Execution Models for Choreographies and Cryptoprotocols

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

A choreography describes a transaction in which several principals interact. Since choreographies frequently describe business processes affecting substantial assets, we need a security infrastructure in order to implement them safely. As part of a line of work devoted to generating cryptoprotocols from choreographies, we focus here on the execution models suited to the two levels. We give a strand-style semantics for choreographies, and propose a special execution model in which choreography-level messages are faithfully delivered exactly once. We adapt this model to handle multiparty protocols in which some participants may be compromised. At the level of cryptoprotocols, we use the standard Dolev-Yao execution model, with one alteration. Since many implementations use a “nonce cache” to discard multiply delivered messages, we provide a semantics for at-most-once delivery.


💡 Research Summary

The paper addresses the gap between the high‑level description of business transactions as choreographies and the low‑level cryptographic protocols that must safely implement them. Choreographies describe interactions among several principals and typically assume an ideal communication model: every message is delivered exactly once, the sender and receiver are known a priori, and no adversary can intercept or modify messages. In contrast, cryptographic protocols are analyzed under the Dolev‑Yao model, where an attacker can read, alter, replay, or fabricate any message. The authors’ goal is to relate these two execution models so that a choreography can be automatically compiled into a secure protocol whose concrete executions correspond precisely to the abstract executions of the choreography.

The authors first define a minimal choreography language based on the Global Calculus. A choreography consists of a set of guarded interactions of the form Σ ρ₁→ρ₂:op⟨M⟩.C, where ρ₁ and ρ₂ are roles, op is an operation label, and M is either a plain value or a “box” ⟦M⟧ρ₁→ρ₂. A box represents a payload that can be created by role ρ₁ but opened only by role ρ₂; at the choreography level this is enforced by a type system. The language is equipped with a standard LTS semantics that records each interaction as a transition labelled with the four‑tuple (sender, receiver, operation, message).

To capture the idealised execution of a choreography, the authors introduce an abstract bundle semantics (ABS) built on the strand‑space formalism. In a strand space, each role is represented by a strand – a linear sequence of transmission (+M) and reception (‑M) events. A bundle is a finite acyclic directed graph whose nodes are strand events, whose edges consist of intra‑strand “next” edges and inter‑strand communication edges, and where each reception node has exactly one matching transmission node. The ABS defines a set of bundles for a given choreography: each bundle corresponds to one possible run of the choreography, respecting the exactly‑once delivery guarantee. The construction proceeds inductively: the empty choreography yields a bundle consisting only of fresh “start” events for each role; an interaction Σ ρ₁→ρ₂:op⟨M⟩.C extends each bundle of C by prefixing the appropriate transmission on ρ₁’s strand and reception on ρ₂’s strand, updating the mapping “who” that records which strand belongs to which role.
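The bundle conditions above can be checked mechanically. The following is an added example, not code from the paper: `check_bundle`, the event encoding and the sample strands are hypothetical, and exactly-once delivery is modelled here (an assumption) as every transmission node having exactly one outgoing communication edge.

```python
from collections import defaultdict

def check_bundle(strands, edges, exactly_once=False):
    """Return a list of violations (empty means a well-formed bundle).
    strands: {name: [("+", msg) or ("-", msg), ...]}
    edges:   [((strand, index), (strand, index)), ...], transmission to reception
    """
    problems = []
    nodes = [(s, i) for s, evs in strands.items() for i in range(len(evs))]
    succ = defaultdict(list)
    incoming, outgoing = defaultdict(int), defaultdict(int)
    for s, i in nodes:                      # intra-strand "next" edges
        if i + 1 < len(strands[s]):
            succ[(s, i)].append((s, i + 1))
    for src, dst in edges:                  # communication edges: +M to -M, same M
        (s_sign, s_msg), (d_sign, d_msg) = strands[src[0]][src[1]], strands[dst[0]][dst[1]]
        if (s_sign, d_sign) != ("+", "-") or s_msg != d_msg:
            problems.append(f"bad edge {src} -> {dst}")
            continue
        succ[src].append(dst)
        outgoing[src] += 1
        incoming[dst] += 1
    for node in nodes:
        sign, _ = strands[node[0]][node[1]]
        if sign == "-" and incoming[node] != 1:
            problems.append(f"reception {node} has {incoming[node]} senders")
        if exactly_once and sign == "+" and outgoing[node] != 1:
            problems.append(f"transmission {node} delivered {outgoing[node]} times")
    # Acyclicity: Kahn's algorithm must be able to consume every node.
    indeg = {n: 0 for n in nodes}
    for n in nodes:
        for m in succ[n]:
            indeg[m] += 1
    ready = [n for n in nodes if indeg[n] == 0]
    consumed = 0
    while ready:
        n = ready.pop()
        consumed += 1
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if consumed != len(nodes):
        problems.append("cycle")
    return problems

# Constructed sample: buyer C asks seller S for a quote and receives it.
STRANDS = {"C": [("+", "quote_req"), ("-", "quote")],
           "S": [("-", "quote_req"), ("+", "quote")]}
EDGES = [(("C", 0), ("S", 0)), (("S", 1), ("C", 1))]
```

A second strand that also receives `quote_req` from the same transmission still passes the plain bundle check but fails with `exactly_once=True`, which is the difference between the ordinary strand-space model and the choreography-level one.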

Having formalised the ideal model, the paper turns to the concrete cryptographic level. The standard Dolev‑Yao model is adopted, but the authors add a single, practically motivated restriction: certain messages – typically those that start a session and contain a freshly generated nonce or session key – are delivered at most once. This reflects the common implementation technique of a nonce cache, where a receiver discards any incoming message whose nonce has already been seen (often combined with timestamps and digital signatures to prevent replay). The authors incorporate this “at‑most‑once” rule into the strand‑space semantics by declaring a class of messages that cannot appear on more than one communication edge.
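A receiver-side nonce cache of the kind described above, as an added example that is not taken from the paper. The class, the wire format and `seal` are hypothetical; an HMAC over a shared key stands in for the digital signature, and the timestamp window is what allows old nonces to be evicted without reopening a replay.

```python
import hashlib
import hmac
import json

def seal(key, nonce, ts, payload):
    """Sender side: serialise the message and append an authentication tag."""
    body = json.dumps({"nonce": nonce, "ts": ts, "payload": payload}).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

class NonceCacheReceiver:
    """Accepts each authenticated session-start message at most once."""

    def __init__(self, key, window=300):
        self.key = key        # shared MAC key (assumption: stands in for a signature)
        self.window = window  # seconds during which a timestamp counts as fresh
        self.seen = {}        # nonce -> time after which the message is stale anyway

    def accept(self, wire, now):
        # Authenticate before parsing anything the sender controls.
        body, _, tag = wire.rpartition(b".")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        msg = json.loads(body)
        # Stale messages are refused outright, so their nonces need not be kept.
        if abs(now - msg["ts"]) > self.window:
            return "reject: stale"
        # Evict only entries whose messages would now fail the freshness check.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if msg["nonce"] in self.seen:
            return "reject: replay"
        self.seen[msg["nonce"]] = msg["ts"] + self.window
        return "accept"
```

The cache entry lives exactly as long as the message stays fresh, so a replay is caught either by the cache or by the timestamp check, never by neither.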

The crucial contribution is a formal correspondence theorem: for any choreography C, the set of abstract bundles generated by ABS is exactly the set of concrete bundles that can be produced by the cryptographic protocol when the at‑most‑once delivery restriction is enforced. In other words, the abstract execution model is a faithful abstraction of the concrete one. The proof relies on the notion of a “box”: at the cryptographic level a box is realised by encrypting the payload with a key known only to the intended receiver (or by signing it). Because the box can only be opened by the designated role, the confidentiality and authenticity requirements of the choreography are satisfied even in the presence of a Dolev‑Yao attacker.

To illustrate the theory, the authors present a simple Buyer‑Seller protocol. The buyer (C) requests a quote from the seller (S); if the quote is accepted, the buyer sends a credit‑card number inside a box

