# Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties

```bibtex
@article{Schmidt2012AutomatedAO,
  title   = {Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties},
  author  = {Benedikt Schmidt and Simon Meier and Cas J. F. Cremers and David A. Basin},
  journal = {2012 IEEE 25th Computer Security Foundations Symposium},
  year    = {2012},
  pages   = {78-94}
}
```

We present a general approach for the symbolic analysis of security protocols that use Diffie-Hellman exponentiation to achieve advanced security properties. We model protocols as multiset rewriting systems and security properties as first-order formulas. We analyze them using a novel constraint-solving algorithm that supports both falsification and verification, even in the presence of an unbounded number of protocol sessions. The algorithm exploits the finite variant property and builds on…
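
The modelling approach sketched in the abstract, shown as an added example rather than code from the paper: the authors' later Tamarin prover implements this constraint-solving algorithm, and its input language maps directly onto the description above. Protocol roles are multiset rewriting rules over facts (fresh names `~x`, public names `$A`, the public constant `'g'`, `Out`/`In` for the Dolev-Yao network, `K` for adversary knowledge), the `diffie-hellman` builtin supplies the equational theory whose finite variant property the algorithm exploits, and lemmas are first-order formulas over action facts and timepoints. The theory below is constructed for this page; the fact and action names (`StA`, `KeyA`, `Reveal`, `Eq`) are my own choices, not the paper's. It models a signed two-message Diffie-Hellman exchange with long-term key compromise and states perfect forward secrecy for the initiator, one of the "advanced" properties the paper targets.

```spthy
theory SignedDH
begin

builtins: diffie-hellman, signing

/* Long-term signing key per agent; the public key is published so the
   adversary can verify signatures as well. (Constructed example.) */
rule Register_ltk:
    [ Fr(~ltk) ]
  -->
    [ !Ltk($A, ~ltk), !Pk($A, pk(~ltk)), Out(pk(~ltk)) ]

/* Compromise: the adversary learns an agent's long-term key. The Reveal
   action lets the lemma below distinguish honest from compromised peers. */
rule Reveal_ltk:
    [ !Ltk($A, ltk) ]
  --[ Reveal($A) ]->
    [ Out(ltk) ]

/* Initiator A: fresh exponent x, send g^x and keep state for the reply. */
rule A_1:
    [ Fr(~x) ]
  -->
    [ StA($A, $B, ~x), Out(<$A, $B, 'g'^~x>) ]

/* Responder B: fresh exponent y, sign both half-keys and the identities.
   B does not authenticate A in this two-message flow, so B makes no key
   claim; only the initiator's key is covered by the lemma. */
rule B_1:
    [ Fr(~y), !Ltk($B, ltkB), In(<$A, $B, X>) ]
  -->
    [ Out(<$B, $A, 'g'^~y, sign(<$A, $B, X, 'g'^~y>, ltkB)>) ]

/* Initiator A: check B's signature over the transcript, then claim
   k = Y^x as the session key. The DH equational theory identifies
   ('g'^y)^x with ('g'^x)^y when Y came from an honest B. */
rule A_2:
    [ StA($A, $B, ~x), !Pk($B, pkB), In(<$B, $A, Y, sig>) ]
  --[ Eq(verify(sig, <$A, $B, 'g'^~x, Y>, pkB), true)
    , KeyA($A, $B, Y^~x) ]->
    [ ]

/* Restrictions filter traces: only those where every Eq(x, y) holds. */
restriction Equality:
  " All x y #i. Eq(x, y) @ #i ==> x = y "

/* Sanity check: the protocol can run to completion without compromise,
   so the secrecy lemma is not vacuously true. */
lemma executable:
  exists-trace
  " Ex A B k #i. KeyA(A, B, k) @ #i & not (Ex X #r. Reveal(X) @ #r) "

/* Perfect forward secrecy for the initiator: the adversary (K) never
   learns k unless the peer's long-term key was revealed before the key
   was derived. Compromise after the session does not help. */
lemma initiator_pfs:
  " All A B k #i. KeyA(A, B, k) @ #i
      ==> not (Ex #j. K(k) @ #j)
        | (Ex #r. Reveal(B) @ #r & #r < #i) "

end
```

Assuming the file is saved as `SignedDH.spthy`, `tamarin-prover --prove SignedDH.spthy` checks every lemma for an unbounded number of sessions; `tamarin-prover interactive .` opens the browser interface, where each proof step is one application of the constraint-solving rules the abstract describes, so the derivation (or the attack trace, if you weaken the lemma by dropping the `#r < #i` condition and letting B sign for any peer) can be inspected step by step.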

## 213 Citations

Automated Verification of Group Key Agreement Protocols

- Computer Science, Mathematics
- 2014 IEEE Symposium on Security and Privacy
- 2014

This work provides the first symbolic correctness proofs for group key agreement protocols that use Diffie-Hellman or bilinear pairing, loops, and recursion, while at the same time supporting advanced security properties, such as perfect forward secrecy and eCK-security.

Decidability for Lightweight Diffie-Hellman Protocols

- Computer Science, Mathematics
- 2014 IEEE 27th Computer Security Foundations Symposium
- 2014

This paper develops an algebraic version of the symbolic approach, working directly within finite fields, the natural structures for the protocols, and proves that security goals for a wide class of protocols are decidable.

Efficient construction of machine-checked symbolic protocol security proofs

- Computer Science, Mathematics
- J. Comput. Secur.
- 2013

An untyped security protocol model is embedded in the interactive theorem prover Isabelle/HOL and a theory for constructing proofs of secrecy and authentication properties is derived, based on an inference rule for enumerating the possible origins of messages known to the intruder.

An Algebra for Symbolic Diffie-Hellman Protocol Analysis

- Mathematics, Computer Science
- TGC
- 2012

It is proved that the adversary can never construct a message with a new indicator in the authors' adversary model, one of the main security goals achieved by UM, a protocol using Diffie-Hellman for implicit authentication.

Model Checking Indistinguishability of Randomized Security Protocols

- Computer Science, Mathematics
- CAV
- 2018

The first practical algorithms for model checking indistinguishability properties of randomized security protocols against the powerful threat model of a bounded Dolev-Yao adversary are given.

Automated Cryptographic Analysis of the Pedersen Commitment Scheme

- Computer Science, Mathematics
- MMM-ACNS
- 2017

This paper presents a mechanised formal verification of the popular Pedersen commitment protocol, proving its security properties of correctness, perfect hiding, and computational binding.

Enrich-by-need Protocol Analysis for Diffie-Hellman (Extended Version)

- Computer Science
- Foundations of Security, Protocols, and Equational Reasoning
- 2019

This paper describes how to analyze protocols using the Diffie-Hellman mechanism for key agreement (DH) in the enrich-by-need style via an algebraically natural model, which makes the extended CPSA implementation reliable.

ESSM: Formal Analysis Framework for Protocol to Support Algebraic Operations and More Attack Capabilities

- Computer Science, Mathematics
- Security and Communication Networks
- 2021

The extended strand space model (ESSM) framework is established to describe algebraic semantics, including the Abelian group and the XOR operation, and a threat model based on algebraic attacks, key-compromise impersonation attacks, and guess attacks.

Research on Security Protocol Analysis Tool SmartVerif

- Computer Science, Mathematics
- Journal of Physics: Conference Series
- 2021

This paper introduces SmartVerif, the first formal analysis tool to automatically verify the security of protocols through dynamic strategies, and uses it to verify the pseudo-randomness of the encapsulated key of the Two-Pass AKE protocol proposed by Liu at ASIACRYPT 2020.

Refining security protocols

- Computer Science, Mathematics
- J. Comput. Secur.
- 2018

The development highlights that guard protocols and channel protocols provide fundamental abstractions for bridging the gap between security properties and standard protocol descriptions based on cryptographic messages, and shows that the refinement approach scales to protocols of nontrivial size and complexity.

## References

Showing 1-10 of 42 references

Abstraction and resolution modulo AC: How to verify Diffie-Hellman-like protocols automatically

- Computer Science, Mathematics
- J. Log. Algebraic Methods Program.
- 2005

Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation

- Mathematics, Computer Science
- ESOP
- 2004

For a finite number of protocol sessions, this result enables fully automated, sound and complete analysis of protocols that employ primitives such as Diffie-Hellman exponentiation and modular multiplication without imposing any bounds on the size of terms created by the attacker.

Automated Proofs for Diffie-Hellman-Based Key Exchanges

- Computer Science, Mathematics
- 2011 IEEE 24th Computer Security Foundations Symposium
- 2011

An automated verification method for the security of Diffie-Hellman-based key exchange protocols is presented, combining a Hoare-style logic with syntactic checking.

Diffie-Hellman without Difficulty

- Computer Science, Mathematics
- Formal Aspects in Security and Trust
- 2011

For a large class of protocols, significantly restricting the abilities of the intruder is without loss of attacks, which enables the efficient use of free-algebra verification tools for Diffie-Hellman based protocols and significantly reduces search-spaces for tools that do support algebraic reasoning.

Sound Approximations to Diffie-Hellman Using Rewrite Rules

- Computer Science, Mathematics
- ICICS
- 2004

Discusses the feasibility of approximating the commutativity rule for exponentiation with a pair of rewrite rules, under which the complexity of unification in unification-based systems drops from at best exponential to at worst quadratic in the number of variables.

Using ProVerif to Analyze Protocols with Diffie-Hellman Exponentiation

- Computer Science, Mathematics
- 2009 22nd IEEE Computer Security Foundations Symposium
- 2009

Surprisingly, the reduction for Diffie-Hellman exponentiation is more efficient than the one for XOR, and works for a large class of Horn theories, allowing one to model a wide range of intruder capabilities and protocols.

Strong Invariants for the Efficient Construction of Machine-Checked Protocol Security Proofs

- Computer Science, Mathematics
- 2010 23rd IEEE Computer Security Foundations Symposium
- 2010

We embed an operational semantics for security protocols in the interactive theorem prover Isabelle/HOL and derive two strong protocol-independent invariants. These invariants allow us to reason…

LTL Model Checking for Security Protocols

- Computer Science, Mathematics
- 20th IEEE Computer Security Foundations Symposium (CSF'07)
- 2007

This paper proposes a general model for security protocols based on the set-rewriting formalism that allows for the specification of assumptions on principals and communication channels as well as complex security properties that are normally not handled by state-of-the-art protocol analysers.

The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols

- Computer Science, Mathematics
- CAV
- 2008

The most effective approach so far has been automated falsification or verification of such protocols with state-of-the-art tools such as ProVerif or the Avispa tools, which have been shown to be effective at finding attacks on protocols or establishing their correctness.