Closing the Idealization Gap with Theory Generation

Cryptographic protocol design demands careful verification during all phases of development. Belief logics, in the tradition of the Burrows, Abadi, and Needham (BAN) logic of authentication [BAN90], provide a simple, intuitive model, and allow natural expressions of a protocol and its goals. Since manual deduction is error-prone, protocol designers need automated tools to make effective use of these logics. Such tools often require excessive human intervention or supply inadequate feedback during the verification process. We take a new approach, “theory generation,” which allows highly automated reasoning with these logics, and which supports new forms of protocol analysis. In this approach, given a logic, L, we generate a finite representation, T , of the full theory, corresponding to a protocol, P . Given this representation, determining whether the protocol satisfies some property, , requires only a simple membership test, T ? (Figure 1). Furthermore, since the theory is represented by a finite set of formulas, we can analyze differences between protocols by comparing the generated theories, and we can easily answer questions such as, “What beliefs does this principal hold after receiving message 2?” In earlier work described in our USENIX paper, we applied theory generation to three different belief logics (BAN, AUTLOG [KW94], and Kailar’s accountability logic [Kai96]), and seven protocols for authentication and electronic commerce [KW96]. BAN-style belief logics enable the designer to think about a protocol at a convenient level of abstraction; however, the gap between the “idealized” protocol