7,354 research outputs found
A mechanized proof of loop freedom of the (untimed) AODV routing protocol
The Ad hoc On-demand Distance Vector (AODV) routing protocol allows the nodes
in a Mobile Ad hoc Network (MANET) or a Wireless Mesh Network (WMN) to know
where to forward data packets. Such a protocol is 'loop free' if it never leads
to routing decisions that forward packets in circles. This paper describes the
mechanization of an existing pen-and-paper proof of loop freedom of AODV in the
interactive theorem prover Isabelle/HOL. The mechanization relies on a novel
compositional approach for lifting invariants to networks of nodes. We exploit
the mechanization to analyse several improvements of AODV and show that
Isabelle/HOL can re-establish most proof obligations automatically and identify
exactly the steps that are no longer valid.Comment: The Isabelle/HOL source files, and a full proof document, are
available in the Archive of Formal Proofs, at
http://afp.sourceforge.net/entries/AODV.shtm
EasyUC: using EasyCrypt to mechanize proofs of universally composable security
We present a methodology for using the EasyCrypt proof assistant (originally designed for mechanizing the generation of proofs of game-based security of cryptographic schemes and protocols) to mechanize proofs of security of cryptographic protocols within the universally composable (UC) security framework. This allows, for the first time, the mechanization and formal verification of the entire sequence of steps needed for proving simulation-based security in a modular way: Specifying a protocol and the desired ideal functionality; Constructing a simulator and demonstrating its validity, via reduction to hard computational problems; Invoking the universal composition operation and demonstrating that it indeed preserves security. We demonstrate our methodology on a simple example: stating and proving the security of secure message communication via a one-time pad, where the key comes from a Diffie-Hellman key-exchange, assuming ideally authenticated communication. We first put together EasyCrypt-verified proofs that: (a) the Diffie-Hellman protocol UC-realizes an ideal key-exchange functionality, assuming hardness of the Decisional Diffie-Hellman problem, and (b) one-time-pad encryption, with a key obtained using ideal key-exchange, UC-realizes an ideal secure-communication functionality. We then mechanically combine the two proofs into an EasyCrypt-verified proof that the composed protocol realizes the same ideal secure-communication functionality. Although formulating a methodology that is both sound and workable has proven to be a complex task, we are hopeful that it will prove to be the basis for mechanized UC security analyses for significantly more complex protocols and tasks.Accepted manuscrip
Isabelle/PIDE as Platform for Educational Tools
The Isabelle/PIDE platform addresses the question whether proof assistants of
the LCF family are suitable as technological basis for educational tools. The
traditionally strong logical foundations of systems like HOL, Coq, or Isabelle
have so far been counter-balanced by somewhat inaccessible interaction via the
TTY (or minor variations like the well-known Proof General / Emacs interface).
Thus the fundamental question of math education tools with fully-formal
background theories has often been answered negatively due to accidental
weaknesses of existing proof engines.
The idea of "PIDE" (which means "Prover IDE") is to integrate existing
provers like Isabelle into a larger environment, that facilitates access by
end-users and other tools. We use Scala to expose the proof engine in ML to the
JVM world, where many user-interfaces, editor frameworks, and educational tools
already exist. This shall ultimately lead to combined mathematical assistants,
where the logical engine is in the background, without obstructing the view on
applications of formal methods, formalized mathematics, and math education in
particular.Comment: In Proceedings THedu'11, arXiv:1202.453
Crypto-Verifying Protocol Implementations in ML
We intend to narrow the gap between concrete
implementations and verified models of cryptographic protocols.
We consider protocols implemented in F#, a variant of ML, and
verified using CryptoVerif, Blanchet's protocol verifier for
computational cryptography.
We experiment with compilers from F# code to CryptoVerif processes,
and from CryptoVerif declarations to F# code.
We present two case studies: an implementation of the Otway-Rees
protocol, and an implementation of a simplified password-based
authentication protocol. In both cases, we obtain concrete security
guarantees for a computational model closely related to
executable code
Computational Soundness of Formal Encryption in Coq
We formalize Abadi and Rogaway's computational soundness result in the
Coq interactive theorem prover. This requires to model notions of provable
cryptography like indistinguishability between ensembles of
probability distributions, PPT reductions, and security notions for
encryption schemes.
Our formalization is the first computational soundness result to be
mechanized, and it shows the feasibility of rigorous reasoning of
computational cryptography inside a generic interactive theorem prover
An Introduction to Mechanized Reasoning
Mechanized reasoning uses computers to verify proofs and to help discover new
theorems. Computer scientists have applied mechanized reasoning to economic
problems but -- to date -- this work has not yet been properly presented in
economics journals. We introduce mechanized reasoning to economists in three
ways. First, we introduce mechanized reasoning in general, describing both the
techniques and their successful applications. Second, we explain how mechanized
reasoning has been applied to economic problems, concentrating on the two
domains that have attracted the most attention: social choice theory and
auction theory. Finally, we present a detailed example of mechanized reasoning
in practice by means of a proof of Vickrey's familiar theorem on second-price
auctions
Verifying privacy by little interaction and no process equivalence
While machine-assisted verification of classical security goals such as confidentiality and authentication is
well-established, it is less mature for recent ones. Electronic voting protocols claim properties such as voter
privacy. The most common modelling involves indistinguishability, and is specified via trace equivalence in cryptographic extensions of process calculi. However, it has shown restrictions. We describe a novel model, based on unlinkability between two pieces of information. Specifying it as an extension to the Inductive Method allows us to establish voter privacy without the need for approximation or session bounding. The two
models and their latest specifications are contrasted
A Computationally Sound Mechanized Prover for Security Protocols
We present a new mechanized prover for secrecy properties of
cryptographic protocols. In contrast to most previous provers, our
tool does not rely on the Dolev-Yao model, but on the computational
model. It produces proofs presented as sequences of games; these
games are formalized in a probabilistic polynomial-time process
calculus. Our tool provides a generic method for specifying security
properties of the cryptographic primitives, which can handle shared-
and public-key encryption, signatures, message authentication codes,
and hash functions. Our tool produces proofs valid for a number of
sessions polynomial in the security parameter, in the presence of an
active adversary. We have implemented our tool and tested it on a
number of examples of protocols from the literature
- …