Strand Spaces with Choice via a Process Algebra Semantics

Abstract

Roles in cryptographic protocols do not always have a linear execution, but may include choice points causing the protocol to continue along different paths. In this paper we address the problem of representing choice in the strand space model of cryptographic protocols, particularly as it is used in the Maude-NPA cryptographic protocol analysis tool.

To achieve this goal, we develop and give formal semantics to a process algebra for cryptographic protocols that supports a rich taxonomy of choice primitives for composing strand spaces. In our taxonomy, deterministic and non-deterministic choices are broken down further. Non-deterministic choice can be either explicit, i.e., one of two paths is chosen, or implicit, i.e., the value of a variable is chosen non-deterministically. Likewise, deterministic choice can be either an explicit if-then-else choice, i.e., one path is chosen if a predicate is satisfied, while the other is chosen if it is not, or implicit deterministic choice, i.e., execution continues only if a certain pattern is matched. We have identified a class of choices which includes finite branching and some cases of infinite branching, which we address in this paper.

We provide a bisimulation result between the expected forwards execution semantics of the new process algebra and the original symbolic backwards semantics of Maude-NPA that preserves attack reachability. We have fully integrated the process algebra syntax and its transformation into strands in Maude-NPA. We illustrate its expressive power and naturalness with various examples, and show how it can be effectively used in formal analysis. This allows users to write protocols from now on using the process syntax, which is more convenient for expressing choice than the strand space syntax, in which choice can only be specified implicitly, via two or more strands that are identical until the choice point.

This work has been partially supported by the grants RTI2018-094403-B-C32 and PID2021-122830OB-C42 funded by MCIN/AEI/10.13039/501100011033 and ERDF “A way of making Europe”, by the grant PROMETEO/2019/098 funded by Generalitat Valenciana, and by the grant PCI2020-120708-2 funded by MICIN/AEI/10.13039/501100011033 and the European Union NextGenerationEU/PRTR.

A Proofs

1.1 A.1 Proofs of Section 6.2

The relation \(\mathcal{H}\) relies on the relations \(\mathcal{H}_ LP\_Str \) and \(\mathcal{H}_ PS\_FS \). We define the relation \(\mathcal{H}_ LP\_Str \), which relates a possibly partially executed labeled process and a constrained strand. This relation defines the duality relation between a labeled process and a constrained strands. If a labeled process LP is related to a constrained strand Str by the relation \(\mathcal{H}_ LP\_Str \), then: (i) LP and Str denote the behavior of the same role with the same identity in the same protocol, and (ii) for any strand \(Str_ LP \), \(Str_ LP \) denotes a possible execution path of LP iff Str followed by \(Str_ LP \) forms a valid possible execution path of the protocol.

Definition 13

(Relation \(\mathcal{H}_ LP\_Str \)). Given a protocol \(\mathcal{P}\), and a possibly partially executed labeled process LP of \(\mathcal{P}\), a possibly partially executed constrained strand Str of \(\mathcal{P}\), then \((LP , Str)\in \mathcal{H}_ LP\_Str \) iff

$$ \begin{aligned}&\textit{toCstrSS}(LP) = \& \{ (ro, i) [u_{j+1},\ldots , u_n]\rho _{ro,i}\theta \mid \exists \ \textit{ground substitution}\ \theta \\&\exists (ro)[u_1,\ldots u_j, u_{j+1},\ldots , u_n] \in \mathcal{P}_ Cstr \ \textit{s.t.} \ Str = (ro, i)[u_1,\ldots u_j]\rho _{ro,i}\theta \} \end{aligned}$$

where &\(\{S_1, S_2, \ldots , S_n\}\) is a shorthand for a term \( S_1 \& S_2 \& \ldots \& S_n\) denoting a set of strands. \(\rho _{ro,i}=\{r_1 \mapsto r_1.ro.i, \ldots , r_m\mapsto r_m.ro.i\}\) for fresh variables \(r_1, \ldots , r_m\) in \([u_1,\ldots u_j, u_{j+1}, \ldots , u_n]\).

Example 11

Following Examples 7 and 10, we show a process LP and a strand Str that are related by the relation \(\mathcal{H}_ LP\_Str \). LP (resp. Str) is the labeled process (resp. constrained strand) of the Server role after making the first explicit nondeterministic choice.

$$\begin{aligned} LP=&( Server, 1, 2 ) \ \sigma (+(hs ; retry) \cdot -(hs ; N' ; G' ; gen(G') ; E') \cdot \\&~~~ +(hs ; n({S}_ ? ,r1) ; G' ; gen(G') ; keyG(G',{S}_ ? ,r_2) ; Z({AReq}_ ? ,G',E',S,r_2,{S}_ ? ,HM))) \\ Str=&( Server, 1 ) \ \sigma [ \ \{?,1\} , -(hs ; N ; G ; gen(G) ; E) ] \end{aligned}$$

where \(\sigma \) is a ground substitution to the pattern variables N, G, and E.

We then lift the duality relation between individual processes and strands to a duality relation between PA-State and FW-State.

Definition 14

(Relation \(\mathcal{H}_ PS\_FS \)). Let \( Pst =\{LP_1 \& \ldots \& LP_n \mid \{\textit{IK}\} \}\) be a PA-State and \( Fst =\{Str_1 \& \ldots \& Str_m \& \{\textit{IK}'\} \}\) be a FW-State, if \(( Pst , Fst ) \in \mathcal{H}_ PS\_FS \), then:

1. (i)

   For each labeled process \(LP_k \in Pst \), \(1\leqslant k \leqslant n\), there exists a strand \(Str_{k'} \in Fst \), \(1\leqslant k' \leqslant m\), such that \((LP_k , Str_{k'}) \in \mathcal{H}_ LP\_Str \).

2. (ii)

   For each strand \(Str_{k'} \in Fst \), \(1\leqslant k' \leqslant m\), there exists a labeled process \(LP_k \in Pst \), \(1\leqslant k \leqslant n\), such that \((LP_k , Str_{k'}) \in \mathcal{H}_ LP\_Str \).

The lemma below states that the relation \(\mathcal{H}\) induces the duality relation \(\mathcal{H}_ PS\_FS \).

Lemma 1

Let \( Pst =\{LP_1 \& \ldots \& LP_n \mid \{\textit{IK}\} \}\) be a PA-State and \( Fst =\{Str_1 \& \ldots \& Str_m \& \{\textit{IK}'\} \}\) be a FW-State, if \(( Pst , Fst ) \in \mathcal{H}\), i.e., exists a label sequence \(\alpha \) such that \(P_{ init }\rightarrow _{\alpha } Pst \), and \(F_{ init }\rightarrow _{\alpha } Fst \), then \(( Pst , Fst ) \in \mathcal{H}_ PS\_FS \).

Proof

We first prove property (i). If \(|\alpha | =0\), since both the strand set and the process configuration are empty, the statement is vacuously true.

Now suppose that \(|\alpha | > 0\). Then, without loss of generality, assume there exists a labeled process \(LP_k = ((ro,i, j) \ P_k)\) in \( Pst \), with \(i, j \ge 1\). Then there is at least one label in \(\alpha \) of the form \((ro, i, \_,\_,\_ )\) (\(\_\) is a short hand for any content), therefore, there is a strand \(St_{k'}\) in \( Fst \) of the form \((ro, i) [v_1, \ldots , v_{j'}]\).

We then show that the above-mentioned \(LP_k\) and \(Str_{k'}\) are related by \(\mathcal{H}_ LP\_Str \), i.e., \((LP_k,Str_{k'}) \in \mathcal{H}_ LP\_Str \). Since the state Fst is reachable from the initial state by the label sequence \(\alpha \), and \(Str_{k'}\in Fst\), \([v_1, \ldots , v_{j'}]\) denotes exactly the sequence of messages in the unique sequence of labels \(\alpha |_{(ro, i)}\). Moreover, \(j'= j-1\).

Since the process state \( Pst \) is reachable from the initial state \(P_{init}\) by label sequence \(\alpha \), there exists a unique process \((ro) P_{spec}\) in the specification \(P_{ PA }\), and \(LP_k\) represents all possible behaviors of \((ro) P_{spec}\) after the sequence of transitions \(\alpha |_{(ro, i)}\). Therefore, \(\textit{toCstrSS}(LP_k) =\)

$$ \begin{aligned}& \& \{ (ro, i) [u_{j}, \ldots , u_n]\rho _{ro,i}\theta \mid \\&\exists \ \textit{ground substitution} \ \theta \\&\exists (ro)[u_1, \ldots , u_{j-1}, u_{j}, \ldots , u_n] \in \textit{toCstrSS}((ro)P_ spec ) \\&\textit{s.t.} \ (ro, i)[u_1, \ldots , u_{j-1}]\rho _{ro,i}\theta = (ro, i)[v_1, \ldots , v_{j-1}]\} \end{aligned}$$

By the correspondence between protocol specifications defined in Definition 3 , \( \mathcal{P}_{CstrF} =\textit{toCstrSS}(P_{ PA })\). Also note that \((ro)P_{spec}\) is the only process in \(P_{ PA }\) that has ro as its role name, therefore, \(\textit{toCstrSS}((ro)P_{spec}) = \{ (ro)[u_1, \ldots , u_n] \mid (ro)[u_1, \ldots , u_n] \in \mathcal{P}_{CstrF} \}\). Therefore, \(\textit{toCstrSS}(LP_k) =\)

$$ \begin{aligned}& \& \{ (ro, i) [u_{j}, \ldots u_n]\rho _{ro,i}\theta \mid \\&\exists \ \textit{ground substitution} \ \theta , \\&\exists (ro)[u_1, \ldots , u_{j-1}, u_{j}, \ldots , u_n] \in \mathcal{P}_{CstrF} \\&\textit{s.t.} \ (ro, i)[u_1, \ldots , u_{j-1}]\rho _{ro,i}\theta = (ro, i)[v_1, \ldots , v_{j-1}]\}. \end{aligned}$$

Therefore, \((LP_k,Str_{k'}) \in \mathcal{H}_ LP\_Str \). The proof for property (ii) is similar to the one for property (i).    \(\square \)

Lemma 2 below formalizes the observation that the equivalence of label sequence implies the same intruder knowledge.

Lemma 2

Given a PA-State \( Pst \) and a FW-State \( Fst \) such that \(( Pst , Fst ) \in \mathcal{H}\), i.e., there exists a label sequence \(\alpha \) such that \(P_{init}\rightarrow _{\alpha } Pst \) and \(F_{init}\rightarrow _{\alpha } Fst \), then the contents of intruder knowledge in \( Pst \) and in \( Fst \) are syntactically equal.

Proof

In both semantics the only transition rules that add new elements to the intruder’s knowledge are the ones whose label is of the form \((ro,i, j, +m,n)\). Therefore, given the two states \( Pst \) and \( Fst \) as described above, their intruder’s knowledge can be computed from the sequence of labeled transitions \(\alpha \) as \( IK( Pst ) = \{ m\,{\in }\,\mathcal{I}\, \mid (\_, \_, \_, +m, \_) \in \alpha \} = IK( Fst ) \).    \(\square \)

Based on the lemmas above, we can now show that the relation \(\mathcal{H}\) is a bisimulation.

Theorem 1 (Bisimulation). \(\mathcal{H}\) is a bisimulation.

Proof

Since \(P_{init}\rightarrow _{nil}P_{init}\) and \(F_{init}\rightarrow _{nil}F_{init}\), therefore, \((P_{init}, F_{init}) \in \mathcal{H}\). We then prove that: for all PA-State \( Pst _{n}\), and FW-State \( Fst _{n}\), if \(( Pst _n, Fst _n) \in \mathcal{H}\), and there exists a PA-State \( Pst _{n+1}\) such that \( Pst _n \rightarrow _a Pst _{n+1}\), then there exists a FW-State \( Fst _{n+1}\) such that \( Fst _n\rightarrow _{a} Fst _{n+1}\) and \(( Pst _{n+1}, Fst _{n+1})\in \mathcal{H}\).. If \(( Pst _n, Fst _n) \in \mathcal{H}\), by definition of the relation \(\mathcal{H}\), there exists a label sequence \(\alpha \) s.t. \(P_{init}\rightarrow _{\alpha } Pst_n\) and \(F_{init} \rightarrow _{\alpha } Fst _n\). Suppose there exists state \( Pst _{n+1}\) such that \( Pst _n \rightarrow _a Pst _{n+1}\). We prove by case analysis on label a that there exists \( Fst _{n+1}\) such that \( Fst _n\rightarrow _{a} Fst _{n+1}\). The fact that \(( Pst _{n+1}, Fst _{n+1})\in \mathcal{H}\) then follows this by the definition of relation \(\mathcal{H}\).

In the rest of this proof, \(\overrightarrow{L}, \overrightarrow{L_1}\) and \(\overrightarrow{L_2}\) denote lists of messages, \(M, M'\) and m denote messages, P, Q and R denote processes, PS denotes a process configuration, SS denotes a set of constrained protocol strands, IK and \(IK'\) denote the set of messages in the intruder’s knowledge.

1. 1)

   \(a=(ro, i, j, +m, 0):\) if \(j>1\), according to the semantics, \( Pst _n \rightarrow _a Pst _{n+1}\) by applying rule (PA++), the state \( Pst _n\) is of the form \( \{(ro,i, j)~( +M\cdot P) ~ \& ~ PS ~|~ \{IK\} \}\) s.t. there exists a ground substitution \(\sigma \) binding the choice variables in M and \(m=M\sigma \), the state \( Pst _{n+1}= \{(ro,i, j+1)~P\sigma ~ \& ~ PS ~|~ \{m\in \mathcal{I}, IK\} \}\) and \( m\,{\in }\,\mathcal{I}\, \not \in \textit{IK}\). Since \(Pst_n \ \mathcal{H}\ Fst_n\), by Lemmas 1 and 2, \( Fst _n\) is of the form \( \{(ro, i)~[\overrightarrow{L}] ~ \& ~ SS~ \& ~ \{IK\} \}\) s.t. \((ro,i, j)~( +M\cdot P)~ \mathcal{H}_ LP\_Str ~(ro, i)~[\overrightarrow{L}] \). Let \((ro) \ [\overrightarrow{L_1}, \overrightarrow{L_2}]\) be a constrained strand in \(P_{ CstrSS }\) s.t. there exists a ground substitution \(\theta \) s.t. \(\overrightarrow{L_1}\rho _{ro, i}\theta = \overrightarrow{L}\). By the definition of relation \(\mathcal{H}_ LP\_Str \) and mapping \(\textit{toCstrSS}\), the first message of \(\overrightarrow{L_2}\) is \(+M'\), s.t. \(M'\rho _{ro, i}\theta =M\). Then since \(M\sigma =m \) and \(m\,{\in }\,\mathcal{I}\, \not \in \textit{IK}\), the rule (F++) can be applied for the rewrite \(Fst_n\rightarrow _{a}Fst_{n+1}\), where \( Fst_{n+1} = \{(ro, i)~[\overrightarrow{L}, +m] ~ \& ~ SS~ \& ~ \{m\,{\in }\,\mathcal{I}\,, IK\}\}\).

   If \(j=1\), \( Pst _n \rightarrow _a Pst_{n+1}\) by applying rule (PA &), there exists a process \((ro)~( +M\cdot P) \) in \(P_{ PA }\) and a ground substitution \(\sigma \) s.t. \(M\rho _{ro, i}\sigma = m\). Since \(\textit{toCstrSS}(P_{ PA })= P_{ CstrSS }\), by the definition of \(\textit{toCstrSS}\), for all strands of role ro in \(P_{ CstrSS }\), the first message is \(+M\). Without loss of generality, let \( Pst _n\) be \(\{ PS ~|~ \{IK\} \}\), and \( Fst _n\) be \( \{ SS ~ \& ~ \{IK'\} \}\). Since the rule (PA &) can be applied, \(m\,{\in }\,\mathcal{I}\, \not \in \textit{IK}\). By Lemma 2, \(IK=IK'\). Moreover, by Lemma 1, \(\textit{MaxStrId}(SS, ro) = \textit{MaxProcId}(PS, ro)\), and since \(\textit{MaxProcId}(PS, ro) +1 = i\), by applying the rule (F++ &) we get \( Fst _n\rightarrow _{a} Fst _{n+1}\).

2. 2)

   \(a=(ro, i, j, M\sigma , 0)\): similar to case 1.

3. 3)

   \(a=(ro, i, j, -m, 0)\): if \(j>1\), according to the semantics, \( Pst _n \rightarrow _a Pst _{n+1}\) by applying rule (PA-), \( Pst _n\) is of the form \( \{(ro, i, j)~( -M\cdot P) ~ \& ~ PS ~|~ \{m\,{\in }\,\mathcal{I}\,, IK\} \}\) s.t. \(m=_{E_{\mathcal{P}}} M\sigma \) for some ground substitution \(\sigma \) and \( Pst _{n+1} =\{ (ro, i, j+1)~P\sigma ~ \& ~ PS ~|~ \{m\,{\in }\,\mathcal{I}\,, IK\}\}\). Since \( Pst _n \ \mathcal{H}\ Fst _n\), by Lemmas 1 and 2, \( Fst _n = \{ (ro, i)~[\overrightarrow{L}] \ \& \ SS~ \& ~ \{m\,{\in }\,\mathcal{I}\,, IK\} \}\) s.t. \((ro,i, j)~( -M\cdot P) ~\mathcal{H}_ LP\_Str ~ (ro)~[\overrightarrow{L}] \). Let \((ro)\ [\overrightarrow{L_1}, \overrightarrow{L_2}] \in P_{ CstrSS }\) s.t. there exists a ground substitution \(\theta \) s.t. \(\overrightarrow{L_1}\rho _{ro, i}\theta = \overrightarrow{L}\), then by definition of \(\mathcal{H}_ LP\_Str \) and \(\textit{toCstrSS}\), the first message of \(\overrightarrow{L_2}\) is \(-M'\) s.t. \(M'\rho _{ro, i}\theta = M\). Since \(m=_{E_{\mathcal{P}}} M\sigma \), rule (F-) can be applied to get the transition \(Fst_n \rightarrow _{a} Fst_{n+1}\), where \( Fst_{n+1} = \{ (ro, i)~[\overrightarrow{L}, -m] ~ \& ~ SS~ \& ~ \{m\,{\in }\,\mathcal{I}\,, IK\} \}\).

   If \(j=1\), \(Pst_n \rightarrow _a Pst_{n+1}\) by applying rule (PA &), there exists a process \((ro)~( -M\cdot P) \) in \(P_{ PA }\) and a ground substitution \(\sigma \) s.t. \(M\rho _{ro, i}\sigma = m\). Without loss of generality, let \(Pst_n\) be \(\{ PS ~|~ \{IK\} \}\). Then \(m\,{\in }\,\mathcal{I}\, \in IK\). Since \(\textit{toCstrSS}(P_{ PA })= P_{ CstrSS }\), by the definition of \(\textit{toCstrSS}\), for all strands of role ro in \(P_{ CstrSS }\), the first message is \(-M\). By Lemma 2, \(m\,{\in }\,\mathcal{I}\,\) is in the intruder knowledge of \(Fst_n\). Moreover, by Lemma 1, \(\textit{MaxStrId}(SS, ro) = \textit{MaxProcId}(PS, ro)\), and since \(\textit{MaxProcId}(PS, ro) +1 = i\), by applying the rule (F- &) we get \(Fst_n\rightarrow _{a}Fst_{n+1}\).

4. 4)

   \(a=(ro, i, j, T, 1)\): according to the transition rules, \(Pst_n \rightarrow _a Pst_{n+1}\) by applying rule (PAif1). Therefore \(Pst_n\) is of the form \( \{ (ro,i, j) \ ((\textit{if} \ \ c \ \textit{then} ~P~ \textit{else} ~Q) ~\cdot R) ~ \& ~ PS \mid \{ IK\} \}\), \( Pst_{n+1} = \{(ro,i, j+1)~(P\cdot R) ~ \& ~ PS ~| ~ \{IK\} \}\) and \( c =_{E_{\mathcal{P}}} true\). Since \(Fst_n \ \mathcal{H}\ Pst_n\), by Lemma 1, \( Fst_n = \{ (ro)~[\overrightarrow{L}]~ \& ~ SS ~ \& ~ \{IK'\} \}\) s.t. \( (ro,i, j)~((\textit{if} ~c~ \textit{then} ~P~ \textit{else} ~Q) ~\cdot R) ~\mathcal{H}_ LP\_Str ~ (ro, i)~[\overrightarrow{L}] \). By the definition of the relation \(\mathcal{H}_ LP\_Str \) and the mapping \(\textit{toCstrSS}\), there exists \((ro) \ [\overrightarrow{L_1}, \{C, 1\}, \overrightarrow{L_2}] \in P_{ CstrSS }\) and a ground substitution \(\theta \) s.t. \(\overrightarrow{L} = \overrightarrow{L_1}\rho _{ro, i}\theta \), and \(C\rho _{ro,i}\theta =c\). Since \(c =_{E_{\mathcal{P}}} true\), the rule (Fif) can be applied for the rewrite \(Fst_n \rightarrow _a Fst_{n+1}\), where \( Fst_{n+1}= \{ \{ (ro)~[\overrightarrow{L}, \{t, 1\}]~ \& ~ SS ~ \& ~ \{IK'\} \}\)

5. 5)

   \(a=(ro, i, j, T, 2)\): similar to case 4.

6. 6)

   \(a=(ro, i, j, ?, 1)\): if \(j>1\), \(Pst_n \rightarrow _a Pst_{n+1}\) by applying rule (PA?1). Therefore \(Pst_n \) is of the form \( \{(ro,i, j)~((P~?~Q)\cdot R) ~ \& ~ PS ~|~ \{IK\} \}\) and \( Pst_{n+1} = \{(ro,i, j+1)~(P \cdot R) ~ \& ~ PS ~|~ \{IK\} \}\). Since \(Fst_n \ \mathcal{H}\ Pst_n\), by Lemma 1, \( Fst_n= \{ (ro, i)~[\overrightarrow{L}]~ \& ~ SS ~ \& ~ \{IK'\} \}\) s.t. \( (ro, i, j)~((P~?~Q)\cdot R) ~\mathcal{H}_ LP\_Str (ro, i)~[\overrightarrow{L}] \). By the definition of \(\mathcal{H}_ LP\_Str \) and \(\textit{toCstrSS}\), there is a strand \((ro, i) \ [\overrightarrow{L_1}, \{?, 1\}, \overrightarrow{L_2}] \in P_{ CstrSS }\) s.t. \(\overrightarrow{L} = \overrightarrow{L_1}\theta \). Therefore, rule (F?) can be applied for the rewrite \(Fst_n \rightarrow _a Fst_{n+1}\), and \( Fst_{n+1} = \{ (ro, i)~[\overrightarrow{L}, \{?, 1\}]~ \& ~ SS ~ \& ~ \{IK'\} \}\).

   If \(j=1\), \(Pst_n \rightarrow _a Pst_{n+1}\) by applying rule (PA &). Therefore, there exists a process \((ro)~( (P~?~Q)\cdot R) \) in \(P_{ PA }\). Since \(\textit{toCstrSS}(P_{ PA })= P_{ CstrSS }\), by the definition of \(\textit{toCstrSS}\), there is a strand of role ro whose first message is (?, 1) in \(P_{ CstrSS }\). Moreover, by Lemma 1, \(\textit{MaxStrId}(SS, ro) = \textit{MaxProcId}(PS, ro)\), and since \(\textit{MaxProcId}(PS, ro) +1 = i\), by applying the rule (F? &) we get \(Fst_n\rightarrow _{a}Fst_{n+1}\).

7. 7)

   \(a=(ro, i, j, ?, 2)\) similar to case 6.

Similarly, we can prove that for all PA-State \( Pst _{n}\), and FW-State \( Fst _{n}\), if \(( Pst _n, Fst _n) \in \mathcal{H}\), and there exists a FW-State \( Fst _{n+1}\) such that \( Fst _n \rightarrow _a Fst _{n+1}\), then there exists a PA-State \( Pst _{n+1}\) such that \( Pst _n\rightarrow _{a} Pst _{n+1}\) and \(( Pst _{n+1}, Fst _{n+1})\in \mathcal{H}\)    \(\square \)

1.2 A.2 Proofs of Section 7.2

Extending the proofs in [9], we first prove how the lifting of a ground state to a symbolic state induces a lifting of a forwards rewriting step in the forwards semantics to a backwards narrowing step in the backwards semantics, i.e., the completeness of one-step transition. The lemma below extends the lifting lemma in [9] to strands with constrained messages.

Fig. 4.

Lemma 3

Fig. 5.

Lemma 4

Lemma 3 (Lifting Lemma)

Given a protocol \(\mathcal{P}\), two ground strand states s and \(s'\), a constrained symbolic strand state \( CstrS '={\langle S', \varPsi '\rangle }\) and a substitution \(\theta '\) s.t. \(s \rightarrow s'\) and \( CstrS ' >^{\theta '} s'\), then there exists a constrained symbolic strand state \( CstrS ={\langle S, \varPsi \rangle }\) and a substitution \(\theta \) s.t. \( CstrS >^{\theta } s\) and either or \( CstrS = CstrS '\).

The Lifting Lemma is illustrated by Fig. 4.

Proof

As has been explained before, we only need to consider the new rules: (Fif), (F?), (F? &). The proof in [9] is structured by cases, some of which having specific requirements on intruder knowledge, or involve changes made to the intruder knowledge. Since all the new rules we are considering do not have specific requirements on the intruder knowledge, and do not change the intruder knowledge either, the cases that we need to consider are the following (cases e and f in the proof in [9]), which involve the appearance or non-appearance of certain strand(s):

1. e:

   There is a strand \([u_1,\ldots ,u_{j-1},u_j,\ldots ,u_n]\) in \(P_{ CstrSS }\), \(n \geqslant 1\), \(1 \leqslant j \leqslant n\), and a substitution \(\rho \) such that \([u_1,\ldots ,u_{j-1},u_j]\rho \) is a strand in \(s'\) and \([u_1,\ldots ,u_{j-1}, u_j \mid u_{j+1},\ldots ,u_n]\rho \) is a strand in \(S'\theta '\).

2. f:

   There is a strand \([u_1,\ldots ,u_{j-1},u_j,\ldots ,u_n]\) in \(P_{ CstrSS }\), \(n \geqslant 1\), \(1 \leqslant j \leqslant n\), and a substitution \(\rho \) such that \([u_1,\ldots ,u_{j-1},u_j]\rho \) is a strand in \(s'\) but \([u_1,\ldots ,u_{j-1}, u_j \mid u_{j+1} , \ldots ,u_n]\rho \) is not a strand in \(S'\theta '\).

Now we consider for the forward rewrite rule application in the step \(s\rightarrow s'\).

• Given ground states s and \(s'\) s.t. \(s\rightarrow s'\) using a rule in set (Fif), then there exists a ground substitution \(\tau \), variables SS’ and IK’, and strand \( [ u_1,\ldots ,u_{j-1}, \{T, Num\}, u_{j+1},\ldots ,u_n]\) in \(P_{ CstrSS }\), such that \( s =\{SS'\tau \& \{IK'\tau \} \& (ro) [u_1\tau , \ldots ,u_{j-1}\tau ]\} \), and \( s'=\{SS'\tau \& \{IK'\tau \} \& [u_1\tau ,\ldots ,u_{j-1}\tau , \{T\tau , Num\}]\} \) and \(T\tau =_{E_{\mathcal{P}}} true\). Since there exists a substitution \(\theta '\) s. t. \( CstrS ' >^{\theta '} s'\), we consider the following two cases:

  • Case e) The strand appears in \(S'\theta '\). More specifically, \([ u_1\sigma ,\ldots , u_{j-1}\sigma , \{T\sigma , Num\} \mid u_{j+1}\sigma ,\ldots ,u_n\sigma ]\) is a strand in \(S'\) s.t. \(\sigma \theta ' =_{E_\mathcal{P}} \tau \). If the constraint T is an equality constraint, since \(T\tau =_{E_\mathcal{P}} T\sigma \theta ' =_{E_{\mathcal{P}}} true\), and by the lifting relation, \(E_\mathcal{P}\models \varPsi '\theta '\), rule (Bif=) can be applied for the backwards narrowing , and \( CstrS >^{\theta } s\) such that \(\mu \theta =_{E_\mathcal{P}}\theta '\). If the constraint T is a disequality constraint, since \(T\tau =_{E_\mathcal{P}} T\sigma \theta ' =_{E_{\mathcal{P}}} true\), and by the lifting relation, \(E_\mathcal{P}\models \varPsi '\theta '\), we have \(E_\mathcal{P}\models T\sigma \theta ' \wedge \varPsi '\theta '\). Therefore, rule (Bif\( \ne \)) can be applied for the backwards narrowing, and \( CstrS >^{\theta } s\).

  • Case f) The strand does not appear in \(S'\theta '\). Then \(\theta '\) makes \(S'\) as a valid symbolic strand state of s, i.e., \(S = S'\) and \( CstrS ' >^{\theta '} s\).

• Given ground strand states s and \(s'\) s.t. \(s\rightarrow s'\) using a rule in set (F?), then we consider the following two applicable cases:

  • Case e) The strand appears in \(S'\theta '\) and thus we can perform a backwards narrowing step from \( CstrS '\) with rule (B?), i.e., \( CstrS ' \mathop {{\mathop {\leadsto }\limits ^{}}_{}} CstrS \), and \( CstrS >^{\theta '} s\).

  • Case f) The strand does not appear in \(S'\theta '\). Then \(\theta '\) makes \( CstrS '\) as a valid constraint symbolic state of s, i.e., \( CstrS = CstrS '\) and \( CstrS >^{\theta '} s\).

• Given states s and \(s'\) s.t. \(s\rightarrow s'\) using a rule in set (F? &), the proof is similar with using a rule in the set (F?).

   \(\square \)

The Completeness Theorem below shows that the backwards symbolic reachability analysis is complete with respect to the forwards rewriting-based strand semantics.

Theorem 4 (Completeness)

Given a protocol \(\mathcal{P}\), two ground strand states \(s, s_0\), a constrained symbolic strand state \( CstrS \) and a substitution \(\theta \) s.t. (i) \(s_0\) is an initial state, (ii) \(s_0 \rightarrow ^n s\), and (iii) \( CstrS >^\theta s\). There exists a constrained symbolic initial strand state \( CstrS _0\), two substitutions \(\mu \) and \(\theta '\), and \(k \leqslant n\), s.t. , and \( CstrS _0 >^{\theta '} s_0\).

The Soundness Theorem from [9] can also be extended to constrained backwards and forwards strand semantics. We first show that Lemma 2 in [9], which states the soundness of one-step transition, still holds after extending to constrained states. The Soundness Theorem then follows straightforwardly.

Lemma 4

Given a protocol \(\mathcal{P}\), two constrained symbolic states \( CstrS ={\langle S, \varPsi \rangle }\) and \( CstrS '={\langle S', \varPsi ' \rangle }\), a ground strand state s and a ground substitution \(\theta \), if and \( CstrS >^\theta s\), then there exists a ground strand state \(s'\) and a ground substitution \(\theta '\) such that \(s \rightarrow s'\), and \( CstrS ' >^{\theta '} s'\).

Lemma 4 is illustrated by Fig. 5.

Proof

We only need to consider the new rules: rule (Bif=), (Bif\( \ne \)) and (B?).

1. 1)

   If using rule (B?), then there are associated rules in the sets (F?) and (F? &).

2. 2)

   If using rule (Bif=), there is a strand \([ u_1\sigma ,\ldots ,u_{j-1}\sigma \mid \{(u=v)\sigma , Num\}, u_{j+1}\sigma ,\ldots , u_n\sigma ]\) in S, \([ u_1\sigma ',\ldots ,u_{j-1}\sigma ', \{(u=v)\sigma ', Num\} \mid u_{j+1}\sigma ',\ldots , u_n\sigma ']\) in \(S'\) s.t. \(\sigma =_{E_\mathcal{P}} \sigma '\mu \), \(\varPsi =_{E_\mathcal{P}} \varPsi ' \mu \) and \(u\sigma =_{E_\mathcal{P}}v\sigma \), where \( [ u_1,\ldots ,u_{j-1}, \{u=v, Num\},u_{j+1},\ldots ,u_n]\) is a strand in \(P_{ CstrSS }\). Since \( CstrS >^\theta s\), there is a ground strand \([ u_1\sigma \theta ,\ldots , u_{j-1}\sigma \theta ]\) in s, and \(E_\mathcal{P}\models \varPsi \theta \). Therefore, \(E_\mathcal{P}\models \varPsi ' \mu \theta \) and \(u\sigma \theta =_{E_\mathcal{P}}v\sigma \theta \). By rule (Fif), \(s\rightarrow s'\), and \( CstrS ' >^{\mu \theta } s'\).

If using rule (Bif\( \ne \)), there is a strand \([ u_1\sigma ,\ldots ,u_{j-1}\sigma \mid \{(u\ne v) \sigma , Num\}, u_{j+1}\sigma ,\ldots , u_n\sigma ]\) in S, \([ u_1\sigma ',\ldots ,u_{j-1}\sigma ', \{(u\ne v)\sigma ', Num\} \mid u_{j+1}\sigma ', \ldots , u_n\sigma ']\) in \(S'\) s.t. \(\sigma =_{E_\mathcal{P}} \sigma '\mu \) and \(\varPsi =_{E_\mathcal{P}} \varPsi '\mu \wedge (u\ne v) \sigma '\mu \), where \( [ u_1,\ldots ,u_{j-1}, \{u\ne v, Num\},u_{j+1},\ldots ,u_n]\) is a strand in \(P_{ CstrSS }\). Since \( CstrS >^\theta s\), there is a ground strand \([ u_1\sigma \theta ,\ldots , u_{j-1}\sigma \theta ]\) in s, and \(E_\mathcal{P}\models \varPsi \theta \). Therefore, \(E_\mathcal{P}\models \varPsi '\mu \theta \wedge (u\ne v) \sigma '\mu \theta \). By rule (Fif), \(s\rightarrow s'\), and \( CstrS ' >^{\mu \theta } s'\).    \(\square \)

The Soundness Theorem below shows that the backwards symbolic reachability analysis is sound with respect to the forwards rewriting-based strand semantics.

Theorem 5 (Soundness)

Given a protocol \(\mathcal{P}\), two constrained symbolic strand states \( CstrS _0, CstrS '\), an initial ground strand state \(s_0\) and a substitution \(\theta \) s.t. (i) \( CstrS _0\) is a symbolic initial state, and (ii) , and (iii) \( CstrS _0 >^{\theta } s_0\). Then there exists a ground strand state \(s'\) and a substitution \(\theta '\), s.t. (i) \(s_0 \rightarrow ^* s'\), and (ii) \( CstrS ' >^{\theta '} s'\).

The soundness and completeness results in Theorems 5 and 4 together with the bisimulation proved in Theorem 1 show that the backwards symbolic reachability analysis is sound, Theorem 2, and complete, Theorem 3, with respect to the process algebra semantics.