Lending Petri nets and contracts
Choreography-based approaches to service composition typically assume that, after a set of services has been found which correctly play the roles prescribed by the choreography, each service respects its role. Honest services are not protected against adversaries. We propose a model for contracts based on an extension of Petri nets, which allows services to protect themselves while still realizing the choreography. We relate this model with Propositional Contract Logic, by showing a translation of formulae into our Petri nets which preserves the logical notion of agreement, and allows for compositional verification.
💡 Research Summary
The paper addresses a fundamental security gap in choreography‑based service composition: the prevailing assumption that once a set of services is discovered to correctly play the roles prescribed by a choreography, each service will faithfully respect its role. In realistic settings, services may be malicious or faulty, and the existing models provide no protection for honest participants. To remedy this, the authors introduce Lending Petri Nets (LPNs), an extension of classical Petri nets that incorporates a notion of “lending” tokens. In an LPN, a token can be reserved as a guarantee before the actual execution of a transition; the token is later either consumed or returned, depending on whether the contractual obligations are fulfilled. This mechanism enables a service to obtain a protective guarantee from its counterpart before committing resources, thereby shielding it from potential contract violations.
The technical contribution proceeds in three tightly coupled steps. First, the authors formalise the syntax and semantics of LPNs. Places represent atomic propositions (or resources), while transitions encode actions, conditional lending, and guarantee reclamation. Tokens are of two kinds: ordinary resource tokens and “lending tokens” that embody a promise. The firing rule for a conditional lending transition requires that the pre‑condition place holds a lending token; the transition then produces the required resource token while retaining the guarantee token, which can be reclaimed by a special “reclaim” transition if the counterpart fails to meet its obligations.
Second, the paper establishes a rigorous correspondence between LPNs and Propositional Contract Logic (PCL), a logical framework that captures contracts as propositional formulas equipped with an “agreement” operator. The translation maps each atomic proposition of PCL to a place, each implication $A \rightarrow B$ to a transition that consumes a token from place $A$ and produces one in $B$, and each contractual guarantee $\langle A \rangle$ to a lending token placed in $A$. Crucially, the authors prove that logical agreement in PCL coincides with reachability of a safe final marking in the corresponding LPN. In other words, a set of contracts admits a joint agreement exactly when the translated LPN can fire all required transitions without leaving any unreclaimed lending tokens. This result bridges the gap between logical reasoning about contracts and operational analysis of concurrent systems.
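As an added, constructed illustration (not the paper's own definitions or notation) of the firing rule and the translation just described: places are PCL atoms, an implication becomes a transition consuming its premise and producing its conclusion, a guarantee lets the premise place be lent, and agreement is a firing order that fires every obligation and leaves no lent token unreclaimed. Encoding a lent token as a negative count and searching over one firing per transition are simplifying assumptions of this example.

```python
from itertools import permutations

# Constructed toy lending Petri net (LPN). A marking maps a place (an atomic
# proposition of the contract) to a token count; a negative count is a token
# that was lent as a guarantee and has not yet been reclaimed.

def fire(marking, t):
    """Fire t = (name, pre, post, lendable) on a copy of marking. A pre-place
    with no token may still be consumed if lendable, recording a debt."""
    m = dict(marking)
    for p in t[1]:
        if m.get(p, 0) >= 1:
            m[p] -= 1
        elif p in t[3]:
            m[p] = m.get(p, 0) - 1      # lend: guarantee given before delivery
        else:
            return None                 # not enabled and no guarantee
    for p in t[2]:
        m[p] = m.get(p, 0) + 1
    return m

def run(initial, order):
    """Fire the transitions in order; None as soon as one is not enabled."""
    m = initial
    for t in order:
        m = fire(m, t)
        if m is None:
            return None
    return m

def unreclaimed(marking):
    """Places whose lent token was never paid back: the exposed guarantees."""
    return sorted(p for p, v in marking.items() if v < 0)

def agreement(initial, transitions):
    """A firing order that fires every transition once and leaves no lent
    token unreclaimed, or None if the contracts admit no such order."""
    for order in permutations(transitions):
        m = run(initial, order)
        if m is not None and not unreclaimed(m):
            return [t[0] for t in order]
    return None

def implication(name, a, b, lend=False):
    """Translate the PCL implication a -> b into a transition consuming a
    token in a and producing one in b; lend=True adds the guarantee that
    a may be lent, so the transition can fire on credit."""
    return (name, [a], [b], {a} if lend else set())
```

With two mutually dependent promises (each party delivers only after the other), no order fires without a guarantee; once one party lends, the order exists, and a counterpart that consumes the delivery without producing its own leaves that guarantee in `unreclaimed`.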
Third, leveraging the above correspondence, the authors develop a compositional verification methodology. Individual services are modelled as separate LPN components, each locally verified for safety (no deadlocked lending tokens) and liveness (all promised tokens can eventually be reclaimed). The global system is obtained by synchronising the components on shared transition labels, while preserving token name consistency to avoid accidental token clashes. The authors then apply standard Petri‑net analysis techniques (reachability graph construction, invariant checking, and model checking) to the composed LPN. Because the translation preserves agreement, a successful verification of the global LPN guarantees that the original set of PCL contracts can be jointly fulfilled, even in the presence of adversarial participants.
The experimental evaluation compares the LPN‑based approach with a baseline that uses ordinary Petri nets without lending. Scenarios involve multiple services with conditional obligations and potential malicious behaviour (e.g., a service that promises to deliver a token but never does). Results show that the LPN model detects and isolates contract violations, prevents deadlocks, and ensures that honest services can safely reclaim their guarantees. Moreover, the compositional verification scales better than monolithic model checking, as local checks prune many infeasible global states.
Finally, the paper outlines several avenues for future work. One direction is to enrich lending tokens with quantitative cost information, enabling economic incentive mechanisms that reward honest behaviour. Another is to integrate LPNs with blockchain‑based smart contracts, storing lending token histories on a distributed ledger to achieve tamper‑proof guarantees in decentralized environments. The authors also envision self‑healing orchestration systems that, upon detection of a contract breach, automatically substitute the offending service with a verified alternative, using the LPN’s guarantee reclamation as a trigger.
In summary, “Lending Petri Nets and Contracts” delivers a novel, formally grounded model that equips service composition with both protective guarantees for honest participants and compositional verification tied to a well‑studied logical contract language. By unifying operational Petri‑net analysis with propositional contract logic, the work opens a practical pathway for building robust, trustworthy choreographies in modern distributed systems.