35 research outputs found

    Inductive verification of cryptographic protocols based on message algebras - trace and indistinguishability properties

    Since 1981, a large variety of formal methods for the analysis of cryptographic protocols has evolved. In particular, the tool-supported inductive method has been applied to many protocols. Despite several improvements, the scope of these and other approaches is basically restricted to the simple enc-dec scenario (decryption reverts encryption) and to standard properties (confidentiality and authentication). In this thesis, we broaden the scope of the inductive method to protocols with algebraically specified cryptographic primitives beyond the simple enc-dec scenario and to indistinguishability properties like resistance against offline testing. We describe an axiomatization of message structures, justified by a rewriting-based model of algebraic equations, to provide complete case distinctions and partial orders, thereby allowing for the definition of recursive functions and inductive reasoning. We develop a new proof technique for confidentiality properties based on tests of regular messages. The corresponding recursive functions are provably correct w.r.t. an inductively defined attacker model. We introduce generic derivations to express indistinguishability properties. A central theorem then provides necessary and sufficient conditions that can be shown by standard trace properties. The general aspects of our techniques are thoroughly discussed and emphasized, along with two fully worked out real-world case studies: PACE and TC-AMP are (to be) used for the German ID cards. To the best of our knowledge, TC-AMP is among the most complex algebraically specified protocols that have been formally verified. In particular, we do not know of any approaches that apply formal analysis techniques to comparable cases.

    Since 1981, numerous formal methods for the analysis of cryptographic protocols have been developed and successfully applied. Despite many improvements, the scope of inductive methods in particular is restricted to the simple enc-dec scenario (decryption reverts encryption) and to standard properties (confidentiality and authentication). In this thesis we extend the scope of the tool-supported inductive method to protocols with algebraically specified cryptographic primitives and to indistinguishability properties such as resistance against offline testing. An axiomatization of message structures, derived from a constructive model (term rewriting), provides the basis for the definition of recursive functions and inductive reasoning (partial orders, case distinctions). A new proof technique for confidentiality properties uses recursive test functions that are provably correct with respect to an inductively defined attacker model. The formalization of indistinguishability properties by generic derivations and a central theorem allow a reduction to trace properties. The general aspects of our techniques are discussed together with two fully worked out real-world case studies, PACE and TC-AMP, which were developed for the German ID card. TC-AMP is certainly among the most complex algebraically specified protocols that have been formally verified. In particular, we are not aware of any approaches that handle comparable cases.

    Towards an Intelligent Tutor for Mathematical Proofs

    Computer-supported learning is an increasingly important form of study since it allows for independent learning and individualized instruction. In this paper, we discuss a novel approach to developing an intelligent tutoring system for teaching textbook-style mathematical proofs. We characterize the particularities of the domain and discuss common ITS design models. Our approach is motivated by phenomena found in a corpus of tutorial dialogs that were collected in a Wizard-of-Oz experiment. We show how an intelligent tutor for textbook-style mathematical proofs can be built on top of an adapted assertion-level proof assistant by reusing representations and proof search strategies originally developed for automated and interactive theorem proving. The resulting prototype was successfully evaluated on a corpus of tutorial dialogs and yields good results. Comment: In Proceedings THedu'11, arXiv:1202.453

    Planning Diagonalization Proofs

    This report is a first attempt at formalizing the diagonalization proof technique. We give a strategy for systematically constructing diagonalization proofs: (i) finding an indexing relation, (ii) constructing a diagonal element, and (iii) making the implicit contradiction of the diagonal element explicit. We suggest a declarative representation of the strategy and describe how it can be realized in a proof planning environment.

    1 Introduction. In classical (automated) theorem proving the reasoning process is carried out at the object level, i.e. the level of the (first-order) logic representation of the mathematical objects under study. Searching for a proof means applying calculus inference rules to manipulate the initial problem situation, which at the beginning consists of the negated theorem to be proven and the given assertions (definitions, axioms, and other theorems), in order to find a final situation, for instance the empty clause in a resolution theorem prover. This guarantees that the theor..

    Planning Diagonalization Proofs

    This report is a first attempt at formalizing the diagonalization proof technique. We give a strategy for systematically constructing diagonalization proofs: (i) finding an indexing relation, (ii) constructing a diagonal element, and (iii) making the implicit contradiction of the diagonal element explicit. We suggest a declarative representation of the strategy and describe how it can be realized in a proof planning environment.

    The Mechanization of the Diagonalization Proof Strategy

    We present an empirical study of mathematical proofs by diagonalization; the aim is their mechanization based on proof planning techniques. We show that these proofs can be constructed according to a strategy that (i) finds an indexing relation, (ii) constructs a diagonal element, and (iii) makes the implicit contradiction of the diagonal element explicit. Moreover, we suggest how diagonal elements can be represented.

    A multi-modi Proof Planner

    Proof planning is a novel knowledge-based approach to proof construction which supports the incorporation of mathematical knowledge and the common mathematical proof techniques of a particular mathematical field. This paradigm is adopted in the ΩMEGA proof development system to provide support for the user. A considerable part of the proof construction, and sometimes even the whole work, can be undertaken by a proof planner. In the ΩMEGA project we are investigating the aspect of computation under bounded resources in mathematical theorem proving. The relevant resources are, in addition to time and memory space, user availability as well as the frequency of user interaction. To this end, the proof planner of ΩMEGA is conceived in such a way that it has a resource-adaptive behaviour. This property of the planner is achieved by a planner mode which defines the planner behaviour depending on which and how many resources are available. In this paper, we describe the..

    Planning Diagonalization Proofs

    Proof planning is a novel knowledge-based approach to proof construction which supports the incorporation of mathematical knowledge and the common mathematical proof techniques of a particular mathematical field. The diagonalization proof technique is a well-known method in theoretical computer science and in mathematics that originated with Cantor, who used it to show his seminal uncountability results. It is now widely used as a proof technique for unsolvability results and metamathematical arguments. In this paper we give an account of how to systematically construct and plan diagonalization proofs: (i) by finding an indexing relation, (ii) by constructing a diagonal element, and (iii) by making the implicit contradiction of the diagonal element explicit. We suggest a declarative representation of the strategy and describe how it is realized in the proof planning environment of the ΩMEGA system.

    1 Introduction. The essential reasoning process of classical automated theorem..