F. Javier Thayer

IMPS: an interactive mathematical proof system

IMPS is an interactive mathematical proof system intended as a general-purpose tool for formulating and applying mathematics in a familiar fashion. The logic of IMPS is based on a version of simple type theory with partial functions and subtypes. Mathematical specification and inference are performed relative to axiomatic theories, which can be related to one another via inclusion and theory interpretation. IMPS provides relatively large primitive inference steps to facilitate human control of the deductive process and human comprehension of the resulting proofs. An initial theory library containing over a thousand repeatable proofs covers significant portions of logic, algebra, and analysis and provides some support for modeling applications in computer science.

Authentication tests and the structure of bundles

Suppose a principal in a cryptographic protocol creates and transmits a message containing a new value v, later receiving v back in a different cryptographic context. It can be concluded that some principal possessing the relevant key has received and transformed the message in which v was emitted. In some circumstances, this principal must be a regular participant of the protocol, not the penetrator. An inference of this kind is an authentication test. We introduce two main kinds of authentication test. An outgoing test is one in which the new value v is transmitted in encrypted form, and only a regular participant can extract it from that form. An incoming test is one in which v is received back in encrypted form, and only a regular participant can put it in that form. We combine these two tests with a supplementary idea, the unsolicited test, and a related method for checking that keys remain secret. Together, these techniques determine what authentication properties are achieved by a wide range of cryptographic protocols. In this paper we introduce authentication tests and prove their soundness. We illustrate their power by giving new and straightforward proofs of security goals for several protocols. We also illustrate how to use the authentication tests as a heuristic for finding attacks against incorrect protocols. Finally, we suggest a protocol design process. We express these ideas in the strand space formalism (Thayer et al. J. Comput. Security 7 (1999) 191-230), which provides a convenient context to prove them correct.

Searching for shapes in cryptographic protocols

We describe a method for enumerating all essentially different executions possible for a cryptographic protocol. We call them the shapes of the protocol. Naturally occurring protocols have only finitely many, indeed very few shapes. Authentication and secrecy properties are easy to determine from them, as are attacks. cpsa, our Cryptographic Protocol Shape Analyzer, implements the method. In searching for shapes, cpsa starts with some initial behavior, and discovers what shapes are compatible with it. Normally, the initial behavior is the point of view of one participant. The analysis reveals what the other principals must have done, given this participants view.

Trust Management in Strand Spaces: A Rely-Guarantee Method

We show how to combine trust management theories with nonce-based cryptographic protocols. The strand space framework for protocol analysis is extended by associating formulas from a trust management logic with the transmit and receive actions of the protocol principals. The formula on a transmission is a guarantee; the sender must ensure that this formula is true before sending the message. The formula on a receive event is an assumption that the recipient may rely on in deducing future guarantee formulas. The strand space framework allows us to prove that a protocol is sound, in the sense that when a principal relies on a formula, another principal has previously guaranteed it. We explain the ideas in reference to a simple new electronic commerce protocol, in which a customer obtains a money order from a bank to pay a merchant to ship some goods.

The faithfulness of abstract protocol analysis: message authentication

Dolev and Yao initiated an approach to studying cryptographic protocols which abstracts from possible problems with the cryptography so as to focus on the structural aspects of the protocol. Recent work in this framework has developed easily applicable methods to determine many security properties of protocols. A separate line of work, initiated by Bellare and Rogaway, analyzes the way specific cryptographic primitives are used in protocols. It gives asymptotic bounds on the risk of failures of secrecy or authentication.In this paper we show how the Dolev-Yao model may be used for protocol analysis, while a further analysis gives a quantitative bound on the extent to which real cryptographic primitives may diverge from the idealized model. We develop this method where the cryptographic primitives are based on Carter-Wegman universal classes of hash functions. This choice allows us to give specific quantitative bounds rather than simply asymptotic bounds.

IMPS: An Interactive Mathematical Proof System

imps is an Interactive Mathematical Proof System intended as a general purpose tool for formulating and applying mathematics in a familiar fashion. The logic of imps is based on a version of simple type theory with partial functions and subtypes. Mathematical specication and inference are performed relative to axiomatic theories, which can be related to one another via inclusion and theory interpretation. imps provides relatively large primitive inference steps to facilitate human control of the deductive process and human comprehension of the resulting proofs. An initial theory library containing almost a thousand repeatable proofs covers signicant portions of logic, algebra and analysis, and provides some support for modeling applications in computer science.

IMPS: An Updated System Description

imps, an Interactive Mathematical Proof System, is intended to provide mechanical support for traditional mathematical techniques and styles of practice. The system consists of a library of axiomatic theories and a collection of tools for exploring and extending the mathematics embodied in the theory library. One of the chief tools is a facility for developing formal proofs. imps is equally well-suited for applications in mathematics education and in the development of high assurance hardware and software. The imps system is available without fee (under the terms of a public license) at the ftp site math.harvard.edu and at the following Web pages:

IMPS: System Description

Support for the Axiomatic Method. imps supports the “little theories” version of the axiomatic method, as opposed to the “big theory” version. In the big theory approach, all reasoning is carried out within one theory—usually some highly expressive theory, such as the Zermelo-Fraenkel set theory. In the little theories approach, reasoning is distributed over a network of theories. Results are typically proved in compact, abstract theories, and then transported as needed to more concrete theories, or indeed to ∗Supported by the MITRE-Sponsored Research Program. Published in: D. Kapur, ed., Automated Deduction—CADE-11 , Lecture Notes in Computer Science, vol. 607, SpringerVerlag, 1992, pp. 701–705.

Skeletons, Homomorphisms, and Shapes: Characterizing Protocol Executions

In this paper we develop a framework, based on strand spaces, for reasoning about cryptographic protocols and characterizing their executions. We define skeletons, homomorphisms, and shapes. Skeletons model partial information about regular (honest) behavior in an execution of a cryptographic protocol. A homomorphism between skeletons is an information-preserving map. Much protocol analysis may be regarded as an exploration of the properties of the category of skeletons and homomorphisms. A set of skeletons can characterize all runs of the protocol; the smallest such set is the set of shapes. This approach is a foundation for mechanizing protocol analysis.

Contexts in mathematical reasoning and computation

Abstract Contexts are sets of formulas used to manage the assumptions that arise in the course of a mathematical deduction or calculation. Although context-dependent reasoning is commonplace in informal mathematics, most contemporary symbolic computation systems do not utilize contexts in sophisticated ways. This paper describes some context-based techniques for symbolic computation, including techniques for reasoning about definedness, simplifying abstract algebraic expressions, and computing with theorems. All of these techniques are implemented in the IMPS Interactive Mathematical Proof System. The paper also proposes a general mathematics laboratory that combines the functionality of current symbolic computation systems with the facilities of a theorem proving system like IMPS.