Network Protocol Verification Using Linear Temporal Logic

�� !�

"�#��$ �� % "�&�'$ (� ) �*$+�� ,� � - �.��/�+�0��

$ 1/ ,� � 23- 465 �37 �8� % ��&9��:�

;=<?>A@CBEDGFEHI>JDK<,@L>MHNJO?PRQ&S HTHUDGV SXW <,YL>MH S Y[ZL\ O Z ]^Z Q D W H^@_\

HX`!Da>JDGb O"S >GD Q D W H N \c@L>dHX`!D.YLefYL>AV0@_\#HX`!D.V�DKgh>JDiD.@_\j kmlLnmoqpsr"t�rvuxwyozlhn|{}r~psr!�~�

S�W�/�?�:�I�~�J��G�(�f�L��?��#�~�|��f�L��(��

PR�� X�h�� |¡£¢¥¤

¦/�¨§�§[©£¢��fª« �¨§�§R¬M��®�(¯°��±°²�³´�,�

µ¶§q·¸�,�E©£³�§q¹º©y�|»½¼d�?³¾·�²°©E§��®¿6¹¸À?�Á¹¸§�§��h�Á¹¸ÀÂ+ÃIÄ!Å�ÆfÇ6Ã�ÈÊÉ�Ç½Ë�Ä!Å�Ä,ÌÍÄ"Î ÆfÏ Ð�Î�Ñ?Ò½Ç6Æ}È�ÆfÓ^Ô�Õ/Ö¾Ã×ÈCÅCÑØÌÍÄ

ÙfÚiÛ�ÜÞÝßÜáàãâ¨äæåÞâMçhèé çMçÞâ

��

�� "!#�$� %#&'��()�*��+�-,.!/�10�� "�*!/��,+�2!"�3�"4+�$��65��87:9<;>= �2?@ +A*B��2�� =.CD=FE�G � =IH

J �� IKMLN�6��BO�6��PQ +AN��R�2�SPT��VU = PQ�� C JXW � = � = � = AYPTZ�� C J�[�W]\_^a` =>b ��A��LQ��2cF��>d ��

(fe"�24.(hgi7��-!/� � �2!h7j�1%-��+�k,.! �10�� "�.,.! � ��"4+��87le_& ` �6�2�R nmpo = Z�LrqMs W ��S��LN�MtNs [ ��"u_

UX SvQ�Rc>PN?@ I�xw 4.7��"!y� w !n� w ,+�"!"z��"�{�24|()4.7@} w �67S()4Y� �_~��+�f,.!/�10�� "��!/��,+�2!"��(2��e"� �"4

� w e_��$��87O��X��+�� KN I��?@� C � =FE � = ?@KMP>�� C J � C ��2� C J �1% ^ �� =.C +A \ C Z�� H

��P>�� =FE�� 2L CQ= A = J qF�� +A$�6�SP>� �4�,�()!#�6�6()5S% w 5 g�5��"4+�V�1%��+�l()�k()!h7n�1%]�R�+�]��{})!/� ��1%

� +�2LN��A = � =FE3� ��L CN= A = J q �4 � = ?yKMP>�� [ �S�6� C �� CNb � C J � C ��2� C J ~

� �� ` � W � [ ��N +Z��R C�i!/�1%�� 2!]()4.7�]�8(S7��,.�{~6�1%l�i�2�-, w �1�"!��i4�})�4Y� �"!#�4�}�*��()5��{� w �

` ��BO� CQ=>b W�i!/�10�� "�� w �67��Q� �"� w !/�"!��,.�{~6�1%l�i�2�-, w �1�"!-�i4�})�4Y� �"!#�4�}�*�� ()5��{� w �

��

mX�MZ"�� +�)�

�� "!#��"�� $��%��&��'��)(*�+��, � ��-�./��0 �1�23��4��5(76��8��+��9�:�&!��1;��-+� =<?>��@A "��B+.C��"D�� E�F��G!�� H �&�I� � ��$��D6��#J��A��K�:��L23��1DG��M��91;�+��9� � -+� ��H �&�#�0��<*N"OQPSRUTV�A ��W>��"��X,��. � �K�� V��23��+��#�L��1;�+��Y�Z;� � ��;�� [1;�+�\�Y( � "��B$ �� ^] � ��Y_`�1;6a��*]b�+- � �+cd]A_e]gf1;�8 ��X��X, � ��-��\B8�\��1D��<Q_K� � �Q(*�+��,� ��N"OQPSRh�F��C��e!+�� H �&�#� � �+��a��e23��:�&! � �+ "��i��"Yjk��-+��6"� � �Ll � �\�� :�#�b> � �� eme�+ "� � ��-�6��A��+� � �%�� ?�"�8�on � ��eR��)(*�+��,A��<_K��!+�� H �&�#� � �+�p��5!+&�#��q��"�+��+1 � ��- � �p��Dsr � �� -?6��A��+�/�#�� p(*t�� -+-+��Y�!+�� H ��2��9��I� � ��F�+� � 1;6��u! � �"-Y��9�� 2 � � � �)B��#�g��96��8��+�v<

oO��qMw = � b Z�x N"OQPSRyTV�A ��`>��"��X,��.a] � ��K_g�1D63�+��b]b�+- � ��.zjk��+-��6�� {l � �\J�� `> � �� emL�� "� � ��-�OQ��8��+�v.�� V�"�8�o( � ��L�"��)(*�+��,0�

� !

m'��c CN= wjA6� b J ��?@� C ��Z

n$%5r86��;�+ ��Y� � �"��%-+��I� � �� t��pTV��<pl � ��8 Og�#�� F�� !#�� :�#2��-+ � :�� 6�63�+��{��+ �-+�� "�{��1 ��Q��Y6�� <9n$�(*�+ �� ,�4��,�� #�GR�� " :�� - � �X��`] � 2"��\B+.iR�P)_L> �F�+�o��" � �{��6 � � 6��u! � � ��-%��"��\B?��+ �� q� �� <

!

� =rC �� C ��Z

��LN �KN��

� P)��A � ��5� � �+� �

�+<�� TV�� !#�#� � �+� <4<G<G<4<9<G<4<G<4<G<G<4<G<4<G<9<4<G<G<4<G<4<G<G<4<G<9<4<G<4<G< �

� ] � ��K_g�1D63�+��b]b�+- � � �

� N"OQPSR �

� j9��+-+��6�� ol � �\�� :�#�i> � �� emL�� "� � ��-�OQ��8��+�

TV�A ��H � jk��-+��6"� � �{l � �\�� :��b> � �� Lme�+ "� � ��-�6"��8��+� ��

� P)1D6"��1;��#� � �+�q�� ?_g�� - ��

� <�� P)1D6"��1;��#� � �+� <4<9<G<4<G<4<G<G<4<G<4<G<9<4<G<G<4<G<4<G<G<4<G<9<4<G<4<G< ��

� <�� _g�� -V<4<G<4<G<G<4<9<G<4<G<4<G<G<4<G<4<G<9<4<G<G<4<G<4<G<G<4<G<9<4<G<4<G< ��

� >��+�� +� ��

� �R�MA6� = J �� IKTLrq ��

��LQ IKN��

\ C �� =�b PN�)�� =rC

TV�A ��6��A��: �� -+�%� � 1;�/�#��23�� 1;6�� ! � ��-k��@A �� )B��M��{�� 6��8 8J ��5�;�� [1 � � � 1 �� "-? "�� -+� � � 1D#< �o�� - ��+- � ��/��+��&�#��BE��63�+�� 2�� z�F�+�*��&�� -k��"��9� � 1;��<W��'�Y�� ."�Y��+�� 2��{�#1D�+ "�0��b��X�q�:�#�23��? �5!+�� V��D6"��8��+�M!#�� :�#� � �+� � �q��LB+��<

_K��4!+�� H ��#� � �+� 6��8��o6��A�� k2�BV6��u! � � ��-t�t1D�A ��g��W��6"��8��+�W�#�� L��W2a��:�&! � �+ ��=��@0 � ��1;��Ycd�#��1;� ?��63�� H ��#� � �+��f*��G6��#��A��+�=��+ �� 1D6��B ( � ��=<q_K��1;�8 ��/��+1;�� $��D�F��1 ��e� H � � ��5J ��X�I��#�� $��5�)(��,z.( � ��$��t��5�)(��,0��A ��4��+��63�+�� -��?��;6��A��+��4��+1;6� "�X�I� � ��$�\�X�#��#�� "D�#��G��63�+�� -q��%�� +��k23��)(*��E��#��<t_K�"D6��A��C��sJ@0 � ��1;��W�� 63�� H � � ��K�F��1;�(*�+��,k�#� A6� C �� I�V��?@K = �� +A�A = J �6�� <&� 1;�A ��X��X,��.M2:�#�� V�+� �#�V5ZD� � ��0�L!+�� H �&�#� � �+�?��-+�+� � ��"17J [YW�\�^ J*��+��"��41;�A ��( � ��V��Y��6a�� H �&�#� � �+��.z-+��#� � ��-t�D63�+� � � � !+G��\(��{(e��V��41D�A ��i��#� � � H ��"��@0 � ��1;��L�� %6��u! � � �"-��+ "�0��5r"��1;6��k��\( � ��<Q_K��k1;�8 "�� 6�� -�� 5��L�� W � = ?@��AR H W � = ��Z�Z ` �S�� k C J PN J � <

_K��k6"��8��+�M�X��q�F�+��!�� H ��#� � �+� � �*��Gjk��+-��6�� l � �\�� :��=> � �� Kme�+ "��J� �"-DOQ��A��+�=�F��# V��A�9( � ��e��)(*�+��,A��<K_K� � � � ��A�&�#� �� q��6"6��#�X�5r86�� --+��+-+��#6�� "�F�+��1t�I� � ��V(e��;��8 "��91t�#,��F�+�\('�� "-? "�� +��k2:�� p �63�+� ��A�&��6a�+��+-�B � �"�F��1D�#� � �+�=.A��+�� -�sr"6"� � � � �K��9��+6?�� -+�02a�+ "�K��8 "G��8��#� � �+��<

�

� � � ` = ��vI �� =.C

_`��\� � �"- � �W��"K6��5� � �&��d.+�1;6 � � � ��81;��A ��3�� -k��"K6��8��+��#�� X��X,+J� �"-q(e�"��"�� 96a��F�+��1D�G��9sr"63��5�� =<%_K�:�#� � ��. � � � �9�� "�$( � ��E�q��#��-+��' � �a�� `��+�� +��.`�� #�9�� ;��91D��B 6a�� C��+ ��4��'��4�#�63�+�� 2��<�� .g� � ��;�A "1�2a��9��63�+�� 2"�� 6" "��k�F�+�9�q��BA��1 � �k-��B!��\B� �#��-+ � ��4 ��02a�� =. � � � �4��#��4��B �F�+�G��$��+�9��V�� 6p�� -+�$��\� � ��-6��8��<E_K��%��X,E�#�e�� 2 � � � �)B ��A� � �I�� ( � �� - ��2a��[��"%1D�� !#�#� � �+�23�� D��{ �5!+��+6�1;��b�G1D�+��L� � -+�� 1;��"�8 ;�F�+�/��BA��17!��#� � ��#� � �+�YJC "� � �"-4��1�J63�+��i��+- � �k��t�F�+��1Y �� #��k��4��63�� H �&�I� � ��{��W��6"��8��+�`�� ;1D�A ��`�X��X,��o��!+�� B�(e��e��"G1;�A ��=��#� � � H ��K��9��63�� H ��#� � �+��<

��LQ IKN��

�k� C �� I� � � ?yK = �� +A � = J �6�

] � �"&��'_`�1;63�+��=]i��- � ��c ]8_e]`f*��&�#��K��k��+ ��4�#�`� � 1;k��K� � ��<��/��X�q� � 1D63� � ��Q�:�#�C�+��K �� @0 �'�F "�� #.��K�F�8�� -o�+��"K6��+63��\� � ��C��a� Z�� C J AR� 5r8�� "� � �+��@0 �� d<oP � � �{�;6:�#��2:�� F��1D5(��,�(e� � �X� 1D��e��:�I�o� � ��&�#�'� � 1;k�F�+��1Y �� 1D��,�k�#�� +��'��2a�� "�K�Y6��#��q��" q��K�Y�� "��K��b�� ."�#��{�� o��*� ��( � ��%��63��5�� K6:�#�� '6:�I��=<

_K��4]8_e]p-+��#1D1D�� e��K- � !��?2a��u( xE�� K

� ��2PQ�

� E +A6Z_�

� � E �

� E �M� CN= K E

� P CN= K E

P CN= K �� h +A w� SqQZ �

�� h�Sv.� C ��PQ +A$Aq �

�� hA = J �$�� IA C � J �� =rC �

�T� CQ= K �� 8Z�� =.C J P C ��$A �

�� hA = J �$�� IAk CNb �

�� 8A = J �$�� +A = � �

� H � �8�$?yKMA6�$�� =.C �

�� ! YPT�vI +AR� C ��

� �CJ +A w� SqQZ = ��LQ� C �� E = ��L x � ��6 � �k�� D�#�4�?1;�+1;�� . � � 6 � �k�� F��+11;�+1D�� +��('�#�� <

�� J �Sv.� C ��PQ +A$Aq x �� 6 � �'�� 4�#�e1;�+1;�� . � � 6?( � ��a�!+�� :��Bq23k�� "4�I�1;�+1D�� +�K� �I��<

� J Z�� =.C J P C ��6A\x 6 � @ � �o�� #�91;�+1D�� . � � @ 23��+1D��k�� "��!+�� :��B�.�� ? �� M��"��=.:6 � �'�� #<

��LQ IKN��

[�W]\�^

N"OQPSR � �*�4��A�+�: �� Y��:��B � ��{��+- � �&��+�� 5Bt�#�b��+�"�� K�\BA��1D��.��63�� H ��BD��:�#�e��` :�I�X��+1;1� �� &�I� � ��t6��A��+�� d<C_K��9� ��"-+ :��-+{ �� ?��;1;�A ��"K��+�� ;6��#��A��+� � �C�� OQ��+1D�� c OQ��A��*TV��k]`�#��-+ :��-�uf5<Cj � !+��D�o1;�A ��BA�\��1 ��6a�� H � � �?OQ��+1;��".zN"OQPSR �&��? � ��e6a��F�+��1 � � 1� �� I� � ��`��"G�\BA��1�� 5r8�� "� � �+�D�+� � � �&��;-+��#��Y>^6��+-��1U��:�#�*6a��F�+��1D�/�#�t�Z;� � ��*�+�� '!�� H �&� J� � �+�%��`��9�\B8�\��1�� +��5��{6"��+63��\� � ��.:sr"6"�� ?]8_e] �F�+��1Y �� #<C� ��+�"�� SJ��{6��8�� VOQ��+1;��+�� \��L��C�+�"G��1;�+��k "��SJ) � H �� 6��A��e��1;6��#��L��6��8�5�)B863Y " H � � � � �+��.z�#�� #�L��&��\�{�+�"46��8�� I� � ��=<*_K�"4��1D6"� �#��e � H ��"23��:�&! � �+ "�D��o � �a��D�)BA63��#�o6��8��< �{��B^�� "�� "-E6��8��D�&�� \�X��8J� � �#��F ��\��Y��\BA��X��+ ��6��8��.Q �� -V��t6"��A��Y��1D6"� �#��< �/��X�[6"��A��1D6"� �#�� K�� #�� ;� H � � ��9�� 8��+1D�#��=<

� OQ��+1D�� {6"��+-+��1 � �Q�L��5rA�� :��6��X�#� � �+��3�{�F�+��1t�#�8��2a�� 4��"� � � � �+��BA�\��1?< � �#�X� ��+�� "��t��+1D63�+��D��;� (*��K � H �� +��+�K��#��#.��#�� X�6�� 1 � � � !+'�\�X�#��1;��/��:�I� � �/5r8�� "�� &��;�X�:��"-+L�� /��+��3�\�X�#�� ;�9(*��z � H �"� (��uB�<��/��X��\�X�#��1;��W��A "�W��63�+�� `��{�L�� +�G�� 9��* �� B � ��-L� ��23�� +�%��BA�\��1?<

_K��o�)BA6 � �&��31;�8 ��b(*�+��, � �"- � �*��( � ��D��o��6a�� H �&�#� � �+�t��`�� -��t��5!+��1;�8 ��{��Y�[��+�"�� ?��BA�\��1?.o�+�t � �\�� 2� "�� -��+� � ��1?.��)BA6 � ��B "� � �"- N8O/PSRL�-+��6�� &��M�F��+��J �� 9N8O/PSRG< �� - � �d<

�

N"OQPSR ��68��i��+��"��g6��6a�� bsr"6"�� G]A_e] � �d<g_`�e6a��F�+��1 !�� H �&� J� � �+�=.zN8O/PSR ��,��{��+��"��L�� 1 ��:�I� � �K��63�� H � ��L��1D63�+��=��- � �{�F��1� ��".��0!��\��%��:�I��F�+��1Y �� [��* ��X� � �� 8��+1D�#��=.e�� h��1D6� 8��D�� \B8�"�X��+�"�+ ��6��8 � "��e��i�� K�� 1 ��" q��9�� "��+1D�#��+�t��6"�� -��k-+��+2:��a��#��k��6:��#</_K�� e��-�� q�� X� � �� "��+1D�#��+�M<CP �W��9� ��-� :��-+9��6"�� 2�B%�� e�� "��+1t�I��+� � ��1;6"�)B�.#�� i1D��b��#�i�� +� � - � �� 1 � �i��#�g��#� � � H � 4�F�+�b��/- � !��Y�\BA��1V<gP ��"� �#��-+ :��-� � �*��1;6"�)B+. � �*��+�� *6�� B��+��{23��:�&! � �� :�#��#� � �\� B;��{�� - � J

�

�:��3��1D63�+��#�a��+- � �e�F�+��1� �� 8<WP)�?N"OQPSR4.8(�k ��o��{��+��5��e�� 1;�{cd�� 1;6a��- � �K�F�+��1� �� #ufC��4�F��1D�� e��+��+ ��'�\BA��1 23��:�&! � �� . � < �<�."23��u! � �+ �� :�I�K�� "�� 2"��<�_K��Y!�� H �&�I� � ��6��8��o�� 6��u!��o��#�o�� X� 2a��:�&! � �+ ��k�� 1;63�+�� 2��{�+� � �'6��u! � ��e �� q5r"��1;6��K��C23��u! � �+ ��K��:�#�e1D�#��X�=<

N"OQPSR ��{��6:��\� � ��M�+�� L�� 5� � ��?1;��A ?��;�� "��4��9�0 �1�23��e��C��&��X�AJ��2��\�X�#�� :�#�*1� ��\�'23�sr86��+�� t��Y��+1D6"��L�G!+�� H �&�#� � �+�M<CP)��&�� %�#�b-+��"��I� � �"-��V5r8�:�� \� � !+��\�X�#��Y��6��G��:�#� � �"�� " ��isr"�� "� � �+�V��@A "��G��L6:�#��"��.a��9!+��SJ��H ��;�&�� -+��#�� p�� " �� X�I��6:��.'( � �� +�"��B ��6��0��#� � !+��k�� D��5r8�� "� � �+�?��@A "��{��:�#�L�� -+ � ��:�#2��L�F�+�e��- � !��?��+��5��6��+63��\�)B+<

��LQ IKN��

G � = J �2 �KMLN�$��BO�6��PQ +A ��6�2�SPN�R��U = P>�� C J W � = � = � = A

n � ��9��W�� "!#��1;�� 9��X��"�+��+-#B+. 1D��2 � ��C��)(*�+��,A�g�� 23��+1 � ��-K1;�+�� t1D�+��63�+6� "� ��.8�#�� #."�� !#��"�� D��"�(*�+�� t��A :�&B;�&��"��'23{ ��" ��SJ1 � �� =<g_K�" � �W "BA�:��1 � ��#�� :��:sr � 2 � � � �)BG��" ��6 � � ��6��uBA1;��&<��L�u(�5!+��.�4�0 �1Y2a��M�X�:��-��'�#��e� �� ;��6��u! � � � �+�;��b��+1;��5�)(��,;��\! � ��. � �� 8J� �"-��+ 8� � �"-�<CP � � ��F�+�*�� &�#��+��:�#�K�0 �1;��+ ��K�� "� � ��-�6��A��+��'��o6��+6a�� F��Z;� � ��L��1D1� "� � ��#� � �+�% �� -�1D��2 � ��o�� ?��A�k��)(*�+��,0� � � �d<

_K��k6"��8��+�M�X��q�F�+��!�� H ��#� � �+� � �*��Gjk��+-��6�� l � �\�� :��=> � �� Kme�+ "��J� �"- OQ��#��A��+�DcvjG>'mLO*fs<ojG>'mLO 1t�&Bh23E��1D6:�#�� -+��+-��6�� + 8� � �"-�.o(e��6:��X,#��q��V��+ "�� 6a�� B ��t-+��+-+��1D��.�( � ��+ "�t��B 6�� +�D��+ "��X�M.��qsr��#��B �+�� -+�023�+ �� -%��A ��< �:�+�\('�� "-? "�� +��G��2:�#�� p�+�$�? � ��1 � � � 1 �� #� � �+� �� +�=<pP)�"�F�+��1t�#� � �+�E��-+�� - ��"%��A�&�#� � �+� �#�L��q ��\� � �:�#� � �+� � ��+2"�� "� q�F��+1 ��G��6a�� !+46:��X,#�� M�� <�_K��Y6��A��b�:��L2a��2�� sr"� � 2 � �e��A�+6��F�� +1 � �?�;�\�X�#� � �o( � ��K��! � ��1D�� v<

RL�8 ��Y1D� � �� pR� � -+�023�+ ��9_g��2��4��+�� $��t��8��#� � �+��k��'�� 9�+��t�"�+6�� -+�023�+ ��< �/��X�4��A �/��+1;1� �� &�#��=�� 8�F�+��1D�#� � �+�{2�B91;&��"�`�#��K1D��#-+(e� � �X� � �L2�� <K_K� � � � �"�F��1D�#� � �+� � ��;6 � -+-#B82��X,�� (e��"�!+��k�D ��#�X��6:��X,#�� F�+�\('�� M< � 6�� H �"� 6:��1;��D " H ��t��"� � �F�� 1;%��o��"�� "R� � -+�023�+ ��Q_g��2��.A�� M�k��A �e ��8��/�� &�#�C�F��+1 � � � �Q�� -+�02a�� C�F�+�C��#� � ��I� � ��`� � 1D#. � �L�#�� "1D��L��:�#�K��"G� � ��, � �K2"��+,#��=.3�� ?��G ��K��9��0��B�<

jG>'m�O � �e��A�&�#� �� %�#6�6��+��X��#�L�"�8 ��e1t��,#o�F�+��(�� -� �� K2:�� ?�+�

�

��A�&�#�/��+63�+��+-#B � �"�F�+��1t�#� � �+� ��+�� - 5r86�� 4��8 "��A�&�#� � �+�"��<P)� ��6��8��. ��A �k(e� � �X� � �e�+6"� � 1D��M( � ��q��63��D�� e�� -+�023�+ �� -��A ��L1D�uB�2a9��X�� =<N8 ��X�V��A � � �K,0��u(e�V��e� 5��8()5��4+�� w � �+�e� � �24Y�8()z)��4Y�_7�� .��" ?23�+ ��" �� o�6"�� 'N8��X�pc � �QN�f � � �� u!+��+1D{�� X�q�Y� � �� :�#� � �+�=<��k�"��o��8��:1 � � � 1Y �1� �K��+��!�� =.�� !+��G��`��9�� 2�6:�#��V "�� !+� � �� -��k��A�&��M1 � � � 1� "1 �� !��\B� �Q�F�+��u(*� =.A�� t�G! � �\�� :�#�:� � �� /��5�' �6=< �� "�!/� w ��R� ��&�I�� ;��4�&��X��+ 8� � �"-� �8�F�+��1D�#� � �+�%��0 ��osr86�� -;��&�� "B? � �� !�� 6:�#��{��&!+� � ��6a��#�� u!+�� F��1 ��";��1;��A�&��`1 � � � 1Y �1D��<��o��u!+��\B � �k ��.i-+��+-+��#6�� 4�F�+��(�� - � �� 1;� M<

_K��jG> J)�0 �1�23��{��+��63�+�� -t��&�#�X� -+��A� � �� eJK�+��G�F�+�{��X� � � ��,�+� ��6:�#��=< � jG> J)�0 �1�23��4��#��#� � �+�$��2�� cvjG> J ��2��&f � �Y1D� � �� E2�B ��X��A ��.Q��u! � ��- ��[��BE�F��&��X�[-��A� � �� Y(e� � �X� ��u!�� < �C!+��B[��0��BE1t��6"�� 023�+ �� \� ��?�� + "��23�+ ��" � ��\� ��#<Y� 6�� H �� E� � �F�� 1;4 �5��1 � ��(e��5��4�qjG> _W�#2��0��B � �o�� 2��Y�+�o�"��&< �Q�0�� o��#�k�:�&!+��#�k2a��p "� � � �� F�+�'��9��63�� H � ?63�� 8 q��`� � 1Do��9�� =<

_K��G6��A��+�M�� -+-��{��+1�2 � �:�#� � �+�%�� o�6"�� \��N8&�#��X�V�� j9��+-+��#6�� :�+��(�� -4�� 1;6"� � �+�D�F��*��8��z1 � � � 1� "1U��u!+��B�<*� 2a�+ "�� QN � ��1;6�� B�� =.�F�+�\('�� "-� :�#��Y6:��X,#��e � ��B+< _K��o�� -+�023�+ �� -4��8 "��e��{�+�� %�#�� - � ��X�#��%�F��1 ��"? "�� :�I� � �� #�� [��q��A ��D��! � � � �� < P)� �� ?�� ;��D�u!��"&�� #��";��8��C1 � � � 1� �1 ��u!+��BE�� $�u!�� p��X� � ��-?�F�+�9��+�"5r � �\��k6��#��=.3�t6"�� " H �� 6:��1D5�� 5��1 � ��L��Y1D�Ir � 1� "1 ��68��C��&��X�=<{P)� �# � � � � �+�q��D�� .z(��\( � ��X� 2:��X,q��-��+-+��6�� G�F��(�� -D(e�"��A �k��:�#�e� � ��K��'��;��9 ��\� � �:�#� � �+��?��9��+�"�&�&!+G��A � � �K��X�� =<

P)�^��?��23�u!+ H -+ ��.�� V�"�8 �?R � �;��^�+6"� � 1D��"�8 �#.�( � �� 6a��D�� -+�023�+ ��.��A�&��A1 � � � 1� �1 ��u!+��B�� Q��k23K�&�#�� + 8�&<C� �o�6"�� \� N8&�#��X�� #�� t( � ��?��1t�Ir � 1� �1 ��6"��=.�� +6��<

��

_K�� 0 �1Y2a�� "-[��k�� "�8 �� %�� (e� � �X� ��5B ��! � � � �� - ��q��&�#��X�=< _K��V��8��1 � � � 1� �1 � �� !�� #�;��A � � (e� � �X� � ��8��#�� +��k��q��; ��\� � �:�#� � �+� ��:�#�$��A �DR4< �o��t�q2a5��9��A �D��92a��$�F�� =.i��:�I�� .{�+�"�� A�&�#�o1 � � � 1Y �1 �:��?2a�� +��!�� =.o�� 6:��X,#�� %��( � ��X�� 2:��X, ��-+��+-+��#6�� o�F��(�� -�1D�A �#<

��LQ IKN��

` =>b �M� b G � = J �� IKMLN�6��BO�R��PN IA*��R��SPN��U = PQ�� C J KN� = � = � = A

_K�� - � �:��b6"��8��+�g "�� -+� �1;6�� BA�{��2a�+ "�� "�6"�� H ��o��&�#��X� � � �� %�� !��k�F��1 ��8��`1 � � � 1� "1 �� 6��5J) " H �� 6:��#1D5�� 5��1 � ��"41D�Ir � 1� "1 ��6"��V��W��G��&�#��X�V�F��L��X��#�g��4�"�8 �� %��G��+�"�� V��)(*�+��, ��6��uBA1D��{�#��&�8<

_K��G��5�)(��+��,��+63�+��+-�B;(�9 �� ?��!�� H ��#� � �+�q�� ?��CN"OQPSR � �e��K�F�+�� (e� x

�:�+�;�� 6�� "� ��5�)(��+��, �� H -+ ��#� � �+� ��:�#�D(� ��+�� D( � �� - � !+��!#�� "L�#� ��[��6��X,�5� � � "��+6�63� � �D��+�� e( � ��;��L6��8��+�v. � �3��L ��68��H ��'��&��X�%� � � ��/�� H �" q�4��A�&�I� � ��D��+��*��4��o �� :�#� � �+�;��:��D��+��&!+k��A ��<�:��+1 �4!�� H ��#� � �+�� "�%��gN"OQPSR4.A(�k�+2"��\!+� q��:�#� � �%�Y��6:��k��5�)(��+��,t�� X�?��"�+��(*;��+�� =.i2�B � �� -��!#�� k2a��+1;��91;�+�� ZD�� {�� H �� p��+ "�0��95r"��1;6��<�_K� � � � 1;6�� L��:�I�k��A�&�#�W1 � � � 1� �1;��u!��

� �

� ��\��{�+� � �� -�� !#�� "�<k_K��F�+��u( � �"-t-+��6�� (��k6��#�� -��"�� /�+2"�� "� ��F��+1 !+�� H ��#� � �+�� "� ��;�"��)(*�+��,0��#� � . � �� G�"�8 ��/��6a�� !+��B�<

_K�0 ��.C(�� -+-+��#� ��:�#� � !+;1;��"�8 p�� p��23�+ ��" �� "�6"�� H ��\��X��9��u!��/�F��+1 ��A�&��81 � � � 1� "1D�`2� "�/��/�� [!��#�� K�#�/�k!#�� 2"�� )B� �4�+�� "��g��o�� '��*�A "1�2a��C��:6��X,�5�/��+��<W� �"�8 � (e� � �X� � �C�I�Q��8��01 � � � 1Y �1�&�#�p�� q��!��#�� Y(e� � �X� � �o6"��+63�+�� +��g��0 �1�23��k�#��6:�#�X,��4��+�� k�� "��o��`��"G�� !��\BV�\��#��-�B+<

_K��G1;�8 ��H � q�#��-+�+� � ��1 � �K- � !+��?23��u( xO _K�� E6��sJ) �5��1 � �� !��#�� V��G�A "1�2a��G6:��X,#��q��:�#�%�� 23

��+6�63� t(e� � �X� � � �5��1 � �� D2�BD��#Z;�{�X��5�� \� � ��*�� @0 :�� )B��=��\! � ��"G�"��)(*�+��, � � �v<

�:�+�K��X�V�"�8 � � �q��9��)(*�+��, xT� � ��X� � �q��!#�� D��

� �'cF��A � � �K��A�&�#�=1 � � � 1Y �1�f��e!#�� "o��

��A �9�&�#��2a�+ "�� QN�� "� � ��

��

� �'cF��A �9 ��8��e��L��u!+��L�F��+1 ��8��=1 � � � 1� �17��+�" � � � �+�zf�� _K��#� � ��.��#� ��'2:�#�X,0��X, � ��-�. � � � ��F�� %��:�I�K��+6"� � 1D��3��8 "��'(*��k�F�+ "�� #� �� 6"��#�L��B%2��X�V��g��9- � !��?��A �

��e!#�� "o��

� �'cW!#�� +f�

�0 �1DOW�#�X,�� c �0 �1DOW��X,#�� O _K��"�+�� zf

��

�

��LQ IKN��

\ ?@KTAR� ?y� C �� =.C CNb � ��Z�� C J

� � � \ ?@KTA6��?@� C �� =rC

OQ��1D�� '��9� ��"-+ :��-+k "�� VN"OQPSR �� 239��+�� BA��1;��<�yOQ��+1;��1D�A ��=��+�"� � �\��e�� x�+<Q_/BA6aG �� #��#� � �+��J �-�<Q1Y�)BA63�.:�)BA6a� ��S.z��8< >��` "��I� � ��J �X�:��?�X� � � ��6 �i�� )BA6a#.�<�<�< �

��BA��X��+��+ "� x ��6 � �

��" � � !+�+ �� x ��6 � �

�"< jk��2:��a!#�� 2"��o ��#� � �+�"��J � � 1;6��{!#�� 2��.8�� V!#�� 2�� <hOQ��8��t �� #� � �+��J�23��u! � �+ ��;��o��"6��8�� x ��8��'!#�� 2��6�� "�

��#��1D��8<QP)� � �e6��8��KJ � � � � � �� !#�� 2��K�#�� V�\�X��\��e6��8��

� 6��8�5�)B863G � H � � � � �+�q�+��B� �� #��L6��8��L23��:�&! � �+��. � �e ��A��e��#��sr8�� 8�� &<P)� � � � �#��B�. � ��"eO/��+1;�� 1D�A ��d. � ��\�Q�+��K6"��A��C( � ��"23'5r8�� "�� x �o6��8��Q�#�3�)BA63� � � �&. ��#�W1Y ��W2a �� sr86�� B � �45!+��B�OQ��+1D�� e��63�� H ��#� � �+�=<`_K��'��1t�#�0� � ��LOQ��1D�� Y2:�� +� ��6"��e5r8�� "��2 � � � �)B�< �z��Y&�#�X� �)BA63%��e6�� 1 � � � !+��#��1D��&.9� � ��-� :��-+ �� "�� 1 � ��q(e��?��p��#��1D�� ?sr8�� 8�X��2��$��2��8�X,#� � �?��- � !��?��BA��1 ��#��#<

�2P C � �k �� $��G�q "�:��B �+6a��#��+�o��#�k�X��,#��k��";��1D��#�'�%6��8��9�)BA6a#<�P �

� �

� ��5r8�� "�X�#2��+�"��B � � �t6"��A��k��Q��"Y�)BA6a��6a�� H � �&�#� 2a � �� #�� =<o_K�� #��1D��Q�&��Y6:��Q6��1;��i!#�� C��z�#��A2:�� :�I�X��)BA63��W��{��(^6��8��< me ��#��1D��`�&��G2a/ �� G��Bk6��8��i��e��6:�&(e�Y��5([6��A��.�� \� � �9�� 6��8��<

�*BD6�� H r � �"-��Y��@A "��G�#�i��X�I��1;��K��+�� t�� B;2��#��'( � ��t��o,#�B�J(*�+�� = ? �6� ��V "��;�&�#� � �" � ��#��:�#�;��q��@0 �� p23?sr8�� 8�� h�#�D�+�"� �" � ! � � � 2��t �� &. ��+�AJ � ��&�&!+� ^( � ��^��B ��6��8��< P �;�&�� "��D� �� AJ � � 1D��+� � �9��B ��#��1D��0��.��#��t��:�#� �� H ��X�I��1;��.L2"��A�X,A� � � ��h�I��+1 � �?��sJ@0 ��"��<V�'��+1 � ��@0 ��"�� 23t�� 1;6a��X�#�0�9��8�+� � �$�� -V��D��+1;6��sr � �)B��*!+�� H ��#� � �+�E1;�A ��9��G��Bp�� G��D��1;�+ ��G�� 0��&�&! � �"-?��:�#� � �4��u(�� \�� 2� "�� %��BA�\��1?<QnEk��u!�k �� ?�#��+1 � ��@A "�� + "� � 1;6��1D��X�#� � �+�;��jG>'m�O`<

TV��-+o�X�:�#��K�� 1D�A ��z��"��F��*��b :�I�X�G�F��+17�+��L6��A��#��< �:�+�'5r"��1;6��. � �� 1;6��1D��X�#� � �+��#�QjG>'m�O`.

�X�:�#�V6:�I��A �� R� � � N�� 9TV� � �`��W2�B0��

� �o �� p��q1D�A ��`��;jG> �� 6p6:��X,�5�4(e� � �X� � �o "�� q��G �6 �� 2�6:�I��(e� � �X� � �K �� !+� � "� � �"-��9��A�&��a1 � � � 1Y �17��u!+��\B+<

_K�� 6?@� = PQ� �\�X�#��1;��L1D�A ��K��63�� b��+�� +��:�I�L�� (e�'�;6��8��e��23�+��K��k('� � � � ��-��F�+�K�� +��:�#�e1D�&B��5!+��L23��1Do�� #.:�< -�< �� 6� 8�K�F��+1��q�1;6"�)Bq�X�:�#��d<

P)� �� OQ��1D�� 1;6��1D��0��#� � �+�[��4jG>'m�O`.Q(� �#�� "1D�� "�8�?��)(*�+��,�� H -+ ��#� � �+�=<C� �� o1t�&B��+28�X� � �t��A�&�I� � �� "�F�+��1t�#� � �+��#�=�� \� � �:�#� � �+�=.A "� � � �� J� �"-4�#�t �� "��B � ��-G1D��2 � � � �)BG1t�#�:��-+�1D��0� ��X��1;{� � ,��j9O Na<��/��X� � ��1;� � �#��K��8 "c � �� -%��D��+ ��"�8 �&f9��4��t��srA��+6$2:�� B �+�$��t "�� :�I� � ��A ��g��A�&�#� � �+�4�� G��*��A�&��! � 5( ��5�)(��, � �g1t� � ��X� � ��<i_K��*��A�&��+! � 5( ��:��"��5�)(��+��, � ��\��+�� 2�BV�D��A � � � � ��L��+��63�+�� -�� -+�023�+ ��e�X��2��<e_K��4�� -+�02a�+ "�

� �

�X�#2�� K��63�� H � ? �� -D��)B863� "��Q � H � � � � �� q�+ ��e1;�8 ��b��'�F�+��u(e� x�)BA63� �5�Q�� -+�02a��_g��2��

2�B0�� H �� R� � � N��

�:�+��&��X� ��A � � ��"��)(*�+��,z. � � � �� H �� ". � � � �� &�#��:�#�o��A � �� K�"�� K�" � -��A23�+ �� H �� &�#��'��:�#�K��"G�"�8 � �b� �e��" � -��A23�+ ��<

� 1D5�� 1D6"��uB+� ��D�!#�� #��4�&!�� #2��k�F�+�\('�� "-D�X�� k�� +6"� � 1 �� "{ �� +�t��+�� -9��G��{�u!#� � � ��2"�� 8�F�+��1D�#� � �+�=<i_K��L�F�+��(�� -4 �� +�t�� 5J� � �+� � ��Q �� \�X��"��K1 � � � 1 �� #� � �+� � < '��X��8 "K1D�u!+��C�� C�� -+�023�+ ��W(e� � �X��:��K��9��&�#�� Q �� q � �\�X��"��k�F��+1 ��9 �� :�#� � �+�=<

_K�� H ��\��6:��X,#�� "� �F�+�G��+1;t "�� :�I� � ��E�1;6�� BA�4-+��+-��1 ��+ "� � ��- �#�� \�X��2"� � ��o�t-+��A� � �� o�� + 8�� M<G>��+�� "� � !�;6��X,�5��G��Y��+ "�� +�� "-��pjG> J)�0 �1Y2a��1t�#6�6 � �"-+��< �/��X� ��8 "%1t� � ��X� � ��Y��2��t��:�I��+�� [��BE�F��&�#�X� ��\�X��2�� V-+��A� � �� e��u!�� "- � ��.z�:��1;� V��Yj4> J �A "1�2a��L��"�� I� � ��?��2��cvjG> J ��2��uf5< �/��X� ��B � � ��X�#2��?1t�#6�� 02a�� 0��\� �� 0 �1Y2a��D�� + "��2a�� 0 �1�23��. �F�+�� 63�� H �%-+��8� � �� < _K��Vj4>�_g��2�� 1;�A �� -��"9�F��u( � ��-�� 5�� x

�)BA63� �5� j4>�_g��2��

2�B0�� =."�+ "�&. ��. ��\�&.:� � 1D� �

(e�� %J �"�8 �k�F��+1 (e� � �X�?��96:��X,#�� '�F�+�\('�� + 8�'J��"�8 �o��(e� � �X�?��96:��X,#�� '�F�+�\('�#�� . ��*J`��+��#��:�#� � �+�;��M��#. ��- � !��*�9 "� � @0 �L�0 �1�23��Q�F�+�/&��X�;-+��8� � �� 1;KJ`� � 1;K��X�#1D6t��8� � �#�� ( � ��D&��X�t-+��A� � �� /��B�(e� � �X� � �/��5��(e��8J

� �

�!�� e "� � � �� =<P)�^��?-+��-+��6"� � �%�F�+�\('�� "-p1;�A ��.*&��X� � ��1;� � �#��q��A ��c � �� - ��"

�� 4��A �&f�5r8�� "��o��K�F�+��u(e� x� �

x�x � �� \�eJ �

� �x�x 1 � �� GJ �1 � �� \� �o � ��X�#�� srA��A � �o6 � � !#�� g� ��-�� {��A � � �

��&�&!+-+��< �� o��+ �� -+��< "��o ��\� �-+��< � � �o�� -+��< �+ 8� �o��5rA��8 " �-+�� -+�5� � �� V��B%��-+��2��6 �� x�x � �\�X��"�� 1 � �� *J �1 � �� \� �o � ��X�#�� !#��

��5rA��"�8 � �o6 �-+�� u-�� _g�;��6�� #��o��"G�� q��\B�( � ��V��B��W1 � �q � ��-+��< �� o��+ �� -+��< ��k "�� -+��< � � �o�� -+��< �+ 8� �o��5rA��8 " �:-+� � �� -+��6 ��x�x ��oJ � 6 ��

H �H �(e�� 7)��"�{()4Y� � � �9��D � �\�X��"��t�#�K&��X�E�� -+�02a�+ "�G�F��+1 ��D ��\� � �:�#� � �+� �#��

��

�"!/�87)��"� � �*��{ � ��o��=��o��A ��(e� � �X��:�#��6:��X,#�� D�:�� M.8�F��17��{ "�� :� J� � �+�=<

P �Q� !#�� {�� 8. � 4��"Y��A � � �{�+68� � 1D��=( � �� 63��5�o�� {��A�&�#�i! � �(�� ;��5�)(��+��,z.g��"��p2a�+ "�� QN � �9�&�#�� + "�9( � �� ;6�� H �� $6:��1D5�� cF1t�Ir � 1� �1 ��6"��V�#�g��9��&�#��X�zfK��5�L�� F�+�K��X�?��8 "�<

�/��X� ��A �Y�� "�G�"��t1;��-+��{�� -+�02a�+ "� � �"-t��A �� +�� +1�J1� �� &�I�� H ��K�� %63�+� � � � �+�=<CP �g��A �o ��A��K�"��K��F��1 �� -+�023�+��F�+��6:��\� � �� {6�� 5��1 � �� p� � 1; � ��!#��d. � �9�#�� "1D��9��:�#�k��+��63�+�� -q� � �", � �2��+,�� 5��9��";��B�F��+1 � ��k�� -+�023�+ ��o��2��#<�nE� "�6 � ��9�� k�+63��I� � �� -q��D6��A�� \�X�� #� � �+� ! w 4 �+�"55�� (e�� 6a�� H ��4�� 0� ��H ��9��'��"��A �k(e� � �X�?�� e��9��1D��#-+�<

� � � � � Z"�� C J

� � � �"-t��N"OQPSR TV�A ��C>��X,#��k�F�+�o�D��)(*�+��,?( � �� 5!+�� A ��k�� 5�'�� ".��Y��+ ��K5r"��1;6��e(��'�F�+ �� M.8(e��o��"{6:��X,#��e(��' � ��&�#�� =."��&�� -4��?��\� � �+�?! � �+� �#� � �+�M<

�:�+��q��1;%��)(*�+��, ( � �� &�� ^�� .*� ��+ ��Dsr"��1D6"��(��F�+ ��" ��-�� =< ��u(*�!+��.e��V ��68�� o�� \�X�#��6�� #�o��V��BA��1 �#�t(e� � �X� � �(��%�F�+ �� h('�#�?��-��. � �" � ��#� � ��-E��#�%( � �� #� � ��&�� !��#�� #. � �23��1D��;1;�+��% � Z;�� "�� H �" � ��+ "�0��5r"��1;6��< _K��?�F��u( � ��- ��6��"��;��u(e��"9!�� H ��#� � �+�q�� q�F�+� � �"�� !��#�� x

� �

��LQ IKN��

� =.C �SA$PNZ�� =.C

�o�$!�� H ��#� � �+�$�#�'��;6��A��+�/ �� -+�E��Kj9��+-+��6�� l � �\�� :�� > � �� 4me�+ "��J� �"-E6��A��+�e �� -p�� N"OQPSR TV�A ��{>��X,��.L(* ��1DV��+��t�� t5r"��1;6��(e� � �X�E2��+ �-+��G�� -+��G�?6a�� Q23��"��X,z<%_K� � �G23��"��X, (*�+ �� $�:�&!+D2a��u!+��A�+,#� � � � 1;6��1D��0��#� � �+�;�� X��e��:�#�'��+��!+��0� � �+��a�� -Y��+ �� 2�� - � �� -+��&<

n � ��E��6��;��:��B8� � �G�� :�� M.W(�%6"��+63�+��t� 1D�A ��H �&�#� � �+� �� F&�I�� ?�#�{��"?sr � �� -p6��A��+�*(e� � �X� 1 � -+��6��u!�?��$23q �a�� !� � � �#��5! � �#� � ��-6:��X,#��L�� %�� %�� +�K2�B%��5�� -�� 6:��1D5��K�Y!#�� 2��L��23 �5��1 � �� q "BA�:�#1 � �&��B+<

� �6�TA6� = J �� IKML.q

� � �Yj9�� "< ��+� � 1D��=.��+_K�" TV�A ��o>��X,#��VN"OQPSR��.eP � � � _`��"��5� � �� o�N8�� )(��Q��- � �� -�."l �k]Q< ��".:R��< �8.3T�&B � � � �

� � �YN8�+6�� z�#��+63�+ ��+ 8JSOQ� � - � 6:�".&�4< �� KTV� �o�+�� =.��0jG>'m�O x j9��+-+��6�� l � �� :��> � �� %me�+ "� � ��-[OQ��#��A��+�L�F�+�t�� L�8� R��)(*�+��,A��.kOQ��A�� -+��#�G�� {��0 :�#�'P � � � P)�0��:�#� � �+�:��'>��+�"�F��"��?�+�^TV�+2 � �� A�%�� N8��+�;N0B8�SJ��1D�&cvTV�oN�N � �� 0fs. �o��2a�� J � � . ��

� ��4OQ�=<GN8�X��A�23��=.��+_K�" >��+1;6��5r � �)B �#�t_`�1;6a��]b�+- � � TV�A ��D>��X, � ��-��".�:�+ ��4P)��#� � �+�:��n$�+��,0��"�+6��+�4�{ "!#�� T?�8 :�#�0]i��- � �+c � � T] �� f5.#N8�6AJ�o�� 8.�_`�+ �� #. �z��

� �4mG<Wjk��=. ��<gOg�� M. T$< ��<gl �� .W�� O`<gn$�+��63��.QN � 1D6�� o�8J _K��5J �W��B �� "��IJ1t�I� � � l/�� H ��#� � �+��M] � ��C_`�1;6a�+��:]b�+- � ��.#OQ��A�� "-+�/P �WPSO � n j � <��NABA1D6=<OQ��8��+�eN863�� H ��#� � �+�=./_g�� -�.*�� l/�� H ��#� � �+� cdO N8_'l � �+fs.�6�6=< � J ��".QnE��\J��&(9.�� 8<

� � ��+�� A�X�=. �k�u! � �4<�T�#�� . �k�u! � �{<��+��"��+�=. � � � >��0 �� L =.�� X��!#�". �+� Og��F�+��1t�#��*>��+1;6:�� k��:T? �� +6kn � ��`�� A�/R��)(*�+��,mL�� "� � ��-�OQ��#��A��+��.aOQ��A�� "-+�k��Q��" �:�+ �� {�"�A ��C�L>KT � P � � � P)��:� J� � �+�:��>��+�"�F�� +� T?�+2 � �� >��+1;6� "� � ��-E�� hRL��)(*�+��, � �"-zcvT � ��P\> �9T � � �f5.�o��2a�� J ��". � � �

� � �GP !#��$NA�� 1;��"� ! � ��.`T��, me ��d. ��+��,��ql/ �,�� 5! � ��.�� o�6"�� \�4N8&��X�E�#�� ]b�8��#� � �+� �'�#�� p]b�A�&�� me�+ "� � ��-%�#�� o�0Nme�+ "� � ��- � �n � ��kRL��)(*�+��,0��.OQ��A�� "-+�i��8��Q�L>KT P)�"��:�#� � �+�:�#�0>��+�"�F��"�� +�YOg��#��+OQ��A�� -�.��

Documents

Network Protocol Verification Using Linear Temporal Logic