Abstract
Tamarin is a popular tool dedicated to the formal analysis of security protocols. One major strength of the tool is that it offers an interactive mode, allowing it to go beyond what push-button tools can typically handle. Tamarin is for example able to verify complex protocols such as TLS, 5G, or RFID protocols. However, one of its drawbacks is its lack of automation. For many simple protocols, the user often needs to help Tamarin by writing specific lemmas, called “sources lemmas”, which requires some knowledge of the internal behaviour of the tool.
In this paper, we propose a technique to automatically generate sources lemmas in Tamarin. We prove formally that our lemmas indeed hold, for arbitrary protocols that make use of cryptographic primitives that can be modelled with a subterm convergent equational theory (modulo associativity and commutativity). We have implemented our approach within Tamarin. Our experiments show that, in most examples of the literature, we are now able to generate suitable sources lemmas automatically, replacing the hand-written lemmas. As a direct application, many simple protocols can now be analysed fully automatically, while they previously required user interaction.
This work has been partially supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program (grant agreement No 714955-POPSTAR and grant agreement No 645865-SPOOC), as well as by the French National Research Agency (ANR) under the project TECAP.
Notes
1. This comes from the fact that, whenever the attacker learns a pair \(\textsf {K}^{\downarrow }_{}(\langle m_1,m_2\rangle )\), she cannot directly convert it into \(\textsf {K}^{\uparrow }_{}(\langle m_1,m_2\rangle )\), since the coerce rule does not apply to terms headed with a pair. Hence it is necessary to decompose it first (with \(\textsf {K}^{\downarrow }_{}\) rules) and then reconstruct it (with \(\textsf {K}^{\uparrow }_{}\) rules).
2. SAPIC translates applied pi calculus models into Tamarin theories.
A Proofs of Theorems 1 and 2
Theorem 1
Given a set of well-formed protocol rules P, a rule \( ru \in \mathsf {Variant}(P)\), a variable x occurring in \( ru \), and \(\phi \) returned by \(\mathsf {SourceLemma}(\mathsf {Variant}(P), ru ,x)\), then \(\phi \) is satisfied by \(\mathsf {Variant}(P)\), that is \(\mathsf {Variant}(P)\models _\mathsf {norm}\phi \).
Proof
Let P be a set of well-formed protocol rules, let \( ru \in \mathsf {Variant}(P)\), let x be a variable occurring in \( ru \), and let \(\phi \) be a formula returned by \(\mathsf {SourceLemma}(\mathsf {Variant}(P), ru ,x)\). The rule \( ru \) is of the form \([l] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}a \mathrel {]\!\!\!\rightarrow }}} [r]\) and \(\phi \) is of the form:
for some \(t_1\) that is a deepest protected term w.r.t. x and a subterm of the term t of a premise fact \(F(t)\in l\). By definition of a deepest protected subterm, \(t_1|_p=x\) for some position p, and there are only pairs along the path p (except at position \(\epsilon \)).
Let tr be a normalised trace of \(\mathsf {Variant}(P)\). Let us show that tr satisfies \(\phi \).

Let i be such that \(\mathsf {Left}_{F, ru ,t_1}(m,n)\in S_i\) for some terms m, n. Then the ith applied rule must be the rule \( ru \in \mathsf {Variant}(P)\) mentioned above, which has the form:
Moreover, there exists a substitution \(\sigma _i\) in normal form (the one used to instantiate \( ru \)) such that
and
. Since the trace is normalised, \(m=_\textit{AC}t_1\sigma _i\) and \(n =_{\textit{AC}}x\sigma _i\). Let
. Again, we have \(u =_{\textit{AC}}t\sigma _i\). Since \(t_1\) is a subterm of t and \(t_1\) is not headed by an AC symbol, we have that m is a subterm of u (modulo AC). Moreover \(F(u)\in S_{i-1}\) by definition of the application of a rule.
Let \(j < i\) be the smallest index such that m (modulo \(\textit{AC}\)) is a subterm of a fact in \(S_{j}\), and consider the jth rule that has been applied.
- Either this rule is a rule \( ru ''\) in \(\mathsf {Variant}(P)\) of the form
$$\begin{aligned} { ru ''} = [l''] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}a'' \mathrel {]\!\!\!\rightarrow }}} [\{F'(w)\}\cup r''] \end{aligned}$$
and there exists \(\sigma _j\) in normal form (the substitution used to instantiate \( ru ''\)) such that m (modulo AC) is a subterm of
. Since the trace is normalised,
. Let \(p'\) be the position at which m occurs in \(w\sigma _j\), i.e. such that \({w\sigma _j}|_{p'} =_{\textit{AC}}m\).
  - Either \(p'\) is a path of w that does not end on a variable. Then \(w|_{p'}=w'\) with \(w'\) a protected subterm of w. We have \(w'\sigma _j =_{\textit{AC}}m =_{\textit{AC}}t_1\sigma _i\), so \(w'\) and \(t_1\) are unifiable (modulo AC); hence \( ru ''\) has been annotated, that is, \(\mathsf {Right}_{F', ru '',t_1}(w')\in a''\), which concludes this case.
  - Or \(p'\) is a path of w that ends on a variable, or is not a path of w at all. Then there must exist a variable y in w such that m (modulo AC) is a subterm of \(y\sigma _j\). The variable y also appears in some premise fact \(F''(w'')\) of \( ru ''\), by definition of a protocol rule and because the variant rules are still protocol rules. Therefore m (modulo AC) is a subterm of a fact in \(S_{j-1}\) (since
), which contradicts the minimality of j.
- Or the rule is one of the \(\mathsf {MD}\) rules. Since m is a protected term, the rule cannot be \([] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\textsf {K}^{\uparrow }_{}(x) \mathrel {]\!\!\!\rightarrow }}} [\textsf {K}^{\uparrow }_{}(x:\textit{pub})]\) nor \([\textsf {Fr}(x:\textit{fr})] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\textsf {K}^{\uparrow }_{}(x) \mathrel {]\!\!\!\rightarrow }}} [\textsf {K}^{\uparrow }_{}(x:\textit{fr})]\), since these two rules only generate names. By minimality of j, it cannot be the rule \( [\textsf {Out}(x)] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![} \mathrel {]\!\!\!\rightarrow }}} [{\textsf {K}^{\downarrow }_{}(x)}]\), nor \([\textsf {K}^{\uparrow }_{}(x)] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\textsf {K}(x) \mathrel {]\!\!\!\rightarrow }}} [\textsf {In}(x)]\), nor the coerce rule \([\textsf {K}^{\downarrow }_{}(x)] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\textsf {K}^{\uparrow }_{}(x) \mathrel {]\!\!\!\rightarrow }}} [\textsf {K}^{\uparrow }_{}(x)]\) either. So it must be the deduction rule, either in the \(\textsf {K}^{\uparrow }_{}\) version or in the \(\textsf {K}^{\downarrow }_{}\) version.
  - Either it is the rule
$$[\textsf {K}^{\uparrow }_{}(x_1\theta ),\ldots , \textsf {K}^{\uparrow }_{}(x_n\theta )] {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\textsf {K}^{\uparrow }_{}(\mathsf {f}(x_1,\ldots ,x_n)\theta ) \mathrel {]\!\!\!\rightarrow }}} [\textsf {K}^{\uparrow }_{}(\mathsf {f}(x_1,\ldots ,x_n)\theta )]$$
with \(\mathsf {f}(x_1,\ldots ,x_n)\theta \) in normal form. We have \(\textsf {K}^{\uparrow }_{}(x_1 \theta ),\ldots ,\textsf {K}^{\uparrow }_{}(x_n \theta )\in S_{j-1}\). Then, by minimality of j, and since m is not headed by an AC symbol, we must have \(m =_{\textit{AC}}t_1{\sigma _i} =_{\textit{AC}}\mathsf {f}(x_1\theta ,\ldots ,x_n\theta )\): otherwise m would be a subterm of some \(x_i\theta \), hence a subterm of a fact in \(S_{j-1}\), or m would be a constant, which is impossible since m is a protected subterm. Recall that \(x{\sigma _i}\) occurs in \(t_1\sigma _i\) at a position \(p=i_0.p'\) (for some \(i_0\)) such that there are only pairs along \(p'\), that is, \(x{\sigma _i}\in St _{\mathsf {pair}}(x_{i_0}\theta )\). Since the trace is normalised (i.e. pairs are decomposed before being used), we get that \(\textsf {K}^{\uparrow }_{}(x{\sigma _i})\in S_{j-1}\), that is \(\textsf {K}^{\uparrow }_{}(n)\in S_{j-1}\). Now, by inspection of the rules, the only way to obtain \(\textsf {K}^{\uparrow }_{}(t)\) in a state is through a rule annotated by \(\textsf {K}^{\uparrow }_{}(t)\); hence \(\textsf {K}^{\uparrow }_{}(n)\) appears in one of the actions of an earlier rule, which concludes this case.
  - Or the rule

has been applied, with \(\mathsf {f}(x_1,\ldots ,x_k)\theta \) that can be reduced at top level. Since the equational theory is subterm convergent, \(m = (\mathsf {f}(x_1,\ldots ,x_k)\theta )\downarrow \) is a subterm of one of the \(x_i\theta \), hence m is a subterm of a fact of \(S_{j-1}\), which contradicts the minimality of j. \(\square \)
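The following is an added worked example, written for this page and not part of the paper or of Tamarin's implementation. It re-implements, over a toy term language, the objects the proof of Theorem 1 manipulates and that the abstract calls a sources lemma: the deepest protected subterm \(t_1\) of a premise w.r.t. a variable x, the \(\mathsf {Left}\) annotation on the rule \( ru \), the \(\mathsf {Right}\) annotations on every rule whose conclusion contains a protected subterm unifiable with \(t_1\), and the resulting lemma in Tamarin syntax. Everything not stated on the page is an assumption of the example: terms are strings (variables) or tuples (function symbol followed by arguments) with the pair symbol spelled "pair", there are no AC symbols, the rules are taken as already being in \(\mathsf {Variant}(P)\) (no equational theory is applied), unification is syntactic rather than modulo AC, and the three protocol rules Send, Recv and Hashed are constructed for illustration.

```python
"""Toy re-implementation of the SourceLemma construction (added example, not the
authors' or Tamarin's code). Terms are variables (strings) or tuples
(f, arg_1, ..., arg_n) with the pair symbol literally "pair". Assumed here, not
from the paper: no AC symbols, rules already variants, syntactic unification."""
from collections import namedtuple

PAIR = "pair"
# A protocol rule [l] --[a]-> [r]: premises/conclusions are (fact name, term) pairs.
Rule = namedtuple("Rule", "name premises conclusions")

def is_var(t):
    return isinstance(t, str)

def deepest_protected(t, x):
    """t_1 of Theorem 1: the last non-pair symbol on a path from the root of t
    to an occurrence of x (only pairs between it and x); None if there is none."""
    def walk(s, last):
        if is_var(s):
            return last if s == x else None
        nxt = last if s[0] == PAIR else s
        for arg in s[1:]:
            found = walk(arg, nxt)
            if found is not None:
                return found
        return None
    return walk(t, None)

def protected_subterms(t):
    """Subterms headed by a non-pair symbol (w|_{p'} with p' not ending on a variable)."""
    if is_var(t):
        return []
    return ([] if t[0] == PAIR else [t]) + [s for a in t[1:] for s in protected_subterms(a)]

def substitute(subst, t):
    if is_var(t):
        return substitute(subst, subst[t]) if t in subst else t
    return (t[0],) + tuple(substitute(subst, a) for a in t[1:])

def occurs(v, t):
    return v == t if is_var(t) else any(occurs(v, a) for a in t[1:])

def unify(s, t, subst=None):
    """Syntactic unification with occurs check: a substitution, or None."""
    subst = {} if subst is None else subst
    s, t = substitute(subst, s), substitute(subst, t)
    if s == t:
        return subst
    if is_var(t) and not is_var(s):
        s, t = t, s
    if is_var(s):
        return None if occurs(s, t) else {**subst, s: t}
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        subst = unify(a, b, subst)
        if subst is None:
            return None
    return subst

def rename(t, prefix):  # rename variables apart so two rules never share one
    return prefix + t if is_var(t) else (t[0],) + tuple(rename(a, prefix) for a in t[1:])

def source_lemma(rules, ru, x):
    """SourceLemma(Variant(P), ru, x): choose t_1 in a premise of ru, annotate ru
    with Left(t_1, x) and each rule whose conclusion has a protected subterm w'
    unifiable with t_1 with Right(w'); return the lemma in Tamarin syntax."""
    t1 = None
    for _, term in ru.premises:
        t1 = deepest_protected(term, x)
        if t1 is not None:
            break
    if t1 is None:
        return None
    tag = f"{ru.name}_{x}"
    left = (ru.name, f"Left_{tag}", (t1, x))
    rights = [(other.name, f"Right_{tag}", w)
              for other in rules for _, term in other.conclusions
              for w in protected_subterms(term)
              if unify(rename(t1, "a_"), rename(w, "b_")) is not None]
    lemma = (f'lemma sources_{tag} [sources]:\n'
             f'  "All m n #i. Left_{tag}(m, n) @ #i ==>\n'
             f'     (Ex #j. Right_{tag}(m) @ #j & #j < #i)\n'
             f'   | (Ex #j. KU(n) @ #j & #j < #i)"')
    return t1, left, rights, lemma

def pair(s, t): return (PAIR, s, t)
def senc(m, key): return ("senc", m, key)
def h(m): return ("h", m)

# Constructed protocol: Send encrypts <n, p> under the shared key k, Recv decrypts
# and answers with <x, n>; Hashed also encrypts under k, but h(a) never unifies
# with the pair Recv expects, so it gets no Right annotation.
SEND = Rule("Send", (("Key", "k"), ("Fr", "n"), ("Fr", "p")),
            (("Out", senc(pair("n", "p"), "k")),))
RECV = Rule("Recv", (("Key", "k"), ("In", senc(pair("n", "x"), "k"))),
            (("Out", senc(pair("x", "n"), "k")),))
HASHED = Rule("Hashed", (("Key", "k"), ("Fr", "a")),
              (("Out", senc(h("a"), "k")),))
RULES = [SEND, RECV, HASHED]

if __name__ == "__main__":
    print(*source_lemma(RULES, RECV, "x"), sep="\n")
```

Running it on the constructed rules picks \(t_1 = \mathsf{senc}(\langle n, x\rangle, k)\) for Recv and x, annotates Send and Recv (but not Hashed) with the Right action, and prints the lemma. In a real theory the tuples map to action facts: Recv would carry `Left_Recv_x(senc(<n, x>, k), x)`, Send and Recv would carry `Right_Recv_x(...)` on their respective ciphertexts, and the printed lemma is pasted in with the `[sources]` attribute so that Tamarin uses it during precomputation. Theorem 1 is what guarantees that such a lemma holds on every normalised trace; whether Tamarin then proves it without user interaction is the question the paper's experiments address.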
Theorem 2
Given a set of well-formed protocol rules P, a composed rule \( ru = ru _1\circ _{\theta } ru _2\circ _{\theta }\cdots \circ _{\theta } ru _k\) with \( ru _i\in \mathsf {Variant}(P)\), a variable x occurring in \( ru \), and \(\phi \) returned by \(\mathsf {SourceLemmaComp}(\mathsf {Variant}(P), ru ,x)\), then \(\mathsf {Variant}(P)\models _\mathsf {norm}\phi \).
Proof
The correctness of Algorithm 2 is a direct consequence of Theorem 1. Indeed, let \(\phi \) be a formula returned by \(\mathsf {SourceLemmaComp}(\mathsf {Variant}(P), ru ,x)\). Then \(\phi \) is actually a formula returned by \(\mathsf {SourceLemma}(\mathsf {Variant}(P), ru _i,v_i|_p)\) for some \( ru _i\in \mathsf {Variant}(P)\) and some variable \(v_i|_p\) of \( ru _i\). Applying Theorem 1, we have that \(\mathsf {Variant}(P)\models _\mathsf {norm}\phi \), hence the conclusion. \(\square \)
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Cortier, V., Delaune, S., Dreier, J. (2020). Automatic Generation of Sources Lemmas in Tamarin: Towards Automatic Proofs of Security Protocols. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science(), vol 12309. Springer, Cham. https://doi.org/10.1007/978-3-030-59013-0_1
DOI: https://doi.org/10.1007/978-3-030-59013-0_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-59012-3
Online ISBN: 978-3-030-59013-0