}\), but studying a smaller system significantly reduces the amount of work. This approach to verifying unlinkability for a subsystem was taken in [30], where authors study key agreement for contactless payments and employ only honest cards in their model of unlinkability.

3 The Coarsest Bisimilarity Congruence

This section concerns the coarsest (strong) bisimilarity congruence – open barbed bisimilarity. Open barbed bisimilarity is a natural choice of bisimilarity, being, by definition, the greatest bisimilarity congruence. Since open barbed bisimilarity has an objective language-independent definition, there are no design decisions – there is only one reasonable definition as explored in this section.

3.1 An Example Message Term Language and Equational Theory

In the applied \(\pi \)-calculus messages can be defined with respect to any message language subject to any equational theory (\(=_{E}\)). The example equational theory we provide in Fig. 1 is for the purpose of providing meaningful examples. Further theories can also be devised not limited to: sub-term convergent theories [1]; blind signatures and homomorphic encryption [20]; and locally stable theories with inverses [9].

Fig. 1.
figure 1

The applied \(\pi \)-calculus can be instantiated with any message language and equational theory for messages. This example message theory is provided only to provide meaningful examples.

Full size image

The example theory provided in Fig. 1 covers asymmetric encryption. A message encrypted with public key \(\texttt {pk}\left( k\right) \) can only be decrypted using private key k. The theory includes a collision-resistant hash function, with no equations. This theory assumes we have the power to detect whether a message is a pair, but cannot distinguish a failed decryption from a random number.

3.2 Active Substitutions and Labelled Transitions

We define a syntax for the applied \(\pi \)-calculus. The syntax is similar to the \(\pi \)-calculus, except messages and channels can be any term rather than just variables. There is no separate syntactic class of terms for names – names are variables bound by new name binders. In addition to processes, extended processes are defined, which allow active substitutions, denoted \(\sigma \), to float alongside processes and in the scope of new name binders, defined in Fig. 2.

Extended processes in normal form \(\mathopen {\nu \mathbf {x}.}\left( \sigma \mid P\right) \) are subject to the restriction that the variables in \({\mathrm {dom}}\left( \sigma \right) \) are fresh for \(\mathbf {x}\), \({\mathrm {fv}}\!\left( P\right) \) and \({\mathrm {fv}}\!\left( y\sigma \right) \), for all variables y (i.e., \(\sigma \) is idempotent, and substitutions are fully applied to P). We follow the convention that operational rules are defined directly on extended processes in normal form up to \(\alpha \)-conversion. This avoids numerous complications caused by the structural congruence in the original definition of bisimilarity for the applied \(\pi \)-calculus. The set of free variables and \(\alpha \)-conversion are as standard, where \(\nu x.P\) and M(x).P bind x in P.

Intuitionistic mismatch. Mismatch requires special attention. Mismatch models the else branch of an if-then-else statement with an equality guard. Hence we can encode a conditional branching statement \(\texttt {if }M\!=\!N\texttt { then }P\texttt { else }Q\) using process \(\mathopen {\left[ M=N \right] }P \,+\, \mathopen {\left[ M\not =N \right] }Q\).

Fig. 2.
figure 2

Syntax of extended processes and an open early labelled transition system.

Full size image

As uncovered in related work [29], the trick for handling mismatch such that we obtain a congruence is to treat mismatch intuitionistically. Intuitionistic negation enjoys the property that it is preserved under substitutions; a property that fails for classical negation in general. E.g., there are substitutions under which \(\mathopen {\left[ x \not = \texttt {h}\left( y\right) \right] }a(z)\) can perform an input transition and others where it cannot, hence neither \(x = \texttt {h}\left( y\right) \) nor \(x \not = \texttt {h}\left( y\right) \) holds in the intuitionistic setting until more information is provided about the environment. In order to define intuitionistic negation, we require the notion of a fresh substitution.

Definition 2 (fresh)

Consider a set of variables \(\mathbf {z}\). We say \(\mathbf {z}\) is fresh for set of variables \(\mathbf {y}\), whenever \(\mathbf {z}\cap \mathbf {y} = \emptyset \). Given a term, say P, we say \(\mathbf {z}\) is fresh for P, whenever \(\mathbf {z}\) is fresh for the free variables of P. Given a substitution \(\sigma \), we say \(\mathbf {z}\) is fresh for \(\sigma \) whenever \(\mathbf {z}\) is fresh for \({\mathrm {dom}}\left( \sigma \right) \), and, for all \(y \not \in \mathbf {z}\), we have \(\mathbf {z}\) is fresh for \(y\sigma \). Freshness extends point-wise to lists of entities and is denoted \(u,v, \ldots \mathrel {\#} M, N, \sigma , \ldots \).

We say entailment \(\mathbf {z}\models M \not = N\) holds whenever there is no \(\sigma \) such that \(\mathbf {z} \mathrel {\#} \sigma \) and \(M\sigma =_{E} N\sigma \).

Consider the following examples that hold or fail to hold for different reasons. Entailment \(\emptyset \models x \not = h(x)\) holds, since there exists no unifier, witnessed by a simple occurs check. In contrast, \(\emptyset \models x \not = h(y)\) does not hold, since there exists substitution \(\mathclose {\left\{ ^{h(y)}\!/\!_{x}\right\} }\) unifying messages x and h(y), so it is still possible the messages could be equal; thus, there is insufficient information to decide whether the messages are equal or not. By extending the environment such that y is a private name, entailment \(y \models x \not = h(y)\) holds, since y is not fresh for the most general unifier \(\mathclose {\left\{ ^{h(y)}\!/\!_{x}\right\} }\) – an observer who can influence x, cannot make x equal to h(y) without access to y.

To define open barbed bisimilarity, we require the labelled transition system for the applied \(\pi \)-calculus in Fig. 2. It is an early labelled transition system due to the way inputs are treated, and open early, since it does not assume that free variables are ground names, unless stated so explicitly in the name environment to the left of the transition relation. There are three types of label: \(\tau \) representing internal progress due to communication; bound output \(\overline{M}(x)\) representing that something bound to x is sent on channel M; and free input \(M\,N\) representing that we receive N on channel M.

The Mismatch and Res Rules. The Mismatch rule is defined in terms of entailment in Definition 2. The Res rule can also influence mismatches by introducing fresh names. For example, the following derivation shows an input is enabled.

figure a

Notice, the bound variable y is added to the set of names, enabling \(y \models {x \not = h(y)}\).

Active Substitutions and Labels. For a non-trivial example where the active substitution affects the label, observe that the following transition is derivable.

figure b

The conditions on the Res rule ensure bound name m cannot appear in the terms on the label. Fortunately, the Inp rule allows m to be expressed in terms of extruded variable w. Since we have \(m =_E \texttt {fst}(\langle m, n\rangle )\) and the equational theory can be applied in rule Inp, the above input action is enabled, where message \(\texttt {fst}(w)\) indirectly refers to channel m.

The Out Rule. The Out rule for the applied \(\pi \)-calculus does not record the message sent on the label; instead, the message is recorded in an active substitution. The domain of the active substitution is chosen to be a fresh variable appearing as the bound variable in the output action on the label.

In the following example a message is sent using the Out rule, then the Res rule is applied such that the private name n in the active substitution remains bound after the transition.

figure c

Observe, by rule Inp, the following input action is enabled.

figure d

Hence, by Close-l and the above input and output transitions, the following interaction is enabled; and Res is used to bind the key k.

figure e

Note this labelled approach to interaction follows closely how interaction traditionally works in the \(\pi \)-calculus. Thus this formulation of labelled transitions facilitates the lifting of results from the \(\pi \)-calculus to the applied \(\pi \)-calculus. An advantage of our labelled transition system is strong, weak, and other variants of bisimilarity can be studied. In contrast, the original system proposed for the applied \(\pi \)-calculus [2] used a hybrid labelled/reduction system that can only be used to formalise weak equivalences. Furthermore, avoiding a structural congruence avoids having to consider all transitions up to an associative-commutative theory (which can make proofs cumbersome). Also, the use of Rep-act and Rep-close for defining replication, respects image-finiteness (up to \(\alpha \)-conversion) [39].

Note, trying to obtain strong bisimilarity by naïvely restricting the original definition of labelled bisimilarity [2] such that every \(\tau \)-transition is matched by exactly one \(\tau \)-transition results in an ill-formulated notion of strong bisimilarity. Doing so, would allow processes, such as \(\textit{Server A}\) and \(\textit{Server B}\) from Sect. 2, to be wrongly distinguished by counting the number of \(\tau \)-transitions induced by branching statements. The rule Sum-l and its counterpart Sum-r avoid this problem.

3.3 A Testing Regime Defining a Bisimilarity Congruence

A barb represents the ability to observe an input or output action on a channel. Barbs are typically used to define barbed equivalence, or observational equivalence [36]. However, barbed equivalence is a congruence but not a bisimilarity; while observational equivalence is a bisimilarity but not a congruence. For this reason, we prefer open barbed bisimilarity [41], which is, by definition, both a bisimilarity and a congruence. We adopt the convention of writing whenever . We say process P has barb M, written \(P\!\downarrow \!M\), whenever, for some A, , or .

Definition 3 (open barbed bisimilarity)

An open barbed bisimulation \(\mathrel {\mathcal {R}}\) is a symmetric relation over processes such that whenever \(P \mathrel {\mathcal {R}}Q\) holds the following hold:

  • For all contexts \({\mathcal {C}}\left\{ \ \cdot \ \right\} \), \({\mathcal {C}}\left\{ P \right\} \mathrel {\mathcal {R}}{\mathcal {C}}\left\{ Q \right\} \).

  • If \(P\!\downarrow \!M\) then \(Q\!\downarrow \!M\).

  • If , there exists \(Q'\) such that and \(P' \mathrel {\mathcal {R}}Q'\) holds.

Open barbed bisimilarity \(\mathrel {\simeq }\) is the greatest open barbed bisimulation. More specifically, processes P and Q are open barbed bisimilar, written \(P \mathrel {\simeq }Q\), whenever there exists an open barbed bisimulation \(\mathcal {R}\) such that \(P \mathrel {\mathcal {R}} Q\).

The power of open barbed bisimilarity comes from closing by all contexts at every step, not only at the beginning of an execution. Closing by all contexts at every step ensures the robustness of open barbed bisimilarity even if the environment is extended at runtime; i.e., we stay within a congruence relation at every step of the bisimulation game.

Recall that a congruence is an equivalence relation preserved in all contexts. Symmetry and context closure of open barbed bisimilarity are immediate from the definition. Reflexivity is trivial since the identity relation is an open barbed bisimulation. Transitivity is only slightly more involved, proven by checking that the composition of two open barbed bisimulation relations is an open barbed bisimulation.

Open barbed bisimilarity is concise – the definition requires only the open labelled transition system in Fig. 2 and the three clauses in Definition 3. Furthermore, it is the coarsest bisimilarity congruence, in the objective sense that it is defined to be a congruence and defined independently of the content of the messages sent and received. Notice, due to the independence of the information on the labels, open barbed bisimilarity applies to any language; indeed open barbed bisimilarity is a generalisation of dynamic observational equivalence [38], that, historically, was used to objectively identify the greatest bisimulation congruence for CCS. Related work also uses the term saturated bisimilarity for such a reference bisimilarity congruence [13, 14], which shows that a single barb, say \(\textit{ok}\) suffices.

For the above reasons, open barbed bisimilarity is an ideal reference definition. However, it is unwieldy due to closure of the definition under all contexts. This leads us to the notion of quasi-open bisimilarity, defined in the next section.

4 Quasi-open Bisimilarity for the Applied \(\pi \)-Calculus

As highlighted in the previous section, open barbed bisimilarity has a concise and objective definition but is difficult to check, due to the quantification over all contexts. An open variant of labelled bisimilarity, called quasi-open bisimilarity, avoids quantifying over all contexts; and furthermore, coincides with open barbed bisimilarity. In this section, we define quasi-open bisimilarity for the applied \(\pi \)-calculus, generalising established results for the \(\pi \)-calculus [29, 41].

4.1 Introducing Quasi-open Bisimilarity for the Applied \(\pi \)-Calculus

To extend quasi-open bisimilarity to the applied \(\pi \)-calculus the notion of static equivalence is required. Static equivalence is defined over the static information in an extended process – the active substitutions and name restrictions.

Definition 4 (static equivalence)

Two extended processes \(\mathopen {\nu \mathbf {x}.}\left( \sigma \mid P \right) \) and \(\mathopen {\nu \mathbf {y}.}\left( \theta \mid Q \right) \) are statically equivalent whenever for all messages M and N such that \(\mathbf {x}, \mathbf {y} \mathrel {\#} M, N\), we have \(M\sigma =_{E} N\sigma \) if and only if \(M\theta =_{E} N\theta \).

In the above definition, messages M and N represent two different “recipes” for producing messages. Two extended processes are distinguished by static equivalence only when the two recipes produce equivalent messages under one substitution, but distinct messages under the other substitution. The concept of static equivalence is no different from original work on the applied \(\pi \)-calculus [5].

Static Equivalence Example. For example, the following extended processes are not statically equivalent.

$$ \mathopen {\nu k.}\left( \mathclose {\left\{ ^{\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) ,\,\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) }\!/\!_{v,\,w}\right\} } \mid 0\right) \text{ is } \text{ distinct } \text{ from }~ \mathopen {\nu k.}\left( \mathclose {\left\{ ^{\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) ,\,\texttt {aenc}\left( z, \texttt {pk}\left( k\right) \right) }\!/\!_{v,\,w}\right\} } \mid 0\right) $$

The above are distinguished by messages v and w. Notice \( v\mathclose {\left\{ ^{\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) ,\,\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) }\!/\!_{v,\,w}\right\} }\) and \(w\mathclose {\left\{ ^{\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) ,\,\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) }\!/\!_{v,\,w}\right\} }\) are both equal to \(\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) \); but the following messages are distinct: \(v\mathclose {\left\{ ^{\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) ,\,\texttt {aenc}\left( z, \texttt {pk}\left( k\right) \right) }\!/\!_{v,\,w}\right\} }\) vs. \(w\mathclose {\left\{ ^{\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) ,\texttt {aenc}\left( z, \texttt {pk}\left( k\right) \right) }\!/\!_{v,w}\right\} }\).

In order to define quasi-open bisimilarity, we require the notion of an open relation between extended processes. An open relation is preserved under substitutions (respecting bound names, including the domain of active substitution) and extensions of the active substitutions and names in environment. In the following, \(\theta \mathclose {\restriction _D}\) is the restriction of a substitution to a set D.

Definition 5 (open)

A relation over extended processes \(\mathcal {R}\) is open whenever we have that if \(\mathopen {\nu \mathbf {x}.}\left( \theta _1 \mid P \right) \mathrel {\mathcal {R}} \mathopen {\nu \mathbf {y}.}\left( \theta _2 \mid Q \right) \) and there exist idempotent substitutions \(\sigma \), \(\rho \) and variables \(\mathbf {z}\) such that: \(\mathbf {x}, \mathbf {y} \mathrel {\#} \sigma , \rho \) and \(\mathbf {z} \mathrel {\#} {\mathrm {dom}}\left( \rho \right) , \mathbf {x}, \mathbf {y}\) and \({\mathrm {dom}}\left( \theta _i\right) \mathrel {\#} \sigma , \rho , \mathbf {z}\) for \(i \in \left\{ 1,2\right\} \), we have the following:

$$ \mathopen {\nu \mathbf {z}, \mathbf {x}.}\left( \left( \theta _1\circ \sigma \right) \mathclose {\restriction _{{\mathrm {dom}}\left( \theta _1\right) }} \circ \rho \mid P\sigma \right) \mathrel {\mathcal {R}} \mathopen {\nu \mathbf {z}, \mathbf {y}.}\left( \left( \theta _2\circ \sigma \right) \mathclose {\restriction _{{\mathrm {dom}}\left( \theta _2\right) }} \circ \rho \mid Q\sigma \right) $$

Given the definition of an open relation, static equivalence, and the labelled transition system, we can provide the following concise definition of quasi-open bisimilarity for the applied \(\pi \)-calculus.

Definition 6 (quasi-open bisimilarity)

An open symmetric relation between extended processes \(\mathrel {\mathcal {R}}\) is a quasi-open bisimulation whenever, if \(A \mathrel {\mathcal {R}} B\) then the following hold:

  • A and B are statically equivalent.

  • If there exists \(B'\) such that and \(A' \mathrel {\mathcal {R}} B'\).

Processes P and Q are quasi-open bisimilar, written \(P \sim Q\), whenever \(P \mathrel {\mathcal {R}} Q\) for some quasi-open bisimulation \(\mathcal {R}\).

The keyword in the definition above is “open” in the sense of Definition 5. Without ensuring that properties are preserved under reachability, the above definition would simply be a strong version of the classical labelled bisimilarity for the applied \(\pi \)-calculus [5]. We illustrate the impact of insisting on an open relation and allowing messages as channels in the following examples.

Remark 1

The definition of quasi-open bisimilarity above is arguably simpler than in the setting of the \(\pi \)-calculus [41]. In contrast to the original definition, since private names are recorded in extended processes, all types of action are handled by one clause. The \(\pi \)-calculus definition maintains an additional index of extruded private names.

Mobility Example. This work builds on a recent evolution of the applied \(\pi \)-calculus [5], which allows processes such as \(\nu z. {\overline{x}}\langle z,y \rangle .z(w)\) and \(\nu z. {\overline{x}}\langle z,y \rangle \) to be evaluated. These processes should not be equivalent, since they are polyadic \(\pi \)-calculus processes [35] (the \(\pi \)-calculus with tuples), and the applied \(\pi \)-calculus should be conservative with respect to the polyadic \(\pi \)-calculus, which was not the case for older definitions of bisimilarity for the applied \(\pi \)-calculus [2]. The trick to allow processes such as the above to be evaluated is simple: allow channels to be messages. This way, a message, such as \(\texttt {fst}(u)\), can be used to indirectly refer to channels. To see why we can distinguish these processes, firstly, consider the following two transitions with matching actions.

figure f

The labelled transition is enabled for the process on the left. The process on the right above \(\mathopen {\nu z.}\left( {\mathclose {\left\{ ^{\langle z, y\rangle }\!/\!_{v}\right\} }} \mid 0\right) \) is deadlocked, so cannot match this transition. Notice the use of message \(\texttt {fst}(v)\) on the input label to refer to the private channel output at the first step.

Fig. 3.
figure 3

Relation \(\mathcal {S}\) defining a quasi-open bisimulation verifying the anonymity of Server A in the case for a single session, without replication.

Full size image

Example Showing Impact of an Open Relation on Static Equivalence. By insisting that a quasi-open bisimulation is an open relation (Definition 5), static equivalence must also be preserved by all fresh substitutions. This has an impact on examples such as the following.

Processes \(\nu x.{\overline{a}}\langle \texttt {aenc}\left( x, z\right) \rangle \) and \(\nu x.{\overline{a}}\langle \texttt {aenc}\left( \langle x, y\rangle , z\right) \rangle \) are labelled bisimilar but not quasi-open bisimilar. To see why, observe both processes can perform a \(\overline{a}(v)\)-transition to the respective extended processes \(\mathopen {\nu x.}\left( {\mathclose {\left\{ ^{\texttt {aenc}\left( x, z\right) }\!/\!_{v}\right\} }} \mid 0 \right) \) and \(\mathopen {\nu x.}\left( {\mathclose {\left\{ ^{\texttt {aenc}\left( \langle x, y\rangle , z\right) }\!/\!_{v}\right\} }} \mid 0 \right) \). These extended process are statically equivalent (recall z cannot be used to decrypt these cyphertexts in asymmetric cryptography). However, since a quasi-open bisimulation must be preserved under fresh substitutions and \(v \mathrel {\#} \mathclose {\left\{ ^{\texttt {pk}\left( w\right) }\!/\!_{z}\right\} }\), we check static equivalence for \(\mathopen {\nu x.}\left( {\mathclose {\left\{ ^{\texttt {aenc}\left( x, z\right) }\!/\!_{v}\right\} }} \mid 0\right) \mathclose {\left\{ ^{\texttt {pk}\left( w\right) }\!/\!_{z}\right\} }\) and \(\mathopen {\nu x.}\left( {\mathclose {\left\{ ^{\texttt {aenc}\left( \langle x, y\rangle , z\right) }\!/\!_{v}\right\} }} \mid 0\right) \mathclose {\left\{ ^{\texttt {pk}\left( w\right) }\!/\!_{z}\right\} }\). After applying the substitution, the extended processes are no longer statically equivalent, witnessed by distinguishing recipes \(\texttt {snd}(\texttt {adec}\!\left( v, w\right) )\) and y. Thus the processes are not quasi-open bisimilar.

Note that the fact that the attack succeeds above suggests the attacker has the power to influence the message bound to z, in order to stage an attack. In the above example the message chosen is a public key \(\texttt {pk}\left( w\right) \) for which the attacker knows the secret key w. For another such example, \(\nu k.{\overline{a}}\langle \texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) \rangle .{\overline{a}}\langle \texttt {aenc}\left( y, \texttt {pk}\left( k\right) \right) \rangle \) and \(\nu k.{\overline{a}}\langle \texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) \rangle .{\overline{a}}\langle \texttt {aenc}\left( z, \texttt {pk}\left( k\right) \right) \rangle \) are labelled bisimilar (which assumes xyz are distinct names), but not quasi-open bisimilar (which instead assumes xyz are variables). To see why, observe the above processes can reach the extended processes \(\mathopen {\nu k.}\left( \mathclose {\left\{ ^{\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) , \texttt {aenc}\left( y, \texttt {pk}\left( k\right) \right) }\!/\!_{v, w}\right\} } \mid 0 \right) \) and \(\mathopen {\nu k.}\left( \mathclose {\left\{ ^{\texttt {aenc}\left( x, \texttt {pk}\left( k\right) \right) , \texttt {aenc}\left( z, \texttt {pk}\left( k\right) \right) }\!/\!_{v, w}\right\} } \mid 0 \right) \), at which point the attacker has the power to set \(x = y\), thereby reaching a scenario explained after Definition 4, where the attacker can observe the same message is output twice for the process on the left but not for the process on the right. This feature of quasi-open bisimilarity is related to the security property of strong secrecy [11], where the open nature of secrets represents that the attacker may interfere with messages at runtime.

4.2 Running Example of a Privacy Property

We now have the mechanisms to verify the minimal privacy example from Sect. 2. For greater clarity, firstly consider the case of a single session, i.e., with replication removed. The equivalence of running examples \(\textit{Server A}\) and \(\textit{Server B}\) for the single session case (without replication) can be established by taking the least symmetric open relation satisfying the constraints in Fig. 3. The critical observation is that message n in Fig. 3 ranges over all permitted inputs. Since \(n = u\) is permitted, we have the following pair in relation \(\mathcal {S}\).

$$ \begin{array}{l} \mathopen {\nu k, a, r.} \left( \mathclose {\left\{ ^{\texttt {pk}\left( k\right) , a}\!/\!_{u, v}\right\} } \mid {\overline{a}}\langle r \rangle \right) ~\mathrel {\mathcal {S}}~ \mathopen {\nu k. a, r.} \Big ( \mathclose {\left\{ ^{\texttt {pk}\left( k\right) , a}\!/\!_{u, v}\right\} } \mid \begin{array}[t]{l} \texttt {if}\,\texttt {pk}\left( k\right) = \texttt {pk}\left( k\right) \,\texttt {then}\, \\ {\overline{a}}\langle \texttt {aenc}\left( \langle m, r\rangle , \texttt {pk}\left( k\right) \right) \rangle \,\texttt {else}\,{\overline{a}}\langle r \rangle \Big ) \end{array} \end{array} $$

In the above, observe the branch sending an encrypted message is enabled. In contrast to the above, if n is any message term not equivalent to u then we have \(k, a, r \models n\mathclose {\left\{ ^{\texttt {pk}\left( k\right) , a}\!/\!_{u, v}\right\} } \not = \texttt {pk}\left( k\right) \) since if n were a message term such that \(k,a,r \mathrel {\#} n\) such that \(n\mathclose {\left\{ ^{\texttt {pk}\left( k\right) , a}\!/\!_{u, v}\right\} } = \texttt {pk}\left( k\right) \), then n must be equivalent to u. Thus in all other cases the else branch is enabled.

Notice \(\mathopen {\nu k, a, r.} \left( \mathclose {\left\{ ^{\texttt {pk}\left( k\right) , a, \texttt {aenc}\left( \langle m, r\rangle , \texttt {pk}\left( k\right) \right) }\!/\!_{u, v, w}\right\} }\!\! \mid \!\! 0 \right) \) and \(\mathopen {\nu k, a, r.} \left( \mathclose {\left\{ ^{\texttt {pk}\left( k\right) , a, r}\!/\!_{u, v, w}\right\} }\!\! \mid \!\! 0 \right) \) are statically equivalent, reachable when \(n =_E u\). To see why, observe that an attacker neither has the key k to decrypt \(\texttt {aenc}\left( \langle m, r\rangle , \texttt {pk}\left( k\right) \right) \), nor can an attacker reconstruct the message \(\langle m, r\rangle \), without knowing r.

For the unbounded case, consider the least symmetric open relation \(\mathcal {T}\) satisfying the constraints in Fig. 4. This generalises the finite case by defining all scenarios where there are l parallel sessions that are either in the state of having just announced the communication channel a, having just received a message, or have responded already. This definition is closed under all transitions and reachability, as required to establish that \(\mathcal {T}\) is a quasi-open bisimulation. Indeed \(\mathcal {T}\) is a quasi-open bisimulation such that Server A \(\mathcal {T}\) Server B. Hence the desired privacy property of Server A, first mentioned in Sect. 2, is verified.

Fig. 4.
figure 4

Relation \(\mathcal {T}\) verifying Server B \(\sim \) Server A in the unbounded case.

Full size image

A subtlety is that \(\mathcal {T}\) is not the least quasi-open bisimulation witnessing \(\textit{Server A}\sim \textit{Server B}\), since we over approximated by allowing inputs to possibly use outputs from the future. This over approximation is correct, since we can always have additional redundant terms in a bisimulation set, as long as they are also closed under the relevant conditions. Indeed, this illustrates a practical benefit of bisimilarity – we can find abstractions that reduce the amount of verification work.

4.3 Quasi-open Bisimilarity is Sound and Complete

As illustrated in the previous sub-section, a core guarantee offered by quasi-open bisimilarity is that it is a congruence relation. We prove quasi-open bisimilarity is preserved by all contexts, notably under input prefixes; and, furthermore, coincides exactly with open barbed bisimilarity, which is the coarsest (strong) bisimilarity congruence.

Theorem 2 (contexts)

If \(P \sim Q\) then for all contexts \({\mathcal {C}}\left\{ \ \cdot \ \right\} \), we have \({\mathcal {C}}\left\{ P \right\} \sim {\mathcal {C}}\left\{ Q \right\} \).

The most involved cases of Theorem 2 are those showing quasi-open bisimilarity is preserved under parallel composition and replication; while the most novel case is for mismatch, which relies on the notion of an open relation given in Definition 5. Given Theorem 2, the soundness of quasi-open bisimilarity with respect to open barbed bisimilarity follows immediately.

Corollary 1 (soundness)

If \(P \sim Q\) then \(P \mathrel {\simeq }Q\).

Completeness, expressed in Theorem 3, supports our claim that quasi-open bisimilarity in Definition 6 is a correct and canonical (strong) bisimilarity congruence for the applied \(\pi \)-calculus. This theorem is the fundamental property of quasi-open bisimilarity that does not hold for open bisimilarity.

Theorem 3 (completeness)

Quasi-open bisimilarity coincides with open barbed bisimilarity.

It is interesting to compare the proof of Theorem 3 to the corresponding proof for the \(\pi \)-calculus [41]. In the corresponding proof for the \(\pi \)-calculus checks are built into bound output transitions to ensure extruded private names are fresh. In the proof of Theorem 3 no such checks are required for output transitions; such checks are subsumed by checking static equivalence.

Strong v.s. Weak Bisimilarity. Observe Theorem 3 is for a strong formulation of quasi-open bisimilarity. The weak/strong dimension [44] (as with other dimensions such as interleaving v.s. true concurrency [45], for instance) is a perpendicular issue to the focus of this paper. Quasi-open variants of various equivalences and preorders can also be defined, so this scientific discussion on attacker models should not be limited to strong bisimilarity. Sometimes weak equivalences can be avoided. For example, for privacy properties, such as unlinkability of ePassports, the traditional formulation in terms of a weak bisimilarity problem [8] has been shown to be reducible to an equivalent strong bisimilarity problem that is easier to check, since we have image finiteness [28], i.e., for any label \(\pi \) each process has finitely many \(\pi \)-labelled transitions.

5 Comparison to Related Work on Observational Equivalence

Most notions of bisimilarity previously introduced for cryptographic calculi (e.g., hedged bisimilarity, labelled bisimilarity, early bisimilarity) coincide with observational equivalence [2, 4, 5, 10, 15,16,17, 31, 32, 34]. Observational equivalence is a restriction of open barbed bisimilarity (Definition 3), considering only contexts of the form \(\left\{ \ \cdot \ \right\} \mid P\) that add a new process in parallel at every step of the bisimulation game. This makes the equivalence strictly coarser than open barbed bisimilarity, however observational equivalence is not a congruence relation. Intermediate results on symbolic bisimulations [18, 25] also closely approximate observational equivalence.

The gap between observational equivalences and open barbed bisimilarity is thoroughly explored in the context of the \(\pi \)-calculus [7, 29, 40, 41]. Open barbed bisimilarity is finer than observational equivalence since, \(\pi .P + \pi .Q\) is observationally equivalent to \(\pi .P + \pi .Q + \pi .\texttt {if}\,x = y\,\texttt {then}\,P\,\texttt {else}\,Q\), but these processes are not open barbed bisimilar in general. Yet these processes are equivalent if we take barbed equivalence [36], which is the largest congruence contained within observational equivalence, lying strictly between open barbed bisimilarity and observational equivalence. In Sect. 4.1, we did mention there are examples of noninterference properties that can be formulated using a congruence. However, it remains an open question whether there exists a realistic privacy property, as opposed to the toy equation immediately above, that cannot be verified using open barbed bisimilarity but can be analysed using barbed equivalence.

If one does insist that a property is defined in terms of observational equivalence, we may still use quasi-open bisimilarity as an under-approximation. If an attack is discovered, we can check whether an attack is also valid classically (possibly making use of modal logic intuitionistic \(\mathcal {F}\!\mathcal {M}\) described in the extended technical report [29]). If the attack is also classically valid it is also a counterexample for observational equivalence. This methodology was used to resolve the problem of whether there is an attack on the BAC protocol for ePassports [26, 28], as originally stated in terms of observational equivalence [8].

6 Conclusion

This paper justifies the bisimilarity congruence quasi-open bisimilarity as a method for reasoning about protocols expressed using the applied \(\pi \)-calculus. The equivalence we converge on, quasi-open bisimilarity, can be seen as an enhancement of existing methods, balancing between the strengths of labelled bisimilarity [4, 10, 15,16,17, 31, 32, 34] and open bisimilarity.

The bisimilarity congruence, open bisimilarity, has previously been introduced for the spi-calculus [19, 42, 43]. However, the spi-calculus could not verify privacy properties demanding mismatch, and is less abstract, being hard-wired with a fixed message theory; which were problems addressed in recent work that lifts open bisimilarity to the more general setting of the applied \(\pi \)-calculus [28]. By moving to the coarser equivalence quasi-open bisimilarity we are able to verify more privacy properties, such as the typical privacy-preserving protocol in Sect. 2, involving if-then-else with a guard depending on private information. Some equivalences, such as differential equivalence [12, 21], which compares two structurally identical processes that differ only in the terms they exchange, are incomplete and hence may report attacks that trivially do not exist. Hence when differential equivalence reports an attack, it may not exist for trivial reasons – a problem minimised by the fact that quasi-open bisimilarity adheres to a completeness criterion for observational congruences (Theorem 3). Equivalences coarser than quasi-open bisimilarity are either not congruences or are not bisimilarities, meaning that some corresponding proof techniques cannot be applied.

The gap between quasi-open bisimilarity and classical labelled bisimilarity is small—we insist on an open relation (Definition 2). However, the gap is significant, since we obtain a complete congruence. In an extended version of this paper in a technical report [27], we go further by demonstrating that we are able to logically characterise quasi-open bisimilarity, using an intuitionistic modal logic useful for describing attacks.