Events in Security Protocols

Federico Crazzolara

Glynn Winskel

Computer Laboratory, University of Cambridge

England

{fc232,gw104}@cl.cam.ac.uk

ABSTRACT
The events of a security protocol and their causal dependency can play an important role in the analysis of security
properties. This insight underlies both strand spaces and the
inductive method. But neither of these approaches builds
up the events of a protocol in a compositional way, so that
there is an informal spring from the protocol to its model.
By broadening the models to certain kinds of Petri nets, a
restricted form of contextual nets, a compositional eventbased semantics is given to an economical, but expressive,
language for describing security protocols; so the events and
dependency of a wide range of protocols are determined once
and for all. The net semantics is formally related to a transition semantics, strand spaces and inductive rules, as well
as trace languages and event structures, so unifying a range
of approaches, as well as providing conditions under which
particular, more limited, models are adequate for the analysis of protocols. The net semantics allows the derivation
of general properties and proof principles which are demonstrated in establishing an authentication property, following
a diagrammatic style of proof.

1. INTRODUCTION
The last few years have seen the emergence of successful
intensional, event-based, approaches to reasoning about security protocols. The methods are concerned with reasoning
about the events that a security protocol can perform, and
make use of a causal dependency that exists between events.
For example, to show secrecy in a protocol it is shown that
there can be no earliest event violating a secrecy property;
any such event is shown to depend on some earlier event
which itself violates secrecy - because the behaviour of the
protocol does not permit such an infinite regress, the secrecy property is established. In a similar way, dependency
between events is used to establish forms of authentication
by showing that a sequence of communication events of one
BRICS, Centre of the Danish National Research Foundation.

Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for prot or commercial advantage and that copies
bear this notice and the full citation on the rst page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specic
permission and/or a fee.
CCS01, November 5-8, 2001, Philadelphia, Pennsylvania, USA.
Copyright 2001 ACM 1-58113-385-5/01/0011 ...$5.00.

agent entails a corresponding sequence of events of the intended participant.

Both the method of strand spaces [12] and the inductive method of Paulson [9] have been designed to support
such an intensional, event-based, style of reasoning. Strand
spaces are based on an explicit causal dependency of events,
whereas in Paulsons method the dependency is implicit in
the inductive rules, which might express, for instance, that
the input of a message depends on its previous output. Both
methods have successfully tackled a number of protocols
though in an ad hoc fashion. Both make an informal spring
from a protocol to its representation, as either a strand space
or a set of inductive rules. Both methods do not address how
to build up their representation of a protocol in a compositional fashion.
We show that Petri nets, and specifically a restricted form
of contextual nets [8], provide a common framework in which
to understand both the strand-space and inductive methods,
and it seems, although we understand it less well, the recent
multiset rewriting method of [3]. But, more importantly,
by moving to a broader class of models we can show how
event-based models can be structured in a compositional
way and so used to give a formal semantics to security protocols which supports proofs of their correctness. To make
the case, and provide semantics to a whole range of protocols once and for all, we study the semantics of SPL (Security Protocol Language). We demonstrate the usefulness
of the net semantics in deriving (in contrast to postulating)
proof principles for security protocols and apply them to
prove an authentication property - the diagrammatic style
of proof may be of interest in itself. We establish precise
relationships between the net semantics and transition semantics, strand spaces, inductive rules, and trace languages
and event structures. The results formally back up the adequacy of strand-space and inductive-rule representations for
broad classes of security protocols and properties, showing
when nothing is lost in moving to these more restrictive
models.

2.

SECURITY PROTOCOLS

As a running example we consider the Needham-Schr

oderLowe (NSL) protocol:
(1)
(2)
(3)

A B : {m, A}P ub(B)

B A : {m, n, B}P ub(A)
A B : {n}P ub(B)

This protocol, like many others of its kind, has two roles: one
for the initiator, here played by agent A (say Alice), and one

for the responder, here B (Bob). It is a public-key protocol

that assumes an underlying public-key infrastructure, such
as RSA [11]. Both agents have their own, secret private key.
Public keys in contrast are available to all participants in
the protocol. The NSL protocol makes use of nonces which
one can think of as newly generated, unguessable numbers
whose purpose is to ensure the freshness of messages.
The protocol describes an interaction between A in the
role of initiator and B as responder: A sends to B a new
nonce m together with her own agent name A, both encrypted with Bs public key. When the message is received
by B, he decrypts it with his secret private key. Once decrypted, B prepares an encrypted message for A that contains a new nonce together with the nonce received from A
and his name B. Acting as responder, B sends it to A, who
recovers the clear text using her private key. A convinces
herself that this message really comes from B by checking
whether she got back the same nonce sent out in the first
message. If that is the case, she acknowledges B by returning his nonce. B does a similar test.
Although in this informal explanation only two agents in
their respective roles are described, the protocol is really a
shorthand for a situation in which a network of distributed
agents are each able to participate in multiple concurrent
sessions as both initiator and responder. There is no assurance that they all stick to the protocol, or indeed that communication goes to the intended agent. An attacker might
dissemble and pretend to be one or several agents, taking
advantage of any leaked keys it possesses in deciphering,
and preparing the messages it sends. However in this paper
we assume cryptography unbreakable and random numbers
unguessable, following the lead of Dolev and Yao [4].
The NSL protocol aims at distributing nonces m and n
in a secure way, allowing no one but the initiator and the
responder to know them (secrecy). Another aim of the protocol is that, for example, Bob should be guaranteed that
m is indeed the nonce sent by Alice (authentication). Lowe
pointed out that the NSL protocol is prone to a middleman attack, violating both these secrecy and authentication properties, if, as in the original protocol, the name B
is not included in the second message [6].

3. SPL - A LANGUAGE FOR SECURITY

PROTOCOLS
In order to be more explicit about the activities of participants in a protocol and those of a possible attacker, and to
express these compositionally, we design an economical process language for the purpose. The language SPL (Security
Protocol Language) is close to an asynchronous Pi-Calculus
[7] and is similar to that adopted in [1], though in its treatment of new names its transition semantics will be closer to
that in [10] (it separates concerns of freshness from concerns
of scope which are combined in the Pi-Calculus restriction).

3.1 The syntax of SPL

We start by giving the syntactic sets of the language:
An infinite set of names N, with elements n, m, A, .
Names range over nonces as well as agent names, and
can also include other values.
Variables over names x, y, , X, Y, .
Variables over messages , 0 , 1 , .

Name expr.
Key expr.
Messages
Processes

v
k
M
p

::=
::=
::=
::=

n, A, | x, X,
P ub(v) | P riv(v) | Key(~v )
v | k | M1 , M2 | {M }k |
~
out new~
xM.p | in pat~
xM.p
| kiI pi

Figure 1: Syntax of SPL

Indices i Indices with which to index components
of parallel compositions.
The other syntactic sets of the language are described by the
grammar shown in Figure 1. Note we use vector notation;
for example, the vector ~x abbreviates some possibly empty
list x1 , , xl .
We take f v(M ), the free variables of a message M , to be
the set of variables which appear in M , and define the free
variables of process terms by:
f v(out new~xM.p)
~
f v(in pat~xM.p)
f v(kiI pi )

=
=
=

(f v(p) f v(M ))\{~x}

~
(f
S v(p) f v(M ))\{~x, }
f
v(p
).
i
iI

As usual, we say that a process without free variables is

closed, as is a message without variables. We shall use standard notation for substitution into the free variables of an
expression, though we will only be concerned with the substitution of names or closed (variable-free) messages, obviating the problems of variable capture.
We use P ub(v), P riv(v) for the public, private keys of v,
and we use Key(~v ) for the symmetric key shared by agents
with names in ~v . Keys can be used in building up encrypted
messages. Messages consist of a name or a key, the composition of two messages M1 , M2 , or an encryption {M }k
representing the message M encrypted using the key k.
An informal explanation of the language:
out new~xM.p This process chooses fresh, distinct names
~n = n1 , , nl and binds them to the variables ~x =
x1 , , xl . The message M [~n/~x] is output to the network and the process resumes as p[~n/~x]. The communication is asynchronous in the sense that the action
of output does not await input. The new construct is
like that of Pitts and Stark [10] and abstracts out an
important property of a value chosen randomly from
some large set: such a value is likely to be new.
~
in pat~xM.p
This process awaits an input that matches the
~
pattern M for some binding of the pattern variables ~x
and resumes as p under this binding. All the pattern
~ must appear in the pattern M .
variables ~x
kiI pi This process is the parallel composition of all components pi for i in the indexing set I. The set I is a
subset of Indices. Indices will help us distinguish in
what agent, which role and what run a particular action occurs. The process, written nil, abbreviates the
empty parallel composition (where the indexing set is
empty).
Convention 3.1. It simplifies the writing of process expressions if we adopt some conventions. Firstly, we simply
write out M.p when the list of new variables is empty.
Secondly, and more significantly, we allow ourselves to write
in M.p in an expression, to be understood as meaning
~
the expression in pat~xM.p
where the pattern vari~
ables ~x are precisely those variables left free in M by the

Init(A, B)

out new x{x, A}P ub(B) .

in{x, y, B}P ub(A) .
out{y}P ub(B) .
nil

Spy1
Spy2
Spy3
Spy4

in 1 .in 2 .out1 , 2 .nil

in1 , 2 .out 1 .out 2 .nil
in x.in .out {}P ub(x) .nil
in P riv(x).in {}P ub(x) .out .nil

Resp(B)

in{x, Z}P ub(B) .

out new y{x, y, B}P ub(Z) .
in{y}P ub(B) .
nil

Spy

ki{1,...,4} Spyi

Figure 3: Attacker code

Figure 2: Initiator and responder code

Pinit
Presp
Pspy

kA,B ! Init(A, B)
kA ! Resp(A)
! Spy

surrounding expression. For example, we can describe a responder in NSL as the process Resp(B) in Figure 2. For
the first input, the variables x, Z in {x, Z}P ub(B) are free
in the whole expression, so by convention are pattern variables. On the other hand, in the second input the variable y
in {y}P ub(B) is bound by the outer out new y and so by
the convention is not a pattern variable, and has to be that
value sent out earlier. Replication of a process, !p, abbreviates ki p, consisting of countably infinite copies of p set in
parallel.

N SL

ki{resp,init,spy} Pi

An obvious structural induction defines the set of names

of a process. We define size(p) of a process term p to be
an ordinal measuring the depth of process operations in the
term.
Definition 3.1. The size of a closed process term is an
ordinal given by the structural induction:
size(out new~xM.p) = 1 + size(p)
~
size(in pat~xM.p)
= 1 + size(p)
size(kiI pi ) = 1 + supiI size(pi ).

(composing)
(decompg)
(encrypting)
(decrypting)

Figure 4: The system

3.3

A transition semantics

We first give a, fairly traditional, transition semantics to

SPL. It says how input and output actions affect configurations; a configuration expresses the state of execution of
the process, the messages so far output to the network and
the names currently in use.
A configuration consists of a triple hp, s, ti where p is a
closed process term, s is a subset of the set of names N,
and t is a subset of closed (i.e., variable-free) messages. We
say the configuration is proper iff the names in p and t are
included in s. The idea is that a closed process p acts in
the context of the set of names s that have been used so
far, and the set of messages t which have been output, to
input a message or to generate new names before outputting
a message.
Actions may be inputs or new-outputs, possibly tagged
by indices to show at which parallel component they occur:
::= out new ~n.M | in M | i :

3.2 NSL as a process

As an illustration, we can program the NSL protocol in
our language, and so formalise the introductory description
given in the Section 2. We assume given a set of agent
names, Agents, of agents participating in the protocol. The
agents participating in the NSL protocol play two roles, as
initiator and responder with any other agent. Abbreviate
by Init(A, B) the program of initiator A Agents communicating with B Agents and by Resp(B) the program of
responder B Agents. The code of both an arbitrary initiator and an arbitrary responder is given in Figure 2. In the
code we are forced to formalise aspects that are implicit in
the informal description, such as the creation of new nonces,
the decryption of messages and the matching of nonces.
We can model the attacker by directly programming it as a
process. Figure 3, shows a general, active attacker or spy.
The spy has the capability of composing eavesdropped messages, decomposing composite message, and using cryptography whenever the appropriate keys are available; the available keys are all the public keys and the leaked private keys.
By choosing a different program for the spy we can restrict
or augment its power, e.g., to passive eavesdropping or active falsification.
The whole system is obtained by putting all components
in parallel. Components are replicated, to model multiple
concurrent runs of the protocol. The system is described in
Figure 4.

where M is a closed message, ~n are names and i is an index drawn from Indices. We write out M for an output
action, outputting a message M , where no new names are
generated.
The way configurations evolve is expressed by transitions

hp, s, ti hp0 , s0 , t0 i, given by the rules shown in Figure 5.

The transition semantics allows us to state formally many
security properties. However, it does not support directly
local reasoning of the kind one might wish to apply in the
analysis of security protocols. To give an idea of the difficulty, imagine we wished to establish that the nonce generated by B as responder in NSL was never revealed as an
open message on the network. A reasonable way to prove
such a property is to find a stronger invariant, a property
which can be shown to be preserved by all the actions of the
process. Equivalently, one can assume that there is an earliest action l in a run which violates the invariant, and derive
a contradiction by showing that this action must depend on
a previous action, which itself violates the invariant.
An action might depend on another action through being, for example, an input depending on a previous output,
or simply through occurring at a later control point in a
process. A problem with the transition semantics is that
it masks such local dependency, and even the underlying
process events on which the dependency rests. The wish
to support arguments based on local dependency leads to a
more refined semantics based on events.

(output) Provided the names ~

n are all distinct and not in s,
hout new~
xM.p, s, ti

out new ~
nM [~
n/~
x]

hp[~
n/~
x], s {~
n}, t {M [~
n/~
x]}i

~ t,
~ /]
(input) Provided M [~
n/~
x, N
~
hin pat~
xM.p,
s, ti

~
~ /]
in M [~
n/~
x,N

~ s, ti
~ /],
hp[~
n/~
x, N

(par)

hpj , s, ti hp0j , s0 , t0 i
j:

The set of events associated with SPL is given by an

inductive definition. Define Events to be the smallest set
which includes all output, input and indexed events:
Output events Out(out new~xM.p; ~n),
where ~n = n1 , , nl are distinct names to match the
variables ~x = x1 , , xl , consist of an event e with
these pre- and postconditions:
c

jI

hkiI pi , s, ti hkiI p0i , s0 , t0 i

where p0i is p0j for i = j, else pi .

e = {out new~xM.p}, oe = , ne = ,

ec = Ic(p[~n/~x]), eo = {M [~n/~x]}, en = {n1 , , nl }.

The action of an output event is
act(Out(out new ~xM.p; ~n)) = out new ~n.M [~n/~x].

Figure 5: Transition semantics

4. THE EVENTS OF SPL

We must first address the issue of what constitutes an
event of a security protocol. Here, we follow the lead from
Petri nets (see Appendix), and define events in terms of how
they affect conditions. Conditions are to represent some
form of local state and we discern conditions of three kinds:
control, output and name conditions.
The set of control conditions C consists of output or input
processes, perhaps tagged by indices, and is given by the
grammar
~
b ::= out new~xM.p | in pat~xM.p
|i:b
where i Indices. A condition in C stands for the point of
control in a (single-thread) process. When C is a subset of
control conditions we will write i : C to mean {i : b | b C}.
The set of output conditions O consists of closed message
expressions. An individual condition M in O stands for the
message M having been output on the network. Output
conditions are persistent; once they are made to hold they
continue to hold forever. This squares with our understanding that once a message has been output to the network it
can never be removed, and can be input repeatedly.
The set of name conditions is precisely the set of names
N. A condition n in N stands for the name n being in use.
We define the initial control conditions of a closed process
term p, to be the subset Ic(p) of C, given by the following
structural induction:
Ic(out new~xM.p) = {out new~xM.p}
~
~
Ic(in pat~xM.p)
= {in pat~xM.p}
[
Ic(kiI pi ) =
i : Ic(pi )

@
@
R
out new ~
nM [~
n/~
x] @

C S M [~n/~x]
Ic(p[~
n/~
x])

/ p p p WC w
S

nk
nk
l
p p p
1
l

out new ~
xM.p

An occurrence of the event Out(out new ~xM.p; ~n) affects the control conditions and puts the new names
n1 , , nl into use, necessarily for the first time as according to the token game the event occurrence must
avoid contact with names already in use.
The definition includes the special case when ~x and
~n are empty lists, and we write Out(out M.p) for
the output event with no name conditions and action
out M .
~
~ where ~n is a list
Input events In(in pat~xM.p;
~n, L),
~
of names to match ~x and L is a list of closed messages
~ consist of an event e with these pre- and
to match ,
postconditions:
o
n
~
~
~ ]},
e = {in pat~xM.p},
e = {M [~n/~x, L/
e = ,

~
~ ]),
ec = Ic(p[~n/~x, L/
eo = , en = .
The action of an input event is
~
~
~ = in M [~n/~x, L/
~ ].
act(In(in pat ~xM.p;
~n, L))
~
in pat ~
xM.p

where the last case also includes the base case nil , when the
indexing set is empty.
We shortly define the set of events Events as a subset of
Pow(C)Pow(O)Pow(N)Pow(C)Pow(O)Pow(N).
e = (ce,o e,n e, ec , eo , en )
where ce is the set of C-preconditions of e, ec is the set
of C-postconditions of e, etc. Write e for ce o e n e, all
preconditions of e, and e for all postconditions ec eo en .
Earlier in the transition semantics we used actions to
specify the nature of transitions. An event e is associated
with a unique action act(e).

~
~ ]

M [~
n/~
x, L/

@
@
R
@

~
~
in M [~
n/~
x, L/]

~
~ ])
p p p
Ic(p[~
n/~
x, L/

iI

So an individual event e Events is a tuple

Indexed events i : e, where e Events, i Indices,

and
c

(i : e) = i :c e ,
(i : e)c = i : ec ,

(i : e) =o e , n(i : e) =n e ,
(i : e)o = eo , (i : e)n = en .

The action of an indexed event is act(i : e) = i : act(e).

When E is a subset of events we will generally use i : E
to mean {i : e | e E}.

In defining the set of conditions and, inductively, the set of

events, we have in fact defined a (rather large) net from the
syntax of SPL. The SPL-net has conditions C O N and
events Events. Its markings M will be subsets of conditions
and so of the form
M=cst

define the token game on the net N et(p) exactly as we did

earlier for the SPL-net, but this time events are restricted to
being in the set Ev(p). Its clear that if an event transition
is possible in the restricted net N et(p) then so is it in the
SPL-net. The converse also holds provided one starts from
a marking whose control conditions either belong to Ic(p)
or are conditions of events in Ev(p).

where c C, s N, and t O. By assumption the set

of conditions O are persistent so the net is a contextual net
with the following token game - see Appendix A.3.
Letting c s t and c0 s0 t0 be two markings,

Definition 6.1. Let p be a closed S

process term. Define
its control-conditions by pc = Ic(p) {ec | e Ev(p)}.

c s t c s t iff
i) e c s t & ec c = & en s = and
ii) c0 = (c \c e) ec & s0 = s en & t0 = t eo .
In particular, the occurrence of e begins the holding of its
name postconditions en - these names have to be distinct
from those already in use to avoid contact.

5. RELATING SEMANTICS
The behaviour of the SPL-net is closely related to the
transition semantics given earlier.
Theorem 5.1.

i) If hp, s, ti hp0 , s0 , t0 i, then for some e Events

e
with act(e) = , Ic(p) s t Ic(p0 ) s0 t0 .
e

ii) If Ic(p) s t M in the SPL-net, then for some

closed process term p0 , for some s0 N and t0 O,
act(e)

hp, s, ti hp0 , s0 , t0 i and M0 = Ic(p0 ) s0 t0 .

Definition 5.1. Let e Events. Let p be a closed proe
cess, s N, and t O. Write hp, s, ti hp0 , s0 , t0 i iff
e
0
0
0
Ic(p) s t Ic(p ) s t in the SPL-net.

6. THE EVENTS OF A PROCESS

Generally for a process p only a small subset of the events
Events can ever come into play. For this reason its useful
to restrict the events to those reachable in the behaviour of
a process.
The set Ev(p) of events of a closed process term p is defined by induction on size:
Ev(out new~xM.p) =
{Out(out new~xM.p; ~n) | ~n distinct names}
[

{Ev(p[~n/~x]) | ~n distinct names}

~
Ev(in pat~xM.p)
=

~
~ | ~n names, L
~ closed messages}
{In(in pat~xM.p;
~n, L)
[
~ | ~n names, L
~ ])
~ closed messages}

{Ev(p[~n/~x, L/
[
Ev(kiI pi ) =
i : Ev(pi ) .

Lemma 6.1. Let M C pc . Let e Events. Then,

e
e
M M0 in the SPL-net iff e Ev(p) & M M0 in
N et(p).
Consequently, in analysing those sequences of event transitions a closed process p can perform it suffices to study the
behaviour of N et(p) with its restricted set of events Ev(p).
This simplification is especially useful in proving invariance
properties because these amount to an argument by cases
on the form of events a process can do.
Proposition 6.2. Let e Events. Suppose that hp, s, ti
and hp0 , s0 , t0 i are configurations, and that hp, s, ti is proper.
e
If hp, s, ti hp0 , s0 , t0 i, then hp0 , s0 , t0 i is also proper.
Important convention: From now on we assume that all
configurations hp, s, ti are proper.

7.

PROVING SECURITY PROPERTIES

To demonstrate the viability of the net semantics as a

tool in proving security properties, we use the semantics to
derive general principles for proving secrecy and authentication. The principles capture the kind of dependency reasoning found in the strand spaces and inductive methods.
To illustrate the principles in action, we apply them to establish an authentication guarantee for the responder part
of the NSL protocol. We introduce a diagrammatic style of
reasoning which we find helpful.

7.1

General proof principles

From the net semantics we can derive several principles

useful in proving authentication and secrecy of security protocols. Write M < M 0 to mean message M in a subexpression of message M 0 , i.e., < is the smallest binary relation on
messages such that:
M <M
M < N M < N, N 0 and M < N 0 , N
M < N M < {N }k
where M, N, N 0 are messages and k is a key expression. We
also write M < t iff M 0 . M < M 0 M 0 t, for a set of
messages t.
Proposition 7.1. (Well-foundedness) Given a property
P on configurations, if a run
e

er+1

r
1
hpr , sr , tr i ,
hp0 , s0 , t0 i

iI

As an example, the events Ev(N SL) are shown in the

Appendix.
A closed process term p denotes a net N et(p) consisting
of the global set of conditions C O N built from SPL,
events Ev(p) and initial control conditions Ic(p). We can

contains a configurations s.t. P(p0 , s0 , t0 ) and P(pj , sj , tj ),

then there is an event eh , 0 < h j, such that P(pi , si , ti )
for all i h and P(ph , sh , th ).
We say that a name m N is fresh on an event e if m en
and we write F resh(m, e).

Proposition 7.2. (Freshness) Within a run

e

er+1

1
r
hp0 , s0 , t0 i

hpr , sr , tr i ,

there is a earliest event following b2 but preceding b3 that

violates Q. Let e be such an event.

i) If n si then either n s0 or there is a previous event

ej such that F resh(n, ej ).
ii) Given a name n there is at most one event ei s.t.
F resh(n, ei ).
iii) If F resh(n, ei ) then for all j < i the name n does not
appear in hpj , sj , tj i.
Proposition 7.3. (Control precedence) Within a run
e1

er+1

er

hp0 , s0 , t0 i hpr , sr , tr i ,

Inspecting the events of the N SL protocol (see Appendix),

using the assumption that P riv(A0 ) 6< t0 , one can show that
e can only be an initiator event a03 with action
act(a03 ) = init : (A, B0 ) : j : out{n0 }P ub(B0 )
for some index j and agent A. There must also be preceding
events a01 , a02 with actions
act(a01 ) =
act(a02 ) =

if M o ei , then either M t0 or there is an earlier event

ej , j < i, such that M ej o .

7.2 An example: authentication for NSL

We will prove authentication for a responder in an NSL
protocol in the sense that: to any complete session of agent
B0 as responder, apparently with agent A0 , there corresponds a complete session of agent A0 as initiator. We refer
to the Appendix for the events of NSL.
In the proof its helpful to make use of a form of diagrammatic reasoning which captures the precedence of events.
/ e0 when e preWhen the run is understood, we draw e
0
0
cedes e in the run, allowing e = e .
Theorem 7.5

(Authentication). If a run of NSL

e

er+1

1
r
hN SL, s0 , t0 i

hpr , sr , tr i ,

contains the responder events b1 , b2 , b3 , with actions

act(b1 ) = resp : B0 : i : in {m0 , A0 }P ub(B0 ) ,
act(b2 ) = resp : B0 : i : out new n0 {m0 , n0 , B0 }P ub(A0 ) ,
act(b3 ) = resp : B0 : i : in{n0 }P ub(B0 ) ,
for an index i, and P riv(A0 ) <
6 t0 , then the run contains
/ b3 , where, for some
initiator events a1 , a2 , a3 with a3
index j,
act(a1 ) = init : (A0 , B0 ) : j : out new m0 {m0 , A0 }P ub(B0 ) ,
act(a2 ) = init : (A0 , B0 ) : j : in{m0 , n0 , B0 }P ub(A0 ) ,
act(a3 ) = init : (A0 , B0 ) : j : out{n0 }P ub(B0 ) .
Proof. By control precedence we obtain:
b1

/ b2

/ b3 .

Consider the property of configurations

Q(p, s, t) M t. n0 < M {m0 , n0 , B0 }P ub(A0 ) < M .
By freshness, the property Q holds immediately after b2 ,
but clearly not immediately before b3 . By well-foundedness

/ b2
/ b3
@@
~?
@@
~
~
@
~~
/ a03
/ a02

a01

er+1

hp0 , s0 , t0 i hpr , sr , tr i ,

init : (A, B0 ) : j : out new m {m, A}P ub(B0 )

init : (A, B0 ) : j : in{m, n0 , B0 }P ub(A)
b1

Proposition 7.4. (Output-input precedence) In a run

er

/ b3
@@
~?
@@
~
@ ~~~
e

if b c ei either b Ic(p0 ) or there is an earlier event ej ,

j < i, such that b ej c .

e1

/ b2

b1

the following properties hold:

Since F resh(b2 , n0 ), the event b2 must precede a02 . The

property Q holds on configurations up to a03 and, in particular, on the configuration immediately before a02 . From
this we conclude that m = m0 and A = A0 . Hence a03 = a3 ,
a02 = a2 , and a01 = a1 as described below.
b1

/ b2

/ b3
O

a1

/ a2

/ a3

(Since F resh(a1 , m0 ), the event a1 precedes b1 .)

8.

RELATING SECURITY MODELS

We have related our net semantics of SPL to a transition

semantics. Now we establish its relations to the security
models of strand spaces, inductive rules, as well as other
traditional models. In security protocols we are largely interested in safety properties, which reduce to a property
holding of all finite behaviours. Thus it suffices to show
how a finite behaviour in one model can be matched by the
finite behaviour in another. In relating the net semantics
to strand spaces and inductive rules we need to constrain
process terms, to allow some repetition of actions, though
this does not seem unduly restrictive in formalising security
protocols.

8.1

Strand spaces

In relating the net semantics to strand spaces we must

face the fact that strand spaces dont compose readily, not
using traditional process operations at least. Their form
doesnt allow prefixing by a single event. Nondeterminism only arises through the choice as to where input comes
from, and there is not a recognisable nondeterministic sum
of strand spaces. Even an easy definition of parallel composition by juxtaposition is thwarted if unique origination
is handled as a global condition on the entire strand space.
This complicates the relation between a compositional semantics and strand spaces.
We can however relate the net behaviour of a !-par process to that of an associated strand space; a !-par process
is a closed process of the form !kiI pi for which no subterm

pi contains a parallel composition. In proving the relation

(though unfortunately not in this short write-up) we find it
useful to extend strand spaces in order to compose them,
chiefly with conflict to permit their nondeterministic sum,
and then finally to observe that for processes with replication the conflict can be eliminated, without upsetting the
strand-space behaviour. (Strand spaces can be viewed as
special forms of event structures - see below; so ideas, such
as the use of a conflict relation, can be adapted from there.)
Definition 8.1. A strand space consists of S = hSi iiI
an indexed set of strands. An individual strand Si , where
i I, is a finite sequence of output or input events carrying
respectively output or input actions of the kind out new~nM
or in M , where M is a closed message and ~n a list of distinct
names that are intended to be fresh (uniquely originating)
at the event. We permit only strands on which any new
names do not appear in previous actions of the strand. (A
set of strands is canonically a strand space in which each
strand has itself as index.)
As usual, a strand space can be seen as a graph whose nodes
are of the form (i, l) with i I index of a strand and l
position of an event in that strand (1 l length(si )).
Each node uniquely identifies an event in a strand. Edges are
of two different kinds: between two nodes that identify
two events of a same strand, one immediately preceding the
other and between two nodes identifying respectively an
output event and an input event with the same message. A
bundle of a strand space S is a finite, acyclic subgraph s.t.
if a node belongs to the bundle, so do all nodes that
precede it on its strand, together with their incident
edges,
each input node has exactly one incoming edge,
two different strands that have a new name in common dont both contribute to the same bundle.
We write C and C for edges of a strand space graph
belonging to a bundle C. Our definition is not quite standard. But the only significant difference is in the treatment
of unique origination which is taken care of in the definition of bundle rather than being a condition on the entire
strand space - the parametric strand spaces of [3] achieve
the same effect and are closely related.
A strand space can be seen as a form of event structure [13]. A strand space determines a stable event structure,
whose family of configurations is the same as the bundles of
the strand space; the bundles of a strand space when ordered
by inclusion form a stable family which ensures not only that
each configuration of events in the family can be equipped
with a local partial order of causal dependency, but that
at the cost renaming events these local partial orders can
be extended to a global partial order of causal dependency,
yielding a prime event structure.
Often in strand spaces the precise identity of indices does
not matter. A re-indexing of a strand space S = hSi iiI is
a permutation of I such that Si and S(i) are sequences
of the same length with the same actions at corresponding
events. A re-indexing of a strand space induces a re-indexing
on its bundles; a bundles nodes and arcs are changed according to the correspondence given by .
To relate the net behaviour of a process to its behaviour as
a strand space we need to linearise bundles. More precisely:

Definition 8.2. Given a bundle C of a strand space S, a

linearisation of C is a sequence of nodes e1 . . . ek such that
{e1 , . . . , ek } are all the nodes of C and for all e in C and all ei
in L, if eC ei or eC ei then e precedes ei in the sequence.
An event-linearisation of a bundle is the sequence of strandspace events associated with the nodes of a linearisation.
Let p be a !-par process and s a set of names containing
all names in p. Take T r(p, s) to be the strand space with
strands consisting of all the maximal sequences e1 . . . ek of
events in Ev(p) such that:
i) c e1 Ic(p) and
ii) for all i, 1 i < k, we have ei n (s{ej n | j < i}) =
and ei c = c ei+1 .
Sequences satisfying the above conditions are necessarily finite as the size of control conditions strictly decreases along
the sequence. The events of the net are already associated
with input and output actions. The net and strand space
behaviour are closely related:
Theorem 8.3. Given p a !-par process and s set of names
containing all names in p, we have that:
i) The sequence of events in a finite run in N et(p) from
the initial configuration hp, s, i is an event-linearisation of a bundle over T r(p, s).
ii) Every bundle over T r(p, s) can be re-indexed so that
any of its event-linearisations is a run in N et(p).
The only way a strand space can cope with there being a
nonempty set of initial output messages is through the slight
clumsiness of introducing extra output events; we avoid this
above by assuming the initial set of output messages is
empty.

8.2

Inductive rules

Paulsons inductive rules for a security protocol capture

the actions it and a spy can perform [9]. Through allowing persistent conditions, we can represent a collection of
inductive rules as a net in which the events stand for rule
instances and runs to sequences of rule instances which form
a derivation from the rules. In particular, instances of inductive rules for security protocols can be represented as events
in a net for which all but the name conditions are persistent.
According to such a semantics, once a protocol can input it
can do so repeatedly. Once it can output generating new
names it can do so repeatedly, provided this doesnt lead
to clashes with names already in use. Paulsons traces and
the associated runs of the net will necessarily include such
stuttering.
We define a net of rule instances from a closed process
term. Take the set of rule-conditions to consist of name
conditions and persistent output conditions, as before, but
now with additional persistent conditions consisting of closed
input and output process terms. Let r be the function from
SPL-conditions to rule-conditions which removes the indices
tagging control conditions and leaves output and name conditions unchanged. Extend r to SPL-events: let r replace
all the control conditions of an SPL-event by their images
under r - intuitively, an event is replaced by a rule instance.
Define the net of rule instances R(p) of a closed process
term p to be the net with rule-conditions and events the
image r Ev(p).

For a closed process term p, let p be the process term

obtained by inserting a replication before every input and
output process subterm in p. Note that R(p ) = R(p) as R
drops indices. Now, having restricted to a process with sufficient replication, we can establish a close relation between
the behaviours of N et(p ) and R(p ).
Theorem 8.4. Let p be a closed process term. Let t be a
subset of closed messages and s a subset of names including
those of p and t. Let M0 = Ic(p ) s t.
e

1
l
i) A run M0

Ml of N et(p ) yields a run

r(e1 )

r(el )

rM0 rMl of R(p ).

e0

e0

l
1
M0l a run of R(p ) with M00 =
ii) To M00

el
e1
Ml of N et(p ),

rM0 , there is a run M0
0
0
with r(ei ) = ei and r(Mi ) = Mi for all i, 0 < i l.

8.3 Basic nets, trace languages and event

structures
Because strand spaces can be easily turned into event
structures, Section 8.1 yields an event structure for each
!-par process. But, without any restrictions, we can relate
the net semantics to traditional independence models such
as event structures and Mazurkiewicz trace languages. The
crux of the construction is that of eliminating the persistent
conditions from the net N et(p), of a closed process term
p, in an initial marking Init(p) s t, to produce a basic net. Its well-known how to unfold a basic net to a
Mazurkiewicz trace language and event structure. Assume
N et(p) has input events In and output events Out. Then:
Theorem 8.5. There is a basic net N with events
E

= Out
{(, e) | e In & oe t}
{(e1 , e) | e In & e1 Out &

e = eo1 }

such that letting the map : E Out In leave events in

Out unchanged and project pairs (, e), (e1 , e) to the component e:
i) If N has a run with events e01 , , e0k , then there is
a run with events (e01 ), , (e0k ) of N et(p) from the
initial marking Init(p) s t.
ii) If N et(p) has a run e1 , , ek from the initial marking
Init(p) s t, then N has a run e01 , , e0k where
e1 , , ek = (e01 ), , (e0k ).
The construction used to obtain N above is an example
of the construction for eliminating colours from a coloured
net - see [14]; first colours are introduced to the persistent
conditions and input events of N et(p) to distinguish the different ways in which they are made to occur, and then eliminated through splitting the conditions and events according
to their colours. The result in this case is a basic net. Its
runs form a Mazurkiewicz trace language from which we can
then obtain an event structure - see [15].

9. CONCLUDING REMARKS
A role of the language SPL is that it can support, and so
help relate, different semantics useful in the analysis of security protocols - we have seen several examples. Future goals
are to relate to a probabilistic semantics, moving away from

the perfect cryptography assumption, and to study what

equivalences and compositional reasoning fit with the rather
intensional event-based methods dealt with here. We hope
our work helps towards a more high-level analysis of security
protocols. To this end, we see the net semantics of SPL as
giving a potentially useful, concrete model theory for logics
for security protocols. The net runs are histories on which to
interpret security properties, perhaps expressed in the style
of BAN logic. On another tack, Petri nets form models of
linear logic [5], close it seems to the linear logic for security protocols based on multiset rewriting [2]. As suggested
by an anonymous referee, the expressiveness of SPL could
be useful in characterising natural classes of protocols with
decidable security properties.
Acknowledgements. We are grateful to Stewart Lee
and an anonymous referee for suggestions and encouragement. GW thanks Martn Abadi for a timely overview of
approaches to security protocols while they were both visiting Microsoft Research, Cambridge.

10.

REFERENCES

[1] M. Abadi and A. Gordon. A calculus for cryptographic

protocols: The Spi calculus. In 4th ACM CCS, 1997.
[2] I. Cervesato, N. A. Durgin, M. Kanovich, and
A. Scedrov. Interpreting strands in linear logic. In
FMCS00, 2000.
[3] I. Cervesato, N. A. Durgin, P. D. Lincoln, J. C.
Mitchell, and A. Scedrov. Relating strands and
multiset rewriting for security protocol analysis. In
13th IEEE CSFW, 2000.
[4] D. Dolev and A. C. Yao. On the security of public key
protocols. IEEE Trans. on Inf. Theory, 2(29), 1983.
[5] U. Engberg and G. Winskel. Linear logic on Petri
nets. In REX, a decade of concurrency, 1993, volume
803 of LNCS, 1994.
[6] G. Lowe. Breaking and fixing the Needham-Schroeder
public-key protocol using FDR. In TACAS96, volume
1055 of LNCS, 1996.
[7] R. Milner. Communicating and mobile systems: The
-calculus. Cambridge University Press, 1999.
[8] U. Montanari and F. Rossi. Contextual nets. Acta
Informatica, (32), 1995.
[9] L. C. Paulson. Proving security protocols correct. In
LICS, 14th Symp., July 1999.
[10] A. M. Pitts and I. Stark. Observable properties of
higher order functions that dynamically create local
names, or: Whats new? In MFCS 18th Int. Symp.,
volume 711 of LNCS, 1993.
[11] R. L. Rivest, A. Shamir, and L. Adleman. A method
for obtaining digital signatures and public-key
cryptosystems. Comm. of the ACM, 21(2), 1978.
[12] J. Thayer, J. Herzog, and J. Guttman. Strand spaces:
Why is a security protocol correct? In 1998 IEEE
Symposium on Security and Privacy.
[13] G. Winskel. Event structures. In Advanced Course on
Petri nets, volume 255 of LNCS, 1986.
[14] G. Winskel. Petri nets, algebras, morphisms, and
compositionality. Inf. & Comput., 72, 1987.
[15] G. Winskel and M. Nielsen. Models for concurrency.
In Handbook of Logic in Comp. Sci., volume 4, 1995.

APPENDIX
A. PETRI NETS
The explanation of general Petri nets involves a little algebra of multisets (or bags), which are like sets but where
multiplicities of elements matters. Its convenient to also
allow infinite multiplicities, so we adjoin an extra element
to the natural numbers, though care must be taken to
avoid subtracting . -Multisets support addition + and
multiset inclusion , and even multiset subtraction X Y
provided Y X and Y has no infinite multiplicities, in
which case we call Y simply a multiset.

A.1 General Petri nets

A general Petri net (place-transition system) consists of
a set of conditions (or places), P ,
a set of events (or transitions), T ,
a precondition map pre, which to each t T assigns a
multiset pre(t) over P - it is traditional to write t for
pre(t),
a postcondition map post which to each t T assigns
an -multiset post(t) over P , traditionally written t ,
a capacity function Cap which is an -multiset over P ,
assigning a nonnegative number or to each condition
p, bounding the multiplicity to which the condition can
hold; a capacity of means the capacity is unbounded.
A state of a Petri net consists of a marking, an -multiset
M over P bounded by the capacity function, i.e. M Cap.
A marking captures a notion of distributed, global state.
Token game for general nets: Markings can change
as events occur, precisely how being expressed by the trant
sitions M M0 events t determine between markings M
0
and M . For markings M, M0 and t T , define
t

M M0 iff t M and M0 = M t + t .
An event t is said to have concession (or be enabled) at a
marking M iff its occurrence leads to a marking, i.e. iff

t M and M t + t Cap .

There is a widely-used graphical notation for nets in which

events are represented by squares, conditions by circles and
the pre- and postcondition maps by directed arcs carrying
numbers or as weights. A marking is represented by the
presence of tokens on a condition, the number of tokens
representing the multiplicity to which the condition holds.
When an event with concession occurs tokens are removed
from its preconditions and put on its postconditions with
multiplicities according to the pre- and postcondition maps.
Because of this presentation, the transition relation on Petri
nets is described as the token game.

A.2 Basic nets

We instantiate the definition of general Petri nets to an
important case where in all the multisets the multiplicities
are either 0 or 1, and so can be regarded as sets. In particular, we take the capacity function to assign 1 to every condition, so that markings become simply subsets of conditions.
The general definition now specialises to the following.
A basic Petri net consists of
a set of conditions, B,

a set of events, E, and

two maps: a precondition map pre : EPow(B), a
postcondition map post : E Pow(B). We can still
write e for the preconditions and e for the postconditions of e E and we require . e e. 6= .
Now a marking consists of a subset of conditions, specifying those conditions which hold.
Token game for basic nets: For markings M, M0 B
and event e E, define
e

M M0 iff (1) e M & (M \ e) e = and

(2) M0 = (M \ e) e .
Property (1) expresses that the event e has concession at
the marking M. Returning to the definition of concession
for general nets, of which it is an instance, it ensures that
the event does not load another token on a condition that is
already marked. Property (2) expresses in terms of sets the
marking that results from the occurrence of an event. So, an
occurrence of the event ends the holding of its preconditions
and begins the holding of its postconditions. (It is possible
for a condition to be both a precondition and a postcondition
of the same event, in which case the event is imagined to end
the precondition before immediately restarting it.)
There is contact at a marking M when for some event e

e M & (M \ e) e 6= .

The occurrence of an event is blocked through conditions,

which it should begin, holding already. Blocking through
contact is consistent with the understanding that the occurrence of an event should end the holding of its preconditions
and begin the holding of its postconditions; if the postconditions already hold, and are not also preconditions of the
event, then they cannot begin to hold on the occurrence of
the event. Avoiding contact ensures the freshness of names
in the semantics of name creation.
Basic nets are important because they are related to many
other models of concurrent computation, in particular, Mazurkiewicz trace languages (languages subject to trace equivalence determined by the independence of actions) and event
structures (sets of events with extra relations of causality
and conflict) - see [15].

A.3

Nets with persistent conditions

Sometimes we have use for conditions which once established continue to hold and can be used repeatedly. If we
are to use net events to represent rules of the kind we find
in inductive definitions, we need conditions that persist.
Persistent conditions can be understood as an abbreviation for conditions within general nets which once they hold,
do so with infinite multiplicity. Consequently any number
of events can make use of them as preconditions but without their ever ceasing to hold. Such conditions, having unbounded capacity, can be postconditions of several events
without there being conflict.
To be more precise, we modify the definition of basic
net given above by allowing certain conditions to be persistent. A net with persistent conditions will still consist
of events and conditions related by pre- and postcondition
maps which to an event will assign a set of preconditions and
a set of postconditions. But, now amongst the conditions
are the persistent conditions forming a subset P . A marking
of a net with persistent conditions will be simply a subset of

conditions, of which some may be persistent. Nets with persistent conditions have arisen independently several times
and have been studied for example in contextual nets [8].
A net with persistent conditions can be understood on
its own terms, or as standing for a general net with the
same sets of conditions and events. The general nets capacity function will be either 1 or on a condition, being
precisely on the persistent conditions. When p is persistent, p e is interpreted in the general net as arc weight
(e. )p = , and p . e as (. e)p = 1. A marking of a net with
persistent conditions will correspond to a marking in the
general Petri net in which those persistent conditions which
hold do so with infinite multiplicity. Graphically, we will
distinguish persistent conditions by drawing them as double
f
circles: h
Token game with persistent conditions: The token
game is modified to account for the subset of conditions P
being persistent. Let M and M0 be markings (i.e. subsets
of conditions), and e an event. Define

out new y{m, y, B}P ub(A) .in{y}P ub(B)

@
@
R out new n{m, n, B}P ub(A)
@

S {m, n, B}

/
w
S P ub(A)
nk
l

in{n}P ub(B)

in{n}P ub(B)

@
@
R
@

{n}P ub(B)

in{n}P ub(B)

Spy events: For compactness we overlap at shared conditions.

M M0 iff (1) e M & (M \ (. e P )) e = and

(2) M0 = (M \ e) e (M P ) .

B. THE EVENTS OF NSL

We classify the events Ev(N SL) of the NSL protocol:
Initiator events:

Init(A, B)

@
@
R out new m{m, A}P ub(B)
@

S {m, A}

/
w
SP ub(B)
l
mk

in{m, y, B}P ub(A) .out{y}P ub(B)

in{m, y, B}P
ub(A) .out{y}P ub(B)

@
{m, n, B}P ub(A)
@
R
@

in{m, n, B}P ub(A)

/
out{n}P ub(B)

out{n}P ub(B)

@
@
R
@

out{n}P ub(B)

S {n}
P ub(B)
w
S
l

Responder events:

@
@
R
@

Resp(B)

{m, A}P ub(B)

in{m, A}P ub(B)

out new y{m, y, B}P ub(A) .in{y}P ub(B)

Composing, Spy1 in 1 .in 2 .out(1 , 2 )

lM1

@
@
R
@

lM2

@
@
R
@

l
>

M1 , M 2

H
H

H
H
j
j

Decomposing, Spy2 in(1 , 2 ).out 1 .out 2

lM1 , M2

@
@
R
@

l
>

M1

l
>

M2

H
H

H
H
j
j

Encrypting, Spy3 in x.in .out {}P ub(x)

ln

@
@
R
@

lM

@
@
R
@

l
>

{M }P ub(n)

H
H

H
H
j
j

Decrypting, Spy4 in P riv(x).in {}P ub(x) .out

lP riv(n)

@
@
R
@

l {M }P ub(n)

@
@
R
@

H
H

H
H
j
j

l
>