“Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties (Extended Version),” April 2012, available http://www.infsec.ethz.ch/research/software#TAMARIN

Cited by 3 (1 self)
Abstract—We present a general approach for the symbolic analysis of security protocols that use Diffie-Hellman exponentiation to achieve advanced security properties. We model protocols as multiset rewriting systems and security properties as first-order formulas. We analyze them using a novel constraint-solving algorithm that supports both falsification and verification, even in the presence of an unbounded number of protocol sessions. The algorithm exploits the finite variant property and builds on ideas from strand spaces and proof normal forms. We demonstrate the scope and the effectiveness of our algorithm on nontrivial case studies. For example, the algorithm successfully verifies the NAXOS protocol with respect to a symbolic version of the eCK security model.
Reduction of the Intruder Deduction Problem into Equational Elementary Deduction for Electronic Purse Protocols with Blind Signatures
Abstract. The intruder deduction problem for an electronic purse protocol with blind signatures is considered. The algebraic properties of the protocol are modeled by an equational theory implemented as a convergent rewriting system which involves rules for addition, multiplication and exponentiation. The whole deductive power of the intruder is modeled as a sequent calculus that, modulo this rewriting system, deals with blind signatures. It is proved that the associative-commutative (AC) equality of the algebraic theory can be decided in polynomial time, provided a strategy to avoid distributivity law between the AC operators is adopted. Moreover, it is also shown that the intruder deduction problem can be reduced in polynomial time to the elementary deduction problem for this equational theory.
An Algebra for Symbolic Diffie-Hellman Protocol Analysis
Abstract. We study the algebra underlying symbolic protocol analysis for protocols using Diffie-Hellman operations. Diffie-Hellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field: this rich algebraic structure has resisted previous symbolic approaches. We define an algebra that validates precisely the equations that hold almost always as the order of the cyclic group varies. We realize this algebra as the set of normal forms of a particular rewriting theory. The normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model. Using this invariant, we prove the main security goals achieved by UM, a protocol using Diffie-Hellman for implicit authentication. Despite vigorous research in symbolic analysis of security protocols, many
Symbolic Protocol Analysis for Diffie-Hellman
Abstract. We extend symbolic protocol analysis to apply to protocols using Diffie-Hellman operations. Diffie-Hellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field. This rich algebraic structure has resisted previous symbolic approaches. We work in an algebra defined by the normal forms of a rewriting theory (modulo associativity and commutativity). These normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model. Using this invariant, we prove the main security goals achieved by several different protocols that use Diffie-Hellman operators in subtle ways. We also give a model-theoretic justification of our rewriting theory: the theory proves all equations that are uniformly true as the order of the cyclic group varies.