We introduce a definition of bisimulation for cryptographic protocols. The definition includes a simple and precise model of the knowledge of the environment with which a protocol interacts. Bisimulation is the basis of an effective proof technique, which yields proofs of classical security properties of protocols and also justifies certain protocol optimizations. The setting for our work is the spi calculus, an extension of the pi calculus with cryptographic primitives. We prove the soundness of the bisimulation proof technique within the spi calculus.

We present a name-passing calculus that can be regarded as a simplified pi-calculus equipped with a cryptographic table. The latter is a data structure representing the relationships among names. We illustrate how the calculus may be used for modelling cryptographic protocols relying on symmetric shared keys and verifying secrecy and authenticity properties. Following classical approaches [3], we formulate the verification task as a reachability problem and prove its decidability assuming finite principals and bounds on the sorts of the messages synthesized by the attacker.