Logical Analysis and Verification of Cryptographic Protocols - Loria

50 CHAPTER 2. PROTOCOL ANALYSIS USING CONSTRAINT SOLVING
And the role receiver (or B) is given by a tuple constructed by the follow:
• KB = {B, S, A, NB, KBS},
• and the set of rules is:
B1 : v4 ⇒ encs (NB, π1(decs ?
(v4, KBS))); v4 = encs (〈X3, Y3〉, KBS)
B2 :
?
v5 ⇒ ∅; v5 = encs (NB − 1, π1(decs (v4, KBS)))
Before describing the execution of a protocol, we need to describe the execution
of a role. In the high level specification of a protocol, a role represents an abstract
participant in the protocol, while a concrete participant of the protocol, denoted an
agent (or instance of role), is as represented below:
Definition 31 (Instance of role) An instance of role R is obtained from the role R by
instantiating its parameters, that is its initial knowledge, KR, and its fresh values. If R
is a role, and σ is a substitution instantiating the parameters of R, Rσ is an instance of
that role.
Let an instance of role defined by ({vi ⇒ Si; Ui} i∈I , K), by definition of role (Definition
30), and by definition of instance of role (Definition 31), it is easy to see
that V ar(Si) ⊆ {v1, . . . , vi} for i ∈ {1, . . . , ♮I}.
An agent, also called a concrete participant in the protocol, should play a role
in that protocol. To this end, he should instantiate that role. An agent could
instantiate many roles, or instantiate the same role many time.
Definition 32 (Instance of protocol) An instance of a protocol P is defined by a
union of instances of P roles and by a set of ground terms representing the initial
knowledge of the intruder I. We denote an instance of the protocol P as follows:
({vi ⇒ Si; Ui}i∈I,