Deciding equivalence-based properties using constraint solving1

Formal methods have proved their usefulness for analyzing the security of protocols. Most existingresults focus on trace properties like secrecy or authentication. There are however several securityproperties, which cannot be de ned (or cannot be naturally de ned) as trace properties and requirea notion of behavioural equivalence. Typical examples are anonymity, privacy related propertiesor statements closer to security properties used in cryptography.In this paper, we consider three notions of equivalence de ned in the applied pi calculus:observational equivalence, may-testing equivalence, and trace equivalence. First, we study therelationship between these three notions. We show that for determinate processes, observationalequivalence actually coincides with trace equivalence, a notion simpler to reason with. We exhibit alarge class of determinate processes, called simple processes, that capture most existing protocolsand cryptographic primitives. While trace equivalence and may-testing equivalence seem verysimilar, we show that may-testing equivalence is actually strictly stronger than trace equivalence.We prove that the two notions coincide for imagenite processes, such as processes withoutreplication.Second, we reduce the decidability of trace equivalence (for nite processes) to deciding sym-bolic equivalence between sets of constraint systems. For simple processes without replication andwith trivial else branches, it turns out that it is actually su cient to decide symbolic equivalencebetween pairs of positive constraint systems. Thanks to this reduction and relying on a result rstproved by M. Baudet, this yields the rst decidability result of observational equivalence for ageneral class of equational theories (for processes without else branch nor replication). Moreover,based on another decidability result for deciding equivalence between sets of constraint systems,we get decidability of trace equivalence for processes with else branch for standard primitives.