Replace this file with prentcsmacro.

sty for your meeting,

or with entcsmacro.sty for your meeting. Both can be
found at the ENTCS Macro Home Page.

Adding Branching to the Strand Space Model

Sibylle Fröschle1
Department für Informatik
Universität Oldenburg
Oldenburg, Germany

Abstract
The strand space model is one of the most successful and widely used formalisms for analysing security
protocols. This might seem surprising given that the model is not able to reflect choice points in a protocol
execution: the key concept in the strand space model is that of a bundle, which models exactly one possible
execution of a security protocol. Inspired by the branching processes of Petri nets, we show that branching
can be introduced into the strand space model in a very natural way: bundles can be generalized to
branching bundles, which are able to capture several conflicting protocol executions. Our investigations of
the theory of branching bundles will motivate the concept of symbolic branching bundles, and culminate in
the result that every protocol has a strand space semantics in terms of a largest symbolic branching bundle.
We hope our results provide a strong theoretical basis for comparing models and providing process calculi
semantics in security protocol analysis. Altogether our work is related but different to a series of works by
Crazzolara and Winskel. Throughout we will profit from a close relationship of the strand space model to
event structures, which has already been pointed out by these authors.

Keywords: Models for security protocol analysis, strand spaces, event structures, branching processes

1 Introduction
The strand space model [5] is one of the most successful and widely used formalisms
for analysing security protocols. For example, it has been employed to verify security
properties by hand, to give formal semantics to protocol logics, and as the underlying
model of model-checking tools (c.f. [7]). In spite of this success two points of criticism
have been brought against it: one is that, in contrast to models based on multiset
rewriting, it is an ad hoc model rather than rooted in a rich theory. The second is
that it is not able to reflect aspects of branching such as choice points in a protocol
execution. To explain the latter we recall that the central concept of the strand
space model is that of the bundle. A bundle models exactly one snapshot of a
protocol execution: a set of strands represents the sessions that have occurred so
far while a relation between the send and receive events of the strands describes
how messages have flowed between them.

1 Email: [email protected]

c 2008
! Published by Elsevier Science B. V.
 Fröschle

Both points of criticism have been countered by results of Crazzolara and Winksel
[2,1,3]. On the one hand, they have shown that the strand space model is closely re-
lated to event-based models for concurrency such as event structures. On the other
hand, aiming to obtain compositional event-based semantics for protocol languages,
they have shown how the strand space model can be extended by a notion of conflict
[3]. Their notion of conflict is introduced at the level of strand spaces, which are
conceptually a level lower than bundles: a strand space fixes all the sessions that
are to be considered in the protocol analysis; it is the space from which bundles are
‘carved out’.
In this paper our thesis is that branching can be introduced into the strand
space model very directly at the conceptual level of bundles. The idea is to general-
ize bundles to branching bundles in the same way as in Petri net theory branching
processes generalize Petri net processes. Petri net branching processes [4] are in-
troduced as a formalization of an initial part of a run of a Petri net, which can
include conflicting choices. They come with a very satisfying theory: the branching
processes of a Petri net form a complete lattice (modulo isomorphism) with respect
to a natural notion of approximation. The largest element of this lattice captures
all possible behaviour of the Petri net, and is called its unfolding.
In this paper we wish to investigate whether protocols have as satisfying a theory
of branching bundles. If every protocol P had indeed a largest branching bundle,
this branching bundle would capture all possible behaviour of P , and would thus
provide a natural strand space semantics. This could provide a strong theoretical
basis for comparing models and providing semantics for protocol languages. Our
contributions are as follows:
(1) We show that bundles can indeed be generalized to branching bundles in a
very natural way. Branching bundles are able to capture several conflicting protocol
executions.
(2) We investigate the theory of branching bundles. We find that every branching
bundle can be viewed as a labelled prime event structure. This will motivate a
notion of computation state for branching bundles in terms of sub-bundles, and a
transition relation between them. Following the approach of [4] we will investigate
whether the branching bundles of a protocol form a complete lattice with respect to
a natural notion of approximation. We will however obtain a negative result: the
branching bundles of a protocol do not even form a complete partial order.
(3) By analysing this negative result we will, however, be led to a notion of sym-
bolic branching bundle. We will obtain that the symbolic branching bundles of a
protocol indeed form a complete lattice (modulo isomorphism). Thus, every proto-
col can be given a strand space semantics in terms of a largest symbolic branching
bundle. We will motivate that this semantics is suitable for most situations in
security protocol analysis.
In the following section we will introduce the strand space model using variations
on the original definition of [2] and [6]. The remainder of the paper is structured
according to the above contributions. All proofs can be found in the full version of
the paper.

2
 Fröschle

2 The Strand Space Model

Graph Terminology
A labelled (directed) graph is a tuple (E, K, L, l) where E is the set of nodes, which
in our context will depict events, K ⊆ E ×E is the set of edges, L is the set of labels,
and l : E → L is a labelling function that assigns a label to every node. When L is
clear from the context we will often keep it implicit for notational simplicity.
A labelled graph (E, K, L, l) is totally ordered if there is a total ordering e1 e2 . . .
of the elements of E such that (ei , ej ) ∈ K if and only if j = i + 1. A labelled graph
(E, K, L, l) is a labelled tree if K is acyclic and there is no backwards branching, i.e.,
if (e" , e) ∈ K and (e"" , e) ∈ K then e" = e"" . A branch of a tree is a possibly empty,
finite or infinite sequence e1 e2 . . . of elements of E such that (ei , ei+1 ) ∈ K for all
indices i. A labelled bi-graph is a tuple (E, ⇒, →, L, l) such that both (E, ⇒, L, l)
and (E, →, L, l) are labelled graphs.

Message Algebra
In the following we assume that messages are modelled by a message algebra. The
results we present here are independent of the actual structure of this algebra. We
only assume a set of messages Mesg, a set of atomic messages AMesg, from which
Mesg is built up from, and a binary relation & on Mesg that says when one message
is contained in another. Messages and atomic messages may contain variables. A
message is ground if it does not contain any variables. We denote the set of ground
messages by GMesg.

Actions, Roles, and Protocols

In a protocol execution, principals can either send or receive messages. If a message
is sent then it can contain data that have just been freshly generated such as nonces.
This gives rise to the following set of actions:

Act = { + fresh N in M | M ∈ Mesg & N ⊆ AMesg & ∀N ∈ N , N & M }

∪ { − M | M ∈ Mesg}.
In an action of the form ‘+ fresh N in M ’, ‘+’ indicates that message M is thought
to be sent while N specifies which elements of M are thought to be freshly generated.
We assume that only atomic messages can be freshly generated. In an action of the
form ‘− M ’, ‘−’ indicates that message M is thought to be received. Given an
action A ∈ Act of either of the two forms we use mesg(A) to depict M , sign(A) to
depict ‘+’, or ‘−’ respectively. If sign(A) = + we will further use fresh(A) to depict
N . A ground action is an action that does not contain any variables. We denote
the set of ground actions by GAct. In the context of a labelled graph with label set
GAct we will carry over the previous concepts for actions to the events of the graph
in the obvious way. A trace is a finite sequence of ground actions.
A role defines the actions a principal can perform in a protocol session. Formally,
a role is a finite sequence of actions R = A1 . . . An such that
R1 for all i ∈ [1, n], for all N ∈ fresh(Ai )
(a) N is a variable, and
3
 Fröschle

(b) Ai is the first action that contains N : ∀j < i, N *& mesg(Aj ).

Axiom (R1) makes sure that we cannot specify a constant to be freshly generated,
and that variables that represent data to be freshly generated at some action cannot
occur in previous actions.
A protocol is a finite set of roles P = {Ri }i∈r where r ∈ IN.

Intruder Model
The power of the Intruder is typically modelled by two ingredients: the set of
messages initially known to the Intruder such as all public keys and his own private
key; and a set of Intruder roles, which specify the Intruder’s basic elements of attack
such as decrypting a message with a key that he has already obtained. (Intruder
roles are originally called parametric Intruder traces [5].) Similarly to protocol roles,
Intruder roles are essentially sequences of signed messages, where ‘+’ denotes output
and ‘−’ denotes input.
The results here are independent of the actual format of the Intruder roles.
We only assume that an Intruder theory is given as a pair I = (KI , RI ) where
KI ⊆ GMesg is the set of initial Intruder knowledge and R is the set of Intruder
roles, and that each Intruder role is a finite sequence of actions of the following
form:
IAct = { + M | M ∈ Mesg} ∪ { − M | M ∈ Mesg}
∪ { + M of I -Knowledge | M ∈ Mesg}.
We redefine the set of actions Act defined in the previous paragraph to include
actions of this form: Act := Act ∪ IAct.

Strands, Strand Spaces, and Bundles

We now come to the core notions of the strand space model: strands and bundles.
We define these concepts relative to a fixed protocol P .
A strand represents an instantiation of a protocol or Intruder role or of a prefix
thereof. (We admit prefixes to be able to model incomplete protocol or Intruder
sessions, a situation that naturally arises in a snaphot of a protocol execution.)
Formally, a strand of P is a totally ordered labelled graph s = (E, ⇒, GAct, l) such
that there is a prefix R of a role of P or RI and a ground substitution σ so that,
assuming
• E = {e1 , . . . , en } with e1 ⇒ . . . ⇒ en , and
• R = A1 . . . Am ,
we have
S1 l(e1 ) . . . l(en ) = A1 σ . . . Am σ,
S2 ∀i ∈ [1, n], if sign(ei ) = + and n ∈ fresh(ei ) then for all j < i, n *& mesg(ej ),
S3 ∀e ∈ E, if l(e) is of the form ‘+ m of I -Knowledge’ then m ∈ KI .
Observe how the axioms ensure that s can indeed be understood as an instantiation
of R via σ. We call E the set of events of s, denoted by events(s). If an event e has
sign ‘+’, we call it a send event, and if it has sign ‘−’, a receive event respectively.
4
 Fröschle

We say message m originates on event ei if ei is a send event, m & mesg(ei ), and

for all j < i, m *& mesg(ej ). Note that Axiom (S2) ensures that when an atomic
message is freshly generated at an event then it originates on that event. We call
l(e1 ) . . . l(en ) the trace of strand s. We say two strands are disjoint if their sets of
events are disjoint.
A snapshot of a protocol execution consists of the set of (complete and incom-
plete) protocol and Intruder sessions that have been executed so far plus information
on how the messages flow between the sessions. This leads us to the concept of strand
space. 2 A strand space of P is a pair B = (S, →) where S is a set of pairwise disjoint
!
strands of P , and → ⊆ E×E is a relation on the events of S, E = s∈S events(s).
The single-arrow relation is thought to represent the flow of messages. It is clear
that we can equivalently regard B as a labelled bi-graph (E, ⇒, →, GAct, l), a view
we will often adopt. We call E the set of events of B, denoted by events(B).
A strand space can contain situations that are counter-intuitive such as a receive
event leading to a send event. A snapshot of a protocol execution is modelled by a
bundle. Formally, a bundle of P is a strand space B = (E, ⇒, →, GAct, l) of P such
that the following axioms are satisfied:
B1 if e1 → e2 then sign(e1 ) = +, sign(e2 ) = −, and mesg(e1 ) = mesg(e2 ),
B2 if e1 → e2 then there is no other e"1 such that e"1 → e2 ,
B3 ∀e ∈ E, if sign(e) = − then there is e" ∈ E such that e" → e,
B4 the relation (→ ∪ ⇒) is acyclic,
B5 ∀e ∈ E, {e" | e" (→ ∪ ⇒)∗ e} is finite,
B6 ∀e ∈ E, if sign(e) = + and n ∈ fresh(e) we have: n is uniquely originating on
e: there is no event e" with e" =
* e such that n originates on e" .
Axiom (B1) ensures that messages flow from send events to receive events. Ax-
iom (B2) enforces that an event can receive its message from at most one event.
Axiom (B3) guarantees that each receive event is matched up with a send event.
Axiom (B4) ensures that the reflexive and transitive closure of → ∪ ⇒ is a partial
order, which, as we will explain below, captures causality. Axiom (B5) ensures that
every event depends on only finitely many previous events. It is necessary in our
setting since we allow bundles to contain infinitely many events. Axiom (B6) en-
sures that if an atomic message is specified to be freshly generated on some event
then on any other strand it has to be received before it can be sent.
We denote the relation → ∪ ⇒ by ≺1 . ≺1 expresses immediate causality: If
e → e" then e is an immediate cause of e" due to the message flow causality between
received messages and sent messages. If e ⇒ e" then e is an immediate cause of e"
due to the execution order causality within a protocol session. The reflexive and
transitive closure of ≺1 , denoted by ,, is a partial order, which captures causality.
For every event e of a bundle there is at most one event e" such that e" ⇒ e,
and at most one event e"" such that e"" → e. If the first exists define ⇒-pred (e) = e"
otherwise define ⇒-pred (e) = nil . If the latter exists define →-pred (e) = e"" , and
→-pred (e) = nil otherwise. Naturally we assume nil *∈ E.

2 This notion slightly varies from the standard notion of strand space related to in the introduction.

5
 Fröschle

• + Client Hello

• - Server Hello

• - Certificate

• +{a, na }Kb
- Certificate Request • • - Server Hello Done

−{na , n1 }Ka • • −{na , n2 }Ka

- Server Hello Done • • + Client Key Exchange

+{n1 }Kb • • +{n2 }Kb

A → B : {A, NA }KB + Certificate •
B → A : {NA , NB }KA
A → B : {NB }KB

(a) (b)
Fig. 1. Sources of branching within a session

3 Branching Bundles
We now define our concept of branching bundles. As motivated in the introduction
branching bundles should be capable of representing several conflicting protocol
executions. To obtain them as a natural generalization of bundles, we will define
them as bi-graphs of events labelled by actions of GAct. In contrast to bundles
we will allow them to contain events that represent conflicting points in a protocol
execution. We can distinguish between three situations when two events e1 and e2
of a protocol execution should naturally be considered to be in conflict with each
other:
(i) e1 and e2 belong to different futures of the same session;
(ii) one of e1 and e2 , say e1 , is a send event that sends as part of its message
a freshly generated atomic message n, while the other event, e2 , contradicts
unique origination of n: e2 sends n as part of its message but n has never been
received earlier in the session of e2 .
(iii) e1 and e2 are causally dependent on two events that are in conflict according
to (i) or (ii).
The first situation motivates that a concept of branching bundles must be based
on a concept of branching strands. So let us analyse in turn what sources of branch-
ing there are within a session. When does a session split into different futures?
(i) The receive actions of a protocol specification typically contain variables to be
bound to parts of the incoming message. A session with such a receive action
will have different futures depending on the received message. (The different
futures will, however, be equivalent modulo the value that is bound to the
respective input variable.) This situation is depicted in Figure 1(a).
(ii) The protocol specification may contain choice points. For example, the course
of the SSL/TLS handshake protocol depends on which method for establishing
the pre-master-secret is negotiated at the start, and on whether client authen-
6
 Fröschle

tication is requested by the Server or not. Typically the choice between several
options of a protocol will be resolved by received input. On the other hand, to
abstract away from detail, we may allow protocols to contain nondeterministic
choice. The first situation is depicted in Figure 1(b).
There is yet another source of branching if we take a purely observational view.
Say Eavesdropper Eve observes the first two actions of a session, but she cannot tell
to which role these actions belong to: according to their format the actions could
form an initial part of an instance of role A or of role B. Then in one future of
Eve the observed session may evolve into an instance of role A, whereas in another
future of Eve it will evolve into an instance of role B.
(iii) An observed session may have different futures due to ambiguity in the protocol
specification.
To include (iii) as a source of branching is a design decision and may seem
counter-intuitive at first. To include it seems, however, in the spirit of the strand
space model: it is consistent with the fact that if there is ambiguity in the protocol
specification then a strand may be interpreted as an instance of several roles. To
resolve this type of ambiguity one would need to keep a role identifier at each strand,
which would make the model less abstract and technically cumbersome. As we will
now see our decision to include (iii) leads to a very simple formalization of branching
strand. In the following, let P be a protocol.
Definition 3.1 A branching strand of P , abbreviated b-strand of P , is a labelled
tree s = (E, ⇒, GAct, l) such that all branches of s are strands of P . (Note that
this implies that branching strands are trees of finite depth.)

By definition every strand is a b-strand, and every b-strand whose events are
totally ordered is a strand. We carry over all the concepts defined for strands in
Section 2 in the obvious way. The notation ⇒-pred (e) naturally also carries over.
Having defined a notion of b-strands we obtain b-strand spaces in the obvious
way. A b-strand space of P is a pair B = (S, →) where S is a set of disjoint b-
!
strands of P , and → ⊆ E × E is a relation on the events of S, E = s∈S events(s).
Analogously to strand spaces, we will often view B as a labelled bi-graph (E, ⇒, →,
GAct, l). The three situations of conflict pinpointed in the beginning of the section
give rise to a binary conflict relation on the events of a b-strand space.
Definition 3.2 Let B = (E, ⇒, →, GAct, l) be a b-strand space of P . Two distinct
events e1 , e2 ∈ E are in immediate conflict, written e1 #1 e2 , if
(i) ⇒-pred (e1 ) = ⇒-pred (e2 ), or
(ii) sign(e1 ) = +, and there is n ∈ fresh(e1 ) such that n originates on e2 , or
(iii) the symmetric condition holds.
Two events e1 , e2 ∈ E are in conflict, written e1 #B e2 , if there exist distinct events
e"1 , e"2 ∈ E such that e"1 #1 e"2 and e"i (⇒ ∪ →)∗ ei for i = 1, 2. For e ∈ E, we say e is
in self-conflict if e#B e.

To be able to interpret a b-strand space as a branching protocol execution we

need to impose axioms. Naturally we will adopt Axioms (B1) to (B5) of the def-
7
 Fröschle

inition of bundles. However, Axiom (B6) will be dropped: the axiom on unique
origination is clearly not needed when events are allowed to be in conflict. On the
other hand, in the presence of conflict a new axiom will be required: we need to
make sure that events are never in conflict with any of the events they are causally
dependent on. Formally, this gives rise to the following definition.

Definition 3.3 A branching bundle of P , abbreviated b-bundle of P , is a b-strand

space B of P such that Axioms (B1) to (B5) as well as the following axiom hold:
BB No event of B is in self-conflict.

Analogously to bundles, due to Axiom (B4), we can associate a causality relation

,B with each b-bundle B; we carry over all concepts related to ,B from bundles
to b-bundles. Due to Axiom (BB), for every b-bundle B, #B is irreflexive as well
as symmetric; this is what one would expect of a binary conflict relation.
Finally, we show that bundles are exactly those b-bundles where no events are
in conflict. This illustrates that b-bundles are indeed the generalization of bundles
we have been looking for.
Proposition 3.4 For every b-strand space B of P , B is a bundle of P if and only
if B is a b-bundle with #B = ∅.

4 Towards a Theory of Branching Bundles

We now investigate whether b-bundles have as satisfying a theory as Petri net
branching processes. In Section 4.2 we examine the relationship of b-bundles to
event structures. In Section 4.3 we explore whether the b-bundles of a protocol
approximate (modulo isomorphism) a largest b-bundle. In preparation, we intro-
duce a notion of sub-b-bundle in Section 4.1, which is analogous to that of Petri net
sub-b-processes [4].
In the following, we work as usual relative to a fixed protocol P . Given a b-
bundle B of P we will implicitly assume B = (E, ⇒, →, GAct, l). We carry this
convention over to b-bundles B1 , B2 , and B " in the obvious way; e.g., we assume
B1 = (E1 , ⇒1 , →1 , GAct, l1 ).
B-bundles come with a notion of isomorphism induced by the standard notion
for labelled bi-graphs. As usual the relation ‘isomorphic’ is an equivalence relation.
Next to isomorphism a notion of homomorphism for b-bundles will be central. A
homomorphism h from b-bundle B1 to b-bundle B2 formalizes the fact that B1
can be folded onto a part of B2 . Given an event e of a b-bundle B, we define
⇓ e = {e" ∈ E | e" (⇒)∗ e}.

Definition 4.1 Let B1 and B2 be two b-bundles of P . A homomorphism from B1

to B2 is a mapping h from E1 to E2 such that
(i) for every e ∈ E1 , l1 (e) = l2 (h(e)),
(ii) for every e ∈ E1 , the restriction of h to ⇓1 e is a bijection between ⇓1 e and
⇓2 h(e), and
(iii) for every e, e" ∈ E1 , if e →1 e" then h(e) →2 h(e" ).

8
 Fröschle

It is easy to show that the composition of two homomorphisms is a homomor-

phism. If a homomorphism is bijective then the converse of (iii) is also true (using
the fact that B1 and B2 are b-bundles). Thus, an isomorphism is a bijective homo-
morphism.

4.1 Sub-b-bundles
We introduce a natural notion of sub-b-bundle, which formalizes when a b-bundle
is an initial part of another b-bundle.

Definition 4.2 Let B and B " be two b-bundles of P . B " is a sub-b-bundle of B if

E " ⊆ E and the identity on E " is a homomorphism from B " to B. If B " is a bundle
we also say that B " is a sub-bundle of B.

In other words, B " is a sub-b-bundle of B if, E " ⊆ E, and for every e ∈ E " ,
(1) l" (e) = l(e), (2) ⇒" -pred (e) = ⇒ -pred (e), and (3) →" -pred (e) = → -pred (e)
(using the fact that B and B " are b-bundles). This shows that B " really is an initial
part of B.
We provide a characterization of the sub-b-bundles and sub-bundles of a b-
bundle B in terms of downwards-closed subsets of E. This will further illustrate
the concept of sub-b-bundle but will also be needed in the next section. A subset
E " of E is downwards-closed if, for all e1 , e2 ∈ E, if e1 ,B e2 and e2 ∈ E " then
e1 ∈ E " . If B " is a sub-b-bundle of B then E " is clearly downwards-closed. This
follows from the observation of the previous paragraph. On the other hand, every
downwards-closed set of events determines a sub-b-bundle in a natural way.

Definition 4.3 Let B be a b-bundle, and let E " be a downwards-closed subset of

E. The sub-b-bundle associated with E " , denoted by sbb(E " ) is defined as (E " , ⇒" ,
→" , GAct, l" ), where ⇒" , →" , and l" are obtained as the restriction of ⇒, →, and l
respectively, to the events in E " .

It is immediate that sbb(E " ) is indeed a b-bundle. It is clearly a sub-b-bundle

by definition. We are now ready to state the characterization.
Proposition 4.4 Let B be a b-bundle.
(i) A b-bundle B " is a sub-b-bundle of B if and only if B " = sbb(E " ) for some
downwards-closed subset E " of E.
(ii) A bundle B " is a sub-bundle of B if and only if B " = sbb(E " ) for some
downwards-closed and conflict-free subset E " of E.

4.2 Branching Bundles and Event Structures

A (labelled prime) event structure is a tuple (E, ≤, #, L, l) consisting of a set E of
events, which are partially ordered by ≤, the causal dependency relation, a binary,
symmetric and irreflexive relation # ⊆ E × E, the conflict relation, a set L of labels,
and a labelling function l : E → L, which assigns a label to each event. Further,
the following conditions must be satisfied for all e, e" , e"" ∈ E:
E1 e ↓ = {e" | e" ≤ e} is finite,
9
 Fröschle

E2 if e#e" and e" ≤ e"" then e#e"" .

Axiom (E1) means we only consider discrete processes where an event occurrence
depends on finitely many previous events. Axiom (E2) makes sure that each event
inherits conflict from the events it is causally dependent on.
Event structures come equipped with a notion of computation state, called con-
figuration, and a transition relation between configurations. A configuration of an
event structure (E, ≤, #, L, l) is a set X ⊆ E, which is
(i) downwards-closed: ∀e, e" ∈ E : e" ≤ e & e ∈ X ⇒ e" ∈ X, and
(ii) conflict-free: ∀e, e" ∈ X : ¬(e#e" ).
l(e)
For two configurations X, X " and an event e we write X −→ X " when e ∈ / X and
X " = X ∪ {e}. In this way every event structure gives rise to a labelled transition
system.
We shall now see that b-bundles are closely related to event structures. The
following is straightforward:
(i) Every b-bundle B of P can be viewed as an event structure. This event struc-
ture gives a more abstract representation of B in that it abstracts away from
the distribution of events over b-strands.

Proposition 4.5 Let B = (E, ⇒, →, GAct, l) be a b-bundle of P . Then

bb2ev (B) := (E, ,B , #B , GAct, l) is an event structure.

Just as the configurations of an event structure define its computation states,

the sub-bundles of a b-bundle can be considered to define the reachable states of
that part of the protocol execution described by the b-bundle. From Section 4.1 we
know that the sub-bundles of a b-bundle can be captured in terms of conflict-free
and downwards-closed subsets of events. Hence, we obtain:
(ii) There is a one-to-one correspondence between the sub-bundles of B and the
configurations of bb2ev (B), given by:

Proposition 4.6 Let B be a b-bundle of P .

(i) If B " is a sub-bundle of B then E " (the set of events of B " ) is a configuration
of bb2ev (B).
(ii) If E " is a configuration of bb2ev (B) then sbb(E " ) is a sub-bundle of B " .

We can define a transition relation between the sub-bundles of a b-bundle anal-

ogously to how this is done for event structures: given a b-bundle B, for two sub-
l(e)
bundles B " , B "" of B, and an event e ∈ E, we write B " −→ B "" when e *∈ E " and
E "" = E " ∪ {e}. Altogether, we have:
(iii) Every b-bundle B induces a labelled transition system, where the states are
given by the sub-bundles of B and the transition relation describes how a sub-
bundle can evolve into a new one by executing an action. The induced labelled
transition system is isomorphic to that induced by bb2ev (B).

10
 Fröschle

4.3 Approximation
Every b-bundle of a protocol P captures an initial part of the behaviour of P .
We now wish to investigate whether the b-bundles of P consistently approximate,
modulo isomorphism, a largest b-bundle. If every protocol P had indeed a largest
b-bundle, this b-bundle would capture all possible behaviour of P , and would thus
provide a natural strand space semantics for protocols. Furthermore, in view of the
results of the previous section this strand space semantics would come with a notion
of computation state in terms of bundles, and a transition relation between them.
The induced labelled transition system would give the corresponding interleaving
semantics of the protocol, while the protocol would also have an abstract partial
order semantics in terms of the induced labelled event structure.
First, we need to define a natural notion of approximation for b-bundles. Intu-
itively, one b-bundle approximates another when it is, up to isomorphism, an initial
part of the other. This can be formalized as follows.

Definition 4.7 Let B1 , B2 be two b-bundles of P . B1 approximates B2 , written

B1 ≤ B2 , if there exists an injective homomorphism from B1 to B2 .

The following observation justifies the naturalness of this definition:

Proposition 4.8 Let B1 , B2 be two b-bundles of P . B1 ≤ B2 if and only if B1 is
isomorphic to a sub-b-bundle of B2 .
Naturally, approximation is preserved by isomorphism. Thus, ≤ can be extended
to isomorphism classes of b-bundles. Let IBB (P ) denote the set of isomorphism
classes of b-bundles of P . As one would expect ≤ is a partial order on IBB (P ).

Proposition 4.9 (IBB (P ), ≤) is a partial order.

To establish that the b-bundles of P consistently approximate a largest b-bundle

we would further like to obtain that (IBB (P ), ≤) is a complete lattice. However,
we will now demonstrate that this does not hold. Indeed we have:

Proposition 4.10 (IBB (P ), ≤) is neither a lattice nor a complete partial order.

Proof. To prove this result we will exhibit two b-bundles that have upper bounds
but no least upper bound. The b-bundles (which are also bundles) are presented in
Figure 2.
Bundle A contains one instance of trace +m1 +m2 and one instance of trace
−m1 −m2 , with the send and receive events matched up in the obvious way. Bundle
B contains two instances of trace +m1 +m2 and one instance of trace −m1 −m2 ,
with the receive events of the latter matched up to send events of different strands.
Observe that A and B are incomparable: B can clearly not be injectively folded
onto A; while there cannot be a homomorphism from A to B because there is no
strand in B with two outgoing message-flow arrows.
By a similar argument it is clear that any upper bound of A and B must contain
at least two instances of trace +m1 +m2 and two instances of trace −m1 −m2 . If
two b-bundles contain the same number of events and are comparable with respect
to ≤ then there will be a bijective homomorphism between them, and hence an
11
 Fröschle

• +m1 • +m1 • +m1

• +m2 • +m2 • +m2

• −m1 • −m1

• −m2 • −m2

A B

• +m1 • +m1 • +m1 • +m1

• −m1 • −m1
• +m2 • +m2 • +m2 • +m2

• −m2 • −m2

• −m1 • −m1

• −m2 • −m2

U V

Fig. 2. m1 and m2 are ground messages, +m1 stands short for + fresh ∅ in m1 , and similarly for +m2 . It
is clear that there is a protocol P such that A to V are b-bundles of P .

isomorphism. Thus, any upper bound of A and B which contains only eight events
is, up to isomorphism, a minimal upper bound of A and B.
Consider b-bundles U and V of Figure 2. It is easy to check that both of them
are upper bounds of A and B. Further, both of them have only eight events, and
thus, up to isomorphism, they must be minimal upper bounds. On the other hand,
U and V are not isomorphic: e.g., U has an event labelled by +m1 with two outgoing
message-flow arcs while V does not. !

Since (IBB (P ), ≤) is not even a complete partial order, ≤ cannot be interpreted

as a notion of approximation in the information-ordering sense: a b-bundle that
is higher in the order does not extend the information of the elements below in a
consistent way. It also indicates that a largest b-bundle might simply not exist.
Thus, the theory of branching bundles does not turn out to be very satisfying.
Analysing the above counter-example will, however, lead us to a satisfying theory
of symbolic b-bundles.

Remark 4.11 Those readers who are familiar with the strand space model may
wonder whether a counter-example could still be obtained if the →-relation in bun-
dles was disallowed to be forwards-branching (and the Intruder must duplicate mes-
sages explicitly). Note that for b-bundles forwards-branching would still be natural,
12
 Fröschle

• +fresh a in m1

• +m2
• +m2

• −m2 • −m2

• +m3 • +m3

# • −m3

• +a

Fig. 3. Assume a &' m2 & a &' m3 .

and a more involved counter-example could be constructed.

5 Symbolic Branching Bundles

Let us take another look at the bundles of Figure 2. One could argue that A and
B represent the same information with respect to the Intruder’s viewpoint. On
the one hand, at both, A and B, the information the Intruder has gained so far is
essentially the same:
the input to a strand with trace −m1 −m2 can be obtained from the send events
of a strand with trace +m1 +m2 , where instances of the latter trace do not require
any input.
On the other hand, the information the Intruder may gain in the future is also
essentially the same at both, A and B:
for example, to simulate a future of B by a future of A, if the Intruder employs
one of the two +m1 -events of B as send input to a future strand, he can use the
one +m1 -event of A in exactly the same way. Furthermore, if in a future of B
each of the two +m1 +m2 strands is extended by an action such that the actions
are different but non-conflicting, then in A a new strand with trace +m1 +m2 can
be spawned, so as to obtain two non-conflicting strands with analogous traces.
This is why, on second look, it is not surprising that b-bundles do not form an
information ordering: there are many inconsistent ways of representing the same
information. On the positive side, this also suggests that we may still obtain an
information ordering if we work with a notion of symbolic b-bundle.
How could a notion of symbolic b-bundle look like? We would expect that in
a symbolic b-bundle all branches that represent essentially the same information
are ‘glued together’, thereby folding a space of b-strands together into a space of
symbolic b-strands. A space of symbolic b-strands is a b-strand space whose b-
strands are considered symbolically. This means we need to relax our notion of
conflict. Since a b-strand may now represent several, possibly parallel, sessions, two
events that have the same ⇒-predecessor are not necessarily in conflict any more:
13
 Fröschle

as long as there is no conflict due to unique origination we could have instantiated

parallel sessions.

Definition 5.1 Let B = (E, ⇒, →, GAct, l) be a b-strand space of P . Whenever

we wish to consider the b-strands of B symbolically then we call B a symbolic b-
strand space, and redefine the conflict relation #B by deleting clause (i) from the
definition of immediate conflict in Def. 3.2.

Next we need to clarify: when do two branches of a b-bundle represent essentially

the same information? One condition is, naturally, that their trace must be the
same. However, Figure 3 motivates that we need to adopt a second condition. It
illustrates that two strands that have the same trace but different pasts can have
different futures: the +m3 -event of the strand on the right-hand side can be used as
input to the −m3 -event of the lowest strand. However, this is not possible for the
+m3 -event of the strand on the left-hand side, since this would lead to a self-conflict
of the +a-event due to violation of unique origination. Thus, we only wish to ‘glue
together’ branches when they have the same trace and the same past. In more
detail: if two branches b and b" have the same trace and for all positions i of the
trace, the ith event of b has the same →-predecessor as the ith event of b" then b
and b" are to be identified. We can capture this condition more succinctly in terms
of events: if two events have the same label and the same predecessors then they
are to be identified. Altogether, this leads to the following definition of symbolic
b-bundle.

Definition 5.2 A symbolic b-bundle B of P is a symbolic b-strand space such that

Axioms (B1) to (B5) and (BB) of the definition of b-bundle hold (the latter with
respect to the redefined conflict relation). In addition we impose the following
axiom:
SBB for every e1 , e2 ∈ E, if
(a) l(e1 ) = l(e2 ), and
(b) ⇒-pred (e1 ) = ⇒-pred (e2 ), and
(c) →-pred (e1 ) = →-pred (e2 )
then e1 = e2 .

Axiom (SBB) is analogous to, and inspired by, a requirement for Petri net
branching processes (Definition 7 of [4]). We also derive a notion of symbolic bundle.
Naturally, they are based on symbolic b-strands.

Definition 5.3 A symbolic bundle is a conflict-free symbolic b-bundle (where the

conflict relation is as redefined above).

We will now demonstrate that every b-bundle B of P can indeed be folded onto
a symbolic b-bundle. By induction on the causal depth of events we successively
identify those events that satisfy conditions (a) to (c) of the definition of symbolic
b-bundle. Formally, we define an equivalence relation ∼ on E ∪ {nil } inductively as
follows:
(i) nil ∼ nil ,
14
 Fröschle

(ii) e1 ∼ e2 if
(a) l(e1 ) = l(e2 ),
(b) ⇒-pred (e1 ) ∼ ⇒-pred (e2 ), and
(c) →-pred (e1 ) ∼ →-pred (e2 ).
It is easy to check that ∼ is indeed an equivalence relation. Denote the equiv-
alence class of event e by [e]∼ . Given a b-bundle B, the folding of B, denoted by
fold (B), is defined to be the tuple (Ef , ⇒f , →f , GAct, lf ) where
• Ef = {[e]∼ | e ∈ E},
• ∀f1 , f2 ∈ Ef , f1 ⇒f f2 if and only if e1 ⇒B e2 for some e1 ∈ f1 , e2 ∈ f2 ,
• ∀f1 , f2 ∈ Ef , f1 →f f2 if and only if e1 →B e2 for some e1 ∈ f1 , e2 ∈ f2 ,
• ∀f ∈ Ef , l(f ) = a if and only if l(e) = a for some (or equivalently all) e ∈ f .
Proposition 5.4 Let B be a b-bundle of P .
(i) fold (B) is a symbolic b-bundle of P .
(ii) If B is a bundle then fold (B) is a symbolic bundle.
(iii) fold is a surjective homomorphism from B to fold (B).

On the other hand, every symbolic b-bundle can be transformed into a b-bundle
by disentangling non-conflicting strands that are glued together. In particular,
every symbolic bundle can be transformed into a bundle. (These connections will
be formalized in the full version of the paper.)
The transformations give rise to the following observation, which shows how
reachability problems on bundles can be reduced to reachability problems on sym-
bolic bundles.
Proposition 5.5 Assume a protocol P and a finite set of strands S of P . There
is a bundle B of P with S ⊆ strands(B) if and only if the events of S are conflict-
free and there is a symbolic bundle B " of P with traces(S) ⊆ traces(B " ). (We use
strands(B), traces(S), and traces(B " ) with the obvious meaning.)

This shows that it should be adequate to work with symbolic bundles in most
situations. Most verification problems for security protocols can be expressed as
reachability problems: check whether a situation that represents an attack can be
reached. In the strand space model this can be formalized as follows:
Given: A protocol P , and a finite set of strands S.
Decide: Is there a finite bundle B such that S ⊆ strands(B)?

6 A Theory of Symbolic Branching Bundles

It is straightforward to carry over all concepts and positive results of Section 4 to
symbolic b-bundles. In particular, we have a partial order ≤ on ISBB (P ), the set
of isomorphism classes of symbolic b-bundles of P . However, now we indeed obtain:
Theorem 6.1 (ISBB (P ), ≤) is a complete lattice.

Due to Axiom (SBB) the theorem can be proved analogously to Engelfriet’s

15
 Fröschle

result on Petri net branching processes [4]. The proof will be provided in the full
version of the paper.
Theorem 6.1 guarantees the existence of a unique maximal element in ISBB (P ),
which captures all possible behaviour of P in a symbolic fashion. We call it the
symbolic unfolding of P . Thus, every protocol has a strand space semantics in terms
of its symbolic unfolding. Further, by the results of Section 4.2 this semantics comes
with a notion of computation state in terms of symbolic sub-bundles, a transition
relation, and close relations to event structures.
It remains to be investigated whether restricting our attention to the symbolic
unfolding is indeed suitable in most situations of security protocol analysis. We
will also examine whether it can help with the state space explosion problem in
model-checking tools. On the theoretical side, the relationship between symbolic
b-bundles and b-bundles can be further formalized using category theory.

Acknowledgement: I thank the anonymous referees for their valuable comments.

References
[1] Federico Crazzolara and Glynn Winskel. Events in security protocols. In ACM Conference on Computer
and Communications Security, pages 96–105, 2001.

[2] Federico Crazzolara and Glynn Winskel. Petri nets in cryptographic protocols. In IEEE IPDPS-01,
page 149, 2001.

[3] Federico Crazzolara and Glynn Winskel. Composing strand spaces. In FST TCS 2002, volume 2556 of
Lecture Notes in Computer Science, pages 97–108, 2002.

[4] Joost Engelfriet. Branching processes of Petri nets. Acta Inf., 28(6):575–591, 1991.

[5] F. Javier Thayer Fábrega, Jonathan C. Herzog, and Joshua D. Guttman. Strand spaces: Why is a
security protocol correct? In Symposium on Security and Privacy. IEEE Computer Society, 1998.

[6] Sibylle Fröschle. The insecurity problem: Tackling unbounded data. In CSF 2007, pages 370–384. IEEE,
2007.

[7] MITRE. The strand space method web page. http://www.mitre.org/tech/strands/.

16