In this article we describe the data model of the MBase system, a webbased,

We describe a mechanism for theory interpretations in PVS. The mechanization makes it possible to show that one collection of theories is correctly interpreted by another collection of theories under a user-specified interpretation for the uninterpreted types and constants. A theory instance is generated and imported, while the axiom instances are generated as proof obligations to ensure that the interpretation is valid. Interpretations can be used to show that an implementation is a correct refinement of a specification, that an axiomatically defined specification is consistent, or that a axiomatically defined specification captures its intended models. In addition, the theory parameter mechanism has been extended with a notion of theory as parameter so that a theory instance can be given as an actual parameter to an imported theory. Theory interpretations can thus be used to refine an abstract specification or to demonstrate the consistency of an axiomatic theory. In this report we describe the mechanism in detail. This extension is a part of PVS version 3.0, which will be publicly released in mid-2001.

The Mondex case study about the specification and refinement of an electronic purse as defined in [SCJ00] has recently been proposed as a challenge for formal system-supported verification. This paper reports on the successful verification of the major part of the case study using the KIV specification and verification system. We demonstrate that even though the hand-made proofs were elaborated to an enormous level of detail we still could find small errors in the underlying data refinement theory as well as the formal proofs of the case study. We also provide an alternative formalisation of the communication protocol using abstract state machines. Finally the Mondex case study verifies functional correctness assuming a suitable security protocol. Therefore we propose to extend the case study to include the verification of a suitable security protocol.

The little theories method, in which mathematical reasoning is distributed across a network of theories, is a powerful technique for describing and analyzing complex systems. This paper presents an infrastructure for intertheory reasoning that can support applications of the little theories method. The infrastructure includes machinery to store theories and theory interpretations, to store known theorems of a theory with the theory, and to make denitions in a theory by extending the theory "in place". The infrastructure is an extension of the intertheory infrastructure employed in the imps Interactive Mathematical Proof System.

. Although set theory is the most popular foundation for mathematics, not many mechanized mathematics systems are based on set theory. Zermelo-Fraenkel (zf) set theory and other traditional set theories are not an adequate foundation for mechanized mathematics. stmm is a version of von-Neumann-Bernays-Godel (nbg) set theory that is intended to be a Set Theory for Mechanized Mathematics. stmm allows terms to denote proper classes and to be undened, has a denite description operator, provides a sort system for classifying terms by value, and includes lambdanotation with term constructors for function application and function abstraction. This paper describes stmm and discusses why it is a good foundation for mechanized mathematics. Keywords: Set theory, nbg, higher-order logic, mechanized mathematics, theorem proving systems, partial functions, undenedness, sorts. 1.

Set theory is the standard foundation for mathematics, but the majority of general purpose mechanised proof assistants support versions of type theory (higher order logic). Examples include Alf, Automath, Coq, EHDM, HOL, IMPS, LAMBDA, LEGO, Nuprl, PVS and Veritas. For many applications type theory works well and provides, for specification, the benefits of type-checking that are well-known in programming. However, there are areas where types get in the way or seem unmotivated. Furthermore, most people with a scientific or engineering background already know set theory, whereas type theory may appear inaccessable and so be an obstacle to the uptake of proof assistants based on it. This paper describes some experiments (using HOL) in combining set theory and type theory; the aim is to get the best of both worlds in a single system. Three approaches have been tried, all based on an axiomatically specified type V of ZF-like sets: (i) HOL is used without any additions besides V; (ii) an emb...

Mathematics is a process of creating, exploring, and connecting mathematical models. This paper presents an overview of a formal framework for managing the mathematics process as well as the mathematical knowledge produced by the process. The central idea of the framework is the notion of a biform theory which is simultaneously an axiomatic theory and an algorithmic theory. Representing a collection of mathematical models, a biform theory provides a formal context for both deduction and computation. The framework includes facilities for deriving theorems via a mixture of deduction and computation, constructing sound deduction and computation rules, and developing networks of biform theories linked by interpretations. The framework is not tied to a specific underlying logic; indeed, it is intended to be used with several background logics simultaneously. Many of the ideas and mechanisms used in the framework are inspired by the imps Interactive Mathematical Proof System and the Axiom computer algebra system.

The Mondex case study about the specification and refinement of an electronic purse as defined in [SCW00] has recently been proposed as a challenge for formal system-supported verification. In this paper we report on two results. First, on the successful verification of the full case study using the KIV specification and verification system. We demonstrate that even though the hand-made proofs were elaborated to an enormous level of detail we still could find small errors in the underlying data refinement theory as well as the formal proofs of the case study. Second, the original Mondex case study verifies functional correctness assuming a suitable security protocol. We extend the case study here with a refinement to a suitable security protocol that uses symmetric cryptography to achieve the necessary properties of the security-relevant messages. The definition is based on a generic framework for defining such protocols based on abstract state machines (ASMs). We prove the refinement using a forward simulation.

Abstract. Undefined terms are commonplace in mathematics, particularly in calculus. The traditional approach to undefinedness in mathematical practice is to treat undefined terms as legitimate, nondenoting terms that can be components of meaningful statements. The traditional approach enables statements about partial functions and undefined terms to be stated very concisely. Unfortunately, the traditional approach cannot be easily employed in a standard logic in which all functions are total and all terms are defined, but it can be directly formalized in a standard logic if the logic is modified slightly to admit undefined terms and statements about definedness. This paper demonstrates this by defining a version of simple type theory called Simple Type Theory with Undefinedness (sttwu) and then formalizing in sttwu examples of undefinedness arising in calculus. The examples are taken from M. Spivak’s well-known textbook Calculus. 1

Partial functions can be easily represented in set theory as certain sets of ordered pairs. However, classical set theory provides no special machinery for reasoning about partial functions. For instance, there is no direct way of handling the application of a function to an argument outside its domain as in partial logic. There is also no utilization of lambda-notation and sorts or types as in type theory. This paper introduces a version of von-Neumann-Bernays-Gödel set theory for reasoning about sets, proper classes, and partial functions represented as classes of ordered pairs. The underlying logic of the system is a partial first-order logic, so classvalued terms may be nondenoting. Functions can be specified using lambda-notation, and reasoning about the application of functions to arguments is facilitated using sorts similar to those employed in the logic of the imps Interactive Mathematical Proof System. The set theory is intended to serve as a foundation for mechanized mathematics systems.