Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation

  • Vitaly Shmatikov
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2986)


We demonstrate that the symbolic trace reachability problem for cryptographic protocols is decidable in the presence of an Abelian group operator and modular exponentiation from arbitrary bases. We represent the problem as a sequence of symbolic inference constraints and reduce it to a system of linear Diophantine equations. For a finite number of protocol sessions, this result enables fully automated, sound and complete analysis of protocols that employ primitives such as Diffie-Hellman exponentiation and modular multiplication without imposing any bounds on the size of terms created by the attacker, but taking into account the relevant algebraic properties.


Keywords: Inference Rule, Cryptographic Protocol, Modular Exponentiation, Constraint Sequence, Target Term
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Vitaly Shmatikov, SRI International
