Proving Group Protocols Secure Against Eavesdroppers

  • Steve Kremer
  • Antoine Mercier
  • Ralf Treinen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5195)


Security protocols are small programs designed to ensure properties such as secrecy of messages or authentication of parties in a hostile environment. In this paper we investigate automated verification of a particular type of security protocols, called group protocols, in the presence of an eavesdropper, i.e., a passive attacker. The specificity of group protocols is that the number of participants is not bounded. Our approach consists in representing an infinite set of messages exchanged during an unbounded number of sessions, one session for each possible number of participants, as well as the infinite set of associated secrets. We use so-called visibly tree automata with memory and structural constraints (introduced recently by Comon-Lundh et al.) to represent over-approximations of these two sets. We identify restrictions on the specification of protocols which allow us to reduce the attacker capabilities guaranteeing that the above mentioned class of automata is closed under the application of the remaining attacker rules. The class of protocols respecting these restrictions is large enough to cover several existing protocols, such as the GDH family, GKE, and others.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Boyd, C., González Nieto, J.-M.: Round-optimal ciontributory conference key agreement. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 161–174. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. 2.
    Bresson, E., Chevassut, O., Essiari, A., Pointcheval, D.: Mutual authentication and group key agreement for low-power mobile devices. Computer Communications 27(17), 1730–1737 (2004)CrossRefGoogle Scholar
  3. 3.
    Comon-Lundh, H., Jacquemard, F., Perrin, N.: Tree automata with memory, visibility and structural constraints. In: Seidl, H. (ed.) FOSSACS 2007. LNCS, vol. 4423, pp. 168–182. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  4. 4.
    Comon-Lundh, H., Jacquemard, F., Perrin, N.: Visibly tree automata with memory and constraints. Research Report LSV-07-30, Laboratoire Spécification et Vérification, ENS Cachan, France, Logical Methods in Computer Science (September 2007) (to appear)Google Scholar
  5. 5.
    Comon-Lundh, H., Shmatikov, V.: Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In: Proceedings of the 18th IEEE Symposium on Logic in Computer Science (LICS 2003), vol. 171, pp. 271–280. IEEE Computer Society Press, Los Alamitos (2003)CrossRefGoogle Scholar
  6. 6.
    Contejean, E., Marché, C., Monate, B., Urbain, X.: The CiME Rewrite Tool (2000),
  7. 7.
    Dershowitz, N.: Termination of rewriting. J. Symb. Comput. 3(1-2), 69–116 (1987)MATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–208 (1983)MATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Goubault-Larrecq, J.: A method for automatic cryptographic protocol verification (extended abstract). In: IPDPS-WS 2000. LNCS, vol. 1800, pp. 977–984. Springer, Heidelberg (2000)Google Scholar
  10. 10.
    Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 110–125. Springer, Heidelberg (2003)Google Scholar
  11. 11.
    Kremer, S., Mercier, A., Treinen, R.: Proving group protocols secure against eavesdroppers. Research Report LSV, Laboratoire Spécification et Vérification, ENS Cachan, France (May 2008),
  12. 12.
    Küsters, R., Truderung, T.: On the Automatic Analysis of Recursive Security Protocols with XOR. In: Thomas, W., Weil, P. (eds.) STACS 2007. LNCS, vol. 4393. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  13. 13.
    Pereira, O., Quisquater, J.-J.: Some attacks upon authenticated group key agreement protocols. Journal of Computer Security 11(4), 555–580 (2003)Google Scholar
  14. 14.
    Pereira, O., Quisquater, J.-J.: On the impossibility of building secure cliques-type authenticated group key agreement protocols. Journal of Computer Security 14(2), 197–246 (2006)Google Scholar
  15. 15.
    Steel, G., Bundy, A.: Attacking group protocols by refuting incorrect inductive conjectures. Journal of Automated Reasoning 36(1-2), 149–176 (2006)MATHCrossRefGoogle Scholar
  16. 16.
    Steiner, M., Tsudik, G., Waidner, M.: Diffie-Hellman key distribution extended to group communication. In: ACM Conference on Computer and Communications Security, pp. 31–37 (1996)Google Scholar
  17. 17.
    Truderung, T.: Selecting theories and recursive protocols. In: Abadi, M., de Alfaro, L. (eds.) CONCUR 2005. LNCS, vol. 3653, pp. 217–232. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Steve Kremer
    • 1
  • Antoine Mercier
    • 1
  • Ralf Treinen
    • 2
  1. 1.LSV, ENS Cachan, CNRS, INRIAFrance
  2. 2.PPS, Université Paris Diderot, CNRSFrance

Personalised recommendations