Checking Trace Equivalence: How to Get Rid of Nonces?

Abstract

Security protocols can be successfully analysed using formal methods. When proving security in symbolic settings for an unbounded number of sessions, a typical technique consists in abstracting away fresh nonces and keys by a bounded set of constants. While this abstraction is clearly sound in the context of secrecy properties (for protocols without else branches), this is no longer the case for equivalence properties.

In this paper, we study how to soundly get rid of nonces in the context of equivalence properties. We show that nonces can be replaced by constants provided that each nonce is associated to two constants (instead of typically one constant for secrecy properties). Our result holds for deterministic (simple) protocols and a large class of primitives that includes e.g. standard primitives, blind signatures, and zero-knowledge proofs.

The research leading to these results has received funding from the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007–2013)/ERC grant agreement \(n^{\circ }\) 258865, project ProSecure, and the ANR project JCJC VIP n\(^o\) 11 JS02 006 01.

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Security protocols are notoriously difficult to design as exemplified by a long history of attacks. For example, the TLS protocol has been shown once again to be vulnerable to a new attack called FREAK [4]. Formal methods offer symbolic models to carefully analyse security protocols, together with a set of proof techniques and efficient tools such as ProVerif [5], Scyther [17], Maude-NPA [21], or Avispa [3]. Security properties can be divided into two main categories.

• Trace properties are used to express secrecy or various forms of authentication properties. They ensure that a certain statement holds for any execution.

• Equivalence properties are typically used to state privacy properties like anonymity, unlinkability [8], or vote privacy [18]. More generally, equivalence properties may state indistinguishability properties, such as game-based definitions inherited from models used in cryptography [15, 22].

When proving security properties, it is important to obtain guarantees for an unlimited number of sessions. Unfortunately, it is well known that even secrecy is undecidable [20] in this context. Undecidability comes from two main factors. First, messages may grow arbitrarily during an execution. Second, even when considering messages of fixed size, it has been shown that nonces still cause undecidability [2]. Intuitively, nonce freshness may be used to create pointers that are used in turns to build chained lists and thus again arbitrarily large data. Therefore, a standard restriction consists in bounding the number of nonces (and keys). Under this assumption, several decidability results have been established for secrecy [7, 13, 20], as well as for trace equivalence [9, 10].

Replacing nonces by constants is sound in the context of secrecy properties. More precisely, assuming that \(\overline{P}\) is obtained from the security protocol P by replacing nonces (and keys) by constants, whenever \(\overline{P}\) is secure (w.r.t. a trace property such as secrecy) then P is secure as well. Indeed, replacing nonces by constants may only introduce more attacks, since it may only create more equalities, as long as the protocol P under study does not have else branches. Therefore, the decidability results developed for secrecy (e.g. [7, 13, 20]) may be seen as proof techniques: if \(\overline{P}\) falls in a decidable class and can be shown to be secure then the protocol P is secure as well. Unfortunately, such an approach is no longer valid in the context of equivalence properties. Indeed, consider the processes:

$$P=\ ! \;\mathsf {new}\; n. \mathsf {out}(c,\{n\}_k) \ \text{ and } \ Q=\ ! \; \mathsf {out}(c,\{n\}_k).$$

The ! operator denotes the replication. Intuitively, both processes send out an arbitrary number of messages on the public channel c. The process P sends out each time a fresh nonce n encrypted by a (secret) key k while Q always sends the same message. We assume here that encryption is not randomised. Clearly, the processes P and Q are not in equivalence (denoted \(P\not \approx Q\)) since an attacker can easily notice that P sends distinct messages while Q sends identical messages. However, abstracting away fresh names with constants, the resulting equivalence holds (denoted \(\overline{P}\approx \overline{Q}\)). Indeed, the two resulting processes are actually identical: \(\overline{P} \,=\, \overline{Q} \,=\, !\; \mathsf {out}(c,\{n\}_k)\). This illustrates that \(\overline{P}\approx \overline{Q} \not \Rightarrow P\approx Q\).

Main Contribution. We identify a technique to (soundly) get rid of freshly generated data (e.g. nonces, keys). The main idea consists in introducing an additional copy of each replicated nonce. More precisely, we show that:

$$!\,\overline{P}\,\mid \, P^\star \;\approx \; \ !\,\overline{Q}\,\mid \, Q^\star \quad \Rightarrow \quad ! P\; \approx \; ! Q$$

where \(P^\star \) is obtained from P by renaming all fresh nonces and keys to distinct (fresh) constants. Our result holds for simple processes, a notion that has been introduced in [15] and used in several subsequent works (e.g. [10]). Roughly, each process communicates on a distinct channel. This corresponds to the fact that in practice each machine has its own IP address and each session is characterised by some session identifier. We consider a large family of primitives, provided that they can be described by a destructor/constructor theory with no critical pair. In particular, our technique allows one to deal with standard primitives (asymmetric and symmetric encryption, hash, signatures, MACs) as well as e.g. blind signatures and zero-knowledge proofs. As an application, we deduce that the decidability result developed in [10] for tagged protocols without nonces can be applied to study the security of protocols with nonces. The full proofs of the results presented in this paper can be found in [11].

Related Work. Abstracting nonces and keys by constants is known to be sound for secrecy properties as part of the “folklore”. We did not find a precise reference for this result. A related result is a reduction to two agents [14] for trace properties. Reducing the number of nonces can be obtained in a similar way.

The tool ProVerif [5, 6] also makes use of an abstraction for fresh data. In case of secrecy, nonces are abstracted by functions applied to the process inputs. In case of equivalence properties, nonces are additionally given a counter (termination is of course not guaranteed). The abstraction technique is therefore more precise than using only constants but seems dedicated to the internal behaviour of the ProVerif tool.

The only decidability result for equivalence with nonces (for an unbounded number of sessions) has been recently presented in [12]. For protocols that fall in the class of [12], it is therefore more direct to use this decidability result than applying our simplification. However, the class of protocols we consider here is more general: we do not need protocols to be tagged nor to induce an “acyclic dependency graph” and we cover a much wider class of cryptographic primitives.

2 Model for Security Protocols

Security protocols are modelled through a process algebra inspired from [1] that manipulates terms.

2.1 Term Algebra

We assume an infinite set \(\mathcal {N}\) of names, which are used to represent keys and nonces and an infinite set \(\mathcal {X}\) of variables. We assume a signature \(\varSigma \), i.e. a set of function symbols together with their arity, and we make a distinction between constructor symbols and destructor symbols: \(\varSigma = \varSigma _c \uplus \varSigma _d\). Given a signature \(\varSigma \), we denote by \(\mathcal {T}(\varSigma ,\mathsf {A})\) the set of terms built from symbols in \(\varSigma \) and atomic data in \(\mathsf {A}\). Terms without variables are called ground. The set \(\mathcal {T}(\varSigma _c,\mathcal {X}\cup \mathcal {N})\) is the set of constructor terms. Then among the terms in \(\mathcal {T}(\varSigma _c,\mathcal {N})\) we distinguish a special subset of terms called messages and noted \(\mathcal {M}_\varSigma \), and that is stable under renaming of names: a message does not contain any destructor symbol, and \(m \in \mathcal {M}_\varSigma \) implies that \(m\rho \in \mathcal {M}_\varSigma \) for any renaming \(\rho \) (not necessarily a bijective one).

In addition to the set of variables \(\mathcal {X}\), we consider an infinite disjoint set of variables \(\mathcal {W}\). Variables in \(\mathcal {W}\) intuitively refer to variables used to store messages learnt by the attacker. We denote \( vars (u)\) the set of variables that occur in a term u. The application of a substitution \(\sigma \) to a term u is written \(u\sigma \), and we denote \( dom (\sigma )\) its domain. The positions of a term are defined as usual. Two terms u and v are unifiable if there is a substitution \(\sigma \) such that \(u\sigma =v\sigma \).

The properties of the primitives are expressed using rewriting rules of the form \(\mathsf {g}(t_1,\ldots ,t_n)\rightarrow t\) where \(\mathsf {g}\) is a destructor, that is \(\mathsf {g}\in \varSigma _d\), and \(t_1,\ldots ,t_n,t\) are constructor terms. A rewriting rule can only be applied to constructor terms. Formally, we say that u can be rewritten into v if there is a position p and a rule \({\mathsf {g}(t_1,\ldots ,t_n)\rightarrow t}\) such that u at position p is equal to \(\mathsf {g}(t_1,\ldots ,t_n)\theta \) and \(v = u[t\theta ]_p\) (that is u where the term at position p has been replaced by \(t\theta \)) for some substitution \(\theta \) such that \(t_1\theta , \ldots , t_n\theta ,t\theta \) are messages. We only consider sets of rewriting rules that yield convergent rewrite systems. We denote by \(u\mathord {\downarrow }\) the normal form of a given term u. We refer the reader to [19] for the precise definitions of rewriting systems, convergence, and normal forms.

Example 1

A typical signature for representing symmetric encryption and pair is

$$\varSigma = \{\mathsf {senc}, \; \mathsf {sdec}, \; \langle \; \rangle , \; \mathsf {proj}_1, \mathsf {proj}_2\} \uplus \varSigma _0$$

where \(\varSigma _0\) is a set of atomic data. The set \(\varSigma _0\) typically contains the public constants known to the attacker (e.g. agent names \(\mathsf {a}\), \(\mathsf {b}\), ...). The symbols \(\mathsf {senc}\) and \(\mathsf {sdec}\) of arity 2 represent symmetric encryption and decryption. Pairing is modelled using \(\langle \; \rangle \) of arity 2, whereas projection functions are denoted \(\mathsf {proj}_1\) and \(\mathsf {proj}_2\) (both of arity 1). The relations between encryption/decryption and pairing/projections are represented through the following convergent rewrite system:

$$\mathsf {sdec}(\mathsf {senc}(x,y),y) \rightarrow x, \; \;\text{ and } \; \; \mathsf {proj}_i(\langle x_1, x_2 \rangle ) \rightarrow x_i \text{ with } i \in \{1,2\}.$$

We have that \(\mathsf {proj}_1(\mathsf {sdec}(\mathsf {senc}(\langle s_1, s_2 \rangle ,k),k))\mathord {\downarrow }= s_1\). Note that, since a destructor can only be applied on messages, no rewriting rule can be applied on the term \(\mathsf {sdec}(\mathsf {senc}(s,\mathsf {proj}_1(s)),\mathsf {proj}_2(s))\) which is thus in normal form (but not a message). This signature \(\varSigma \) is split into two parts as follows: \(\varSigma _c = \{\mathsf {senc}, \,\langle \; \rangle \} \uplus \varSigma _0\) and \(\varSigma _d = \{\mathsf {sdec}, \,\mathsf {proj}_1, \, \mathsf {proj}_2\}\). Then, we may consider \(\mathcal {M}_\varSigma \) to be \(\mathcal {M}_{c}=\mathcal {T}(\varSigma _c,\mathcal {N})\) the set of all ground constructor terms. We may also restrict \(\mathcal {M}_\varSigma \) to be \(\mathcal {M}_{\mathsf {atomic}}\), the set of ground constructor terms that only use atomic data in key position.

Finally, we assume \(\varSigma \) to be split into two parts, and this distinction is orthogonal the one made between destructor and constructor symbols. We denote by \(\varSigma _\mathsf {pub}\) the set of function symbols that are public, i.e. available to the attacker, and \(\varSigma _\mathsf {priv}\) for those that are private. Actually, an attacker builds his own messages by applying public function symbols to terms he already knows. Formally, a computation done by the attacker is modelled by a term in \(\mathcal {T}(\varSigma _\mathsf {pub},\mathcal {W})\), called a recipe. Note that such a term does not contain any name. Indeed, all names are initially unknown to the attacker.

2.2 Process Algebra

Let \(\mathcal {C}h\) be an infinite set of channels. We consider processes built using the grammar below where \(u \in \mathcal {T}(\varSigma _c, \mathcal {N}\cup \mathcal {X})\), \(v \in \mathcal {T}(\varSigma , \mathcal {N}\cup \mathcal {X})\), \(n \in \mathcal {N}\), and \(c,c' \in \mathcal {C}h\):

$$\begin{array}{rclcl} P,Q &{}:=&{} 0 &{} &{} { null }\\ &{}\mid &{} \mathsf {in}(c, u).P &{}&{} { input }\\ &{}\mid &{}\mathsf {out}(c, u).P &{}&{}{ output } \\ &{}\mid &{} \mathsf {let}\; x = v \;\mathsf {in}\; P&{}&{} { evaluation } \end{array} \begin{array}{rclcl} \;\;\; &{} \mid \; &{} (P \mid Q)&{}&{}{ parallel }\\ &{}\mid &{} !P &{}&{} { replication } \\ &{}\mid &{} \mathsf {new}\ n. P &{}&{} { restriction }\\ &{}\mid &{} \mathsf {new}\ c'. \mathsf {out}(c,c').P &{}&{} { channel ~generation } \end{array} $$

The process 0 does nothing. The process “\(\mathsf {in}(c, u).P\)” expects a message m of the form u on channel c and then behaves like \(P\sigma \) where \(\sigma \) is a substitution such that \(m = u\sigma \). The process “\(\mathsf {out}(c, u).P\)” emits u on channel c, and then behaves like P. The variables that occur in u are instantiated when the evaluation takes place. The process “\(\mathsf {let}\; x = v\; \mathsf {in}\;P\)” tries to evaluate v and in case of success the process P is executed; otherwise the process is blocked. The process “\({P \mid Q}\)” runs P and Q in parallel. The process “!P” executes P some arbitrary number of times. The restriction “\(\mathsf {new}\ n\)” is used to model the creation of a fresh random number (e.g., a nonce or a key) whereas channel generation “\(\mathsf {new}\, c'.\mathsf {out}(c,c').P\)” is used to model the creation of a fresh channel name that shall immediately be made public. Note that we consider only public channels. It is still useful to generate fresh channel names to let the attacker identify the different sessions (as it is often the case in practice through sessions identifiers).

Note that our calculus allows both message filtering as well as explicit application of destructor symbols. For example, to represent a process that waits for a message, decrypts it with a key k, and sends the plaintext in clear, we may write \(P=\mathsf {in}(c,\mathsf {senc}(x,k)).\mathsf {out}(c,x)\) as well as \(Q=\mathsf {in}(c,y). \mathsf {let}\; x=\mathsf {sdec}(y,k)\;\mathsf {in}\; \mathsf {out}(c,x)\). However, the choice of filtering or \(\mathsf {let}\) yields a slightly different behaviour since a message will be received in P only if it matches the expected format while any message will be received in Q (and then the format is checked).

We write \( fv (P)\) for the set of free variables that occur in P, i.e. the set of variables that are not in the scope of an input or a let construction. We assume \({\mathcal {C}h= \mathcal {C}h_0\uplus \mathcal {C}h^\mathsf {fresh}}\) where \(\mathcal {C}h_0\) and \(\mathcal {C}h^\mathsf {fresh}\) are two infinite sets of channels. Intuitively, channels of \(\mathcal {C}h^\mathsf {fresh}\), denoted \( ch _1, \ldots , ch _i, \ldots \) will be used in the semantics to instantiate the channels generated during the execution of a protocol. They shall not be part of its specification.

Definition 1

A protocol P is a process such that P is ground, i.e. \( fv (P) = \emptyset \); and P does not use channel names from \(\mathcal {C}h^\mathsf {fresh}\).

Example 2

The Yahalom protocol [23] is a key distribution protocol using symmetric encryption and a trusted server. The Paulson’s version of this protocol can be described informally as follows:

$$\begin{array}{l} 1. \;\;A\rightarrow B:\; A, \;N_a\\ 2.\;\; B \rightarrow S:\; B, \;N_b, \;\{A, N_a\}_{K_{bs}}\\ 3. \;\;S \rightarrow A\,:\; N_b, \;\{B, K_{ab}, N_a\}_{K_{as}}, \; \{A, B, K_{ab},N_b\}_{K_{bs}}\\ 4. \;\; A \rightarrow B:\; \{A, B, K_{ab}, N_b\}_{K_{bs}}, \; \{N_b\}_{K_{ab}} \end{array}$$

where \(\{m\}_k\) denotes the symmetric encryption of a message m with key k, A and B are agents trying to authenticate each other, S is a trusted server, \(K_{as}\) (resp. \(K_{bs}\)) is a long term key shared between A and S (resp. B and S), \(N_a\) and \(N_b\) are nonces generated by A and B, whereas \(K_{ab}\) is a key generated by S.

We propose a modelling of the Yahalom protocol in our formalism using the signature given in Example 1. We use restricted channels to model the use of unique session identifiers used along an execution of the protocol. Below, \(k_{as}\), \(k_{bs}\), \(n_a\), \(n_b\), \(k_{ab}\) are names, whereas \(\mathsf {a}\) and \(\mathsf {b}\) are constants from \(\varSigma _0\) and \(c_A\), \(c_B\), and \(c_S\) are (public) channel names for respectively the role of A, B, and S. We denote by \(\langle x_1, \ldots , x_{n-1}, x_n \rangle \) the term \(\langle x_1, \langle \ldots \langle x_{n-1}, x_n \rangle \rangle \rangle \).

$$\begin{array}{ll} P_{\mathsf {Yah}} = !\,\mathsf {new}\;c_1.\mathsf {out}(c_A,c_1).P_A \mid \; !\,\mathsf {new}\;c_2.\mathsf {out}(c_B,c_2).P_B \mid \; !\, \mathsf {new}\;c_3.\mathsf {out}(c_S,c_3).P_S \end{array}$$

where the processes \(P_A\), \(P_B\), and \(P_S\) are given below:

$$\begin{array}{rcl} P_A &{}=&{} \mathsf {new}\;n_a.\; \mathsf {out}(c_1,\langle \mathsf {a}, n_a\rangle ).\; \mathsf {in}(c_1, \langle x_{nb}, \mathsf {senc}(\langle \mathsf {b}, x_{ab}, n_a\rangle , k_{as}), x_{bs}\rangle ).\\ &{}&{}\mathsf {out}(c_1,\langle x_{bs}, \mathsf {senc}(x_{nb}, x_{ab})\rangle );\\ P_B &{}=&{} \mathsf {in}(c_2,\langle \mathsf {a}, y_{na}\rangle ). \;\mathsf {new}\;n_b. \;\mathsf {out}(c_2,\langle \mathsf {b}, n_b, \mathsf {senc}(\langle \mathsf {a}, y_{na}\rangle ,k_{bs})\rangle ).\\ &{}&{}\mathsf {in}(c_2, \langle \mathsf {senc}(\langle \mathsf {a}, \mathsf {b}, y_{ab }, n_b \rangle , k_{bs}), \mathsf {senc}(n_b, y_{ab})\rangle ); \\ P_S &{}=&{} \mathsf {in}(c_3, \langle \mathsf {b}, z_{nb}, \mathsf {senc}(\langle \mathsf {a}, z_{na}\rangle , k_{bs}) \rangle ). \; \mathsf {new}\;k_{ab}. \;\\ &{}&{}\mathsf {out}(c_3, \langle n_b, \mathsf {senc}(\langle \mathsf {b}, k_{ab}, z_{na} \rangle , k_{as}), \mathsf {senc}(\langle \mathsf {a}, \mathsf {b}, k_{ab}, {z_{n_b}}\rangle , k_{bs}) \rangle ). \end{array} $$

2.3 Semantics

The operational semantics of a process is defined using a relation over configurations. A configuration is a pair \((\mathcal {P}; \phi )\) where:

• \(\mathcal {P}\) is a multiset of ground processes.

• \(\phi = \{\mathsf {w}_1 \triangleright m_1, \ldots , \mathsf {w}_n \triangleright m_n\}\) is a frame, i.e. a substitution where \(\mathsf {w}_1, \ldots , \mathsf {w}_n\) are variables in \(\mathcal {W}\), and \(m_1,\ldots , m_n\) are messages, i.e. terms in \(\mathcal {M}_\varSigma \).

We often write P instead of \((\{P\}; \emptyset )\), and \(P \cup \mathcal {P}\) or \(P \mid \mathcal {P}\) instead of \(\{P\} \cup \mathcal {P}\). The terms in \(\phi \) represent the messages that are known by the attacker. The operational semantics of a process is induced by the relation \(\mathop {\rightarrow }\limits ^{\alpha }\) as defined below. \((\mathsf {in}(c,u).P \cup \mathcal {P}; \phi )\; \mathop {-\!\!\!-\!\!\!-\!\!\!-\!\!\!\longrightarrow }\limits ^{\mathsf {in}(c,R)} \; (P \sigma \cup \mathcal {P}; \phi )\) where R is a recipe such that \(R\phi \mathord {\downarrow }\) is a message and \(R\phi \mathord {\downarrow }= {u\sigma }\) for some \(\sigma \) with \( dom (\sigma ) = vars (u) (\mathsf {out}(c,u).P \cup \mathcal {P}; \phi ) \mathop {-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\longrightarrow }\limits ^{\mathsf {out}(c, \mathsf {w}_{i+1})} \; (P \cup \mathcal {P}; \phi \cup \{\mathsf {w}_{i+1} \triangleright u\} )\) where u is a message and i is the number of elements in \(\phi (\mathsf {new}\, c'. \mathsf {out}(c,c').P \cup \mathcal {P}; \phi ) \mathop {-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\longrightarrow }\limits ^{\mathsf {out}(c, ch _{i})} \; (P\{{}^{ ch _{i}}/{}_{c'}\} \cup \mathcal {P}; \phi )\) where \( ch _{i}\) is the “next” fresh channel name available in \(\mathcal {C}h^\mathsf {fresh}(\mathsf {let}\; x = v \; \mathsf {in}\; P \cup \mathcal {P}; \phi ) \; \mathop {\rightarrow }\limits ^{\tau } (P\{{}^{v\mathord {\downarrow }}/{}_{x}\} \cup \mathcal {P}\; \phi )\) where \(v\mathord {\downarrow }\) is a message \((\mathsf {new}\; {n}.P \cup \mathcal {P}; \phi ) \; \mathop {\rightarrow }\limits ^{\tau } \; (P\{{}^{n'}/{}_{n}\} \cup \mathcal {P}; \phi )\) where \(n'\) is a fresh name in \(\mathcal {N}(!P \cup \mathcal {P}; \phi ) \; \mathop {\rightarrow }\limits ^{\tau } \; (P \,\cup \, !P \cup \mathcal {P}; \phi )\).

The first rule allows the attacker to send to some process a term built from publicly available terms and symbols. The second rule corresponds to the output of a term: the corresponding term is added to the frame of the current configuration, which means that the attacker can now access the sent term. Note that the term is outputted provided that it is a message. The third rule corresponds to the special case of an output of a freshly generated channel name. In such a case, the channel is not added to the frame but it is implicitly assumed known to the attacker, as all the channel names. These three rules are the only observable actions. The fourth rule corresponds to the evaluation of the term v; if this succeeds, i.e. if \(v\mathord {\downarrow }\) is a message then x is bound to the result and P is executed; otherwise the process is blocked. The two remaining rules are quite standard and are unobservable by the attacker.

The relation \(\mathop {\rightarrow }\limits ^{\alpha _1 \ldots \alpha _n}\) between configurations (where \(\alpha _1 \ldots \alpha _n\) is a sequence of actions) is defined as the transitive closure of \(\mathop {\rightarrow }\limits ^{\alpha }\). Given a sequence of observable actions \(\mathsf {tr}\), we write \(K \mathop {\Longrightarrow }\limits ^{\mathsf {tr}\,\,\,} K'\) when there exists a sequence \(\alpha _1 \ldots \alpha _n\) such that \(K \mathop {-\!\!\!-\!\!\!-\!\!\!\longrightarrow }\limits ^{\alpha _1 \ldots \alpha _n} K'\) and \(\mathsf {tr}\) is obtained from \(\alpha _1\ldots \alpha _n\) by erasing all occurrences of \(\tau \). For every protocol P, we define its set of traces as follows:

$$\begin{array}{c} \mathsf {trace}(P) = \{(\mathsf {tr},\phi ) ~|~ P \mathop {\Longrightarrow }\limits ^{\mathsf {tr}\,\,\,} (\mathcal {P};\phi ) \text{ for } \text{ some } \text{ configuration } (\mathcal {P}; \phi )\}. \end{array}$$

Example 3

The Yahalom protocol as presented in Example 2 is known to be flawed as informally described below.

$$\begin{array}{lrl} (i) \;\; 1.\; &{} I(A)\rightarrow B:\;&{} A, \;N_i\\ (i) \;\; 2.\; &{} B \rightarrow I(S):\;&{} B, \;N_b, \;\{A, N_i\}_{K_{bs}}\\ &{}\;(ii) \; 1.\; &{} \;I(A)\rightarrow B:\; A, \;B, \;K_i,\; N_b\\ &{}\;(ii) \; 2.\; &{} \;B \rightarrow I(S):\; B, \;N_b', \;\{A, \;B, \;K_i,\; N_b\}_{K_{bs}}\\ (i) \;\; 4.\; &{}I(A) \rightarrow B:\;&{} \{A, B, K_i, N_b\}_{K_{bs}}, \; \{N_b\}_{K_i} \end{array} $$

Intuitively, the attacker opens two sessions with B. In the second session (ii), the attacker uses B as an encryption oracle. This attack can be reflected by the following sequence \(\mathsf {tr}\).

$$\begin{array}{ll} \mathsf {tr}=&{}\!\!\! \mathsf {out}(c_B, ch _1).\mathsf {in}( ch _1,\langle \mathsf {a}, \mathsf {n}_i\rangle ). \mathsf {out}( ch _1,\mathsf {w}_1). \mathsf {out}(c_B, ch _2).\mathsf {in}( ch _2, \langle {\mathsf {a},}\mathsf {b}, \mathsf {k}_i, R_b\rangle ).\\ &{} \!\!\!\mathsf {out}( ch _2,\mathsf {w}_2).\mathsf {in}( ch _1,\langle \mathsf {proj}_2(\mathsf {proj}_2(\mathsf {w}_2)),\mathsf {senc}(R_{b},\mathsf {k}_i)\rangle ) \end{array}$$

where \(\mathsf {k}_i\) and \(\mathsf {n}_i\) are public constants from \(\varSigma _0\), and \(R_b = \mathsf {proj}_1(\mathsf {proj}_{{2}}(\mathsf {w}_1))\). This sequence \(\mathsf {tr}\) allows one to reach the frame:

$$\begin{array}{l} \phi =\{ \mathsf {w}_1\triangleright \langle \mathsf {b}, n_b, \mathsf {senc}(\langle \mathsf {a}, \mathsf {n}_i\rangle , k_{bs})\rangle , \; \mathsf {w}_2\triangleright \langle \mathsf {b}, n'_b, \mathsf {senc}(\langle \mathsf {a}, \langle \mathsf {b}, \mathsf {k}_i, n_b\rangle \rangle , k_{bs})\rangle \}. \end{array}$$

We have that \((\mathsf {tr},\phi )\in \mathsf {trace}(P_{\mathsf {Yah}})\). Roughly, agent \(\mathsf {b}\) has completed a session apparently with agent \(\mathsf {a}\), and has established a session key \(\mathsf {k}_i\). However, the agent \(\mathsf {a}\) has never participated to this execution, and \(\mathsf {k}_i\) is actually a key known to the attacker.

2.4 Trace Equivalence

Intuitively, two protocols are equivalent if they cannot be distinguished by any attacker. Trace equivalence can be used to formalise many interesting security properties, in particular privacy-type properties, such as those studied for instance in [8, 18]. We first define symbolic indistinguishability of sequences of messages, called static equivalence.

Definition 2

Two frames \(\phi _1\) and \(\phi _2\) are statically equivalent, \({\phi _1 \sim \phi _2}\), when we have that \( dom (\phi _1) = dom (\phi _2)\), and:

• for any recipe R, \(R\phi _1\mathord {\downarrow }\in \mathcal {M}_\varSigma \) if, and only if, \(R\phi _2\mathord {\downarrow }\in \mathcal {M}_\varSigma \); and

• for all recipes \(R_1\) and \(R_2\) such that \(R_1\phi _1\mathord {\downarrow },R_2\phi _1\mathord {\downarrow }\in \mathcal {M}_\varSigma \), we have that \(R_1\phi _1\mathord {\downarrow }= R_2\phi _1\mathord {\downarrow }\) if, and only if, \(R_1\phi _2\mathord {\downarrow }= R_2\phi _2\mathord {\downarrow }\).

Intuitively, two frames are equivalent if an attacker cannot see the difference between the two situations they represent. If some computation fails in \(\phi _1\) for some recipe R, i.e. \(R\phi _1\mathord {\downarrow }\) is not a message, it should fail in \(\phi _2\) as well. Moreover, the frames \(\phi _1\) and \(\phi _2\) should satisfy the same equalities. In other words, the ability of the attacker to distinguish whether a recipe R produces a message, or whether two recipes \(R_1, R_2\) produce the same message should not depend on the frame. The choice of \(\mathcal {M}_\varSigma \) as well as the choice of public symbols allow to fine-tune what an attacker can observe. The set of public function symbols tell exactly which functions the attacker may use. Then the choice \(\mathcal {M}_\varSigma \) defines when computations fail. For example, if \(\mathcal {M}_\varSigma \) represents the set of terms with atomic keys only, then an attacker may potentially observe that some computation fails because he was able to inject a non atomic key.

Example 4

Consider \(\phi _1 = \{\mathsf {w}_1 \triangleright \mathsf {senc}(\mathsf {m}_1, \mathsf {k}_i)\}\), and \(\phi _2 = \{\mathsf {w}_1 \triangleright \mathsf {senc}(\mathsf {m}_2, \mathsf {k}_i)\}\). Assuming that \(\mathsf {m}_1\), \(\mathsf {m}_2\) are public constants from \(\varSigma _0\), we have that \(\phi _1 \not \sim \phi _2\). An attacker can observe that decrypting the message of \(\phi _1\) with the public constant \(\mathsf {k}_i\) leads to the public constant \(\mathsf {m}_1\). This is not the case in \(\phi _2\). Consider the recipes \(R_1 = \mathsf {sdec}(\mathsf {w}_1,\mathsf {k}_i)\) and \(R_2 = \mathsf {m}_1\). We have that \(R_1\phi _1\mathord {\downarrow }= R_2\phi _1\mathord {\downarrow }\) whereas \(R_1\phi _2\mathord {\downarrow }\ne R_2\phi _2\mathord {\downarrow }\).

Intuitively, two protocols are trace equivalent if, however they behave, the resulting sequences of messages observed by the attacker are in static equivalence.

Definition 3

Let P and Q be two protocols. We have that \(P \sqsubseteq Q\) if for every \((\mathsf {tr},\phi ) \in \mathsf {trace}(P)\), there exists \((\mathsf {tr}', \phi ') \in \mathsf {trace}(Q)\) such that \({\mathsf {tr}= \mathsf {tr}'}\) and \({\phi \sim \phi '}\). They are in trace equivalence, written \(P \approx Q\), if \({P \sqsubseteq Q}\) and \({Q \sqsubseteq P}\).

Example 5

We wish to check strong secrecy of the key received by B for the Yahalom protocol. A way of doing so is to check that \(P^1_{\mathsf {Yah}}\approx P^2_{\mathsf {Yah}}\) where \(P^i_{\mathsf {Yah}}\) (with \(i \in \{1,2\}\)) is as \(P_{\mathsf {Yah}}\) but we add the instruction \(\mathsf {out}(c_2,\mathsf {senc}(\mathsf {m}_i,y_{ab}))\) at the end of the process \(P_B\). The terms \(\mathsf {m}_1\) and \(\mathsf {m}_2\) are two distinct public constants from \(\varSigma _0\). The idea is to check whether an attacker can see the difference when the key that has been established is used to encrypt different public constants. Actually, this equivalence does not hold.

Let \(\mathsf {tr}' = \mathsf {tr}. \mathsf {out}( ch _1,\mathsf {w}_3)\), and \(\phi '_j = \phi \cup \{\mathsf {w}_3 \triangleright \mathsf {senc}(\mathsf {m}_j, \mathsf {k}_i)\}\) (with \(j \in \{1,2\}\)) where \((\mathsf {tr},\phi )\) is as described in Example 3. We have that \((\mathsf {tr}',\phi '_1) \in \mathsf {trace}(P^1_{\mathsf {Yah}})\) and \((\mathsf {tr}',\phi '_2) \in \mathsf {trace}(P^2_{\mathsf {Yah}})\). However, we have that \(\phi '_1 \not \sim \phi '_2\) (as explained in Example 4). Thus, \(P^1_{\mathsf {Yah}}\) and \(P^2_{\mathsf {Yah}}\) are not in trace equivalence. An attacker can observe the encrypted message sent at the end of the execution and see which constant has been encrypted since he knows the key \(\mathsf {k}_i\).

3 Main Contribution: Getting Rid of Nonces

As explained in introduction, our main contribution is to provide a transformation that soundly abstracts nonces. Informally, we prove an implication of the following form:

$$!\,\overline{P}\,\mid \, P^\star \;\approx \; \ !\,\overline{Q}\,\mid \, Q^\star \quad \Rightarrow \quad ! P\; \approx \; ! Q$$

where \(\overline{P}\) is obtained from P by replacing nonces by constants, and \(P^\star \) is a copy of P. Before defining formally this transformation in Sect. 3.2, we introduce in Sect. 3.1 which hypotheses are required for the soundness of our transformation.

3.1 Our Hypotheses

Our technique soundly abstracts nonces and keys for trace equivalence, for simple protocols and for a large family of security primitives, namely adequate theories, that we define in this section. We first introduce the class of simple protocols, similar to the one introduced e.g. in [10, 15].

Definition 4

A simple protocol P is a protocol of the form:

$$\begin{array}{c} ! \mathsf {new}\; c'_1. \mathsf {out}(c_1,c'_1).B_1 \,\mid \, ...\,\mid \, ! \mathsf {new}\; c'_m. \mathsf {out}(c_m,c'_m).B_m \mid B_{m+1} \mid \ldots \mid B_{m+p} \end{array}$$

where each \(B_i\) with \(1 \le i \le m+p\) is a basic process on \(c_i\), that is a ground process built using the following grammar:

$$B := 0 \; |\; \mathsf {in}(c_i,u).B \;|\; \mathsf {out}(c_i,u).B \;|\; \mathsf {let}\; x = v \; \mathsf {in}\; B \;|\; \mathsf {new}\, n. \,B$$

where \(u \in \mathcal {T}(\varSigma _c, \mathcal {N}\cup \mathcal {X})\), \(v \in \mathcal {T}(\varSigma , \mathcal {N}\cup \mathcal {X})\), and \(n \in \mathcal {N}\). Moreover, we assume that \(c_1,\ldots ,c_m, c_{m+1},\ldots , c_{m+p}\) are pairwise distinct.

Even if considering simple processes may seem to be restricted, in practice it is often the case that an attacker may identify processes through e.g. IP addresses and even sessions using sessions identifiers. Therefore, encoding protocols in such a class may be considered as a good practice since it allows to potentially discover more flaws. Indeed, it gives more power to the attacker and allows him to know from which agent he receives a message.

Example 6

The protocol \(P_{\mathsf {Yah}}\) (see Example 2), as well as \(P^1_{\mathsf {Yah}}\) and \(P^2_{\mathsf {Yah}}\) as described in Example 5, are simple protocols.

In order to establish our result, we have to ensure that considering two distinct constants instead of fresh nonces is sufficient. We need this property to hold on terms first. Intuitively, when a term cannot be reduced further, it should be possible to isolate two nonces that cause the reduction to fail. This is indeed the case for a large class of primitives. We formalise this notion as follows:

Definition 5

Given a signature \(\varSigma = \varSigma _c\,\uplus \,\varSigma _d\), a convergent rewriting system \(\mathcal {R}\), and a set of messages \(\mathcal {M}_\varSigma \), we say that the theory \((\varSigma ,\mathcal {R})\) is adequate w.r.t. \(\mathcal {M}_\varSigma \) when for any term \(t \in \mathcal {T}(\varSigma ,\mathcal {N}) \backslash \mathcal {M}_\varSigma \) in normal form, there exist \(n_1,n_2 \in \mathcal {N}\) such that for any renaming \(\rho \) with \(\rho (n_1) \ne \rho (n_2)\) then \(t\rho \mathord {\downarrow }\not \in \mathcal {M}_\varSigma \).

Intuitively, we require that whenever a term t is not a message, it is possible to fix two names of t such that any renaming of t (preserving these two names) is still not a message. We could generalise our criterion to n-adequate theories where the number of names that need to fixed is bounded by n but two names are actually sufficient to deal with most of the theories.

Example 7

The theory described in Example 1 is adequate w.r.t. to the two notions of messages \(\mathcal {M}_c\) and \(\mathcal {M}_{\mathsf {atomic}}\) that have been introduced. Intuitively, when a term is not a message, either this property is actually stable for any renaming (e.g. \(\mathsf {sdec}(n,k)\)) or is due to the failure of a decryption (e.g. \(\mathsf {sdec}(\mathsf {senc}(n,k),k')\)). In such a case, maintaining the disequality between the terms modelling the encryption and the decryption keys is sufficient to ensure that the resulting term will not become a message.

Since proving a theory to be adequate may be a bit tedious, we develop in Sect. 4.2 a criterion that allows us to conclude for the theory given above and many others.

3.2 Our Transformation

We now explain how to formally get rid of nonces. Our transformation is actually modular w.r.t. which nonces shall be abstracted. Let P be a simple process in which any name is bound at most once. This means that any name that does not occur explicitly in the scope of a restriction is distinct from those introduced by the \(\mathsf {new}\) operator. Moreover, a same name can not be introduced twice by the operator \(\mathsf {new}\). Our transformation is parametrised by a set of names \(\mathsf {N}\) which correspond to the \(\mathsf {new}\) instructions that we want to remove (typically those under a replication).

We denote by \(\overline{P}^\mathsf {N}\) (or simply \(\overline{P}\) when \(\mathsf {N}\) is clear from the context) the process obtained from P by removing every instruction \(\mathsf {new}\; n\) for any \(n \in \mathsf {N}\). Given B(c) a basic process built on channel c, we denote by \(B^\star (c^\star )\) the process obtained from B by applying a bijective alpha-renaming on each name bound by a \(\mathsf {new}\) instruction and replacing each occurrence of the channel c with the channel \(c^\star \) (that is assumed to be fresh).

Example 8

Consider the process \(P \,=\, ! \mathsf {new}\; c'. \mathsf {out}(c,c'). B\) where B is a basic process built on channel \(c'\). Let \(B = \mathsf {new}\;n. \mathsf {out}(c', \mathsf {senc}(n,k))\), and \(\mathsf {N} = \{n\}\). We have that:

1. 1.

   \(\overline{P} \,=\, ! \mathsf {new}\; c'. \mathsf {out}(c,c'). \mathsf {out}(c', \mathsf {senc}(n,k))\), and

2. 2.

   \(B^\star (c^\star ) \,=\, \mathsf {new}\, n^\star . \mathsf {out}(c^\star ,\mathsf {senc}(n^\star ,k))\).

Note that B and \(B^\star (c^\star )\) are identical up to the fact that they proceed on different channel. The transformation \(\star \) applied on the basic process is just here to emphasise the fact that bound names are renamed to avoid some confusion due to name clashes.

Now, our transformation consists of combining these two building blocks. When removing fresh names from a process P, we keep a copy of one of the replicated basic processes of P, identified by its channel c. More formally, given a simple process P of the form \(P \,=\, !\,\mathsf {new}\, c'. \mathsf {out}(c,c').B \mid P'\), and a set of names \(\mathsf {N}\), the resulting process \(\overline{P}^{\mathsf {N},c}\) is defined as follows:

$$\overline{P}^{\mathsf {N},c} \;\; \mathop {=}\limits ^{\mathsf {def}} \;\;\overline{P}^{\mathsf {N}} \mid {B}^\star (c^\star ).$$

Sometimes we simply write \(\overline{P}^c\) instead of \(\overline{P}^{\mathsf {N},c}\) when \(\mathsf {N}\) is clear from the context.

Example 9

Continuing Example 8, we have that:

$$\overline{P}^{\mathsf {N},c} \,=\; !\, \mathsf {new}\; c'. \mathsf {out}(c,c'). \mathsf {out}(c', \mathsf {senc}(n,k)) \; \mid \; \mathsf {new}\, n^\star . \mathsf {out}(c^\star ,\mathsf {senc}(n^\star ,k)).$$

3.3 Main Result

We are now able to state our main result. We consider a signature \(\varSigma = \varSigma _c \uplus \varSigma _d\) together with a convergent rewriting system \(\mathcal {R}\), and a notion of messages \(\mathcal {M}_\varSigma \) such that the theory \((\varSigma ,\mathcal {R})\) is adequate w.r.t. \(\mathcal {M}_\varSigma \). Given a simple process P, we note \(\mathsf {Ch}(P)\) the set of public channel names occurring under a replication in P.

Theorem 1

Let P and Q be two simple protocols such that \(\mathsf {Ch}(P) = \mathsf {Ch}(Q)\), and \(\mathsf {N}\) be a set of names (intuitively those that we want to abstract away). We have that:

$$[\forall c \in \mathsf {Ch}(P).\ \overline{P}^{\mathsf {N},c} \approx \overline{Q}^{\mathsf {N},c}] \; \Rightarrow \; P \approx Q $$

Note that, in case \(\mathsf {Ch}(P) \ne \mathsf {Ch}(Q)\), we trivially have that \(P \not \approx Q\) since one process is able to emit on a channel whereas the other is not.

This theorem shows that whenever two processes are not in trace equivalence, then it is possible to find a witness of non-equivalence when nonces are replaced by constants provided that one basic process under a replication has been duplicated.

Example 10

Continuing the example developed in introduction and pursued in Sect. 3.2, we consider

1. 1.

   \(P \,=\, ! \mathsf {new}\; c'. \mathsf {out}(c,c'). \mathsf {new}\;n_P. \mathsf {out}(c', \mathsf {senc}(n_P,k))\), and

2. 2.

   \(Q \,=\, ! \mathsf {new}\; c'.\mathsf {out}(c,c'). \mathsf {out}(c',\mathsf {senc}(n_Q,k))\).

Let \(\mathsf {N} = \{n_P\}\). We have that:

1. 1.

   \(\overline{P}^c \,=\, ! \mathsf {new}\; c'. \mathsf {out}(c,c'). \mathsf {out}(c', \mathsf {senc}(n_P,k)) \; \mid \; \mathsf {new}\, n_P^\star . \mathsf {out}(c^\star ,\mathsf {senc}(n_P^\star ,k))\), and

2. 2.

   \(\overline{Q}^c \,=\, ! \mathsf {new}\; c'. \mathsf {out}(c,c').\mathsf {out}(c',\mathsf {senc}(n_Q,k)) \; \mid \; \mathsf {out}(c^\star ,\mathsf {senc}(n_Q,k))\).

Clearly \(\overline{P}^c \not \approx \overline{Q}^c\) since an attacker can observe that \(\overline{P}^c\) may send two distinct messages while \(\overline{Q}^c\) cannot. Intuitively, the attack reflecting that \(P \not \approx Q\) can be reflected in \({\overline{P}^c \not \approx \overline{Q}^c}\). Another choice for \(\mathsf {N}\) is to consider the set \(\{n_P,n_Q\}\) but this would lead exactly to the same result.

3.4 Sketch of Proof

To establish our result, we first establish how to map traces from P to \(\overline{P}^{\mathsf {N}}\). Given a simple process P, and a trace \((\mathsf {tr},\phi ) \in \mathsf {trace}(P)\), we denote by \(\rho ^{P,\mathsf {N}}_{(\mathsf {tr},\phi )}\) the replacement that associates to each name \(r \in \mathcal {N}\) generated during the execution under study and occurring in the frame \(\phi \), the name \(n \in \mathsf {N}\) that occurs in the instruction \(\mathsf {new}\ n\) of P and that is responsible of the generation of this fresh name. This amounts in losing freshness of all the \(\mathsf {new}\ n\) instructions with \(n \in {\mathsf {N}}\). Indeed all nonces induced by such an instruction are collapsed into a single nonce n. Our transformation is parametric in \(\mathsf {N}\): we may replace all \(\mathsf {new}\) instructions or simply part of them. Note that, for simple processes, once \((\mathsf {tr},\phi )\) is fixed, this replacement is uniquely defined.

Lemma 1

Let P be a simple protocol, \(\mathsf {N}\) be a set of names, and \((\mathsf {tr},\phi ) \in \mathsf {trace}(P)\). We have that \((\mathsf {tr},\phi \rho ^{P,\mathsf {N}}_{(\mathsf {tr},\phi )}) \in \mathsf {trace}(\overline{P}^{\mathsf {N}})\).

This proposition is shown by induction on the length of the trace under study and by case analysis on the rule of the semantics that is applied to allow the process to evolve. The crucial point is that the lack of freshness induced by considering \(\overline{P}^\mathsf {N}\) instead of P only generates more equalities between terms, and thus more behaviours. Now, it remains to ensure that the disequality that is needed to witness the non-equivalence still remains, and this is the purpose of considering a fresh copy, namely \(B^\star (c^\star )\).

Sketch of proof of Theorem 1 . The idea is to show that a witness of non-equivalence for \(P \not \approx Q\) can be converted into a witness of non-equivalence for \(\overline{P}^c \not \approx \overline{Q}^c\) for at least one \(c \in \mathsf {Ch}(P) = \mathsf {Ch}(Q)\). Due to the fact that we consider simple processes, three main cases may occur (the three other symmetric cases can be handled similarly). We have that \((\mathsf {tr},\phi )\in \mathsf {trace}(P)\), and

1. 1.

   there exists \(\psi \) such that \((\mathsf {tr},\psi )\in \mathsf {trace}(Q)\) and two recipes \(R_1,R_2\) such that \(R_1\phi \mathord {\downarrow }\), \(R_2\phi \mathord {\downarrow }\), \(R_1\psi \mathord {\downarrow }\) and \(R_2\psi \mathord {\downarrow }\) are messages; \(R_1\phi \mathord {\downarrow }=R_2\phi \mathord {\downarrow }\) and \(R_1\psi \mathord {\downarrow }\ne R_2\psi \mathord {\downarrow }\); or

2. 2.

   there exists \(\psi \) such that \((\mathsf {tr},\psi )\in \mathsf {trace}(Q)\) and a recipe R such that \(R\phi \mathord {\downarrow }\) is a message but \(R\psi \mathord {\downarrow }\) is not; or

3. 3.

   there exists no frame \(\psi \) such that \((\mathsf {tr},\psi )\in \mathsf {trace}(Q)\).

Each case is proved separately, following the same lines. First, thanks to Lemma 1, in case \((\mathsf {tr},\phi \rho ^{P,\mathsf {N}}_{(\mathsf {tr},\phi )})\) is still a witness of non-equivalence, we easily conclude. This roughly means that we do not even need the fresh copy to exhibit the non-equivalence. Otherwise, we need to maintain a disequality to ensure that the distinguishing test will not hold on the Q side. Since we consider adequate theories, we know that this disequality can be maintained through the use of two distinct names. This is exactly why a fresh copy is needed. The other cases can be handled similarly.

4 Scope of Our Result

In this section, we explain why we need to assume simple processes and adequate theories and we discuss which class of protocols and primitives can be covered.

4.1 Simple Processes

Simple processes are really necessary for our simplification result to hold. We provide below a small counter example to our result for non simple processes.

Example 11

We consider symmetric encryption and pairs as in Example 1 with \({\mathsf {ok}\in \varSigma _0}\). We define the two following processes.

$$\begin{array}{rclcl} P \!\!\!&{}=&{} \!\!\!! \, \mathsf {new}\, c. \mathsf {out}(c_1,c). \mathsf {new}\, n. \mathsf {out}(c, \mathsf {senc}(n,k)) &{}&{}\!\!\! (1)\\ \!\!\!&{}\mid &{} \!\!\!{!} \, \mathsf {new}\, c. \mathsf {out}(c_2,c). \mathsf {in}(c,\langle \mathsf {senc}(x,k), \mathsf {senc}(x,k), \mathsf {senc}(y,k)\rangle ).\mathsf {out}(c, \mathsf {ok})&{}&{}\!\!\!(2)\\ \!\!\!&{}\mid &{} \!\!\!{!} \, \mathsf {new}\, c. \mathsf {out}(c_2,c). \mathsf {in}(c,\langle \mathsf {senc}(x,k), \mathsf {senc}(y,k), \mathsf {senc}(x,k)\rangle ).\mathsf {out}(c, \mathsf {ok})&{}&{}\!\!\!(3)\\ \!\!\!&{}\mid &{} \!\!\!{!} \, \mathsf {new}\, c. \mathsf {out}(c_2,c). \mathsf {in}(c,\langle \mathsf {senc}(y,k), \mathsf {senc}(x,k), \mathsf {senc}(x,k)\rangle ).\mathsf {out}(c, \mathsf {ok})&{}&{}\!\!\!(4)\\ Q \!\!\!&{} =&{} \!\!\!! \, \mathsf {new}\, c. \mathsf {out}(c_1,c). \mathsf {new}\, n. \mathsf {out}(c, \mathsf {senc}(n,k)) &{}&{} \\ \!\!\!&{} \mid &{}\!\!\!{!}\, \mathsf {new}\, c. \mathsf {out}(c_2,c). \mathsf {in}(c,\langle \mathsf {senc}(x,k), \mathsf {senc}(y,k), \mathsf {senc}(z,k)\rangle ).\mathsf {out}(c, \mathsf {ok}). \end{array} $$

Intuitively P expects a list of three ciphertexts among which two must be identical, while Q expects any three ciphertexts. The process Q is simple but P is not since several processes in parallel proceed on channel \(c_2\). We have that \(P \not \approx Q\): it is possible using (1) to generate distinct ciphertexts, concatenate them, and send the resulting message on \(c_2\). This message will not be accepted in P, but it will be accepted in Q.

Now, consider the process \(\overline{P}^{c_1}\) and \(\overline{Q}^{c_1}\) with \(\mathsf {N} = \{n\}\), that is the processes obtained by applying our transformation on channel \(c_1\) (the only branch that contains nonce generation) with the goal of getting rid of the instruction \(\mathsf {new}\, n\) on both sides. We obtain:

$$\begin{array}{rcl} \overline{P}^{c_1} \!\!\!&{}=&{} \!\!\!! \, \mathsf {new}\, c. \mathsf {out}(c_1,c). \mathsf {out}(c, \mathsf {senc}(n,k)) \\ \!\!\!&{}\mid &{}\!\!\! \, \mathsf {new}\, n^\star . \,\mathsf {out}(c^\star ,\mathsf {senc}(n^\star ,k))\\ \!\!\!&{}\mid &{} \!\!\!{!} \, \mathsf {new}\, c. \mathsf {out}(c_2,c). \mathsf {in}(c,\langle \mathsf {senc}(x,k), \mathsf {senc}(x,k), \mathsf {senc}(y,k)\rangle ).\mathsf {out}(c, \mathsf {ok})\\ \!\!\!&{}\mid &{} \!\!\!{!} \, \mathsf {new}\, c. \mathsf {out}(c_2,c). \mathsf {in}(c,\langle \mathsf {senc}(x,k), \mathsf {senc}(y,k), \mathsf {senc}(x,k)\rangle ).\mathsf {out}(c, \mathsf {ok})\\ \!\!\!&{}\mid &{} \!\!\!{!} \, \mathsf {new}\, c. \mathsf {out}(c_2,c). \mathsf {in}(c,\langle \mathsf {senc}(y,k), \mathsf {senc}(x,k), \mathsf {senc}(x,k)\rangle ).\mathsf {out}(c, \mathsf {ok})\\ \overline{Q}^{c_1}\!\!\!&{}=&{} \!\!\!! \, \mathsf {new}\, c. \mathsf {out}(c_1,c). \mathsf {out}(c, \mathsf {senc}(n,k)) \\ \!\!\!&{}\mid &{} \!\!\!\, \mathsf {new}\, n^\star . \,\mathsf {out}(c^\star ,\mathsf {senc}(n^\star ,k))\\ \!\!\!&{}\mid &{}\!\!\!{!}\, \mathsf {new}\, c. \mathsf {out}(c_2,c). \mathsf {in}(c,\langle \mathsf {senc}(x,k), \mathsf {senc}(y,k), \mathsf {senc}(z,k)\rangle ).\mathsf {out}(c, \mathsf {ok}). \end{array}$$

It is quite easy to see that the witness of non-equivalence given above is not a valid one anymore. Actually, we have that \(\overline{P}^{c_1}\) and \(\overline{Q}^{c_1}\) are in trace equivalence since only two distinct ciphertexts may be produced.

Note that it is easy to express standard protocols as simple processes. As explained previously, encoding security protocols as simple processes is a good practice, and gives power to the attacker. However, it prevents the modeling of unlinkability properties.

4.2 Adequate Theories

The fact that we consider adequate theories may seem to be a proof artefact. We could probably go beyond adequate theories, but this would be at the price of considering a more complex transformation, and in particular additional constants. We provide below an example of a theory that reflects the same kind of issues than the ones illustrated by the processes presented in Example 11.

Example 12

In addition to the signature introduced in Example 1, we consider an additional destructor symbol \(\mathsf {g}\) together with the following rewriting rules:

$$\begin{array}{rcl} \mathsf {g}(\langle \mathsf {senc}(x,z),\mathsf {senc}(x,z),\mathsf {senc}(y,z)\rangle ) &{} \rightarrow &{} \mathsf {ok}\\ \mathsf {g}(\langle \mathsf {senc}(x,z),\mathsf {senc}(y,z),\mathsf {senc}(x,z) \rangle ) &{} \rightarrow &{} \mathsf {ok}\\ \mathsf {g}(\langle \mathsf {senc}(y,z),\mathsf {senc}(x,z),\mathsf {senc}(x,z)\rangle ) &{} \rightarrow &{} \mathsf {ok}\end{array}$$

Assume for instance that \(\mathcal {M}_\varSigma \) is \(\mathcal {M}_{c}=\mathcal {T}(\varSigma _c,\mathcal {N})\) the set of all ground constructor terms. The resulting theory is not adequate. For instance, we have that the term \(t = \mathsf {g}(\langle \mathsf {senc}(n_1,k), \mathsf {senc}(n_2,k), \mathsf {senc}(n_3,k)\rangle )\) is in normal form and not a message. However, any renaming \(\rho \) that preserves distinctness between only two names among \(n_1,n_2,n_3\), will be such that \(t\rho \mathord {\downarrow }\in \mathcal {M}_\varSigma \). This yields a counter-example to our result, illustrated by the two following processes.

$$\begin{array}{rcl} P' \!\!\!&{}=&{} \!\!\!! \, \mathsf {new}\, c. \mathsf {out}(c_1,c). \mathsf {new}\, n. \mathsf {out}(c, \mathsf {senc}(n,k)) \\ \!\!\!&{}\mid &{} \!\!\!\, \, \mathsf {in}(c_2,\langle \mathsf {senc}(x_1,k), \mathsf {senc}(x_2,k), \mathsf {senc}(x_3,k)\rangle ). \\ \!\!\!&{}&{} \!\!\!\qquad \qquad \mathsf {let}\;y=\mathsf {g}(\langle \mathsf {senc}(x_1,k), \mathsf {senc}(x_2,k), \mathsf {senc}(x_3,k)\rangle )\;\mathsf {in}\;\mathsf {out}(c_2, y).\\ Q' \!\!\!&{} =&{} \!\!\!! \, \mathsf {new}\, c. \mathsf {out}(c_1,c). \mathsf {new}\, n. \mathsf {out}(c, \mathsf {senc}(n,k)) \\ \!\!\!&{}\mid &{} \!\!\!\mathsf {in}(c_2,\langle \mathsf {senc}(x_1,k), \mathsf {senc}(x_2,k), \mathsf {senc}(x_3,k)\rangle ).\mathsf {out}(c_2, \mathsf {ok}). \end{array} $$

The process \(P'\) expects three ciphertexts and returns the result of applying \(\mathsf {g}\) to them while \(Q'\) directly returns \(\mathsf {ok}\). For the same reasons as those explained in Example 11, we have that \(P' \not \approx Q'\) whereas \(\overline{P'}^{c_1} \approx \overline{Q'}^{c_1}\).

The equational theory above is contrived, and actually most of the equational theories useful to model cryptographic protocols can be shown to be adequate. An example of a non-adequate theory is \(\mathsf {tdcommit}\) as described in [18] which does not fit the structure of our rules. Since the adequacy hypothesis might be cumbersome to prove by hand for each theory, we exhibit a simple criterion that ensures adequacy: the absence of critical pair.

Definition 6

Given a signature \(\varSigma = \varSigma _c \uplus \varSigma _d\), and a convergent rewriting system \(\mathcal {R}\), we say that the theory \((\varSigma ,\mathcal {R})\) has no critical pair if \(\ell _1\) and \(\ell _2\) are not unifiable for any distinct rules \(\ell _1 \rightarrow r_1\), and \(\ell _2 \rightarrow r_2\) in \(\mathcal {R}\).

Our notion of critical pairs actually coincide with the usual one for the theories we consider. Indeed, rewrite rules are all of the form \(\ell \rightarrow r\) such that the head symbol of \(\ell \) is a destructor symbol and destructors may not appear anywhere else in \(\ell \) nor r. Theories without critical pairs are convergent and adequate.

Lemma 2

Given a signature \(\varSigma =\varSigma _c\uplus \varSigma _d\), a convergent rewriting system \(\mathcal {R}\), and a set of messages \(\mathcal {M}_\varSigma \) such that \(\mathcal {T}(\varSigma _c,\mathcal {N})\backslash \mathcal {M}_\varSigma \) is stable by renaming. If the theory \((\varSigma , \mathcal {R})\) has no critical pair, then \((\varSigma ,\mathcal {R})\) is convergent and adequate w.r.t. \(\mathcal {M}_\varSigma \).

This lemma allows us to conclude that many theories used in practice to model security protocols are actually adequate. This is the case of the theory given in Example 1, and the theories that are presented below.

Standard Cryptographic Primitives. We may enrich the theory described in Example 1 with function symbols to model asymmetric encryption, and digital signatures.

$$\varSigma ^+ = \varSigma \cup \{\mathsf {aenc}, \mathsf {adec}, \mathsf {sign}, \mathsf {checksign}, \mathsf {getmsg}, \mathsf {pub}, \mathsf {priv}, \mathsf {ok}\}.$$

Symbols \(\mathsf {adec}\)/\(\mathsf {aenc}\) and \(\mathsf {sign}\)/\(\mathsf {checksign}\) of arity 2 are used to model asymmetric encryption and signature, whereas \(\mathsf {pub}/\mathsf {priv}\) of arity 1 will be used to model key pairs, and the symbol \(\mathsf {priv}\) will be part of the signature \(\varSigma _\mathsf {priv}\). The symbol \(\mathsf {getmsg}\) may be used in case we want to consider a signature algorithm that does not protect the signed message. The corresponding rewrite rules are defined as follows:

$$\begin{array}{rcl} \mathsf {checksign}(\mathsf {sign}(x,\mathsf {priv}(y)),\mathsf {pub}(y)) &{}\rightarrow &{}\mathsf {ok}\\ \mathsf {getmsg}(\mathsf {sign}(x,\mathsf {priv}(y))) &{}\rightarrow &{} x \end{array} \;\;\;\;\;\; \mathsf {adec}(\mathsf {aenc}(x,\mathsf {pub}(y)),\mathsf {priv}(y)) \; \rightarrow \; x $$

Regarding the notion of messages, a reasonable choice for \(\mathcal {M}_{\varSigma ^+}\) is to consider \(\mathcal {M}_c^+ = \mathcal {T}(\varSigma _c \uplus \{\mathsf {aenc},\mathsf {sign},\mathsf {pub},\mathsf {priv},\mathsf {ok}\},\mathcal {N})\) the set of all ground constructor terms. We may also restrict \(\mathcal {M}_{\varSigma _+}\) in various ways to only allow some specific terms in key positions.

Blind Signatures. The following theory is often used to model blind signatures (see e.g. [18]), \(\mathsf {checksign}\) and \(\mathsf {unblind}\) are the only destructor symbols.

$$\begin{array}{rcl} \mathsf {checksign}(\mathsf {sign}(x,\mathsf {priv}(y)), \mathsf {pub}(y)) \!\!&{} \rightarrow &{}\!\! x\\ \mathsf {unblind}(\mathsf {blind}(x,y),y) \!\!&{} \rightarrow &{} \!\!x\\ \mathsf {unblind}(\mathsf {sign}(\mathsf {blind}(x,y),\mathsf {priv}(z)),y) \!\!&{} \rightarrow &{} \!\!\mathsf {sign}(x,\mathsf {priv}(z)) \end{array}$$

Zero-Knowledge Proofs. A typical signature for representing zero-knowledge proofs is \(\varSigma _\mathsf {ZKP}=\{\mathsf {Verify},\mathsf {ZKP},\mathsf {ok}\}\) where \(\mathsf {ZKP}\) represents a zero-knowledge proof and \(\mathsf {Verify}\) models the verification of the proof. To ease the presentation, we present how to model the proof of a particular statement, namely the fact that a ciphertext is the encryption of either 0 or 1. Such proofs are thoroughly used for example in the context of e-voting protocols such as Helios. In particular, the theory we consider here has been introduced in [16]. Specifically, let \(\varSigma _\mathsf {ZKP}^+=\varSigma _\mathsf {ZKP}\uplus \{\mathsf {raenc},\mathsf {radec},\mathsf {pub},\mathsf {priv},\mathsf {0},\mathsf {1}\}\) and consider the following rewrite rules.

$$\begin{array}{rcl} \mathsf {radec}(\mathsf {raenc}(x,z,\mathsf {pub}(y)),\mathsf {priv}(y)) \!\!&{}\rightarrow &{}\!\!x\\ \mathsf {Verify}(\mathsf {ZKP}(x,\mathsf {raenc}(\mathsf {0},x,\mathsf {pub}(y)),\mathsf {pub}(y)),\mathsf {raenc}(\mathsf {0},x,\mathsf {pub}(y)),\mathsf {pub}(y))\!\!&{}\rightarrow &{}\!\!\mathsf {ok}\\ \mathsf {Verify}(\mathsf {ZKP}(x,\mathsf {raenc}(\mathsf {1},x,\mathsf {pub}(y)),\mathsf {pub}(y)),\mathsf {raenc}(\mathsf {1},x,\mathsf {pub}(y)),\mathsf {pub}(y))\!\!&{}\rightarrow &{}\!\!\mathsf {ok}\\ \end{array}$$

The symbol \(\mathsf {raenc}\) represents randomised asymmetric encryption as reflected by the first rewrite rule. The two last rules ensure that a proof is valid only if the corresponding ciphertext contains either \(\mathsf {0}\) or \(\mathsf {1}\) and nothing else. Many variants of zero-knowledge proofs can be modelled in a very similar way.

5 Application of Our Result

Abstracting nonces with constants (as done in Theorem 1) may introduce false attacks. A typical case is when protocols make use of temporary secrets.

Example 13

Consider the signature described in Example 1. Let P and Q be:

$$\begin{array}{rcl} P \!\!&{}=&{} \!\!! \, \mathsf {new}\, c'. \mathsf {out}(c,c'). \mathsf {in}(c',x).\mathsf {new}\, n.\mathsf {out}(c',\mathsf {senc}(\mathsf {ok},n)).\\ &{}&{} \qquad \qquad \qquad \mathsf {let}\;y=\mathsf {sdec}(x,n)\;\mathsf {in}\;\mathsf {out}(c',y) ;\\ Q \!\!&{}=&{} \!\!! \, \mathsf {new}\, c'. \mathsf {out}(c,c').\mathsf {in}(c',x).\mathsf {new}\, n. \mathsf {out}(c',n).\\ \end{array}$$

The two processes are in equivalence: \(P \approx Q\). Now, consider the processes \(\overline{P}^{c}\) and \(\overline{Q}^{c}\) with \(\mathsf {N} = \{n\}\), that is, the processes obtained by applying our transformation on channel c to get rid of the fresh nonces.

$$\begin{array}{rcl} \overline{P}^{c} \!\!&{}=&{} \!\!! \, \mathsf {new}\, c'. \mathsf {out}(c,c'). \mathsf {in}(c',x). \mathsf {out}(c',\mathsf {senc}(\mathsf {ok},n)). \mathsf {let}\; y = \mathsf {sdec}(x,n)\; \mathsf {in}\; \mathsf {out}(c',y)\\ \!\!&{}&{} \!\!| \; \mathsf {in}(c^\star ,x). \mathsf {out}(c^\star ,\mathsf {senc}(\mathsf {ok},n^\star )). \mathsf {let}\; y = \mathsf {sdec}(x,n^\star ) \; \mathsf {in}\; \mathsf {out}(c^\star ,y) \end{array}$$

\(\overline{Q}^{c}\) is defined similarly. It is easy to notice that the output of the constant \(\mathsf {ok}\) is now reachable, yielding \(\overline{P}^{c} \not \approx \overline{Q}^{c}\).

5.1 Is Our Abstraction Precise Enough?

Our transformation may in theory also introduce false attacks for protocols without temporary secrets. In this section, we review several (secure) protocols of the literature and study whether a false attack is introduced by our transformation. To perform this analysis we rely on the ProVerif tool. For each protocol, we first consider a scenario with honest agents only as for the Yahalom protocol (Sect. 2). We then consider a richer scenario where honest agents are also willing to engage communications with a dishonest agent. In each case, we check whether ProVerif is able to establish:

1. 1.

   the equivalence between the original processes (left column);

2. 2.

   all the equivalences obtained after getting rid of all the nonces using our transformation (right column).

The results are reported on the table below: a \(\checkmark \) means that ProVerif succeeded and a  ✗ means that it failed. Actually, on most of the protocols/scenarios we have considered, our abstraction does not introduce any false attack. ProVerif models of our experiments are available online at http://www.lsv.ens-cachan.fr/~chretien/prot.tar.

Protocol name	Original (with nonces)	Our transformation (no nonce)
Yahalom (corrected version)
- simple scenario	\(\checkmark \)	\(\checkmark \)
- with a dishonest agent	\(\checkmark \)	\(\checkmark \)
Otway-Rees
- simple scenario	\(\checkmark \)	\(\checkmark \)
- with a dishonest agent	\(\checkmark \)	\(\checkmark \)
Kao-Chow (tagged version)
- simple scenario	\(\checkmark \)	\(\checkmark \)
- with a dishonest agent	\(\checkmark \)	\(\checkmark \)
Needham-Schroeder-Lowe
- simple scenario (secrecy of \(N_a\))	\(\checkmark \)	✗
- simple scenario (secrecy of \(N_b\))	\(\checkmark \)	\(\checkmark \)
- with a dishonest agent (secrecy of \(N_b\))	\(\checkmark \)	\(\checkmark \)
Denning-Sacco (asymmetric)
- simple scenario	\(\checkmark \)	\(\checkmark \)
- with a dishonest agent	\(\checkmark \)	\(\checkmark \)

Needham Schroeder Lowe Protocol. We briefly comment on the false attack introduced by our transformation on the Needham Schroeder Lowe protocol.

$$\begin{array}{lcl} \begin{array}{ll} 1.\;A \rightarrow B : &{}\!\!\{A, N_a\}_{\mathsf {pub}(B)} \\ 2.\; B \rightarrow A: &{} \!\!\{N_a, N_b, B\}_{\mathsf {pub}(A)}\\ 3.\; A \rightarrow B:&{} \!\!\{N_b\}_{\mathsf {pub}(B)} \end{array} &{}\;\;\;\;\;&{} \begin{array}{ll} 1.\; I(A) \rightarrow B :&{} \!\!\{A, N_i\}_{\mathsf {pub}(B)}\\ 2.\;B \rightarrow I(A): &{}\!\!\{N_i, N_b, B\}_{\mathsf {pub}(A)}\\ 3.\; I(A) \rightarrow B: &{}\!\!\{N_b\}_{\mathsf {pub}(B)} \end{array} \end{array}$$

The protocol is given on the left, and the (false) attack depicted on the right. This attack scenario (and more precisely step 3 of this scenario) is only possible when nonces are abstracted away with constants. Indeed, the attacker will not be able to decrypt the message \(\{N_i,N_b,B\}_{\mathsf {pub}(A)}\) he has received to retrieve the nonce \(N_b\). Instead he will simply replay an old message coming from a previous honest session between A and B. Since nonces have been replaced by constants, B will accept this old message, and will assume that \(N_i\) is a secret shared between A and B, while \(N_i\) is known by the attacker. Unfortunately, this abstraction does not seem to help ProVerif prove the security of new protocols. Nonetheless it can still be used as a proof technique to prove the security of protocols in classes defined in [9, 10].

5.2 Proof Technique

Our result can be used as a proof technique to show that two simple protocols are in trace equivalence. In particular, we have that the decidability result developed in [10] for tagged protocols without nonces can now, thanks to our transformation, be applied to study the security of protocols with nonces.

The decidability result given in [10] applies on type-compliant protocols. This roughly means that ciphertexts cannot be confused and this can be achieved by adding some identifier (a tag that is re-used in all sessions) in each ciphertext.

Applying our transformation to a simple, type-compliant protocol yields a process that belongs to the decidable class of [10].

Proposition 1

Let \((\varSigma ,\mathcal {R})\) be the theory given in Example 1 with \(\mathcal {M}_\varSigma = \mathcal {M}_\mathsf {atomic}\). Let P and Q be two simple and type-compliant protocols built on \((\varSigma ,\mathcal {R})\), and such that \(\mathsf {Ch}(P) = \mathsf {Ch}(Q)\). Let \(\mathsf {N}\) be the set of names that occur in P or Q.

The problem of deciding whether \(\overline{P}^{\mathsf {N},c}\) and \(\overline{Q}^{\mathsf {N},c}\) are in trace equivalence is decidable (for any \(c \in \mathsf {Ch}(P)\)).

6 Conclusion

Our simplification result allows to soundly reduce the equivalence of processes with nonces to the equivalence of processes without nonce. This can be seen as a proof technique. For example for tagged simple protocols with symmetric encryption, the resulting protocols fall in the decidable class of [10]. Similarly, we could use the decidability result of [9] for ping-pong protocols with one variable per transition.

Our result assumes protocols to be simple processes. Otherwise, to prevent some transition, it could be necessary to maintain several disequalities. We plan to go slightly beyond simple processes and simply require some form of determinacy. More generally, we plan to study whether such a reduction result can be obtained for arbitrary processes, that is, study whether it is possible to compute a bound on the number of fresh copies from the structure of the processes.

Regarding adequate theories, we believe that our criterion is general enough to capture even more theories like exclusive or, or other theories with an associative and commutative operator. This would however require to extend our formalism to arbitrary terms (not just destructor/constructor theories).

A Appendix

Lemma 1 is a direct corollary of Lemma 3 which we state below. In the following, we will only consider theories adequate w.r.t. \(\mathcal {M}_\varSigma \). Given a frame \(\phi \) (resp. \(\psi \)) and a name r in \(\phi \) (resp. \(\psi \)), let n(r) be the nonce in P (resp. Q) such that r is an instance of n(r) and let c(r) be the channel of the protocol’s branch which generated it. Actually, it can be computed as the channel on which r appeared first in \(\mathsf {tr}\phi \mathord {\downarrow }\) (resp. \(\mathsf {tr}\psi \mathord {\downarrow }\)). We note \(\mathcal {D}_\phi =\{r\in \phi ~|~n(r)\in \mathsf {N}\}\) and for any \(A \subseteq D_\phi \), we denote n(A) the application having A as domain, and such that \(n(A)(r) = n(r)\) for any \(r \in A\). To each nonce \(n\in \mathsf {N}\), we can associate a new name \(n^\star \): we can then define the function \(n^\star (\cdot )\) to be the function mapping any \(r\in \mathcal {D}_\phi \) to \((n(r))^\star \). Similarly, for any \(A \subseteq \mathcal {D}_\phi \), we denote \(n^\star (A)\) the function mapping any \(r \in A\) to \((n(r))^\star \).

Lemma 3

We have the two following properties.

1. 1.

   Let \((\mathsf {tr},\phi )\in \mathsf {trace}(P)\), \(\mathcal {D}_\phi =\{r\in \phi ~|~n(r)\in \mathsf {N}\}\) and \(\rho _0=n(D_\phi )\). Then \((\mathsf {tr},\phi \rho _0)\in \mathsf {trace}(\overline{P}^\mathsf {N})\).

2. 2.

   Moreover, let ch be a channel such that \(\mathsf {tr}=\mathsf {tr}_1.\mathsf {out}(c,ch).\mathsf {tr}_2\), \(\tilde{\mathcal {D}}_\phi =\{r\in \phi ~|~n(r)\in \mathsf {N}\wedge c(r)=ch\}\) and \(\rho = n(\mathcal {D}_\phi \backslash \tilde{\mathcal {D}}_\phi )\;\cup \; n^\star (\tilde{\mathcal {D}}_\phi )\). Then \((\mathsf {tr}^{\star },\phi \rho )\in \mathsf {trace}(\overline{P}^{\mathsf {N},c})\), where \(\mathsf {tr}^\star =\mathsf {tr}_1.\mathsf {tr}_2\{^{c^\star }/_{ch}\}\).

Proof

The proof of case 2 is done by induction on the length of the execution of \(\mathsf {tr}\) in P. For any rule in our semantics, we prove that the renaming \(\rho \) does not prevent the action from being executed as it only introduces new equalities and that the resulting multiset of processes and frame are similar, up to application of \(\rho \). Finally, case 1 can be seen as a special instance of case 2.    \(\square \)

Theorem 1

Let P and Q be two simple protocols such that \(\mathsf {Ch}(P) = \mathsf {Ch}(Q)\), and \(\mathsf {N}\) be a set of names (intuitively those that we want to abstract away). We have that:

$$[\forall c \in \mathsf {Ch}(P).\ \overline{P}^{\mathsf {N},c} \approx \overline{Q}^{\mathsf {N},c}] \; \Rightarrow \; P \approx Q. $$

Proof

Let us assume there exists a witness of non-equivalence \((\mathsf {tr},\phi )\in \mathsf {trace}(P)\). Three main cases can occur:

1. 1.

   there exists \(\psi \) such that \((\mathsf {tr},\psi )\in \mathsf {trace}(Q)\) and two recipes \(R_1,R_2\) such that \(R_1\phi \mathord {\downarrow }\), \(R_2\phi \mathord {\downarrow }\), \(R_1\psi \mathord {\downarrow }\) and \(R_2\psi \mathord {\downarrow }\) are messages; \(R_1\phi \mathord {\downarrow }=R_2\phi \mathord {\downarrow }\) and \(R_1\psi \mathord {\downarrow }\ne R_2\psi \mathord {\downarrow }\);

2. 2.

   or there exists \(\psi \) such that \((\mathsf {tr},\psi )\in \mathsf {trace}(Q)\) and a recipe R such that \(R\phi \mathord {\downarrow }\) is a message but \(R\psi \mathord {\downarrow }\) is not;

3. 3.

   or, finally, there exists no frame \(\psi \) such that \((\mathsf {tr},\psi )\in \mathsf {trace}(Q)\).

Note that the remaining symmetric cases are handled by considering a witness \((\mathsf {tr},\psi )\in \mathsf {trace}(Q)\) instead, as P and Q are both simple. We will deal with each case separately, with the same intermediate goal: define a renaming \(\rho \) on \(D_\psi \) such that any test failing in \(\psi \) still fails in \(\psi \rho \) while the successful tests in \(\phi \) remain so; then translate it into a valid trace of \(\overline{P}^{\mathsf {N},c}\) for some \(c\in \mathsf {Ch}(P)\).

Case 1: Let us examine \(R_1\psi \mathord {\downarrow }\) and \(R_2\psi \mathord {\downarrow }\). If the two terms do not share the same constructors, then for any renaming \(\rho \), \(R_1(\psi \rho )\mathord {\downarrow }\ne R_2(\psi \rho )\mathord {\downarrow }\), while for any renaming \(\rho '\), \(R_1(\phi \rho ')\mathord {\downarrow }=R_2(\phi \rho ')\mathord {\downarrow }\) (as the constructors are left unchanged, because every term is a message). Now, if the two terms share the same constructors, there must exist a leaf position p in them such that \(R_1\psi \mathord {\downarrow }|_p\ne R_2\psi \mathord {\downarrow }|_p\). Let us call t and s these terms respectively. If s or t is not an element of \(\mathcal {D}_\psi \), then \(s\rho \ne t\rho \) for any \(\rho \) with \( dom (\rho )=\mathcal {D}_\psi \). As in the previous case, we get that \(R_1(\psi \rho )\mathord {\downarrow }\ne R_2(\psi \rho )\mathord {\downarrow }\), while \(R_1(\phi \rho ')\mathord {\downarrow }=R_2(\phi \rho ')\mathord {\downarrow }\) for any renaming \(\rho '\). Else, assume \(s=r_1\) and \(t=r_2\) are two nonces of \(\mathcal {D}_\psi \) such that \(n(r_1)=n_1\in \mathsf {N}\) (resp. \(n(r_2)=n_2\in \mathsf {N}\)). If \(n_1\ne n_2\), consider the renaming \(\rho ^Q_0\) mapping any \(r \in \mathcal {D}_\psi \) to n(r). Then \(s\rho ^Q_0\ne t\rho ^Q_0\) and we get that \(R_1(\psi \rho ^Q_0)\mathord {\downarrow }\ne R_2(\psi \rho ^Q_0)\mathord {\downarrow }\). By Lemma 3, \((\mathsf {tr},\psi \rho ^Q_0)\in \mathsf {trace}(\overline{Q}^\mathsf {N})\).

Similarly, by defining \(\rho ^P_0\) as the function mapping any name \(r \in \mathcal {D}_\phi \) to n(r), we have that \((\mathsf {tr},\phi \rho ^P_0)\in \mathsf {trace}(\overline{P}^\mathsf {N})\). and \(R_1(\phi \rho ^P_0)\mathord {\downarrow }=R_2(\phi \rho ^P_0)\mathord {\downarrow }\). Hence we get a witness of non-equivalence between \(\overline{P}^\mathsf {N}\) and \(\overline{Q}^\mathsf {N}\), which can translate into a witness between \(\overline{P}^{\mathsf {N},c}\) and \(\overline{Q}^{\mathsf {N},c}\) for any \(c\in \mathsf {Ch}(P)\).

Else, if \(n(r_1)=n(r_2)=n\), we need to be more precise to define a proper \(\rho \). Let \(\mathsf {out}(c,ch)\) be the action of \(\mathsf {tr}\) such that \(\mathsf {tr}=\mathsf {tr}_1.\mathsf {out}(c,ch).\mathsf {tr}_2\) and \(c(r_2)=ch\). Let \(\tilde{\mathcal {D}}_\psi =\{r\in \psi ~|~n(r)\in \mathsf {N}\wedge c(r)=ch\}\) and \(\tilde{\mathcal {D}}_\phi =\{r\in \phi ~|~n(r)\in \mathsf {N}\wedge c(r)=ch\}\). \(r_1\in \mathcal {D}_\psi \backslash \tilde{\mathcal {D}}_\psi \) but \(r_2\in \tilde{\mathcal {D}}_\psi \) Consider now \(\rho _Q=n(\mathcal {D}_\psi \backslash \tilde{\mathcal {D}}_\psi )\cup n^\star (\tilde{\mathcal {D}}_\psi )\). In particular, \(r_1\rho _Q=n\) while \(r_2\rho _Q=n^\star \). Then \(s\rho _Q\ne t\rho _Q\) and we get that \(R_1(\psi \rho _Q)\mathord {\downarrow }\ne R_2(\psi \rho _Q)\mathord {\downarrow }\) and Lemma 3 ensures \((\mathsf {tr}^\star ,\psi \rho _Q)\in \mathsf {trace}(\overline{Q}^{\mathsf {N},c})\). Similarly, by defining \(\rho _P=n(\mathcal {D}_\phi \backslash \tilde{\mathcal {D}}_\phi )\cup n^\star (\tilde{\mathcal {D}}_\phi )\), Lemma 3 ensures \((\mathsf {tr}^\star ,\phi \rho _P)\in \mathsf {trace}(\overline{P}^{\mathsf {N},c})\) and \(R_1(\phi \rho _P)\mathord {\downarrow }=R_2(\phi \rho _P)\mathord {\downarrow }\) (only equalities have been introduced by removing the name restriction in P). Hence we get a witness of non-equivalence between \(\overline{P}^{\mathsf {N},c}\) and \(\overline{Q}^{\mathsf {N},c}\)

Case 2: Because \(R\psi \mathord {\downarrow }\) is not a message and our signature is adequate (see Definition 5), there must exist \(a,b\in \mathcal {N}\) such that \(a\ne b\) and for any renaming \(\sigma :\mathcal {N}\rightarrow \mathcal {N}\), \(a\sigma \ne b\sigma \Rightarrow t\sigma \mathord {\downarrow }\notin \mathcal {M}_\varSigma \). If \(a\notin \mathcal {D}_\psi \) or \(b\notin \mathcal {D}_\psi \), consider the renaming \(\rho ^Q_0\) mapping any name \(r \in \mathcal {D}_\psi \) to n(r): as \(a\rho ^Q_0=a\) and \(n(r)\ne a\) for any \(r\in \mathcal {D}_\psi \), \(R(\psi \rho ^Q_0)\mathord {\downarrow }\) is still not a message. On the other hand, if \(\rho ^P_0=n(\mathcal {D}_\phi )\), as \(R\phi \mathord {\downarrow }\) is a message, \(R\phi \mathord {\downarrow }\rho ^P_0=R(\phi \rho ^P_0)\mathord {\downarrow }\) is a message. Hence, Lemma 3 ensures \((\mathsf {tr},\phi \rho ^P_0)\in \mathsf {trace}(\overline{P}^\mathsf {N})\) while \((\mathsf {tr},\psi \rho ^Q_0)\notin \mathsf {trace}(\overline{Q}^\mathsf {N})\), leading to a witness of non-equivalence between \(\overline{P}^\mathsf {N}\) and \(\overline{Q}^\mathsf {N}\).

Else, assume \(a = r_1\) and \(b=r_2\) are two nonces in \(\mathcal {D}_\psi \). If \(n(r_1)\ne n(r_2)\), \(r_1\rho ^Q_0\ne r_2\rho ^Q_0\) and we can apply the same exact reasoning as before. So let us consider the case where \(n(r_1)=n(r_2)=n\). Let \(\mathsf {out}(c,ch)\) be the action of \(\mathsf {tr}\) such that \(\mathsf {tr}=\mathsf {tr}_1.\mathsf {out}(c,ch).\mathsf {tr}_2\) and \(c(r_2)=ch\). Let \(\tilde{\mathcal {D}}_\psi =\{r\in \psi ~|~n(r)\in \mathsf {N}\wedge c(r)=ch\}\) and \(\tilde{\mathcal {D}}_\phi =\{r\in \phi ~|~n(r)\in \mathsf {N}\wedge c(r)=ch\}\). \(r_1\in \mathcal {D}_\psi \backslash \tilde{\mathcal {D}}_\psi \) but \(r_2\in \tilde{\mathcal {D}}_\psi \) Consider now \(\rho _Q=n(\mathcal {D}_\psi \backslash \tilde{\mathcal {D}}_\psi )\cup n^\star (\tilde{\mathcal {D}}_\psi )\). In particular, \(r_1\rho _Q=n\) while \(r_2\rho _Q=n^\star \). Definition 5 ensures \(R(\psi \rho ^Q_0)\mathord {\downarrow }\) is still not a message. On the other hand, if \(\rho _P=n(\mathcal {D}_\phi \backslash \tilde{\mathcal {D}}_\phi )\cup n^\star (\tilde{\mathcal {D}}_\phi )\), as \(R\phi \mathord {\downarrow }\) is a message, \(R\phi \mathord {\downarrow }\rho _P=R(\phi \rho _P)\mathord {\downarrow }\) is a message. Hence, Lemma 3 ensures \((\mathsf {tr}^\star ,\phi \rho _P)\in \mathsf {trace}(\overline{P}^{\mathsf {N},c})\) while \((\mathsf {tr}^\star ,\psi \rho _Q)\in \mathsf {trace}(\overline{Q}^{\mathsf {N},c})\), leading to a witness of non-equivalence between \(\overline{P}^{\mathsf {N},c}\) and \(\overline{Q}^{\mathsf {N},c}\).

Case 3: if \(\mathsf {tr}\) ends with an output \(\mathsf {out}(c,\mathsf {w})\) such that \(\mathsf {w}\psi \) is not a message, we can define \(\rho _Q\) and \(\rho _P\) as in case 2 and obtain a witness of non-equivalence. Similarly, if \(\mathsf {tr}\) ends with an input or output \(\mathsf {out}(c,\mathsf {w})\) which cannot be executed in Q because a \(\mathsf {let}\) action did not reduce to a message, we can define \(\rho _Q\) and \(\rho _P\) as in case 2 and obtain a witness of non-equivalence. Consider now the subcase where \(\mathsf {tr}=\mathsf {tr}'.\mathsf {in}(c,R)\) for some \(\mathsf {tr}'\) such that \((\mathsf {tr}',\phi )\in \mathsf {trace}(P)\) and \((\mathsf {tr}',\psi )\in \mathsf {trace}(Q)\) for some frame \(\psi \). Because P and Q are both simple protocols, there exists a unique term \(u_P\) (resp. at most one term \(u_Q\)) in the multiset \(\mathcal {P}\) (resp. \(\mathcal {Q}\)) of processes from the execution of \(\mathsf {tr}'\) in P (resp. in Q) such that \(\mathsf {in}(c,u_P).M\in \mathcal {P}\) for some M (resp. \(\mathsf {in}(c,u_Q).N\in \mathcal {Q}\) for some N). Moreover, there exists \(\sigma _P\) such that \(R\phi \mathord {\downarrow }=u_P\sigma _P\) while there is no \(\sigma \) such that \(R\psi \mathord {\downarrow }=u_Q\sigma \). As before, we consider the renamings \(\rho ^Q_0=n(\mathcal {D}_\psi )\) and \(\rho ^P_0=n(\mathcal {D}_\phi )\). As \((\mathsf {tr},\phi \rho ^P_0)\in \mathsf {trace}(\overline{P}^\mathsf {N})\) and \((\mathsf {tr},\psi \rho ^Q_0)\in \mathsf {trace}(\overline{Q}^\mathsf {N})\) by Lemma 3, if there exists no \(\sigma \) such that \(u_Q\rho ^Q_0\sigma =R\psi \mathord {\downarrow }\rho ^Q_0\), \(\mathsf {tr}\) is a witness of non-equivalence between \(\overline{P}^\mathsf {N}\) and \(\overline{Q}^\mathsf {N}\) and we are done. So let us then assume there exists \(\sigma _0\) such that \(u_Q\rho ^Q_0\sigma _0=R\psi \mathord {\downarrow }\rho ^Q_0\) while \(u_Q\sigma \ne R\psi \mathord {\downarrow }\) for every \(\sigma \). There exist two leaves with positions \(p_1\) and \(p_2\) in \(R\psi \mathord {\downarrow }\) which corresponds to positions below variables in \(u_Q\) such that \(R\psi \mathord {\downarrow }|_{p_1}\ne R\psi \mathord {\downarrow }|_{p_2}\) but \(R(\psi \rho ^Q_0)\mathord {\downarrow }|_{p_1}=R(\psi \rho ^Q_0)\mathord {\downarrow }|_{p_2}\) and \(R\psi \mathord {\downarrow }|_{p_1}=r_1\) and \(R\psi \mathord {\downarrow }|_{p_2}=r_2\) such that \(n(r_1)=n(r_2)=n\in \mathsf {N}\). As repeatedly before, let \(\mathsf {out}(c,ch)\) be the action of \(\mathsf {tr}\) such that \(\mathsf {tr}=\mathsf {tr}_1.\mathsf {out}(c,ch).\mathsf {tr}_2\) and \(c(r_2)=ch\). Let \(\tilde{\mathcal {D}}_\psi =\{r\in \psi ~|~n(r)\in \mathsf {N}\wedge c(r)=ch\}\) and \(\tilde{\mathcal {D}}_\phi =\{r\in \phi ~|~n(r)\in \mathsf {N}\wedge c(r)=ch\}\). We have that \(r_1\in \mathcal {D}_\psi \backslash \tilde{\mathcal {D}}_\psi \) but \(r_2\in \tilde{\mathcal {D}}_\psi \). Consider now \(\rho _Q=n(\mathcal {D}_\psi \backslash \tilde{\mathcal {D}}_\psi )\cup n^\star (\tilde{\mathcal {D}}_\psi )\). In particular, \(r_1\rho _Q=n\) while \(r_2\rho _Q=n^\star \). As \(R\psi \mathord {\downarrow }\) is a message (by virtue of our semantics), \(R\psi \mathord {\downarrow }\rho _Q=R(\psi \rho _Q)\mathord {\downarrow }\) and now \(R(\psi \rho _Q)\mathord {\downarrow }|_{p_1}\ne R(\psi \rho _Q)\mathord {\downarrow }|_{p_2}\). As such, \(u_Q\rho _Q\sigma \ne R\psi \rho _Q\mathord {\downarrow }\) for any \(\sigma \). By defining \(\rho _P=n(\mathcal {D}_\phi \backslash \tilde{\mathcal {D}}_\phi )\cup n^\star (\tilde{\mathcal {D}}_\phi )\), as \(R\phi \mathord {\downarrow }\) is a message, \(R\phi \mathord {\downarrow }\rho _P=R(\phi \rho _P)\mathord {\downarrow }\) is a message. Hence, Lemma 3 ensures \((\mathsf {tr}^\star ,\phi \rho _P)\in \mathsf {trace}(\overline{P}^{\mathsf {N},c})\) while \((\mathsf {tr}^\star ,\psi )\notin \mathsf {trace}(\overline{Q}^{\mathsf {N},c})\) for any \(\psi \), leading to a witness of non-equivalence between \(\overline{P}^{\mathsf {N},c}\) and \(\overline{Q}^{\mathsf {N},c}\).    \(\square \)