In the analysis of security protocols, methods and tools for reasoning about protocol behaviors have been quite effective. We aim to expand the scope of those methods and tools. We focus on proving equivalences P ≈ Q in which P and Q are two processes that differ only in the choice of some terms. These equivalences arise often in applications. We show how to treat them as predicates on the behaviors of a process that represents P and Q at the same time. We develop our techniques in the context

more »

... ues in the context of the applied pi calculus and implement them in the tool ProVerif. * A preliminary version of this work was presented at the 20th IEEE Symposium on Logic in Computer Science (LICS 2005) [20]. As in the applied pi calculus [6], terms are subject to an equational theory. Identifying an equational theory with its signature Σ, we write Σ M = N for an equality modulo the equational theory, and Σ M = N an inequality modulo the equational theory. (We write M = N and M = N for syntactic equality and inequality, respectively.) The equational theory is defined by a finite set of equations Σ M i = N i , where M i and N i are terms that contain only constructors and variables. The equational theory is then obtained from this set of equations by reflexive, symmetric, and transitive closure, closure by substitution (for any substitution σ, if Σ M = N then Σ σM = σN ), and closure by context application (if Σ M = N then Σ M {M/x} = M {N/x}, where {M/x} is the substitution that replaces x with M ). We assume that there exist M and N such that Σ M = N . As previously implemented in ProVerif, destructors are partial, non-deterministic operations on terms that processes can apply. More precisely,