Proving Correctness of the Basic TESLA Multicast Stream Authentication Protocol with TAME

Abstract : The TESLA multicast stream authentication protocol is distinguished from other types of cryptographic protocols in both its key management scheme and its use of timing. It takes advantage of the stream being broadcast to periodically commit to and later reveal keys used by a receiver to verify that packets are authentic, and it uses both inductive reasoning and time arithmetic to allow the receiver to determine that an adversary cannot have prior knowledge of a key that has just been revealed. While an informal argument for the correctness of TESLA has been published, no mechanized proof appears to have previously been done for TESLA or any other protocol of the same variety. This paper reports on a mechanized correctness proof of the basic TESLA protocol based on establishing a sequence of invariants for the protocol using the tool TAME, an interface to PVS specialized for proving properties of automata. It discusses the organization and process used in the proof, and the possibilities for reusing these techniques in correctness proofs of similar protocols, starting with more sophisticated versions of TESLA.

[1]  Nancy A. Lynch,et al.  Specifications and Proofs for Ensemble Layers , 1999, TACAS.

[2]  Catherine A. Meadows,et al.  The NRL Protocol Analyzer: An Overview , 1996, J. Log. Program..

[3]  Ran Canetti,et al.  Efficient authentication and signing of multicast streams over lossy channels , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[4]  Nancy A. Lynch,et al.  Specifying and using a partitionable group communication service , 1997, PODC '97.

[5]  Myla Archer,et al.  TAME: Using PVS strategies for special-purpose theorem proving , 2001, Annals of Mathematics and Artificial Intelligence.

[6]  Stephen H. Brackin Using checkable types in automatic protocol analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[7]  Lawrence C. Paulson,et al.  The Inductive Approach to Verifying Cryptographic Protocols , 2021, J. Comput. Secur..

[8]  Nancy A. Lynch,et al.  Forward and backward simulations, part II: timing-based systems , 1993 .

[9]  Nancy A. Lynch,et al.  The generalized railroad crossing: a case study in formal verification of real-time systems , 1994, 1994 Proceedings Real-Time Systems Symposium.

[10]  Elvinia Riccobene,et al.  Using TAME to prove invariants of automata models: Two case studies , 2000, FMSP '00.