In cryptography, a key-agreement protocol is a protocol in which two or more parties can agree on a key in such a way that both influence the outcome. If this is done correctly, it prevents undesired third parties from forcing a key choice on the agreeing parties. Protocols that are useful in practice also do not reveal the agreed key to an eavesdropping party. To avoid the use of additional out-of-band authentication factors, Davies and Price proposed the use of Ron Rivest and Adi Shamir's Interlock protocol, which has since been subject to both attack and refinement.
The aim is to automate the analysis of the ABBA protocol using the methodology established in our previous paper [KNS01a] on the basis of [MQS00]. In [KNS01a], we used Cadence SMV and the probabilistic model checker PRISM to verify the simpler randomized agreement protocol of Aspnes and Herlihy [AH90], which only tolerates benign stopping faults. We achieved this through a combination of mechanical inductive proofs (for all n, for non-probabilistic properties), checks (on finite configurations, for probabilistic properties) and high-level manual proof. However, the ABBA protocol presented us with a number of difficulties that did not arise earlier.
Exponential key exchange by itself does not provide prior agreement or subsequent authentication between the participants. It has therefore been described as an anonymous key-agreement protocol.
There are a number of solutions to Byzantine agreement. Unfortunately, the fundamental impossibility result of [FLP85] shows that there is no deterministic algorithm for reaching agreement in an asynchronous setting, even against benign failures. One solution to overcome this problem, first introduced by Rabin [Rab83] and Ben-Or [Ben83], is the use of randomization. The cryptographic primitives used in the protocol are threshold random-access coin-tossing schemes and non-interactive threshold signature schemes, which we assume to be secure for this case study. In particular, we assume that threshold random-access coin-tossing schemes are robust and unpredictable, and that threshold signature schemes are robust and unforgeable (for more information, see [CKS00]).
It should be stressed that we cannot automate the last inductive argument, because it is probabilistic: Cadence SMV cannot handle probabilities, while PRISM can only handle finite configurations and does not support data reduction. Instead, we validate the probabilistic analysis as follows. By observing that the problem can be reduced to model checking a finite-state abstraction of the protocol, we manually construct an abstraction and model check it with PRISM, which allows us to validate the probabilities for up to 20 parties.