The Mondex Challenge: Machine Checked Proofs for an Electronic Purse

  • Gerhard Schellhorn
  • Holger Grandy
  • Dominik Haneberg
  • Wolfgang Reif
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4085)


The Mondex case study about the specification and refinement of an electronic purse as defined in [SCJ00] has recently been proposed as a challenge for formal system-supported verification. This paper reports on the successful verification of the major part of the case study using the KIV specification and verification system. We demonstrate that even though the hand-made proofs were elaborated to an enormous level of detail, we still could find small errors in the underlying data refinement theory as well as the formal proofs of the case study.

We also provide an alternative formalisation of the communication protocol using abstract state machines.

Finally the Mondex case study verifies functional correctness assuming a suitable security protocol. Therefore we propose to extend the case study to include the verification of a suitable security protocol.


Smart Card Security Protocol Proof Obligation Cryptographic Protocol Card Reader 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [BGJY98]
    Bellare, M., Garay, J., Jutla, C., Yung, M.: VarietyCash: a Multi-purpose Electronic Payment System. In: Proceedings of the 3rd USENIX Workshop on Electronic Commerce, USENIX (September 1998),
  2. [BMV03]
    Basin, D., Mödersheim, S., Viganò, L.: An On-the-Fly Model-Checker for Security Protocol Analysis. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 253–270. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. [Bör03]
    Börger, E.: The ASM Refinement Method. Formal Aspects of Computing 15(1–2), 237–257 (2003)zbMATHCrossRefGoogle Scholar
  4. [BR95]
    Börger, E., Rosenzweig, D.: The WAM—definition and compiler correctness. In: Beierle, C., Plümer, L. (eds.) Logic Programming: Formal Methods and Practical Applications. Studies in Computer Science and Artificial Intelligence, vol. 11, pp. 20–90. North-Holland, Amsterdam (1995)Google Scholar
  5. [BS03]
    Börger, E., Stärk, R.F.: Abstract State Machines—A Method for High-Level System Design and Analysis. Springer, Heidelberg (2003)Google Scholar
  6. [CB99]
    UK ITSEC Certification Body. UK ITSEC SCHEME CERTIFICATION REPORT No. P129 MONDEX Purse. Technical report, UK IT Security Evaluation and Certification Scheme (1999), URL:
  7. [CCW96]
    Clemons, E.K., Croson, D.C., Weber, B.W.: Reengineering Money: The Mondex Stored Value Card and Beyond. In: Proceedings of the 29th Annual Hawaii International Conference on Systems Sciences 1996. IEEE, Los Alamitos (1996), URL: Google Scholar
  8. [CoF04]
    CoFI (The Common Framework Initiative). In: CASL Reference Manual. LNCS, vol. 2960 (IFIP Series). Springer, Heidelberg (2004)Google Scholar
  9. [CSW02]
    Cooper, D., Stepney, S., Woodcock, J.: Derivation of Z Refinement Proof Rules: forwards and backwards rules incorporating input/output refinement. Technical Report YCS-2002-347, University of York (2002), URL:
  10. [DB01]
    Derrick, J., Boiten, E.: Refinement in Z and in Object-Z: Foundations and Advanced Applications. In: FACIT. Springer, Heidelberg (2001)Google Scholar
  11. [Gur95]
    Gurevich, Y.: Evolving algebras 1993: Lipari guide. In: Börger, E. (ed.) Specification and Validation Methods, pp. 9–36. Oxford Univ. Press, Oxford (1995)Google Scholar
  12. [HGRS05]
    Haneberg, D., Grandy, H., Reif, W., Schellhorn, G.: Verifying Security Protocols: An ASM Approach. In: Beauquier, D., Börger, E., Slissenko, A. (eds.) 12th Int. Workshop on Abstract State Machines, ASM 2005, University Paris 12 – Val de Marne, Créteil, France (March 2005)Google Scholar
  13. [HHS86]
    Jifeng, H., Hoare, C.A.R., Sanders, J.W.: Data refinement refined. In: Robinet, B., Wilhelm, R. (eds.) ESOP 1986. LNCS, vol. 213, pp. 187–196. Springer, Heidelberg (1986)Google Scholar
  14. [HKT00]
    Harel, D., Kozen, D., Tiuryn, J.: Dynamic Logic. MIT Press, Cambridge (2000)zbMATHGoogle Scholar
  15. [KIV]
    Web presentation of the mondex case study in KIV, URL:
  16. [Low96]
    Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: TACAS 1996, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)Google Scholar
  17. [MCI]
    MasterCard International Inc. Mondex. URL:
  18. [Pau98]
    Paulson, L.C.: The Inductive Approach to Verifying Cryptographic Protocols. J. Computer Security 6, 85–128 (1998)Google Scholar
  19. [Pau01]
    Paulson, L.C.: Verifying the SET Protocol. In: Goré, R.P., Leitsch, A., Nipkow, T. (eds.) IJCAR 2001. LNCS, vol. 2083. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  20. [RE03]
    Rankl, W., Effing, W.: Smart Card Handbook, 3rd edn. John Wiley & Sons, Chichester (2003)CrossRefGoogle Scholar
  21. [RSSB98]
    Reif, W., Schellhorn, G., Stenzel, K., Balser, M.: Structured specifications and interactive proofs with KIV. In: Bibel, W., Schmitt, P. (eds.) Automated Deduction—A Basis for Applications: Systems and Implementation Techniques, chapter 1: Interactive Theorem Proving, pp. 13–39. Kluwer Academic Publishers, Dordrecht (1998)Google Scholar
  22. [SA97]
    Schellhorn, G., Ahrendt, W.: Reasoning about Abstract State Machines: The WAM Case Study. Journal of Universal Computer Science (J.UCS) 3(4), 377–413 (1997), URL: zbMATHMathSciNetGoogle Scholar
  23. [SA98]
    Schellhorn, G., Ahrendt, W.: The WAM Case Study: Verifying Compiler Correctness for Prolog with KIV. In: Bibel, W., Schmitt, P. (eds.) Automated Deduction—A Basis for Applications, pp. 165–194. Kluwer Academic Publishers, Dordrecht (1998)Google Scholar
  24. [Sch99]
    Schellhorn, G.: Verification of Abstract State Machines. PhD thesis, Universität Ulm, Fakultät für Informatik (1999), URL:
  25. [Sch01]
    Schellhorn, G.: Verification of ASM Refinements Using Generalized Forward Simulation. Journal of Universal Computer Science (J.UCS) 7(11), 952–979 (2001), URL: MathSciNetGoogle Scholar
  26. [Sch05]
    Schellhorn, G.: ASM Refinement and Generalizations of Forward Simulation in Data Refinement: A Comparison. Journal of Theoretical Computer Science 336(2-3), 403–435 (2005)zbMATHCrossRefMathSciNetGoogle Scholar
  27. [SCJ00]
    Stepney, S., Cooper, D., Woodcock, J.: An Electronic Purse Specification, Refinement, and Proof. Technical monograph PRG-126, Oxford University Computing Laboratory (July 2000), URL:
  28. [SGHR06]
    Schellhorn, G., Grandy, H., Haneberg, D., Reif, W.: The Mondex Challenge: Machine Checked Proofs for an Electronic Purse. Technical Report 2006-2, Universität Augsburg (2006)Google Scholar
  29. [Spi92]
    Spivey, J.M.: The Z Notation: A Reference Manual. Prentice Hall International Series in Computer Science, 2nd edn. (1992)Google Scholar
  30. [WD96]
    Woodcock, J.C.P., Davies, J.: Using Z: Specification, Proof and Refinement. Prentice Hall International Series in Computer Science (1996)Google Scholar
  31. [Woo06]
    Woodcock, J.: Mondex case study (2006), URL:

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Gerhard Schellhorn
    • 1
  • Holger Grandy
    • 1
  • Dominik Haneberg
    • 1
  • Wolfgang Reif
    • 1
  1. 1.Lehrstuhl für Softwaretechnik und ProgrammiersprachenUniversität AugsburgAugsburgGermany

Personalised recommendations