Interpreting Strands in Linear Logic

Abstract: The adoption of the Dolev-Yao model, an abstraction of security protocols that supports symbolic reasoning, is responsible for many successes in protocol analysis. In particular, it has enabled using logic effectively to reason about protocols. One recent framework for expressing the basic assumptions of the Dolev-Yao model is given by strand spaces, certain directed graphs whose structure reflects causal interactions among protocol participants. We represent strand constructions as relatively simple formulas in first-order linear logic, a refinement of traditional logic known for an intrinsic and natural accounting of process states, events, and resources. The proposed encoding is shown to be sound and complete. Interestingly, this encoding differs from the multiset rewriting definition of the Dolev-Yao model, which is also based on linear logic. This raises the possibility that the multiset rewriting framework may differ from strand spaces in some subtle way, although the two settings are known to agree on the basic secrecy property.


Introduction
In recent years, a variety of methods have been developed for analyzing and reasoning about protocols based on cryptographic primitives. Although there are many differences among these proposals, most current formal approaches use the so-called "Dolev-Yao" model of adversary capabilities, which appears to be drawn from positions taken in [34] and from a simplified model presented in [11]. In this idealized setting, a protocol adversary is allowed to nondeterministically choose among possible actions. Messages are composed of indivisible abstract values, not sequences of bits, and encryption is modeled in an idealized way. The adversary may only send messages comprised of data it "knows" as the result of overhearing past transmissions.
The Dolev-Yao abstraction makes symbolic reasoning about crypto-protocols a viable approach. This observation has materialized in a number of successful analyses that use model checking [29, 33, 38] and in several proposals based on logic, the quintessential tool of symbolic reasoning [4, 35].
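The "knows" relation of the previous paragraph is what symbolic tools actually compute: a closure of the adversary's observations under decomposition (splitting pairs, decrypting with a known inverse key) followed by synthesis (pairing, encrypting with a known key). The following is example code added by the editor, not part of the paper; the term representation, the `pk_`/`sk_` key-naming convention, and the sample knowledge sets are this example's own constructions.

```python
"""Dolev-Yao deduction over symbolic terms: messages are abstract values, not
bit strings, and the adversary can only emit what it can derive from what it
has overheard (plus its initial knowledge).

Term representation (constructed for this example):
    "alice", "nA", "pk_alice"   atomic values: names, nonces, keys
    ("pair", a, b)              concatenation of a and b
    ("enc", m, k)               m encrypted under key k (perfect encryption)
Assumption: public keys are named "pk_<name>", private keys "sk_<name>";
any other key is symmetric and is its own inverse.
"""
from typing import Set, Tuple, Union

Term = Union[str, Tuple]


def inverse_key(k: Term) -> Term:
    """Key that decrypts what k encrypts (naming convention above)."""
    if isinstance(k, str) and k.startswith("pk_"):
        return "sk_" + k[3:]
    if isinstance(k, str) and k.startswith("sk_"):
        return "pk_" + k[3:]
    return k


def analyze(knowledge: Set[Term]) -> Set[Term]:
    """Close the knowledge set under decomposition: split pairs and strip
    one encryption layer whenever the inverse key is already known.
    Iterates to a fixpoint because a decryption may expose a new key."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = {t[1], t[2]}
            elif t[0] == "enc" and inverse_key(t[2]) in known:
                parts = {t[1]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return known


def derivable(knowledge: Set[Term], target: Term) -> bool:
    """Synthesis check: after analysis, can target be assembled by pairing
    and encrypting known terms?  Encrypting requires the key itself to be
    known; an overheard ciphertext can always be replayed as a whole."""
    known = analyze(knowledge)

    def build(t: Term) -> bool:
        if t in known:
            return True
        if isinstance(t, tuple) and t[0] in ("pair", "enc"):
            return build(t[1]) and build(t[2])
        return False

    return build(target)
```

With this, the first step of Lowe's attack on Needham-Schroeder reads as one `derivable` query: an intruder holding `sk_eve` and the overheard `{nA, alice}_pk_eve` can produce `{nA, alice}_pk_bob`, whereas an intruder that only overheard `{nA, alice}_pk_bob` cannot extract `nA`.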
One recent setting for stating the basic assumptions of the Dolev-Yao model is given by strand spaces [13, 14, 39]. Roughly, a strand is a linearly ordered sequence of events that represents the actions of a protocol participant. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction among participants. This is closely related to Lamport's notion of causality in distributed systems [21], and a clear instance of Mazurkiewicz's definition of trace within concurrency theory [31]. Prior to a run of the protocol, each principal chooses certain data to be used in the protocol, such as keys or nonces.
In contrast, a formal definition of the Dolev-Yao model in terms of multiset rewriting with existential quantification, MSR [6, 7, 12], allows new values such as keys and nonces to be chosen at any time during the protocol run, as the need for new choices arises. In this formalism, a way of choosing new values is provided by the proof rules of existential quantification. The MSR formalism has been incorporated into a high-level specification language for authentication protocols, CAPSL [10].
In [7], we established a substantial equivalence of the MSR and strand space formalisms. We introduced a suitable abstraction of strand configurations that corresponds to MSR states, and showed that related pairs of states and configurations are equi-reachable. This is relevant for security analysis because several basic properties of security protocols (e.g. secrecy) can be phrased as reachability problems. However, it is not clear that all relevant properties of security protocols can be phrased in terms of reachability. Thus a more refined analysis of the MSR and strand space formalisms might reveal differences between the two formalisms in regard to some subtle properties of protocols. In this paper, which may be seen as a companion to [7], we provide some preliminary steps in this direction.
The MSR and strand space formalisms are analyzed here in the formal setting of linear logic [16], a refinement of traditional logic with an intrinsic and natural accounting of process states and events. The choice of linear logic is natural because of the very close connection between multiset rewriting and simple fragments of linear logic, which has been studied extensively [3, 30, 15, 19, 5]. We extend this standard correspondence to include first-order parameters and existentially quantified variables.
On the other hand, we also formally represent strand constructions as relatively simple formulas in first-order linear logic. This encoding is also shown to be sound and complete. As in our previous work on multiset rewriting specifications of security protocols [6, 7, 12], the proof rules of existential quantification provide a way of choosing new values, such as nonces or keys. However, the linear logic interpretation introduced here maintains the strand space intuition that nonces are chosen before the protocol is run. Let us note that this encoding differs from the standard linear logic representation of multiset rewriting. This raises the possibility that the multiset rewriting framework may differ from strand spaces in some subtle way.
Linear logic has found applications in numerous areas of Computer Science, and it has concrete prospects of influencing the field of security protocol analysis in a similar way. As a specification language, linear logic has been used to provide elegant and effective representations of many systems that share characteristics with cryptoprotocols [8, 9, 17, 18]. The natural embedding of concurrent systems in linear logic [15, 20], in particular in its graph-based presentations [16], is also likely to be relevant, given the interpretation of security protocols as concurrent systems [1, 40]. Work on meta-reasoning in linear logic [32] promises to address protocol correctness [4, 35] effectively and efficiently. Finally, some of the theoretical results linear logic has brought about (e.g. complexity issues [23]) are expected to yield a better understanding of the most fundamental aspects of security protocols [12].
This paper is organized as follows: Section 2 recalls the notion of strand and reachability between strand configurations; Section 3 provides some background on linear logic; Section 4 describes the translation of strand constructions into linear logic, while in Section 5 we prove soundness and completeness theorems that relate strand reachability and linear logic derivability for their translation. In Section 6, we compare these results with the translation of the multiset rewriting specification of a security protocol into linear logic.

Parametric Strands
In this section, we first recall the notions of strand spaces and bundles [13, 39], and then recent extensions aimed at capturing protocol execution at the level of strands [7].
An event is a pair consisting of a message $m$ and an indication of whether it has been sent ($+m$) or received ($-m$) [13]. A strand is a finite sequence of events. We indicate strands with the letter $s$, the length of a strand as $|s|$, and its $i$-th event as $s_i$ for $i = 1, \ldots, |s|$. A strand $s$ is therefore a chain graph $(S, \Rightarrow)$, where $S = \{s_i : i = 1, \ldots, |s|\}$, moreover $s_i \Rightarrow s_j$ iff $j = i + 1$, and finally the nodes $s_i$ are labeled with events.
A strand space is a set of strands with an additional relation $\to$ on the nodes, such that if one node is related by $\to$ to another, then the first is labeled $+m$ and the second $-m$ for the same message $m$; the $\to$-edge represents the transmission of the message $m$ from the sender to the receiver. A strand space is therefore a graph with two types of arrows (a bi-graph, using the terminology in [7]), $(S, \Rightarrow, \to)$, with the above restriction on $\to$. Given such a strand space, we will sometimes subscript $S$, $\Rightarrow$ and $\to$ with its name. Let $S^+$ and $S^-$ indicate the set of positively- and negatively-labeled nodes in $S$ respectively. A bundle [13, 7] (see also [21]) is a strand space $(S, \Rightarrow, \to)$ such that the bipartite graph $(S^+, S^-, \to)$ is functional (a positive node has at most one outgoing $\to$-edge), injective (a negative node has at most one incoming $\to$-edge), and surjective (a negative node has at least one incoming $\to$-edge), and $\Rightarrow \cup \to$ is acyclic [7]. In terms of protocols, the first three constraints imply that a message is sent to at most one recipient at a time, that no message is received from more than one sender, and that every received message has been sent, respectively. Dangling positive nodes correspond to messages in transit. Therefore, a bundle represents a snapshot of the execution of a protocol. We now build on these accepted definitions and present a strand-based language for the specification of protocols and of their execution. The interested reader may consult [7] for further details.
Data such as the identity of principals and their long-term keys often constitute the stage on which the execution of a protocol takes place, and do not change as it unfolds. We represent and access this persistent information through a fixed multiset of ground atomic formulas with distinguished persistent predicates (e.g. PubK and PrvK) [7].
A role is modeled as a parametric strand: a strand where the messages may contain variables. An actual strand is obtained by instantiating all the variables in a parametric strand (or an initial segment of one) with persistent information and actual message pieces. A parametric strand for a role may look as in Figure 1. The freshness of $\tilde{n}$, i.e. the fact that the variables $\tilde{n}$ should be instantiated with "new" constants that have not been used before, is expressed as a side condition. Using the terminology in [13, 39], the values $\tilde{n}$ are uniquely originated. The relationships between variables are expressed in [39] using intuitive notation, e.g. $k^{-1}$ for the inverse key of $k$, or $k_A$ for the public key of $A$. We formalize these relations by equipping the strand with constraints $\Gamma(\tilde{x})$ that, without loss of generality, will be a set of persistent atomic formulas parameterized over $\tilde{x}$. In this paper, it is convenient to equip each parametric strand with an initial node labeled with a distinguished start symbol and an ending node labeled $\bot$. This addition is discussed at length in [7].
A protocol is given as a set of roles. The model of the intruder in the style of Dolev and Yao [11, 34] is also specified as a set of parametric strands $P(P_0)$ called penetrator strands, where $P_0$ is the intruder's initial knowledge [7, 39]. As an example, Figure 2 shows how the Needham-Schroeder public key protocol is modeled using parametric strands, where we have used incoming and outgoing arrows instead of the tags $+$ and $-$ for readability. We ask the reader to

These definitions allow us to specialize the bundles we are looking at: given a set of parametric strands $\mathcal{S}$, every strand in a bundle should be an initial prefix of an instantiated protocol or penetrator strand. We are interested in initial prefixes since a bundle is a snapshot of the execution of a protocol, and a particular role instance may be halfway through its execution. We then say that the bundle is a bundle over $\mathcal{S}$.
We will now give a few definitions needed to emulate the execution of a protocol with parametric strands. First, observe that the network traffic in a bundle is expressed in terms of events and of the $\to$ relation. The edges of $\to$ represent past traffic: messages that have been sent and successfully received. The dangling positive nodes correspond to current traffic: messages in transit that have been sent, but not yet received. We will call these nodes the fringe of the bundle (or strand space). More formally, given a strand space $(S, \Rightarrow, \to)$, its fringe is the set
$$\mathrm{Fr} = \{\, \nu : \nu \in S,\ \nu = +m,\ \text{and}\ \neg\exists \nu' : \nu \to \nu' \,\}.$$
Another component of the execution state of a protocol is a description of the actions that can legally take place in order to continue the execution. First, some technicalities.
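The bundle conditions and the fringe are concrete enough to check mechanically. The following is example code added by the editor, not from the paper: it stores a strand space as a bi-graph, reports every violated bundle condition (functional, injective, surjective, acyclic), and computes the fringe. The node naming `(strand, position)`, the string form of messages, and the Needham-Schroeder run used as sample input are this example's own conventions.

```python
"""A strand space as a bi-graph: strands are chains of events (+m send, -m
receive) linked by =>; the transmission relation -> links a positive node to
a negative node carrying the same message.  Checks the bundle conditions and
computes the fringe (positive nodes whose message is still in transit)."""
from typing import Dict, List, Set, Tuple

Node = Tuple[str, int]       # (strand name, 1-based position on the strand)
Event = Tuple[str, str]      # ("+", m) for a send, ("-", m) for a receive


class StrandSpace:
    def __init__(self) -> None:
        self.strands: Dict[str, List[Event]] = {}
        self.comm: Set[Tuple[Node, Node]] = set()      # the -> relation

    def add_strand(self, name: str, events: List[Event]) -> None:
        assert all(sign in "+-" for sign, _ in events)
        self.strands[name] = list(events)

    def event(self, node: Node) -> Event:
        name, i = node
        return self.strands[name][i - 1]

    def transmit(self, src: Node, dst: Node) -> None:
        """Add src -> dst; only a +m node may send to a -m node, same m."""
        (s_sign, s_msg), (d_sign, d_msg) = self.event(src), self.event(dst)
        if (s_sign, d_sign) != ("+", "-") or s_msg != d_msg:
            raise ValueError(f"{src} -> {dst} does not transmit one message")
        self.comm.add((src, dst))

    def nodes(self) -> List[Node]:
        return [(n, i + 1) for n, ev in self.strands.items() for i in range(len(ev))]

    def successors(self, node: Node) -> List[Node]:
        """Successors under => (next event on the same strand) and ->."""
        name, i = node
        nxt = [(name, i + 1)] if i < len(self.strands[name]) else []
        return nxt + [d for s, d in self.comm if s == node]

    def fringe(self) -> Set[Node]:
        """Positive nodes with no outgoing ->: messages sent, not received."""
        senders = {s for s, _ in self.comm}
        return {n for n in self.nodes() if self.event(n)[0] == "+" and n not in senders}

    def bundle_violations(self) -> List[str]:
        """Empty list iff this strand space is a bundle."""
        out_deg: Dict[Node, int] = {}
        in_deg: Dict[Node, int] = {}
        for s, d in self.comm:
            out_deg[s] = out_deg.get(s, 0) + 1
            in_deg[d] = in_deg.get(d, 0) + 1
        problems = []
        for n in self.nodes():
            sign = self.event(n)[0]
            if sign == "+" and out_deg.get(n, 0) > 1:
                problems.append(f"not functional: {n} sent to several receivers")
            if sign == "-" and in_deg.get(n, 0) > 1:
                problems.append(f"not injective: {n} receives from several senders")
            if sign == "-" and in_deg.get(n, 0) == 0:
                problems.append(f"not surjective: {n} receives a message nobody sent")
        if self._has_cycle():
            problems.append("=> together with -> is cyclic")
        return problems

    def _has_cycle(self) -> bool:
        """Depth-first search with three colours over the union of => and ->."""
        WHITE, GREY, BLACK = 0, 1, 2
        colour = {n: WHITE for n in self.nodes()}

        def visit(n: Node) -> bool:
            colour[n] = GREY
            for m in self.successors(n):
                if colour[m] == GREY or (colour[m] == WHITE and visit(m)):
                    return True
            colour[n] = BLACK
            return False

        return any(colour[n] == WHITE and visit(n) for n in self.nodes())


def needham_schroeder(complete: bool = True) -> StrandSpace:
    """Constructed sample run: initiator A and responder B, three messages.
    With complete=False the second message is sent but never received."""
    ss = StrandSpace()
    ss.add_strand("A", [("+", "{nA,A}kB"), ("-", "{nA,nB}kA"), ("+", "{nB}kB")])
    ss.add_strand("B", [("-", "{nA,A}kB"), ("+", "{nA,nB}kA"), ("-", "{nB}kB")])
    ss.transmit(("A", 1), ("B", 1))
    if complete:
        ss.transmit(("B", 2), ("A", 2))
    ss.transmit(("A", 3), ("B", 3))
    return ss
```

The acyclicity check is the one that distinguishes a bundle from an arbitrary bi-graph: two strands that each wait for the other's message satisfy the three counting conditions yet form a cycle through $\Rightarrow$ and $\to$, and no execution can produce them.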
Given a bundle over a set of parametric strands $\mathcal{S}$, a completion of it is any strand space that embeds the bundle as a subgraph, and that extends each incomplete strand in it with the omitted nodes and the relative $\Rightarrow$-edges. If $s$ is a strand in the bundle and $\tilde{s}$ is its extension in the completion, the sequence obtained by removing every event in $s$ from $\tilde{s}$ is itself a (possibly empty) strand. We call it a residual strand and indicate it as $\tilde{s} \setminus s$. We then write the completion minus the bundle, with the same $\setminus$ notation, for the set of all residual strands of the completion with respect to the bundle.
Given these preliminary definitions, a configuration over $\mathcal{S}$ is a structure consisting of a bundle over $\mathcal{S}$, an extension of it whose only additional $\to$-edges originate in the fringe of the bundle, cover all of it, and point into the residual strands, and finally a signature that lists all the symbols that appear in the bundle and its extension.
We define the notion of one-step transition between two configurations, written as a transition arrow labeled with a move $o$ and subscripted with $\mathcal{S}$, by means of four rules that we call $C_f$, $C_i$, $S$ and $R$. For the sake of conciseness, we limit ourselves to an intuitive presentation based on the following sketches. A formal definition can be found in [7]. The move $o$ that labels the transition arrow records the necessary information to reconstruct the transition uniquely.
Rule $C_f$ describes the instantiation of a parametric strand with constraints $\Gamma(\tilde{x})$ and fresh variables $\tilde{n}$ by a substitution for all its variables that are marked "fresh" ($\tilde{n}$). The substituted constants must be distinct from each other and from any other value appearing in the source configuration. Rule $C_i$ realizes the second stage of instantiation: it applies a substitution to the remaining variables $\tilde{x}$ of a partially instantiated strand, checks that the atomic formulas resulting from instantiating the constraints $\Gamma(\tilde{x})$ with that substitution are satisfied by the persistent information, and installs its initial node in the bundle to produce the target configuration. We must perform instantiation in two stages to handle protocols where two parties exchange newly produced nonces, as in the Needham-Schroeder protocol in Figure 2.
The remaining rules deal with message transmission and reception once a strand has been installed in the configuration. In particular, the nodes they mention lie on fully instantiated strands. Rule $S$ models the action of sending a message: if the configuration at hand embeds a strand that is not fully contained in the bundle part and the first missing node is positive, we add a $\to$-arrow from it to a matching negative node and include the positive node in the bundle. Receiving a message is modeled by rule $R$: if the configuration mentions a strand that is not fully contained in its bundle part and its first missing node has an incoming $\to$-edge, we add that node to the bundle.
A multistep transition amounts to chaining zero or more one-step transitions. This relation is obtained by taking the reflexive and transitive closure of the one-step relation; it is labeled with the sequence $\tilde{o}$ of the component moves ($\cdot$ if empty). $\tilde{o}$ is a trace of the computation.
These properties extend to multistep transitions.

Elements of Linear Logic
The target of our interpretation of strand constructions will be a sublanguage of linear logic [16]. We choose this formalism over more traditional logics because of its interpretation of formulas as consumable resources. This provides, for example, a simple way of modeling the fact that receiving a message makes it unavailable to other recipients unless further actions are taken.
This language, a fragment of first-order multiplicative exponential linear logic to be precise, is given by the following grammar: $A ::= P$

Role completion
We use messages and their constituents as the basis of the term language of our formulas, as described in [7]. We rely on the unary predicate symbol $N$ to hold messages being exchanged, and we maintain the syntax we glimpsed at in the previous section for persistent information. Atoms of the form $Q(q)$ uniquely identify the intermediate $\Rightarrow$-edges in a configuration (see Section 4). Finally, the atomic constant stop will indicate the completion of a strand.
The connectives we will need are $\otimes$ (multiplicative conjunction), the constant $1$ (multiplicative unit), $\multimap$ (linear implication), and the usual quantifiers. A resource $A_1 \otimes A_2$ consists of the sum of parts $A_1$ and $A_2$, while $A_1 \multimap A_2$ realizes resource $A_2$ subject to the availability of $A_1$, while consuming $A_1$ itself (this implements therefore the notion of transition). When instantiating quantifiers, we write $[t/x]A$ for the capture-free substitution of term $t$ for variable $x$ in formula $A$. We abbreviate $[t_1/x_1][t_2/x_2]\ldots[t_n/x_n]A$ as $[t_1/x_1, \ldots, t_n/x_n]A$.
Contexts are finite multisets of comma-separated formulas. The empty context is denoted $\cdot$. We will use the letters $\Gamma$ and $\Delta$, possibly subscripted, to indicate contexts. A signature is a list of constants.
The derivability judgments we will rely upon are sequents of the form [17]
$$\Sigma : \Gamma;\ \Delta \vdash A$$
where the formulas in $\Gamma$ and $\Delta$ are the resources available to produce the formula $A$. While the elements in $\Delta$ shall be used exactly once, the resources in $\Gamma$ can be exploited arbitrarily many times, possibly zero. This convenient two-context formulation [17] is rewritten as a more common single-context sequent by augmenting $\Delta$ with the result of prefixing every formula in $\Gamma$ with the exponential modality "!" [16]. The signature $\Sigma$ lists all the constants mentioned in the sequent. Although usually omitted in presentations of linear logic, it simplifies our treatment of nonces.
The relevant inference rules for this language are displayed in Figure 3. The rules on the left-hand side are called multiplicative. Rule id will be used at the leaves of a derivation: it specifies that an object $A$ can be trivially produced from $A$ itself (the formulas in $\Gamma$ are ignored). Notice that no excess resources are admitted. Rule $\multimap$l specifies how to use a resource $A_1 \multimap A_2$ to build an object $C$: if $A_1$ can be produced using part of the context ($\Delta_1$), then $A_2$ and what remains of the context ($\Delta_2$) are available to produce $C$. Rule $\otimes$l states that a composite resource can be broken up to make its components individually available, while $\otimes$r specifies that $A_1 \otimes A_2$ is produced by building its parts independently. The constant $1$ is the non-resource: it does not contribute to a goal (rule 1l) and does not require any resource to be established (rule 1r). Rule cut permits constructing an object in stages: in order to obtain $C$, one can first build $A$ with some of the available resources, and then use $A$ to achieve $C$. Since $C$ can always be produced directly from the original resources, this rule is effectively redundant, which we emphasize by displaying it in a shaded font.
The right-hand side of Figure 3 shows rule dl (dereliction), which makes a copy of a formula $A$ in $\Gamma$ available in $\Delta$, and the rules concerning the quantifiers. Observe that the existential quantifiers in the context are instantiated with new constants (rule $\exists$l), which we record in the signature $\Sigma$. On the right-hand side of the turnstile (rule $\exists$r), these quantifiers have instead the function of hiding the use of these newly introduced constants. Notice that they are instantiated with constants from $\Sigma$ rather than with arbitrary terms: this is sufficient for our purposes. Instead, we allow universally quantified variables to be instantiated with arbitrary terms (rule $\forall$l).

Strands in Linear Logic
We will now describe the translation of parametric strands and configurations into the fragment of linear logic we just discussed. We shall emphasize that this encoding does not treat penetrator strands differently from regular protocol strands in any way. This adheres to the strand philosophy,

Let a parametric strand over the variables $\tilde{n}, \tilde{x}, \tilde{y}$ be given, with constraints "$\tilde{n}$ fresh, $\Gamma(\tilde{x})$". Let $s_0, s_1, \ldots, s_n, s_{n+1}$ be its nodes, with $s_0$ the initial node, $s_{n+1} = \bot$, and $s_i \Rightarrow s_{i+1}$ for $i = 0, \ldots, n$. We define the encoding of node $s_i$ for $i = 0, \ldots, n+1$, written $\ulcorner s_i \urcorner$, as follows: where, given a multiset of formulas, its encoding is the formula obtained by taking the multiplicative conjunction of every element of it. For $i = 1, \ldots, n$, $\ulcorner s_i \urcorner$ expresses the action in $s_i$ by placing the sent (resp. received) message $m$ in the consequent (resp. antecedent) of the implication. Rule $\multimap$l will have the effect of inserting (resp. removing) $N(m)$ into (resp. from) the context $\Delta$. Notice that its application will also insert $\ulcorner s_{i+1} \urcorner$ into $\Delta$, enabling in this way the next action. This technique is known as continuation-passing style in the programming language community. The arguments of the conjuncts $Q(q_0), \ldots, Q(q_{n-1})$ are distinct variables. It is convenient to interpret them as labels for the $\Rightarrow$-edges of the strand, as shown in Figure 2.
The last arrow, leading to $s_{n+1} = \bot$, is instead labeled with the propositional letter stop. These atoms serve multiple purposes: first, they provide a way to preserve the order of consecutive message transmissions or receptions, which may prove important for some applications; second, their presence greatly simplifies our proofs as they implement the "locks and keys" technique [23], which has yielded faithful representations of various computational paradigms in linear logic [22, 23, 24]; third, they are a crucial device for bridging the gap with the multiset rewriting specification of a protocol [7]. Were these reasons, in particular the first one, to fall, a simpler encoding could be achieved by replacing the $Q(q_i)$'s and stop with the linear logic constant $1$.
The encoding of the parametric strand itself is achieved by appropriately quantifying the free variables in $\ulcorner s_0 \urcorner$:
$$\exists q_0, \ldots, q_{n-1}.\ \exists \tilde{n}.\ \forall \tilde{x}, \tilde{y}.\ \ulcorner s_0 \urcorner$$
Existentially quantifying the $q_i$'s, as well as $\tilde{n}$, guarantees that they will be instantiated with constants distinct from any other value in use. Applying this encoding to the Needham-Schroeder protocol specified in Figure 2 yields the linear logic formulas in Figure 4.
In order to define the encoding of a configuration, we need to extend this notation to partially and fully instantiated strands. Consider a substitution for the "fresh" variables $\tilde{n}$ of the strand. The encoding of the resulting partially instantiated strand is obtained by applying that substitution, together with $u_0/q_0, \ldots, u_{n-1}/q_{n-1}$, to $\forall \tilde{x}, \tilde{y}.\ \ulcorner s_0 \urcorner$, where $u_0, \ldots, u_{n-1}$ are distinct constants. If furthermore a substitution for the remaining variables $\tilde{x}, \tilde{y}$ is given, the encoding of the fully instantiated strand is obtained by applying both substitutions, together with $u_0/q_0, \ldots, u_{n-1}/q_{n-1}$, to $\ulcorner s_0 \urcorner$. Observe that the second substitution can mention some of the constants newly introduced by the first. We extend the notation $\ulcorner s_i \urcorner$, for $i = 0, \ldots, n+1$, to the case where $s_i$ is a node in a fully instantiated strand (clearly, the $q_i$'s will have been replaced with $u_i$'s).
We shall now encode configurations. A configuration comprises three types of information: (1) an account of how this situation has been reached (the bundle, and the strands in its extension that have been instantiated but not yet used); (2) a description of the current situation (the fringe of the bundle); and (3) a summary of the future actions that can be performed (the residual strands).

We will ignore the first aspect since it will be partially captured through the notion of derivation. The representation of the fringe will simply be the conjunction of the messages in it (or $1$ if none is present):
$$\ulcorner \mathrm{Fr} \urcorner = \bigotimes \{\!\{\, N(m) : m \in \mathrm{Fr} \,\}\!\}$$
where we write $\{\!\{\ldots\}\!\}$ for the multiset equivalent of the usual set notation $\{\ldots\}$. As for the residual strands, we take the conjunction of the representation of each fully instantiated residual strand (that is, $\ulcorner s_{i+1} \urcorner$ for every fully instantiated strand $s$ of the extension whose node $s_i$ lies in the bundle while $s_{i+1}$ does not), tensored with the representation of the strands that are only partially instantiated. For the sake of conciseness, we define the representation of a configuration as the tensor product of the representation of its fringe and the representation of its residual strands.

[Figure 4 residue; only a fragment of one formula survived: $\exists q_0, q_1, q_2.\ \exists n_A.\ \forall k_A, k \ldots$]

We will make the encoding we have just presented more concrete by means of an example. The upper part of Figure 5 shows a configuration representing an initial stage of Lowe's attack [26] on the Needham-Schroeder protocol in Figure 2. It contains six strands: an initiator, a responder, and one instance of each of the four penetrator strands $M_0$ (access to the intruder's initial knowledge), $D$ (decryption), $M$ (access to public information) and $E$ (encryption). A detailed discussion of penetrator strands can be found in [7]. Constants are indicated using a different font than variables (e.g. $\mathsf{n}_A$ as opposed to $n_A$). In this configuration, the initiator has executed its first action, strands $M_0$ and $D$ have been completed, strands $M$ and $E$ are fully instantiated but still have to execute their first action, while the responder strand has been only partially instantiated. The only message in transit (the fringe) is $(\mathsf{n}_A, \mathsf{k}_A)$. The second box in Figure 5 shows the encoding of this configuration in linear logic. Observe that, whenever the border between the bundle and its residual crosses an active strand, the atomic formula $Q(u_i)$ corresponding to the intersected $\Rightarrow$-edge appears as a conjunct in the representation of the residual. Similarly, each terminated strand contributes an occurrence of stop. The residual of every active strand yields a formula with implications. Finally, notice that the representation of the partially instantiated responder strand accounts for the only quantifiers appearing in the encoding of the configuration.
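The continuation-passing encoding and the resource reading of $\multimap$l can be exercised directly. The following is example code added by the editor, not from the paper: the paper describes the shape of $\ulcorner s_i \urcorner$ but the exact formulas below are this example's reconstruction of that description (send node: consume the incoming edge label, release $N(m)$, the outgoing label and the continuation; receive node: consume the label and $N(m)$, release the outgoing label and the continuation; the final edge carries stop and $\ulcorner s_{n+1} \urcorner$ is taken to be $1$). The `step` function plays $\multimap$l on a linear context as a multiset; the sample strands are constructed for the example.

```python
"""Continuation-passing encoding of a fully instantiated strand into linear
logic formulas, and a step function that plays rule ⊸l on a linear context:
one copy of the implication and of each antecedent atom is consumed, the
components of the consequent are released.  Reconstructed shapes:
    send    +m at s_i :  Q(u_{i-1}) ⊸ (N(m) ⊗ Q(u_i) ⊗ ⌜s_{i+1}⌝)
    receive -m at s_i :  (Q(u_{i-1}) ⊗ N(m)) ⊸ (Q(u_i) ⊗ ⌜s_{i+1}⌝)
with Q(u_n) read as stop and ⌜s_{n+1}⌝ = 1 (omitted from tensors)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Atom:
    text: str                       # e.g. "N({nA,A}kB)", "Q(u0)", "stop"


@dataclass(frozen=True)
class Tensor:                       # A1 ⊗ ... ⊗ Ak
    parts: Tuple["Formula", ...]


@dataclass(frozen=True)
class Lolli:                        # ante ⊸ cons
    ante: "Formula"
    cons: "Formula"


Formula = Union[Atom, Tensor, Lolli]


def show(f: Formula) -> str:
    if isinstance(f, Atom):
        return f.text
    if isinstance(f, Tensor):
        return "(" + " ⊗ ".join(show(p) for p in f.parts) + ")"
    return f"({show(f.ante)} ⊸ {show(f.cons)})"


def encode(events: List[Tuple[str, str]], labels: List[str]) -> Formula:
    """⌜s_1⌝ for an instantiated strand with events s_1..s_n (("+", m) or
    ("-", m)) and edge constants u_0..u_{n-1}; built back to front so that
    every node's formula carries the next node's formula as continuation."""
    n = len(events)
    assert n == len(labels) > 0
    edge = [Atom(f"Q({u})") for u in labels] + [Atom("stop")]
    cont: Optional[Formula] = None
    for i in range(n, 0, -1):
        sign, m = events[i - 1]
        produced = ([Atom(f"N({m})")] if sign == "+" else []) + [edge[i]]
        if cont is not None:
            produced.append(cont)
        consumed = [edge[i - 1]] if sign == "+" else [edge[i - 1], Atom(f"N({m})")]
        cont = Lolli(Tensor(tuple(consumed)) if len(consumed) > 1 else consumed[0],
                     Tensor(tuple(produced)) if len(produced) > 1 else produced[0])
    return cont


def atoms(f: Formula) -> List[Formula]:
    """Components a tensor releases into the context (a lone formula: itself)."""
    return list(f.parts) if isinstance(f, Tensor) else [f]


def step(context: List[Formula], impl: Lolli) -> List[Formula]:
    """Apply ⊸l to impl in the linear context.  Raises LookupError if a
    needed resource is absent: a receive whose message nobody sent, or one
    already consumed by another receiver."""
    ctx = list(context)
    for needed in [impl] + atoms(impl.ante):
        if needed not in ctx:
            raise LookupError(f"resource {show(needed)} not available")
        ctx.remove(needed)          # exactly one occurrence: resources are linear
    return ctx + atoms(impl.cons)


def second_receiver_blocked() -> bool:
    """Constructed scenario: one sender, two strands waiting for the same
    message.  After the first receive the message is gone from the context,
    so the second receive cannot fire."""
    msg = "{nA,A}kB"
    init = encode([("+", msg)], ["u0"])
    resp1 = encode([("-", msg), ("+", "{nA,nB}kA")], ["v0", "v1"])
    resp2 = encode([("-", msg)], ["w0"])
    ctx = [Atom("Q(u0)"), init, Atom("Q(v0)"), resp1, Atom("Q(w0)"), resp2]
    ctx = step(ctx, init)           # N(msg) enters the context: the fringe
    ctx = step(ctx, resp1)          # first responder consumes it
    try:
        step(ctx, resp2)
        return False
    except LookupError:
        return True
```

After the two successful steps the context holds `Q(v1)` next to the first responder's remaining implication, which is exactly how the encoding of a configuration above records an active strand crossed by the border of the bundle.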

Soundness and Completeness
We will now show that, given the above encoding, reachability among configurations is mapped to the derivability of their representation in linear logic, and vice versa. Constructing a derivation that mimics a sequence of moves in the strand world, formally stated in the following theorem, is fairly simple.

Theorem 5.1 Soundness
Let $\mathcal{S}$ be a set of parametric strands and $\mathcal{C}_1$, $\mathcal{C}_2(\tilde{n})$ two configurations over $\mathcal{S}$, the second possibly depending on the variables $\tilde{n}$. If there is a move sequence $\tilde{o}$ leading from $\mathcal{C}_1$ to $[\Sigma'/\tilde{n}]\mathcal{C}_2$ for some instantiation of the variables $\tilde{n}$ with fresh distinct constants $\Sigma'$, then there exists a linear logic derivation $\mathcal{D}$ of the sequent
$$\ulcorner \mathcal{S} \urcorner;\ \ulcorner \mathcal{C}_1 \urcorner\ \vdash\ \exists \tilde{n}.\ \ulcorner \mathcal{C}_2(\tilde{n}) \urcorner$$
over the signature of $\mathcal{C}_1$.

Proof: By induction on the structure of $\tilde{o}$. If the move sequence is processed right-to-left, we obtain a cut-free derivation. Operating forward (left-to-right) requires the use of the cut rule, which can subsequently be eliminated. □

In the above proof, each move is simulated by the application of a number of linear logic rules. This finer granularity is a hindrance when considering a derivation that relates the encoding of two configurations and trying to read off the move sequences that have actually been applied: these micro-steps can be intermingled in arbitrary ways. This forces us to break our completeness proof into a number of stages aimed at disentangling the given linear logic derivation. First we reduce ourselves to a purely multiplicative setting by pushing dl and the quantifier rules to the bottom of the given derivation.

Lemma 5.2 Let $\mathcal{S}$ be a set of parametric strands and $\mathcal{C}_1$, $\mathcal{C}_2(\tilde{n})$ two configurations over $\mathcal{S}$. If there is a cut-free derivation $\mathcal{D}$ of the sequent $\ulcorner \mathcal{S} \urcorner;\ \ulcorner \mathcal{C}_1 \urcorner \vdash \exists \tilde{n}.\ \ulcorner \mathcal{C}_2(\tilde{n}) \urcorner$, then there exist an instantiation of the variables $\tilde{n}$ with fresh distinct constants $\Sigma'$, a configuration $\mathcal{C}'$, and a cut-free derivation $\mathcal{D}'$ of the sequent $\ulcorner \mathcal{S} \urcorner;\ \Delta \vdash \ulcorner [\Sigma'/\tilde{n}]\mathcal{C}_2 \urcorner$ over the signature extended with $\Sigma'$, where $\Delta = \ulcorner \mathcal{C}_1 \urcorner, \ulcorner \mathcal{C}' \urcorner$, that uses neither dl nor any of the quantifier rules $\forall$l, $\exists$l, $\exists$r.

Proof: We exploit the relative permutability of these inference rules, as described in [25]. More precisely, we apply the following four steps:

1. We permute rule dl below every other rule. The resulting derivation consists then of a sequence of applications of dl followed by a subderivation $\mathcal{D}_1$ that does not use this rule. The applications of dl correspond to committing to the parametric strands that will be used to produce $\mathcal{C}_2(\tilde{n})$; once instantiated, they will correspond to $\mathcal{C}'$.

2. We permute rule $\exists$l to the bottom of $\mathcal{D}_1$, which enables us to consider a subderivation $\mathcal{D}_2$ that does not contain these rules. These uses of $\exists$l correspond to picking the new constants that appear in $\Sigma'$ beforehand.

3. The applications of $\exists$r correspond to hiding $\Sigma'$ in the overall derivation.

4. Finally, we permute every use of $\forall$l down past every other rule, making explicit a subderivation $\mathcal{D}'$ with the required characteristics. The applications of $\forall$l complete the instantiation of $\mathcal{C}'$. □

When interpreted at the strand level, Lemma 5.2 specifies that a move sequence can be rearranged so that parametric strands are chosen and instantiated before any message is exchanged. More specifically, all uses of $C_f$ happen first, followed by all applications of $C_i$. Only then can $S$- and $R$-moves take place.
The next step consists in grouping together the rule applications that correspond to each move in the multiplicative part of the given derivation. This provides a simple way of identifying moves $S$ and $R$.

Lemma 5.3 Let $\mathcal{S}$ be a set of parametric strands and $\mathcal{C}_1$, $\mathcal{C}_2$ two configurations over $\mathcal{S}$. If there is a cut-free derivation $\mathcal{D}$ of the sequent $\ulcorner \mathcal{S} \urcorner;\ \ulcorner \mathcal{C}_1 \urcorner \vdash \ulcorner \mathcal{C}_2 \urcorner$ that uses only rules from the left half of Figure 3, then there exists a cut-free derivation $\mathcal{D}'$ of this sequent such that every use of $\otimes$r appears just below id, 1r or $\otimes$r, and rules 1l and $\otimes$l are applied eagerly.

Proof: Again, we take advantage of the permutability results in [25]. Rule $\otimes$r can be pushed up past any other rule except id and 1r. On the other hand, $\otimes$l and 1l can always be permuted down, as long as the nesting of subformulas is respected (clearly, if the left-hand side contains a formula $(A \otimes B) \multimap C$, a proof fragment that dismantles this formula must apply $\otimes$l above $\multimap$l). □

At this point, we have the means to extract a sequence of moves from a linear logic derivation that relates the encoding of two configurations.

Theorem 5.4 Completeness
Let $\mathcal{S}$ be a set of parametric strands and $\mathcal{C}_1$, $\mathcal{C}_2(\tilde{n})$ two configurations over $\mathcal{S}$. If there is a linear logic derivation $\mathcal{D}$ of the sequent $\ulcorner \mathcal{S} \urcorner;\ \ulcorner \mathcal{C}_1 \urcorner \vdash \exists \tilde{n}.\ \ulcorner \mathcal{C}_2(\tilde{n}) \urcorner$, then there exist an instantiation of the variables $\tilde{n}$ with fresh distinct constants $\Sigma'$ and a move sequence $\tilde{o}$ leading from $\mathcal{C}_1$ to $[\Sigma'/\tilde{n}]\mathcal{C}_2$.

Proof: Applying Lemma 5.2 followed by Lemma 5.3 to $\mathcal{D}$ yields a derivation structured as in Figure 6, from which moves over configurations can easily be read off (shown on the right of the schematic derivation). □

A finer analysis of this proof reveals that linear logic derivations enable a form of abstraction that move sequences do not achieve. Indeed, the tree structure of a derivation does not always impose a total order on independent transitions. This is a very mild form of non-determinism compared with the explicit concurrency present in bundles [7]. We expect to get a model closer to bundles by considering graph-based formulations of linear logic such as proof nets [16]. Furthermore, game-theoretic investigations of linear logic [2] have produced methods for obtaining very strong forms of completeness which could be relevant in this setting.

Interpreting Multiset Rewriting in Linear Logic
In this section, we briefly describe how multiset rewriting techniques can be conveniently used to express security protocols (Section 6.1). We then show how the resulting specification is translated into linear logic and state the expected correctness results (Section 6.2). Finally, we compare the linear logic expressions we derive from the strand and multiset rewriting specifications of a protocol (Section 6.3).

Multiset Rewriting for Cryptoprotocols
A multiset $M$ is an unordered collection of objects (or elements), possibly with repetitions. The empty multiset does not contain any object and will be written $\cdot$. We accumulate the elements of two multisets $M$ and $N$ by taking their multiset union, denoted "$M, N$". The elements we will consider here will be first-order atomic formulas $A(\tilde{t})$ over some signature.
In its simplest form, a multiset rewrite rule $r$ is a pair of multisets $F$ and $G$, respectively called its antecedent and consequent. We will consider a slightly more elaborate notion in which $F$ and $G$ are multisets of first-order atomic formulas with variables among $\tilde{x}$. We emphasize this aspect by writing them as $F(\tilde{x})$ and $G(\tilde{x})$. Furthermore, we shall be able to mark variables in the consequent so that they are instantiated to "fresh" constants, that have not previously been encountered, even if the rule is used repeatedly. A rule assumes then the form
$$r : F(\tilde{x}) \to \exists \tilde{n}.\ G(\tilde{x}, \tilde{n})$$
where $r$ is a label and $\exists \tilde{n}$ indicates that the constants that instantiate $\tilde{n}$ ought to be fresh. A multiset rewriting system $\mathcal{R}$ is a set of rewrite rules.
Rewrite rules allow transforming a multiset into another multiset by making localized changes to the elements that appear in it. Given a multiset of ground facts $M$ over a signature $\Sigma$, a rule $r : F(\tilde{x}) \to \exists \tilde{n}.\ G(\tilde{x}, \tilde{n})$ is applicable if $M = F(\tilde{t}), M'$ for some terms $\tilde{t}$. Then, applying $r$ to $M$ yields the multiset $N = G(\tilde{t}, \tilde{c}), M'$ where the constants $\tilde{c}$ are fresh (in particular, they do not appear in $M$), $\tilde{x}$ and $\tilde{n}$ have been instantiated with $\tilde{t}$ and $\tilde{c}$ respectively, and the facts $F(\tilde{t})$ in $M$ have been replaced with $G(\tilde{t}, \tilde{c})$ to produce $N$. The new signature is $\Sigma, \tilde{c}$. We denote the application of a single rule and of zero or more rewrite rules by means of the one-step and multistep transition judgments
$$M \xrightarrow{\ r\ }_{\mathcal{R}} N \qquad\text{and}\qquad M \xrightarrow{\ \tilde{r}\ }_{\mathcal{R}}^{*} N$$
respectively, each annotated with the signatures $\Sigma$ and $\Sigma'$ over which $M$ and $N$ are respectively defined. The labels $r$ and $\tilde{r}$ identify which rules have been applied and the terms $\tilde{t}$ used to instantiate $\tilde{x}$. Thus, $\tilde{r}$ acts as a complete trace of the execution.
We model protocols by means of specifically tailored multiset rewriting systems. We call this approach MSR. Without loss of generality, we consider here a slightly simplified version of the model introduced in [6, 12]. We rely upon the following atomic formulas:

Network messages: Network messages are modeled by the predicate $N(m)$, where $m$ is a message being transmitted.
Role states: We first choose a set of role identifiers $\rho_1, \ldots, \rho_n$ for the different roles constituting the protocol. Then, for each role $\rho$, we have a finite family of role state predicates $\{A^\rho_i(\tilde{m}) \mid i = 0 \ldots l_\rho\}$. They are intended to hold the internal state of a principal in role $\rho$ during the successive steps of the protocol.
Intruder knowledge: The adversary's knowledge is held in a distributed way in facts of the form $I(m)$, where $m$ is some piece of information captured or fabricated by the intruder.
Persistent information: We express persistent information exactly as we did in the case of strands in Section 2, i.e. by means of a multiset of ground facts.

We represent each role $\rho$ in a protocol by means of a single role generation rule and a finite number of protocol execution rules. The purpose of the former is to prepare for the execution of an instance of role $\rho$. It has the form
$$r^\rho_0 : \Pi(\tilde{x}) \to A^\rho_0(\tilde{x}), \Pi(\tilde{x})$$
where, as in previous sections, $\Pi(\tilde{x})$ denotes a multiset of persistent atomic formulas that may mention variables among $\tilde{x}$. Notice how persistent information is preserved. The execution rules describe the messages sent and expected by the principal acting in this role. For $i = 0 \ldots l_\rho - 1$, we have a rule $r^\rho_{i+1}$ of either of the following two forms:
$$\begin{array}{ll}
\text{send:} & A^\rho_i(\tilde{x}), \Pi(\tilde{x}, \tilde{z}) \to \exists \tilde{n}.\ A^\rho_{i+1}(\tilde{x}, \tilde{z}, \tilde{n}), N(m(\tilde{x}, \tilde{z}, \tilde{n})), \Pi(\tilde{x}, \tilde{z}) \\
\text{receive:} & A^\rho_i(\tilde{x}), N(m(\tilde{x}, \tilde{y})), \Pi(\tilde{x}, \tilde{y}, \tilde{z}) \to A^\rho_{i+1}(\tilde{x}, \tilde{y}, \tilde{z}), \Pi(\tilde{x}, \tilde{y}, \tilde{z})
\end{array}$$
where $m(\tilde{v})$ stands for a message pattern with variables among $\tilde{v}$. In the first type of rule, we rely on the existential operator $\exists \tilde{n}$ to model the ability of a principal to create nonces when sending a message. This principal can also include some persistent data $\tilde{z}$ (e.g. the name and public key of an interlocutor), possibly related to information it already possesses ($\tilde{x}$). In the second rule template, the principal should be able to access persistent information $\tilde{z}$ related to data in the received message ($\tilde{y}$), e.g. the sender's public key, or to previously known information ($\tilde{x}$). Situations where a principal both sends and receives a message, or sends multiple messages, can easily be expressed by these rules.
A protocol is specified as a set $R$ of such roles. As an example, Figure 7 shows the encoding of our running example in the MSR notation.
The behavior of the intruder according to the Dolev-Yao model [11, 34] is similarly specified as a set of rewrite rules [6]. We will refer to them as $\mathcal{I}$. A state is then a multiset of ground facts $S = \Pi, \mathcal{A}, \mathcal{N}, \mathcal{I}$, where $\mathcal{A}$ is a multiset of role states $A^\rho_i(\tilde{t})$, $\mathcal{N}$ is a multiset of messages $N(m)$ currently in transit, and $\mathcal{I}$ summarizes the intruder's knowledge $I(m)$. In particular, the initial state is just $\Pi, \mathcal{I}_0$, where $\mathcal{I}_0$ contains the information (e.g. keys) initially known to the intruder.

Mapping to Linear Logic
The close affinity between multiset rewriting and simple fragments of linear logic has been known for a long time [3, 30, 15, 19, 5]. We extend this standard correspondence to take parameters and existentially quantified variables into consideration. A generic multiset $M$ is mapped to the tensor product $\bigotimes M$ of its constituents, or to $\mathbf{1}$ if $M$ is empty. A multiset rewrite rule $r : F(\tilde{x}) \to \exists \tilde{n}.\ G(\tilde{x}, \tilde{n})$ is translated into the following linear logic formula, which we call $\ulcorner r \urcorner$:
$$\forall \tilde{x}.\ \bigotimes F(\tilde{x}) \multimap \exists \tilde{n}.\ \bigotimes G(\tilde{x}, \tilde{n})$$
The encoding $\ulcorner R \urcorner$ of a set $R$ of multiset rewriting rules is the union of the translations of its elements.
Given this simple encoding, multiset rewriting transitions correspond to linear logic derivations and reachability is mapped to derivability.
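The rewriting machinery of the previous section (applicability of a rule, fresh constants extending the signature, the trace $\tilde{r}$ recording rules and instantiating terms), the MSR role-generation, send and receive templates, and the translation $\ulcorner r \urcorner$ just defined can all be exercised on a small executable model. The following is an added example and not code from the paper or from any MSR tool: it uses a constructed two-message protocol of our own in place of the Needham-Schroeder specification of Figure 7, and the predicate, function and constant names (PK, enc, pair, alice, bob, ki), the trace "hints" that pin down some of the terms $\tilde{t}$, and the fresh-constant names c0, c1, ... are our assumptions rather than the paper's notation.

```python
"""Added example, not the paper's own code: a tiny multiset rewriting engine with
fresh constants, a constructed two-message protocol written with the MSR role
templates, and the translation of each rule into its linear logic formula.  A term
is a Var, a constant (str) or a tuple (functor, args...); a fact is a tuple headed
by its predicate name.  Names such as PK, enc, pair, alice, ki are ours."""
from collections import namedtuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:
    name: str

def unify(pat, term, subst):
    """Match pattern `pat` against ground `term`, extending `subst`; None = fail."""
    if isinstance(pat, Var):
        bound = subst.get(pat.name, term)
        return {**subst, pat.name: term} if bound == term else None
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        for p, t in zip(pat, term):
            subst = None if subst is None else unify(p, t, subst)
        return subst
    return subst if pat == term else None

def instantiate(t, subst):
    """Replace every variable in t by its binding."""
    if isinstance(t, Var): return subst[t.name]
    return tuple(instantiate(x, subst) for x in t) if isinstance(t, tuple) else t

def variables(t):
    """Variable names occurring in t, in order of occurrence (repeats kept)."""
    if isinstance(t, Var): return [t.name]
    return [v for x in t for v in variables(x)] if isinstance(t, tuple) else []

Rule = namedtuple("Rule", "label ante fresh cons")   # r : F(x~) -> ∃n~. G(x~, n~)

def match(ante, state, subst):
    """Yield (subst, M') for each matching of `ante` onto distinct facts of
    `state`, i.e. each decomposition state = F(t~), M' in the paper's notation."""
    if not ante:
        yield subst, list(state)
        return
    for i, fact in enumerate(state):
        s = unify(ante[0], fact, subst)
        if s is not None:
            yield from match(ante[1:], state[:i] + state[i + 1:], s)

def apply_rule(rule, state, sig, hint=None):
    """One-step transition M -r-> N over signature `sig`.  `hint` may fix some
    of the terms t~ for x~.  Returns (N, new signature, substitution) or None."""
    for subst, leftover in match(rule.ante, state, dict(hint or {})):
        for fresh_var in rule.fresh:    # c~ must not occur in the signature so far
            k = 0
            while f"c{k}" in sig:
                k += 1
            subst, sig = {**subst, fresh_var: f"c{k}"}, sig + [f"c{k}"]
        return leftover + [instantiate(g, subst) for g in rule.cons], sig, subst
    return None

def run(rules, steps, state, sig):
    """Multistep transition M -r~-> N driven by the trace r~ of (label, hint)."""
    trace = []
    for label, hint in steps:
        res = apply_rule(rules[label], state, sig, hint)
        if res is None:
            raise ValueError(f"rule {label} is not applicable in this state")
        state, sig, subst = res
        trace.append((label, subst))
    return state, sig, trace

def show(t):                            # pretty-print a term or fact
    return t.name if isinstance(t, Var) else (
        f"{t[0]}({', '.join(map(show, t[1:]))})" if isinstance(t, tuple) else t)

def to_linear_logic(rule):
    """⌜r⌝ = ∀x~. ⊗F(x~) ⊸ ∃n~. ⊗G(x~, n~); the empty multiset becomes 1."""
    tensor = lambda facts: " ⊗ ".join(map(show, facts)) if facts else "1"
    xs = list(dict.fromkeys(v for v in variables(tuple(rule.ante)) if v not in rule.fresh))
    head = f"∀{','.join(xs)}. " if xs else ""
    ex = f"∃{','.join(rule.fresh)}. " if rule.fresh else ""
    return f"{head}{tensor(rule.ante)} ⊸ {ex}{tensor(rule.cons)}"

# Constructed toy protocol (not the Needham-Schroeder specification of Figure 7):
#   A -> B : enc(pair(n, a), kb)      B -> A : enc(pair(n, m), ka)
# Persistent information Pi is the public-key table of facts PK(principal, key).
a, ka, b, kb, n, m = map(Var, "a ka b kb n m".split())
enc = lambda msg, key: ("enc", msg, key)
pair = lambda x, y: ("pair", x, y)
RULES = {r.label: r for r in [
    Rule("r0", [("PK", a, ka)], [], [("A0", a, ka), ("PK", a, ka)]),              # role generation
    Rule("r1", [("A0", a, ka), ("PK", b, kb)], ["n"],                             # send, fresh nonce n
         [("A1", a, ka, b, kb, n), ("N", enc(pair(n, a), kb)), ("PK", b, kb)]),
    Rule("r2", [("A1", a, ka, b, kb, n), ("N", enc(pair(n, m), ka))], [], [("A2", a, ka, b, kb, n, m)]),  # receive
    Rule("s0", [("PK", b, kb)], [], [("B0", b, kb), ("PK", b, kb)]),              # role generation
    Rule("s1", [("B0", b, kb), ("N", enc(pair(n, a), kb)), ("PK", a, ka)], [],    # receive; z~ = ka from Pi
         [("B1", b, kb, a, ka, n), ("PK", a, ka)]),
    Rule("s2", [("B1", b, kb, a, ka, n)], ["m"],                                  # send, fresh nonce m
         [("B2", b, kb, a, ka, n, m), ("N", enc(pair(n, m), ka))]),
]}
PI = [("PK", "alice", "ka"), ("PK", "bob", "kb")]   # persistent facts
I0 = [("I", "ki")]                                  # intruder's initial knowledge
SIG0 = ["alice", "bob", "ka", "kb", "ki"]           # initial signature Sigma
HONEST_RUN = [("r0", {"a": "alice"}), ("s0", {"b": "bob"}), ("r1", {"b": "bob"}),
              ("s1", {}), ("s2", {}), ("r2", {})]
FINAL, SIG, TRACE = run(RULES, HONEST_RUN, PI + I0, SIG0)   # the honest execution
```

Running `HONEST_RUN` consumes both `N` facts and leaves `A2(alice, ka, bob, kb, c0, c1)` and `B2(bob, kb, alice, ka, c0, c1)` next to the untouched persistent facts, with the signature extended by `c0` and `c1` in the order the two send rules fired; applying the receive rule `r2` to the initial state returns `None`, since no `A1` role state and no message in transit are present. `to_linear_logic(RULES["r1"])` places the universal quantifier over `a, ka, b, kb` at the head and the existential over `n` after the lollipop, which is the quantifier layout the comparison section contrasts with the single-formula translation of a parametric strand. No intruder rules are included; the `I(ki)` fact only marks where $\mathcal{I}_0$ sits in the initial state.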

Theorem 6.1 (Soundness and Completeness)
Let $R$ be a set of multiset rewriting rules, let $S$ be a state over signature $\Sigma$, and let $S'$ be a state over $\Sigma$ and variables $\tilde{n} = n_1 \ldots n_k$. If there is a transition sequence $\tilde{r}$ such that $S \xrightarrow{\tilde{r}}_R [\tilde{c}/\tilde{n}]S'$ over the signature $\Sigma, \tilde{c}$, for some instantiation with distinct fresh constants $\tilde{c} = c_1 \ldots c_k$, then there exists a linear logic derivation $\mathcal{D}$ of the sequent $\ulcorner R \urcorner, \bigotimes S \vdash \exists \tilde{n}.\ \bigotimes S'$; and vice versa.
The proof of this result follows the pattern of Theorems 5.1 and 5.4. In particular, the soundness part relies on a simple induction on the structure of the transition sequence $\tilde{r}$. The completeness direction requires transforming the derivation $\mathcal{D}$ into a suitable normal form before extracting multiset rewriting rule applications.

Comparison
Strands were originally aimed at analyzing completed protocol runs in terms of the observed causal interactions among the participants. Parametric strands, briefly described in Section 2 and fully investigated in [7], extend this framework with the possibility of giving executable specifications of security protocols. This same objective guided the design of MSR.
In [7], we established a substantial equivalence of these two formalisms: we devised a suitable abstraction of strand configurations that corresponds to MSR states, and showed that related pairs of states and configurations are equireachable. Indeed, strand and MSR transitions induce an approximate bisimulation upon them. Were we to collapse the predicate symbols $N$ and $I$ and eliminate the MSR intruder rules that relate them, we would obtain an exact bisimulation. This is relevant for security analysis because several properties of security protocols (e.g. secrecy) can be phrased as reachability problems.
Our results in Sections 5 and 6.2 show that both strand constructions and MSR can be expressed in linear logic in such a way that reachability corresponds to derivability. A close inspection of our translations reveals, however, substantial differences in the resulting formulas. First, a parametric strand is mapped to a single reusable linear logic formula, while the corresponding notion of role in MSR yields a separate multi-use clause for each message transmission or reception, plus one to account for role generation. Second, all quantifiers appear at the head of the translation of a parametric strand, while they are distributed among several clauses and possibly nested within connectives in the case of MSR. Standard linear logic equalities are insufficient to prove the equivalence of these mappings. In fact, these translations, although faithfully capturing corresponding behaviors, are not logically equivalent. This leaves us with the following partially completed diagram:
[diagram]
Although MSR and strands agree on basic secrecy, they might possibly differ on more refined security properties such as, perhaps, Lowe's notion of agreement [27, 28] or Schneider's definition of precedence [37, 36]. We suspect that a fine analysis of the relationship between MSR and strands in the framework of linear logic may expose such differences.

Conclusions
This paper may be seen as a companion to [7], where we showed that, as far as the basic secrecy property is concerned (more precisely, reachability), strand spaces [13] and multiset rewriting with existential quantification, MSR [6, 12], are equivalent settings for the Dolev-Yao model of security protocol analysis. Multiset rewriting is known to be closely related to certain fragments of linear logic [3, 30, 15, 19, 5]. Another, direct representation of strand spaces in linear logic is introduced in this paper and shown to be sound and complete. Linear logic theories obtained by this encoding are not, in general, logically equivalent to the linear logic theories related to MSR. This raises the possibility that strand spaces and MSR might differ on complex properties of protocols beyond basic secrecy. We propose linear logic as an appropriate logical setting for expressing properties of protocols, motivated by the natural way in which linear logic deals with computational state.
Figure 1: A Parametric Strand
Figure 3: Relevant Rules of Linear Logic
Figure 6: Completeness Argument
Figure 7: Multiset Rewriting Specification of the Needham-Schroeder Protocol