 
Summary: Nordic Journal of Computing
A Bisimulation Method for Cryptographic Protocols
Martn Abadi
Systems Research Center
Compaq
ma@pa.dec.com
Andrew D. Gordon
Microsoft Research
adg@microsoft.com
Abstract. We introduce a definition of bisimulation for cryptographic protocols.
The definition includes a simple and precise model of the knowledge of the envi
ronment with which a protocol interacts. Bisimulation is the basis of an e#ective
proof technique, which yields proofs of classical security properties of protocols and
also justifies certain protocol optimizations. The setting for our work is the spi
calculus, an extension of the pi calculus with cryptographic primitives. We prove
the soundness of the bisimulation proof technique within the spi calculus.
1. Introduction
In reasoning about a reactive system, it is necessary to consider not only
the steps taken by the system but also the steps taken by its environment.
In the case where the reactive system is a cryptographic protocol, the envi
