Diffie-Hellman without Difficulty

  • Sebastian Mödersheim
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7140)


An excellent way for a protocol to obtain shared keys is Diffie-Hellman. For the automated verification of security protocols, the use of Diffie-Hellman poses a certain amount of difficulty, because it requires algebraic reasoning. Several tools work in the free algebra and even for tools that do support Diffie-Hellman, the algebraic reasoning becomes a bottleneck.

We provide a new relative-soundness result: for a large class of protocols, significantly restricting the abilities of the intruder is without loss of attacks. We also show the soundness of a very restrictive encoding of Diffie-Hellman proposed by Millen and how to obtain a problem that can be answered in the free algebra without increasing its size upon encoding. This enables the efficient use of free-algebra verification tools for Diffie-Hellman based protocols and significantly reduces search-spaces for tools that do support algebraic reasoning.


Security Protocol Free Algebra Reduction Rule Modular Exponentiation Simple Constraint 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M., Needham, R.M.: Prudent engineering practice for cryptographic protocols. IEEE Trans. Software Eng. 22(1), 6–15 (1996)CrossRefGoogle Scholar
  2. 2.
    Arapinis, M., Duflot, M.: Bounding Messages for Free in Security Protocols. In: Arvind, V., Prasad, S. (eds.) FSTTCS 2007. LNCS, vol. 4855, pp. 376–387. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  3. 3.
    Armando, A., Compagna, L.: SAT-based Model-Checking for Security Protocols Analysis. Int. J. of Information Security 6(1), 3–32 (2007)Google Scholar
  4. 4.
    Basin, D.A., Mödersheim, S., Viganò, L.: OFMC: A symbolic model checker for security protocols. Int. J. Inf. Sec. 4(3), 181–208 (2005)CrossRefGoogle Scholar
  5. 5.
    Blanchet, B.: An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14), pp. 82–96. IEEE Computer Society, Cape Breton (2001)Google Scholar
  6. 6.
    Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: Deciding the Security of Protocols with Diffie-Hellman Exponentiation and Products in Exponents. In: Pandya, P.K., Radhakrishnan, J. (eds.) FSTTCS 2003. LNCS, vol. 2914, pp. 124–135. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Cremers, C.J.F.: The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  8. 8.
    Denker, G., Millen, J.: CAPSL and CIL Language Design. Technical Report SRI-CSL-99-02, SRI (1999)Google Scholar
  9. 9.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  10. 10.
    Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA: Cryptographic protocol analysis modulo equational properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD. LNCS, vol. 5705, pp. 1–50. Springer, Heidelberg (2007)Google Scholar
  11. 11.
    Harkins, D., Carrel, D.: The Internet Key Exchange (IKE), IETF, RFC 2409 (1998)Google Scholar
  12. 12.
    Heather, J., Lowe, G., Schneider, S.: How to prevent type flaw attacks on security protocols. Journal of Computer Security 11(2), 217–244 (2003)Google Scholar
  13. 13.
    Küsters, R., Truderung, T.: Using ProVerif to analyze protocols with Diffie-Hellman exponentiation. In: CSF, pp. 157–171 (2009)Google Scholar
  14. 14.
    Lynch, C., Meadows, C.: Sound Approximations to Diffie-Hellman using Rewrite Rules. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 262–277. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  15. 15.
    Lynch, C., Meadows, C.: On the relative soundness of the free algebra model for public key encryption. Electr. Notes Theor. Comput. Sci. 125(1), 43–54 (2005)CrossRefGoogle Scholar
  16. 16.
    Malladi, S.: Protocol indepedence through disjoint encryption under exclusive-or. In: Proc. Workshop of Foundation of Computer Security and Privacy (FCS-PrivMod) (March 2010)Google Scholar
  17. 17.
    Millen, J., Muller, F.: Cryptographic Protocol Generation From CAPSL. Technical Report SRI-CSL-01-07, SRI (2001)Google Scholar
  18. 18.
    Millen, J.K.: On the freedom of decryption. Inf. Process. Lett. 86(6), 329–333 (2003)MathSciNetzbMATHCrossRefGoogle Scholar
  19. 19.
    Millen, J.K., Shmatikov, V.: Constraint solving for bounded-process cryptographic protocol analysis. In: ACM Conference on Computer and Communications Security, pp. 166–175 (2001)Google Scholar
  20. 20.
    Mödersheim, S.: Diffie-Hellman without difficulty (extended version). Technical Report IMM-TR-2011-13, DTU Informatics (2011),
  21. 21.
    Rusinowitch, M., Turuani, M.: Protocol insecurity with a finite number of sessions, composed keys is NP-complete. Theor. Comput. Sci. 1-3(299), 451–475 (2003)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Turuani, M.: The CL-Atse Protocol Analyser. In: Pfenning, F. (ed.) RTA 2006. LNCS, vol. 4098, pp. 277–286. Springer, Heidelberg (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Sebastian Mödersheim
    • 1
  1. 1.DTU InformaticsDenmark

Personalised recommendations