Security Theorems via Model Theory

(1)

S. Fr¨oschle, D. Gorla (Eds.): Workshop on Expressiveness in Concurrency 2009 (EXPRESS’09).

EPTCS 8, 2009, pp. 51–65, doi:10.4204/EPTCS.8.5

Joshua D. Guttman

The MITRE Corporation Worcester Polytechnic Institute

A model-theoretic approach can establish security theorems, which are formulas expressing authen-tication and non-disclosure properties of protocols. Security theorems have a special form, namely quantified implications∀~x.(φ⊃ ∃~y.ψ).

Models (interpretations) for these formulas areskeletons, partially ordered structures consisting of a number of local protocol behaviors.Realizedskeletons contain enough local sessions to explain all the behavior, when combined with some possible adversary behaviors.

We show two results. (1) Ifφ is the antecedent of a security goal, then there is a skeletonA_φ such that, for every skeletonB_,φ_{is satisfied in}B_{iff there is a homomorphism from}A_φ_toB_{. (2) A} protocol enforces∀~x.(φ⊃ ∃~y.ψ)iff every realized homomorphic image ofA_φ_satisfiesψ_.

Since the programCPSAfinds the minimal realized skeletons, or “shapes,” that are homomorphic images ofA_φ_{, if}ψ_{holds in each of these shapes, then the goal holds.}

1 Introduction

Much work has been done in recent years on cryptographic protocol analysis. A central problem is, given a protocol, to determine whether a formula, expressing a security goal about its behaviors in the presence of an adversary, is true. If the protocol achieves the goal, one would like some explanation why. If it does not achieve the goal, one would like a counterexample. A security goal is a quantified implication:

∀~x.(φ0⊃ ∃~y.ψ). (1)

The hypothesisφ0 is a conjunction of atomic formulas describing regular behavior. The conclusion ψ

is a disjunction of zero or more such conjunctions, i.e. ψ isW₁_≤_i_≤_kφi. When theφi describe desired

behaviors of other regular participants, who are intended to be peers in protocol runs, then this goal is an

authenticationgoal. It says that each protocol run contains at least one peer execution fromkdifferent possibilities among which the protocol may allow the participants to choose.

Whenk=0,ψ is the empty disjunctionfalse. Ifφ0mentions an unwanted disclosure, (1) says the

disclosure cannot occur. Hence, security goals withk=0 expresssecrecygoals.1

Our models are skeletons, partially ordered sets of regular strands, i.e. local behaviors of regular participants. A skeleton A _{defines a set of executions, namely executions in which images of these}

strands can be found. We useA,σ|=Φin the classical sense, to mean that the formulaΦis satisfied in the skeletonA_{, when the variable assignment}σ _{determines how variables free in}Φ_{are interpreted.}

A skeleton A_{is an} _execution _{if it is} _realized_{. This means that the message transmissions in} A_—

when combined with possible adversary behavior—suffice to explain every message received inA_{. A}

counterexampleto a goalGis a realized skeletonC_{such that, for some variable assignment}σ_,C_,σ_|₌φ_,

and for every extension σ′ ofσ, C_,σ′_|₌_¬ψ_. C_{is a counterexample to}_G_{only if}C_{is realized, even}

though|=is also well-defined for non-realized skeletons.

∗_{Supported by the MITRE-Sponsored Research program. Author’s address: guttman@}_{_{mitre.org,wpi.edu}_}_. 1_{We will use}_φ_,_φ

(2)

We focus on the homomorphisms among models. Ahomomorphismis a structure-preserving map, which may embed one skeleton into a larger one; may identify one strand with another strand that sends and receives similar messages; and may fill in more information about the parameters to the strands. As usual, homomorphisms preserve satisfaction for atomic formulas. SupposeH is a homomorphism

H:A_7→B_{. And suppose}A,σ |=φ, i.e. the skeleton A_{satisfies the atomic formula}φ _{under an}

assign-mentσ, which maps variables occurring inφto values that may appear inA_{. Then}B_,_H_◦σ_|₌φ_.

This holds for conjunctions of atomic formulas also. Thus, a security goal∀~x.(φ0⊃ ∃~y.ψ), concerns

the homomorphic images of skeletons satisfying φ0. If any homomorphic imageCis realized, thenC

should satisfy the disjunctionψ, i.e.C_{should satisfy at least one of the disjuncts}φ_i_{for 1}_≤_i_≤_k_.

We already have a method for constructing homomorphisms from a skeleton A_{to realized}

skele-tons [8]. The Cryptographic Protocol Shapes AnalyzerCPSAis a program that—given a protocolΠand a skeleton of interest A_{—generates all of the minimal, essentially different realized skeletons that are}

homomorphic images ofA_{. We call these minimal, essentially different skeletons}_shapes_{, and there are}

frequently very few of them.

Main Results. We show how a single run of the search for shapes checks the truth of a security goal. To determine whetherΠachieves a goalG=∀~x.(φ0⊃ ∃~y.ψ), we find the shapes for the single skeleton A_φ0_{. Two technical results are needed to justified this.}

• For any security hypothesisφ0, a single skeletonAφ0 characterizesφ0. I.e., for allB:

∃σ.B,σ|=φ0 iff ∃H.H:Aφ0 7→B.

• There exists a realized C_{that is a counterexample to}_G_{iff there exists some shape} _H_:A_φ _7→B

whereB_{provides a counterexample.}

Our main results suggest a recipe for evaluating a goalG=∀~x.(φ⊃ ∃~y.ψ)for a protocolΠ.

1. Construct the skeletonA_φ_.

2. AskCPSAwhat shapes are accessible inΠ, starting fromA_φ_.

3. AsCPSAdelivers shapes, check that each satisfies some disjunctφi.

4. If the answer is no, this shape is a counterexample toG.

5. IfCPSAterminates with no counterexample, thenGis achieved.

Since the problem is undecidable [9], it is also possible thatCPSAwill not terminate. Step3is easy, since eachφi is a conjunction of atomic formulas, and each shape is a finite (typically small) structure.

The Language of Goals. For each protocol, we define a first order language L₍Π₎_{, in which}

for-mulas (1) are security goals. L₍Π₎ _{expresses authentication and secrecy goals [}₁₇_{] for} Π_{, including}

“injective agreement”, as adapted to strand spaces [13].2 It talks only about the roles. One can say which roles executed, and how far they executed in partial executions, and with what parameters. Saying that different roles executed with the same values for certain parameters is important.

However, L₍Π₎_{is carefully designed to limit expressiveness.} L₍Π₎_{says nothing about the forms}

of messages, and there are no function symbols for encryption or pairing. The protocolΠdetermines the forms of messages, so to speak behindL₍Π₎_{’s back in the semantics. Thus,}L₍Π₎_{need only stipulate}

the underlying parameters, when describing what has happened.

(3)

A benefit of this approach is that related protocols Π,Π′ may have similar languages, or indeed identical languages, when corresponding roles use the same parameters to compose messages of different concrete forms. This makes the languagesL₍Π₎_{suited to analyze protocol transformations (as in [}₁₅_])

to determine when security goals are preserved. We used them (with inessential differences) in [14], where we gave a syntactic criterion that ensures the safety of combining pairs of protocols. WhenΠ1,Π2

meet the criterion, then any goal (1) inL₍Π₁₎ _thatΠ₁_{meets is still achieved by}Π₁_∪Π₂_{. Combining} Π1withΠ2to formΠ1∪Π2is a simple sort of transformation ofΠ1.

Some Related Work. To document a protocol meeting a security goal, one might like to provide a proof, e.g. in Paulson’s style [19], or in the Protocol Composition Logic [6]. One might also view a counterexample as a syntactic object much like a proof. Symbolic constraint solving techniques (start-ing with [11,18,20]) treat them in this way, using rules, including unification, to construct them. The “adversary-centered” approach of Selinger [21] also leads to a proof-like treatment of protocol coun-terexamples, and to a model-theoretic view of achieving goals. To show that a goal is met, one exhibits a model in which axioms are satisfied, but the adversary’s knowledge does not include any intended se-crets. These axioms describe the behavior of the regular (non-compromised) participants. The model is a set that is invariant under disclosures effected by the protocol, but in which the secrets do not appear.

We give another model-theoretic approach to achieving goals, but from a “protocol-centered” point of view rather than an “adversary-centered” one. In contrast to Selinger, who expresses authentication properties of a protocol Π by means of secrecy properties of an expanded protocol Π′, we represent secrecy properties as the special case of authentication properties wherek=0, as indicated above.

Chein and Mugnier also use homomorphisms to evaluate the truth of implications, e.g. [4,5], in the context of conceptual graphs. However, that context is quite different, since theirformulasare graph-like objects, whereas our interpretations are graph-like structures. Our framework is tuned to the specific case of cryptographic protocols; for instance, there is no analog of “realized” in their framework.

Structure of this Paper. We start with some examples of protocol goals in a simple protocol that does not achieve all of them, and a corrected protocol that does (Section 2). In Section 3, we define the first order classical languages L₍Π₎_{that express security goals for each protocol}Π_{. Section}₄_defines

skeletons and homomorphisms between them, and gives a semantics forL₍Π₎_{using skeletons. We show}

next in Section5that each conjunctionφof atomic formulas has a characteristic skeleton. In Section6, we show how to use the characteristic skeletons to check security goals.

Strand Spaces. A strand is a (linearly ordered) sequence of nodes n1 ⇒. . .⇒ nj, each of which

transmits or receives some message msg(ni). A strand may represent the behavior of a principal in a single local session of a protocol, in which case it is a regular strand of that protocol, or it may represent a basic adversary activity. Basic adversary activities include receiving a plaintext and a key and transmitting the result of the encryption, and receiving a ciphertext and its matching decryption key, and transmitting the resulting plaintext.

AprotocolΠis a finite set of strands, which are therolesof the protocol. A strandsis aninstance

of a roleρ ∈Π, ifs=α(ρ), i.e. ifsresults fromρ by applying a substitutionα to parameters inρ. Messaget1is aningredientoft2, writtent1⊑t2, ift1is used to constructt2other than as an encryption

key; i.e.⊑is the smallest reflexive, transitive relation such thatt1⊑t1ˆt2, andt2⊑t1ˆt2, andt1⊑ {|t1|}t2.

A messaget originates on a strand node nif (1)t⊑msg(n); (2)nis a transmission node; and (3)

(4)

A {|{|

k|}sk(A)|}pk(B)

//

{|{|k|}sk(A)|}pk(B)

//_B

•oo {|s|}k oo {|s|}k _•

Figure 1: Blanchet’s “Simple Example Protocol”

i.e. a freshly chosen value. A value that originates nowhere in an execution may nevertheless be used within regular strands to encrypt or decrypt. However, if the adversary uses a value to encrypt or decrypt, then the key must have been received, and must therefore have originated somewhere. Hence non-originatingvalues represent uncompromised long term keys. For more detail, see the Appendix.

2 Examples

Blanchet’s Example. We start from an example suggested by Blanchet [2], as shown in Fig. 1. A principalAwishes to have Btransmit a secret toAalone. A has a private signature keysk(A), with a public verification key known toB. Bhas a private decryption key with a public encryption keypk(B)

known toA.Atransmits a freshly chosen symmetric keyktoB, signed byAand encrypted forB.Bthen useskto encipher the secrets.

Authentication Goals ofA. Awants the protocol to ensure thatscame fromB.

To establish this, we attribute some assumptions toA, from which it may follow thatBhas transmit-teds.Ahas had a run of her side of the protocol, so the execution will contain the two nodes of the strand shown on the left of the figure. We must assume thatB’s private decryption keypk(B)−1 _is

uncompro-mised, in the sense that this private key never originates. It is thus used only by regular participants in accordance with the protocol, and never by an adversary. Moreover, we assume that the symmetric key

koriginates only once, namely, on A’s first node. In particular, the adversary can not send it until after receivingk. In a word, the adversary will notguess k.

A₀ _{summarizes these assumptions, as shown on the left in Fig.} ₂_{. Here} _nonA

0 is the set of long

term keys assumed uncompromised for the sake of this analysis, anduniqueA₀ is the set of fresh values assumed uniquely originating. We call a diagram of this kind askeleton.

We want now to “analyze” this assumption, by which we mean, to find all shapes accessible from

A₀_{. The shapes give all the minimal, essentially different executions (realized skeletons) accessible from} A₀_. _CPSA_{reports a single shape, shown on the right of Fig.}₂_asA₁_{. This is what}_A_{desired, as}_B_sent_s

on its transmission node at lower right.

The antecedent of the implication expressing this goal concerns the starting point; is itφA=

Init2(n₂,a,b,k,s)∧Unq(k)∧Non(sk(a))∧Non(inv(pk(a))).

The predicateInit2(n₂,a,b,k,s) says thatn₂ is the second node of an initiator strand with the given parameters. The remaining conjuncts express the supplementary assumptions about non-compromised long term keys and a fresh session key. The fact that the only shape we obtain is A₁_{, which has a}

responder’s second node with the desired parameters, validates:

(5)

A t0 //

•oo{|s|}k

A₀

7→ _A t0

//

≺ t0 //_B

•oo {|s|}k ≻ {|oos|}k _•

A₁

{pk(B)−1}=nonA₀ =nonA₁,{k}=uniqueA₀=uniqueA₁

Figure 2: SkeletonsA₀,A₁_{, input and output for}CPSA, witht0={|{|k|}sk(A)|}pk(B)

The conclusion of this implication describes some of the additional structure contained inA₁_.

Confidentiality ofs. The analysis for A’s confidentiality goal is similar. We again use the same as-sumptions, augmented by the pessimistic assumption thats is compromised. We represent this using a trick: We use alistener node •←s that “hears” the valuesshorn of any cryptographic protection. Here we must also assume that s∈uniqueA₂, since otherwise possibly the adversary will simply guess (re-originate)s. Thus, we start the analysis with the form shown in Fig.3. We now reach an impasse: CPSA

reports that no shape exists, starting fromA₂_{. Thus,}A₂_is_dead_{: No realized skeleton can result from it.}

We express this confidentiality goal in the form:

φA_∧_Unq₍_s₎_∧_Lsn₍_m,_s₎_⊃_false.

The conjunct Lsn(m,s) describes the listener node m that “hears” the value s. This listener node is incompatible with the other assumptionsφA. Thus,Aachieves her goals using this protocol.

Authentication Goal forB. Unfortunately, the situation is less favorable for B. We start the analysis with the skeletonA₃_{, shown on the left in Fig.}₄_{. It represents the hypothesis}φB_:

Resp2(m,a,b,k,s)∧Unq(k)∧Non(sk(a))∧Non(inv(pk(a)))

We obtain the formA₄ _{shown on the right in Fig.}₄_{. Unfortunately, we have learnt nothing about the}

A t0 //

•oo{|s|}k

•←s

67→ ·

{pk(B)−1_}₌_nonA

0 {k,s}=uniqueA0

(6)

{|{|k|}sk(A)|}pk(B)

//_B

•

{|s|}k

oo

A₃

7→ _A {|{|k|}sk(A)|}pk(C)

//_≺{|{|k|}sk(A)|}pk(B)//_B

•

{|s|}k

oo

A₄

{sk(A),pk(B)−1}=nonA₃=nonA₄ {k}=uniqueA₃ =uniqueA₄

Figure 4: A₃_,A₄_{, for}_B_{’s authentication goal}

recipientCfor whomAintended this key. Possiblypk(C)−1_{is compromised. Thus, the adversary can}

decrypt {|{|k|}sk(A)|}pk(C) and use B’s public key to construct {|{|k|}sk(A)|}pk(B). Thus, skeleton A4 is

realized, but validates only:

φB_{⊃ ∃n,}_c_._Init1₍_n,a,c,k₎_.

The expected initiator has got to step 1 of a run with somec, who—the protocol ensures—has originated the keyk. However, since possiblyC6=B, confidentiality forkandsmay fail.

The details of the CPSA run make clear how to fix the protocol. This requires us to replacet0with

{|{|kˆB|}sk(A)|}pk(B), which includesB’s identity underA’s signature. In fact, Blanchet [2] makes a more

complicated suggestion, using the component{|kˆAˆB|}sk(A). However, theCPSAanalysis is very precise,

and indicates that only the responder’s identity needs to be included inside the signature.

3 Language

We now consider the logical representation of our example authentication and confidentiality goals.

Role Predicates. We need to be able to describe the different kinds of nodes that are present in a skeleton, namely the initiator’s first and second nodes, and the responder’s first and second nodes, each of which has a number of parameters. We must be able to express these parameters, because we know (e.g.) that whether the initiator’s first node hasBorCas its responder identity parameter makes all the difference. On the other hand, the form of the messages is defined in the protocol, and is thus irrelevant to describing what goals are achieved. Thus, for Blanchet’s simple example protocol, we suggest four protocol-specific predicates:

Init1(m,a,b,k) Resp1(m,a,b,k)

Init2(m,a,b,k,s) Resp2(m,a,b,k,s)

Suppose that we are given a variable assignmentσthat associates valuesσ(m),σ(a), etc. to the variables

m,a, etc. Then we read Init1(m,a,b,k)as asserting thatσ(m)is a node, which is the first step of an initiator strand, and the initiator isσ(a), its intended responder isσ(b), and it has created the keyσ(k)

(7)

the intended secret isσ(s). Thus, ifInit2(m,a,b,k,s), then we know thatmis preceded by a node n

such thatInit1(n,a,b,k)is true under the sameσ. Analogous explanations hold for the responder role. These role predicates are similar to those used by Cervesato, Durgin et al. [3,10] in multiset rewriting. We also need a role predicateLsn(m,v), which says, under an assignmentσ, thatσ(m)is a listener node that receives that value σ(v). The language L₍Π₎_{, where} Π _{is Blanchet’s example protocol,}

contains these five role predicates.

Shared Vocabulary. All languagesL₍Π₎_{also contain some additional predicates.} _Preceq₍_m,n₎

ex-presses the causal partial ordering.Col(m,n)says thatσ(m)andσ(n)are collinear, i.e. they lie on the same strand. Non(v)andUnq(v)express the assumptions thatσ(v)∈nonandσ(v)∈unique, resp.

In Section 2, we also used the function symbols sk,pk, and invto talk about the long term keys signature keys of principals, their long term public encryption keys, and the inverses of those keys.

This is the full languageL₍Π₎_whereΠ_{is Blanchet’s example protocol. As it happens, the language} L₍Π′₎_{, for the corrected version of the protocol, is identical. The roles are the same, each with the same}

number of nodes, and with the same parameters. Thus, nothing in the language needs to change.

Apparently, for every goal G∈L₍Π₎_{, if}_G_{is achieved in Blanchet’s example protocol}Π_{, then}_G

is also achieved in its correctionΠ′. Moreover, additional formulas are achieved inΠ′. A satisfactory theory of protocol transformation should give ways to prove (or disprove) intuitions like this one.

The LanguagesL₍Π_). _{For each protocol}Π_,L₍Π₎_{is a language for talking about its executions. We}

use typewriter fontx,m, etc. for syntactic items such as variables or predicates within the language. Suppose that Πhasr protocol-specific roles{ρ1, . . . ,ρr}, where each roleρi is of length |ρi|, and

the listener role. We let {RP0,1, . . . ,RPr,|ρr|} be a collection of 1+∑i|ρi|predicate symbols. RP0,1 is

the listener role predicate, which we will write asLsn(m,v), indicating that node mreceives the value

v. Each remaining predicate RPi j takes parameters(m,v1, . . . ,vk)where the jthnode on roleρi, and its

predecessors, have involvedkparameters.

We writefv(Φ),bv(Φ)for the free and bound variables of any formulaΦ, defined in the usual way. The empty disjunctionW_i_∈_/0φiis identical withfalse; a one-element disjunction or conjunction is

iden-tical with its single disjunct or conjunct.

Definition 3.1 1. L₍Π₎_{is the classical first order quantified language with vocabulary:}

Variables (unsorted) ranging over messages and nodes;

Function symbols sk,pk,inv;3

Predicate symbols equalityu=v, falsehoodfalse(no arguments), and: • Non(v), andUnq(v);

• Col(m,n)andPreceq(m,n);

• One role predicateRPi jfor eachρi∈Πand j with1≤ j≤ |ρi|.

The predicate RPi j(m,v₁, . . . ,v_k)for the jth _{node on}ρ

i has as arguments: a variable m

for the node, and variablesvℓfor each of the k parameters that have appeared in any of ρi’s first j messages.

2. Asecurity claimφ is a conjunction of atomic formulas ofL₍Π₎_{such that two conditions hold:} (a) Any two role predicate conjuncts have different variables as their first argumentsn,n′. (b) If a conjunct is not a role predicate, then each variable or key term that appears as an

argument to it also appears as argument to some role predicateRPi j(n,t1, . . . ,ti).

(8)

3. A sentence ∀~x.(φ⊃ ∃~y.ψ)is asecurity goalif (1) the~xs and~ys are disjoint; (2)φ is a security claim; and (3)ψ is a disjunctionW_iφiof conjunctionsφiof atomic formulas.

The conditions in Clauses 2a–2b on security claims φ allow us to construct a single skeleton A_φ _to

characterize φ (Thm. 5.2). Without Clause 2a, we would have to be rather careful in our choice of message algebras and protocols to ensure that there is a single “most general” role that applies when two roles can have common instances. The role predicateRPi j in Clause 2b serves as an implicit sort

declaration for the variablesxappearing in it. The sorts of parameters within the roleρi determines the

set of values that may lead to true instances of this atomic formula.

We have already illustrated three security goals earlier, in Section 2; or, more precisely, we have shown three formulas whose universal closures are security goals. Another relevant example is the “missing” confidentiality goal that a responder would have wanted, but was actually not achieved byΠ but only by its correctionΠ′. It is the universal closure of:

Resp2(n₂,a,b,k,s)∧Unq(k)∧Non(sk(a))∧Non(inv(pk(a)))∧Lsn(m,s)⊃false.

Axiomatizing Protocols. L₍Π₎ _{is specifically intended to limit expressiveness, and there is no way}

to axiomatize the behavior of protocols within it. However, the slightly larger languageL+₍Π₎_appears

sufficient to axiomatize protocol behaviors, and derive security goals. It adds toL₍Π₎_:

Function symbols concat(v₁,v₂) and enc(v₁,v₂), representing the concatenation of two messages

v1,v2and the encryption of a messagev1using a second messagev2as key; and

msgAt(n₁)returning the message transmitted or received on the noden1;

Predicate symbols Xmit(n₁)andRcv(n₁), true ifn1is a transmission node or reception node, resp.

A few inductively defined notions such as “messaget0 is found only within the set of encryptionsSin

messaget1” [8, extended version, Def. 6] must be introduced using these primitives. The property of a

skeleton being realized can then be expressed as a closed sentence. With these notions, the reasoning encoded in CPSAcould be carried out axiomatically, at least in theory, withinL+(Π). The important

theorems would be the security goals, which lie within the sublanguageL₍Π₎_.

4 Skeletons, Homomorphisms, and Satisfaction

Before we define the satisfaction relationA_,σ_|₌φ_{, we must define the skeletons that we have already}

worked with in Section2. We start by summarizing our assumptions about the message algebra; more detail may be found in AppendixA.

Message Algebra. LetA₀ _{be an algebra equipped with some operators and a set of homomorphisms} η:A₀_→A₀_{. We call members of}A₀_atoms_.

For the sake of definiteness, we will assume here thatA₀_{is the disjoint union of infinite sets of}_nonces_, atomic keys,names, andtexts. The operatorsk(a)maps names to (atomic) signature keys, andK−1maps an asymmetric atomic key to its inverse, and a symmetric atomic key to itself. Homomorphismsη are maps that respect sorts, and act homomorphically onsk(a)andK−1_.

Let X is an infinite set disjoint from A₀_{; its members—called} _{indeterminates}_{—act like unsorted}

variables. A_{is freely generated from}A₀_∪_X _{by two operations: encryption}_{|t₀_|}_t

1 and tagged

(9)

nil t0ˆt1ast0ˆt1with no tag. In{|t0|}t1, a non-atomic keyt1is a symmetric key. Members ofAare called

messages.

A homomorphism α = (η,χ): A_→A _{consists of a homomorphism} η _{on atoms and a function} χ:X →A_{. It is defined for all}_t_∈A_{by the conditions:}

α(a) =η(a), ifa∈A₀ α₍_{|t₀_|}_t

1) ={|α(t0)|}α(t1)

α(x) =χ(x), ifx∈X α(tag t0ˆt1) =tagα(t0)ˆα(t1)

Thus, atoms serve as typed variables, replaceable only by other values of the same sort, while indetermi-natesxare untyped. Indeterminatesxserve as blank slots, to be filled by anyχ(x)∈A_{. Indeterminates}

and atoms are jointlyparameters.

ThisA_{has the most general unifier property, which we will rely on. That is, suppose that for}_v,w_∈A_,

there existα,β such thatα(v) =β(w). Then there areα0,β0, such that α0(v) =β0(w), and whenever

α(v) =β(w), thenαandβ are of the formsγ◦α0andγ◦β0.

Skeletons. A skeleton is a partially ordered set of nodes, together with assumptionsnonabout uncom-promised long term keys anduniqueabout freshly chosen values. We writes↓ifor theithnode alongs, using 1-based indexing.

AskeletonA_{consists of (possibly partially executed) role instances, i.e. a finite set of nodes,}_nodes₍A₎_,

with two additional kinds of information:

1. A partial orderingAonnodes(A);

2. SetsuniqueA,nonAof atomic values assumed uniquely originating and non-originating inA_.

nodes(A₎_and_A_{must respect the strand order, i.e. if}_n₁_∈_nodes₍A₎_and_n₀_⇒_n₁_{, then}_n₀_∈_nodes₍A₎

and n0 An1. Ifa∈uniqueA, then amust originate at most once in nodes(A). If a∈nonA, then a

must originate nowhere innodes(A₎_{, though} _a _or_a−1 _{may be the key encrypting some ingredient of}

n∈nodes(A₎_.

A_{is a}_preskeleton_{if it meets the conditions except that some values}_a_∈_uniqueA_{may originate more}

than once in nodes(A₎_{. If} A _{is a preskeleton, and it is possible to extract a skeleton by identifying}

nodes and atoms, then there is a canonical, most general way to do so [8, extended version, Prop. 6]. The canonical skeleton extracted fromA_{is called the}_hull_ofA_{. We write}_hullA_{for the homomorphism}

(Def.4.1) that maps a preskeletonA_{to its hull.}

A skeletonA_{is a}_{skeleton for}_{a protocol}Π_{if all of its strands are strands of}Π_.

A_is_realized_{if it can occur without additional activity of}_regular_{participants; i.e., for every reception}

noden, the adversary can constructmsg(n)via the Dolev-Yao adversary actions,4using as inputs: 1. the messagesmsg(m)wherem≺Anandmis a transmission node;

2. indeterminatesx; and

3. any atomic values a such thata6∈(nonA∪uniqueA), or such that a∈uniqueA but a originates nowhere inA_.

Definition 4.1 LetA₀_,A₁_{be preskeletons,}α _{a homomorphism on}A_{, and}ζ_:_nodesA

0→nodesA1. H=

[ζ,α]is a(skeleton) homomorphismif

1a. For all n∈A₀_,_msg₍ζ₍_n_{)) =}α₍_msg₍_n₎₎_{, with the same direction, either transmission or reception;}

1b. For all s,i, if s↓i∈A_{, then there is an s}′ _{s.t. for all j}_≤_i, ζ₍_s_↓ _j_{) =}_s′_↓ _j;

(10)

2. nA₀m impliesζ(n)A₁ζ(m);

3. α(nonA₀)⊆nonA₁;

4a. α(uniqueA₀)⊆uniqueA₁;

4b. If a∈uniqueA₀ and a originates at n∈nodesA0, thenα(a)originates atζ(n)∈nodesA1.

We write H:A₀_7→A₁_{when H is a homomorphism from}A₀_toA₁_{. When}α₍_a_{) =}α₍_a₎′_{for every a that}

is an ingredient or is used for encryption indom(ζ), then[ζ,α] = [ζ,α′]; i.e.,[ζ,α]is the equivalence class of pairs under this relation.

The condition for [ζ,α] = [ζ,α′]implies that the action of α on atoms not mentioned in the A₀ _is

irrelevant. We writeH(n) forζ(n) orH(a) for α(a), when H= [ζ,α]. Evidently, preskeletons and homomorphisms form a category, of which skeletons and homomorphisms are subcategory.

In Section 2, we have already given examples of homomorphisms. Each of the shapes we have considered is a homomorphic image of its starting point. Thus, for instance, we have homomorphisms

A₀_7→A₁_andA₃_7→A₄_.A₂_{is dead in the sense that there is no realized}B_{such that}A₂_7→B_.

Our firstCPSArun in Section2tells us that every homomorphism fromA0to a realized skeleton goes

“by way of”A₁ _[₈_{]. That is, if} B_{is realized and}_H_:A₀_7→B_{, then} _H₌_H₁_◦_H₀ _where_H₀_:A₀_7→A₁_.

Thus, any realized skeleton accessible fromA₀_{has at least the structure contained in}A₁_{, homomorphisms}

being structure-preserving maps.

In Figs.2and4, the homomorphism simply adds nodes. I.e.ζ is an embedding andαis the identity. However, in other homomorphisms,ζ may be a bijection andα does the work, mapping distinct values to the same result. In other casesζ is non-injective, mapping two distinct strands in source to the same strand in the target. For instance, suppose that A _{is a preskeleton but not a skeleton, because some}

a∈uniqueA originates on two strands. If the map hullA is well defined, then hullA must map both

strands on whichaoriginates to the same strand in the target skeleton. Hence, non-trivialhullAmaps are examples of non-injective homomorphisms.

Semantics forL₍Π_). _{The semantics for} L₍Π₎ _{are classical, with each structure a skeleton for the}

protocolΠ. This requirement builds the permissible behaviors ofΠdirectly into the semantics without requiring an explicit axiomatization.

AnassignmentσforA_{is a partial function from variables of}L₍Π₎_toA_∪_nodes₍Π₎_{. By convention,}

ifσ is undefined for any variablexinfv(Ψ), thenA_,σ _6|₌Ψ_{. We write}σ₁_⊕σ₂_{for the partial function}

that—forσ1andσ2with disjoint domains—acts as eitherσion the domain of thatσi.

Definition 4.2 LetA_{be a skeleton for}Π. Extend any assignmentσ _{to key terms of}L₍Π₎_{via the rules:} σ(sk(t)) =sk(σ(t)),σ(inv(t)) = (σ(t))−1_.

Satisfaction.A_,σ_|₌Φ_{is defined via the standard Tarski inductive clauses for the classical first order}

logical constants, and the base clauses:

A_,σ_|₌_u₌_v _iff σ₍_u_{) =}σ₍_v₎_; A_,σ_|₌_Non₍_v₎ _iff σ₍_v₎_∈_nonA_;

A,σ|=Unq(v) iff σ(v)∈uniqueA;

A_,σ_|₌_Col₍_m,n₎ _iff σ₍_m₎_,σ₍_n₎_∈_nodes₍A₎_{, and either}σ₍_m₎_⇒∗σ₍_n₎_orσ₍_n₎_⇒∗σ₍_m₎_; A_,σ_|₌_Preceq₍_m,n₎ _iff σ₍_m₎_Aσ₍_n₎_;

and, for each roleρi∈Πand index j onρi, the predicateRPi j(m,v1, . . . ,vk)obeys the clause

(11)

σ(m)is an instance of the jth_{node on role}ρ i,

with the parametersσ(v₁), . . . ,σ(v_k).

We writeA_|₌Φ_whenA_,σ_|₌Φ_{for all}σ_{, e.g. when}Φ_{is a sentence satisfied by}A_.

In protocols where there are two different rolesρi,ρhthat differ only after their first jnodes—typically,

because they represent different choices at a branch point after the jth _{node [}₁₆_,₁₂_{]—the two predicates}

RPi j andRPh jare equivalent, as Def.A.1makes precise.

Lemma 4.3 Supposeφis an atomic formula, and H:A_7→B_{. If}A_,σ _|₌φ, thenB_,_H_◦σ _|₌φ.

5 Characteristic Skeletons

We writeσ|`fv(Φ)for the partial functionσrestricted in domain to the free variables ofΦ.

Definition 5.1 A pairA_,σ∗_is_{characteristic}_{for a formula}Φ_iffA_,σ∗_|₌Φ_{and, for all}B_,σ_,

B_,σ_|₌Φ _implies _∃_!_H_._H_:A_7→B _and σ_|_`_fv₍Φ_{) =}_H_◦σ∗_. ₍₂₎

If there is such aσ∗, thenA_{is a}_{characteristic skeleton}_forΦ.

Being a homomorphic image of thisA_{characterizes satisfiability of}Φ_.A_{has minimal structure needed}

to makeΦtrue, in the sense thatΦis satisfiable in anyA′ _{just in case}A′ _{results from}A_{by a}

structure-preserving map (a homomorphism). From the form of the definition,A_,σ∗_{is universal among}

interpre-tations satisfyingΦ, and such aA,σ∗_{will be unique to within isomorphism.}

Constructing a Characteristic Skeleton. In order to construct a characteristic skeleton cs(φ) for a security claim φ =V₁_≤_i_≤_ℓφi, we treat the successive atomic formulas φj in turn. As we do so, we

maintain two data structures. One is an assignmentσ which summarizes what atomic value or node we have associated to each variable we have seen so far. Initially σ is the empty function. The other is the characteristic skeletoncs(V₁_≤_i_≤_j₋₁φi)constructed from the part of the formula seen so far. This is

initially the empty skeleton. Ifφ is unsatisfiable, then instead of returningcs(φ),σ we must fail. We assume that the conjuncts of φ have been reordered if necessary so that atomic formulas con-taining role predicates precede atomic formulas of the other forms. For convenience, we also eliminate equations by replacing the left hand side by the right hand side throughout the remainder of the formula.

Base Case. Ifℓ=0, so that φ=V₁_≤_i_≤₀φi=true, then letcs(φ)be the empty skeleton, and letσ0 be

the empty (nowhere defined) substitution.

Recursive Step. Letφ=V₁_≤_i_≤_ℓ₊₁φi, and letAℓ=cs(V1≤i≤ℓφi)be a characteristic skeleton for all but

the last conjunct, relative toσℓ. We take cases on the form of the last conjunct,φℓ+1:

RPi j(m,t1, . . . ,tk): By clause 2a in Defn. 3.1, the variable mis not in the domain of σℓ. If

variables appearing in t₁, . . . ,t_k, are not in the domain ofσℓ, select atoms of appropriate

sorts, not yet appearing inA_ℓ_{, letting}σ′_{be the result of extending}σ_ℓ_{with these choices.}

Letn1⇒. . .⇒njbe the first jnodes of the roleρi, instantiated with the valuesσ′(t1), . . . , σ′₍_t

k). If anynλ(with 1≤λ ≤ j) originates any valuea∈nonσℓ, then we must fail.

Otherwise, let the preskeletonA′ _{be the result of adding}_n₁_⇒_{. . .}_⇒_n_j _toA_ℓ_{, and let}A_ℓ₊₁

be its hull. If the hull is undefined, fail. Otherwise, defineσℓ+1= (hullA′◦σ′)⊕(m7→n_j).

(12)

Non(t): By clause2bin Defn.3.1,σℓ(t) =vis well defined. If the result of addingvtononAℓ

is a skeleton, then this skeleton isA_ℓ₊₁_{. Otherwise, we fail. Let}σ_ℓ₊₁₌σ_ℓ_.

Unq(t): By clause 2b in Defn. 3.1, σℓ(t) =v is well defined. If the result of adding v to

uniqueA_ℓis a preskeletonA′_{whose hull is a well-defined skeleton, then this skeleton is}A_ℓ₊₁_.

Otherwise, we fail. Letσℓ+1=hullA′◦σ_ℓ.

Preceq(m,n): By clause2b in Defn. 3.1, σℓ(m)and σℓ(n) are well defined. Let Aℓ+1 be Aℓ

with the ordering enriched so thatσℓ(m)A_ℓ₊₁ σℓ(n), failing if the latter introduces a cycle

because in factσℓ(n)A_ℓσℓ(m). Letσℓ+1=σℓ.

Col(m,n): By clause 2b in Defn. 3.1, σℓ(m) =s↓k and σℓ(n) =s′ ↓k′ are well defined. If

one strand, e.g.s, is at least as long as the other, we would like to map the successive nodes ofs′ to nodes ofs. However, their messages and directions in A_ℓ_{may not be the same. If}

the directions (transmit vs. receive) conflict, then we must fail. Otherwise, if the successive messages are unequal, we may succeed by unifying them.

Letβ be the most general unifier such that, for eachiwhere boths↓iands′↓iare defined,

β(msg(s↓i)) =β(msg(s′↓i)).

LetA′_{be the preskeleton resulting from applying}β _throughoutA_{, failing if this is impossible}

because any value innonA′ would originate somewhere. LetA′′be the preskeleton resulting

from omittingβ(s′), and identifying its nodes with those ofβ(s), failing if this identification introduces any cycle into the ordering. If A′′ _{does not have a well defined hull, then fail.}

Otherwise, let that hull beA_ℓ₊₁_{. Let}σ_ℓ₊₁₌_hullA′′◦β◦σ_ℓ.

Theorem 5.2 If a security claimφ=V₁_≤_i_≤ℓφiis unsatisfiable, the procedure above fails. Ifφ is

satisfi-able, then the procedure returns a pairA_,σ _{that is characteristic for}φ_.

Proof: We follow the inductive definition ofcs(φ).

Base Case. Letℓ=0, andφ=true. Thencs(true)is the empty skeletonA₀_{. In fact, every}B_satisfies

truevia the empty substitution, and there exists exactly one homomorphismH:A₀_7→B_.

Recursive Step. Letφ =V₁_≤_i_≤_ℓ₊₁φi, and let φ− =V1≤i≤ℓφi be its predecessor, with all but the last

conjunct ofφ. LetA_ℓ₌_cs₍φ−₎_{be a characteristic skeleton for all but the last conjunct, relative to}

σℓ. In particular, φ− is satisfiable. Ifφ is unsatisfiable, then we need to check we will fail at this

step. If this step succeeds, then we need to show thatA_ℓ₊₁_,σ_ℓ₊₁_{are characteristic for}_cs₍φ₎_.

Suppose that, for anyB_,τ_{, we have}B_,τ_|₌φ_{. Then}B_{also satisfies}φ−_{, so by the induction}

hypoth-esis, there is a unique homomorphismHℓ= [ζℓ,αℓ]:Aℓ7→Bto within isomorphism. Moreover, τ|`fv(φ−) =αℓ◦σℓ. We take cases on the form of the last conjunct,φℓ+1. In each case,Hℓcan be

adjusted to form a unique homomorphismHℓ+1:Aℓ+17→B, to within isomorphism.

We use the same notation as in the corresponding cases of the definition ofcs.

RPi j(m,t1, . . . ,tk): This is not jointly satisfiable withφ−iff the new nodesn1⇒. . .⇒njoriginate

a valuea∈nonA_ℓ, or if the hull is not defined. In these cases,csfails.

B_,τ_|₌φ_{, and, since}_RP_{i j}₍_m,t

1, . . . ,tk)is its last conjunctB,τ|=RPi j(m,t1, . . . ,tk).

Thus,τ(m)is an instance ofρi↓ jwith parametersτ(t1), . . . ,τ(tk). Namingτ(m) =n′j, we

haven′₁⇒. . .⇒n′_j, and by the construction ofcs(φ), we haven1⇒. . .⇒njincs(φ). Thus,

we can extend the node mapζℓtoζℓ+1by mapping eachnλ ton′_λ. This is the only extension

(13)

Moreover, for each new variablevappearing int₁, . . . ,t_k, we extendαℓby sendingσℓ+1(v)

toτ(v). By the construction ofσℓ+1(v), this is a new value, not equal to any value mentioned

inA_ℓ_{. So}σ_ℓ₊₁_{is a partial function. Moreover, there is no other way to extend}σ_ℓ_compatible

with τ. The resulting αℓ+1, together withζℓ+1, forms a homomorphism Aℓ1 7→B, and is

uniquely determined.

Non(t): If not jointly satisfiable withφ−, thenσℓ+1(t)originates inAℓ, andcsfails.

SinceB_,τ _|₌φ_ℓ₊₁_,τ₍_t₎_∈_nonB_{, so}_H_ℓ_{is also a homomorphism from}A_ℓ₊₁_toB_.

Unq(t): The universality of thehullA′ homomorphism among homomorphisms to realized

skele-tons ensures thatHℓfactors throughhullA′.

Preceq(m,n): SinceB_,τ_|₌φ_ℓ₊₁_,τ₍_m₎_Bτ₍_n₎_{, so}_H_ℓ_{is also a homomorphism from}A_ℓ₊₁_toB_.

Col(m,n): In the non-failing case, ζℓ mapsσℓ(m)and σℓ(n) to nodes on the same strand. Thus, Hℓfactors through the homomorphism fromAℓtoAℓ+1.

⊓ ⊔

6 Security Goals

We turn now to our second result, which puts the pieces together.

Theorem 6.1 Suppose that G=∀~x.(φ⊃ ∃~y.ψ)is a security goal inL₍Π₎_whereφ_{is satisfiable.} Πachieves G iff, whenever H:cs(φ)7→B_{is a shape, there is a}σ_{such that}B_,σ_|₌ψ_.

Proof: 1. Suppose thatΠachievesG. By Thm.5.2,cs(φ)is well-defined. By Lemma4.3,H:cs(φ)7→

B_{implies that}B_satisfiesφ_{. If}B_{is a shape, it is realized. Since}Π_achieves_G_,B_satisfiesψ_.

2. Suppose thatΠdoes not achievesG, so that there is a realized C_{which satisfies}_¬G_{. Let}ψ₌

W

1≤i≤ℓφi. Using the Tarski satisfaction clauses and the disjointness of~x,~y, we obtain aσC such that

C_,σ_C_|₌φ_∧V₁

≤i≤ℓ¬φi.

SinceC_,σ_C_|₌φ_{, there is a}_J_{such that}_J_:_cs₍φ₎_7→C_{, and}σ_C_|_`_fv₍φ_{) =}_J_◦σ∗_{. Using Prop. 8 of the}

extended version of [8],J=K◦HwhereH:cs(φ)7→B_{is a shape.}

If thisB_{satisfies any}φ_i_{, then so would}C_{by Lemma}_4.3_. _⊓_⊔

Conclusion. We have explained a way to ensure that a protocol achieves a security goal G. We use the antecedentφ to choose a skeleton, namelycs(φ). We then obtain the shapes accessible fromcs(φ), e.g. by using CPSA. If any shape does not satisfy any disjunct of the conclusion of G, then we have a counterexample. If no counterexample is found, thenGis achieved.

In future work, we will apply this method to protocol transformation. It suggests a criterion to ensure that the resultΠ2of a protocol transformation preserves all goals achieved by its source protocolΠ1.

Acknowledgments. I am grateful to my colleagues, Leonard Monk, John Ramsdell, and Javier Thayer, for many relevant discussions. Marco Carbone gave valuable comments. John Ramsdell is the author of theCPSAimplementation.

References

(14)

[2] Bruno Blanchet (2008):Vérification automatique de protocoles cryptographiques : modèle formel et modèle calculatoire. Automatic verification of security protocols: formal model and computational model. Mémoire d’habilitation à diriger des recherches, Université Paris-Dauphine.

[3] I. Cervesato, N. A. Durgin, P. D. Lincoln, J. C. Mitchell & A. Scedrov (2000): Relating Strands and Mul-tiset Rewriting for Security Protocol Analysis. In: Proceedings, 13th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press.

[4] Michel Chein & Marie-Laure Mugnier (1992): Conceptual Graphs: fundamental notions. Revue d’Intelligence Artificielle6, pp. 365–406.

[5] Michel Chein & Marie-Laure Mugnier (2004):Concept Types and Coreference in Simple Conceptual Graphs. In: Conceptual Structures at Work: 12th International Conference on Conceptual Structures, ICCS 2004, Huntsville, AL, USA, July 19-23, 2004. Proceedings, number 3127 in LNCS. pp. 303–318.

[6] Anupam Datta, Ante Derek, John C. Mitchell & Dusko Pavlovic (2005):A Derivation System and Composi-tional Logic for Security Protocols.Journal of Computer Security13(3), pp. 423–482.

[7] Shaddin F. Doghmi, Joshua D. Guttman & F. Javier Thayer (2007):Completeness of the Authentication Tests. In: J. Biskup & J. Lopez, editors: European Symposium on Research in Computer Security (ESORICS), number 4734 in LNCS. Springer-Verlag, pp. 106–121.

[8] Shaddin F. Doghmi, Joshua D. Guttman & F. Javier Thayer (2007): Searching for Shapes in Cryptographic Protocols. In: Tools and Algorithms for Construction and Analysis of Systems (TACAS), number 4424 in LNCS. Springer, pp. 523–538. Extended version at URL:http://eprint.iacr.org/2006/435.

[9] Nancy Durgin, Patrick Lincoln, John Mitchell & Andre Scedrov (2004): Multiset Rewriting and the Com-plexity of Bounded Security Protocols. Journal of Computer Security12(2), pp. 247–311. Initial version appeared inWorkshop on Formal Methods and Security Protocols, 1999.

[10] Nancy Durgin, Patrick Lincoln, John Mitchell & Andre Scedrov (2004): Multiset Rewriting and the Com-plexity of Bounded Security Protocols. Journal of Computer Security12(2), pp. 247–311. Initial version appeared inWorkshop on Formal Methods and Security Protocols, 1999.

[11] Marcelo Fiore & Mart´ın Abadi (2001):Computing Symbolic Models for Verifying Cryptographic Protocols. In:Computer Security Foundations Workshop.

[12] Sibylle Fr¨oschle (2008):Adding Branching to the Strand Space Model. In: Proceedings of EXPRESS’08, ENTCS. Elsevier.

[13] Joshua D. Guttman (2001):Security Goals: Packet Trajectories and Strand Spaces. In: Roberto Gorrieri & Riccardo Focardi, editors: Foundations of Security Analysis and Design,LNCS2171. Springer Verlag, pp. 197–261.

[14] Joshua D. Guttman (2009): Cryptographic Protocol Composition via the Authentication Tests. In: Luca de Alfaro, editor: Foundations of Software Science and Computation Structures (FOSSACS), number 5504 in LNCS. Springer, pp. 303–317.

[15] Joshua D. Guttman (2009):Transformations between Cryptographic Protocols. In: P. Degano & L. Vigan`o, editors: Automated Reasoning in Security Protocol Analysis, and Workshop on Issues in the Theory of Security (ARSPA-WITS), number 5511 in LNCS. Springer, pp. 107–123.

[16] Joshua D. Guttman, Jonathan C. Herzog, John D. Ramsdell & Brian T. Sniffen (2005):Programming Cryp-tographic Protocols. In: Rocco De Nicola & Davide Sangiorgi, editors:Trust in Global Computing, number 3705 in LNCS. Springer, pp. 116–145.

[17] Gavin Lowe (1997):A Hierarchy of Authentication Specifications. In:10th Computer Security Foundations Workshop Proceedings. IEEE Computer Society Press, pp. 31–43.

[18] Jonathan K. Millen & Vitaly Shmatikov (2001): Constraint Solving for Bounded-Process Cryptographic Protocol Analysis. In:8th ACM Conference on Computer and Communications Security (CCS ’01). ACM, pp. 166–175.

[19] Lawrence C. Paulson (1998): The Inductive Approach to Verifying Cryptographic Protocols. Journal of Computer SecurityAlso Report 443, Cambridge University Computer Lab.

(15)

NP-Complete. In:Computer Security Foundations Workshop. pp. 174–. Available athttp://csdl.computer. org/comp/proceedings/csfw/2001/1146/00/11460174abs.htm.

[21] Peter Selinger (2001): Models for an adversary-centric protocol logic. Electr. Notes Theor. Comput. Sci. 55(1). Available at http://www.elsevier.com/gej-ng/31/29/23/83/27/show/Products/notes/ index.htt#007.

A

Messages and Protocols

Messages are abstract syntax trees in the usual way:

1. Letℓandrbe the partial functions such that fort={|t1|}t2 ort=tag t1ˆt2,ℓ(t) =t1andr(t) =t2;

and fort∈A₀_,_ℓ_and_r_{are undefined.}

2. Apath pis a sequence in{ℓ,r}∗. We regardpas a partial function, wherehi=Idandcons(f,p) =

p◦ f. When the rhs is defined, we have: 1. hi(t) =t; 2. cons(ℓ,p)(t) = p(ℓ(t)); and 3.

cons(r,p)(t) =p(r(t)).

3. p traverses a key edgeintif p1(t)is an encryption, wherep=p1⌢hri⌢p2.

4. t0is an ingredient of t, writtent0⊑t, ift0=p(t)for somepthat does not traverse a key edge int.

5. t0appears in t, writtent0≪t, ift0=p(t)for some p.

A messaget0originatesat a noden1if (1)n1is a transmission node; (2)t0⊑msg(n1); and (3) whenever

n0⇒+n1,t06⊑msg(n0).

In the tree model of messages, to apply a homomorphism, we walk through, copying the tree, but insertingα(a)every time an atomais encountered, and insertingα(x)every time that an indeterminate

xis encountered.

Protocols. Aprotocol Πis a finite set of strands which includesLsn[k], representing the roles of the protocol.

A principal executing a role such as the initiator’s role in Fig. 1 may be partway through its run; for instance, it may have executed the first transmission node without “yet” having executed its second event, the reception node.

Definition A.1 Node n is arole nodeofΠif n lies on someρ∈Π.

Let nj be a role node ofΠof the form n1⇒. . .⇒nj⇒. . .. Node mjis aninstanceof njif, for some

homomorphismα, the strand of mj, up to mj, takes the form:α(n1)⇒. . .⇒α(nj) =mj.