Reducing Protocol Analysis with XOR to the XOR-free Case in the Horn Theory Based Approach
In the Horn theory based approach for cryptographic protocol analysis, cryptographic protocols and (Dolev-Yao) intruders are modeled by Horn theories and security analysis boils down to solving the derivation problem for Horn theories. This approach and the tools based on this approach, including ProVerif, have been very successful in the automatic analysis of cryptographic protocols w.r.t. an unbounded number of sessions. However, dealing with the algebraic properties of operators such as the exclusive OR (XOR) has been problematic. In particular, ProVerif cannot deal with XOR. In this paper, we show how to reduce the derivation problem for Horn theories with XOR to the XOR-free case. Our reduction works for an expressive class of Horn theories. A large class of intruder capabilities and protocols that employ the XOR operator can be modeled by these theories. Our reduction allows us to carry out protocol analysis by tools, such as ProVerif, that cannot deal with XOR, but are very efficient in the XOR-free case. We implemented our reduction and, in combination with ProVerif, applied it in the automatic analysis of several protocols that use the XOR operator. In one case, we found a new attack.
💡 Research Summary
The paper addresses a long‑standing limitation of the Horn‑theory based approach to cryptographic protocol analysis: its inability to handle algebraic operators such as exclusive‑or (XOR). In this approach a protocol and a Dolev‑Yao intruder are encoded as a set of Horn clauses, and a security property reduces to the derivation problem: can a target fact (typically "the intruder knows the secret") be derived from the clause set? Because the derivation problem is independent of the number of protocol sessions, tools built on it, ProVerif in particular, give automatic, unbounded‑session analysis and are very efficient when the theory is XOR‑free. ProVerif, however, cannot reason modulo the algebraic laws of XOR, so protocols that use XOR have either been out of reach of the tool or analysed with ad‑hoc approximations that may miss attacks.
The authors show how to reduce the derivation problem for Horn theories with XOR to the XOR‑free case. The reduction applies to a class of theories they call ⊕‑linear: for every XOR subterm t1 ⊕ t2 occurring in a clause, at least one of t1 and t2 is ground (contains no variables). Arbitrary nesting of XOR inside other operators is allowed; only an XOR of two variable‑containing terms is excluded. The restriction is met by many protocols that use XOR to mask keys or combine nonces with other values, and a large class of intruder capabilities, including the standard Dolev‑Yao operations and the composition and decomposition of messages with XOR, can be modelled within it.
The reduction replaces reasoning modulo the equational theory of XOR by purely syntactic reasoning in an XOR‑free Horn theory. In outline:
- Normalization. XOR terms are kept in a canonical form with respect to the identities a⊕b = b⊕a, (a⊕b)⊕c = a⊕(b⊕c), a⊕0 = a and a⊕a = 0: nested XORs are flattened, summands are ordered, summands occurring an even number of times cancel, and the neutral element 0 is dropped. Two terms are equal modulo XOR exactly when they have the same canonical form.
- Elimination of algebraic reasoning. ⊕‑linearity guarantees that the XOR summands that can matter in a derivation are drawn from a finite set, namely the ground XOR summands occurring in the theory and their XOR combinations. The algebraic XOR rules can therefore be replaced by finitely many XOR‑free clauses over canonical terms in which ⊕ is treated as an ordinary function symbol. The price is a larger theory, but one that an XOR‑free tool such as ProVerif can process as usual.
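As an added example (not code from the paper or its tool), the following Python models the derivation problem the reduction targets: ground Dolev‑Yao knowledge closed under projection, decryption and XOR, with XOR terms kept in the canonical form described above, plus a check for the ⊕‑linear (XOR‑linear) restriction. The toy key‑masking exchange, the messages and all names (`norm`, `saturate`, `derivable`, `is_xor_linear`, `demo`) are constructed for this illustration. It also shows why XOR cannot simply be treated as a free function symbol, which is how an XOR‑unaware tool sees it: with the algebraic rules switched off, the key recovery n ⊕ (k ⊕ n) = k is missed.

```python
"""Ground Dolev-Yao derivability modulo XOR: a constructed illustration, not the paper's tool."""
from itertools import combinations

ZERO = '0'  # neutral element of XOR; variables are strings starting with '?'

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def is_ground(t):
    return not is_var(t) if isinstance(t, str) else all(is_ground(a) for a in t[1:])

def norm(t):
    """Canonical form modulo AC, a+0=a and a+a=0: XOR terms are flattened,
    duplicate summands cancelled, 0 dropped and the summands sorted."""
    if isinstance(t, str):
        return t
    f, *args = t
    args = [norm(a) for a in args]
    if f != 'xor':
        return (f, *args)
    parity = {}
    for a in args:
        for s in (a[1:] if isinstance(a, tuple) and a[0] == 'xor' else (a,)):
            if s != ZERO:
                parity[s] = parity.get(s, 0) ^ 1   # a+a=0: keep odd multiplicities only
    summands = sorted((s for s, p in parity.items() if p), key=repr)
    if not summands:
        return ZERO
    return summands[0] if len(summands) == 1 else ('xor', *summands)

def is_xor_linear(t):
    """XOR-linearity: in every XOR subterm t1+t2 one side is ground. On the
    flattened form this means at most one non-ground summand per XOR node."""
    t = norm(t)
    if isinstance(t, str):
        return True
    if t[0] == 'xor' and sum(not is_ground(s) for s in t[1:]) > 1:
        return False
    return all(is_xor_linear(a) for a in t[1:])

def saturate(known, modulo_xor=True, max_summands=3, rounds=8):
    """Close the intruder's knowledge under pair projection, symmetric decryption
    with a known key and, if modulo_xor, XOR of any two known messages (bounded
    by summand count so the closure stays finite). With modulo_xor=False, 'xor'
    is just a free function symbol: no cancellation, no algebraic rule."""
    K = {norm(t) for t in known} if modulo_xor else set(known)
    for _ in range(rounds):
        new = set()
        for t in K:
            if isinstance(t, tuple) and t[0] == 'pair':
                new.update(t[1:])
            if isinstance(t, tuple) and t[0] == 'senc' and t[2] in K:
                new.add(t[1])
        if modulo_xor:
            for a, b in combinations(sorted(K, key=repr), 2):
                x = norm(('xor', a, b))
                if not (isinstance(x, tuple) and x[0] == 'xor' and len(x) - 1 > max_summands):
                    new.add(x)
        if new <= K:
            break
        K |= new
    return K

def derivable(known, target, modulo_xor=True):
    """Can the intruder build `target` from `known`? Composition is checked on demand."""
    K = saturate(known, modulo_xor)
    def build(t):
        if t in K:
            return True
        if isinstance(t, tuple) and t[0] in ('pair', 'senc'):
            return all(build(a) for a in t[1:])
        return False
    return build(norm(target) if modulo_xor else target)

# Constructed toy exchange (not from the paper): a server masks session key k with a
# nonce n. Variant 1 sends n in the clear; variant 2 sends n encrypted under kab.
TRACE_CLEAR = [('pair', 'n', ('xor', 'k', 'n'))]
TRACE_ENC = [('pair', ('senc', 'n', 'kab'), ('xor', 'k', 'n'))]

def demo():
    return {
        'clear_modulo_xor': derivable(TRACE_CLEAR, 'k'),                   # n + (k + n) = k
        'clear_free_xor': derivable(TRACE_CLEAR, 'k', modulo_xor=False),   # missed without XOR
        'enc_without_kab': derivable(TRACE_ENC, 'k'),
        'enc_with_kab': derivable(TRACE_ENC + ['kab'], 'k'),
        'linear_clause_term': is_xor_linear(('senc', ('xor', '?x', 'n'), 'kab')),
        'nonlinear_term': is_xor_linear(('xor', '?x', '?y')),
    }

if __name__ == '__main__':
    for name, value in demo().items():
        print(f'{name}: {value}')
```

The bounded forward closure is only a stand‑in for the unbounded‑session resolution that ProVerif performs; what it shares with the paper's setting is that derivability must be decided modulo the XOR identities, which is exactly what the free‑symbol run gets wrong.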
The central result is that the reduction preserves derivability in both directions: a fact is derivable from the original theory modulo the XOR identities if and only if it is derivable from the XOR‑free theory. Read as a verification result, the two directions mean:
- No attack is lost. Every derivation modulo XOR, and hence every attack, has a counterpart in the XOR‑free theory, so a security proof obtained on the reduced theory transfers back to the original one.
- No false attack is introduced. The XOR‑free theory does not enable derivations that were impossible modulo XOR, so an attack found on the reduced theory is a real attack on the protocol as modelled.
The authors implemented the reduction and combined it with ProVerif: a Horn specification with XOR is transformed into an XOR‑free Horn theory, which ProVerif then analyses as usual. They applied this pipeline to several protocols that make essential use of the XOR operator, protocols ProVerif cannot handle directly. On the reduced theories the analyses went through, and in one case they revealed a previously unknown attack on the protocol under study. The reduction is thus not merely a compatibility layer: analysing XOR faithfully rather than abstracting it away or approximating it can expose flaws that would otherwise go unnoticed.
The paper’s contributions can be summarized as follows:
- A General, Automated Reduction – A systematic, provably correct method to eliminate XOR from ⊕‑linear Horn theories while preserving derivability, a class that covers a wide range of realistic protocols and intruder capabilities.
- Practical Tool Integration – An implementation of the reduction combined with ProVerif, showing that existing, highly optimized XOR‑free analyzers can be reused for protocols with XOR.
- Case Studies and a New Attack – Application of the pipeline to several XOR‑based protocols, including the discovery of a new attack on one of them.
- Foundations for Future Extensions – A route towards handling other algebraic operators with the same tools, by reducing reasoning modulo their equational theories to the free case.
In conclusion, the reduction bridges the gap between the expressive needs of modern cryptographic protocols (which frequently employ XOR) and the efficiency of state‑of‑the‑art automatic verification tools. By translating XOR‑rich specifications into an equivalent XOR‑free form, the authors enable rigorous, unbounded‑session analysis with ProVerif and similar tools, thereby advancing both the theory and practice of protocol security verification.