Symbolic Protocol Analysis for Diffie-Hellman
We extend symbolic protocol analysis to apply to protocols using Diffie-Hellman operations. Diffie-Hellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field. This rich algebraic structure has resisted previous symbolic approaches. We work in an algebra defined by the normal forms of a rewriting theory (modulo associativity and commutativity). These normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model. Using this invariant, we prove the main security goals achieved by several different protocols that use Diffie-Hellman operators in subtle ways. We also give a model-theoretic justification of our rewriting theory: the theory proves all equations that are uniformly true as the order of the cyclic group varies.
💡 Research Summary
The paper tackles the long‑standing difficulty of applying symbolic protocol analysis to cryptographic protocols that use Diffie‑Hellman (DH) operations. DH works over a cyclic group G of prime order p together with an exponentiation operator; the exponents themselves form a finite field Fₚ. Because of the rich algebraic laws—associativity, commutativity, and especially the exponent laws (gᵃ)ᵇ = g^{ab}, g^{a+b}=gᵃ·gᵇ, etc.—traditional Dolev‑Yao style symbolic models, which treat messages as uninterpreted terms, cannot capture the necessary equalities without exploding into infinitely many rewrite rules.
The authors introduce a dedicated rewriting theory that encodes all DH algebraic laws as oriented rewrite rules modulo associativity and commutativity. By repeatedly applying these rules every message can be reduced to a unique normal form. This normal form is a tree built from atomic elements (public constants, secret exponents, public keys) and the DH operators (multiplication, exponentiation). Uniqueness of the normal form guarantees that two syntactically different terms that are algebraically equal will be mapped to the same representation.
On top of the normal‑form representation they define the notion of an indicator: a vector of integers, each component counting how many times a particular secret exponent appears in the term. For example, the term g^{ab}·g^{c} has indicator (1,1,1) with respect to the secret exponents a, b, and c. Crucially, the indicator is invariant under the rewrite rules: if two terms are equal in the rewriting theory they have identical indicators.
The adversary model is the standard Dolev‑Yao attacker extended with the ability to apply the DH operations, and hence the rewrite rules, to any messages it has seen. The central technical result (Theorem 1) shows that, despite this power, the attacker can never produce a message with an indicator it has not already observed. Multiplying group elements only combines monomials that are already present, and the one operation that could create a new monomial, raising a group element to an exponent, requires the attacker to hold that exponent as a field value, which it never does for a secret exponent. In other words, the attacker cannot synthesize a new secret exponent or a new product of existing secret exponents that it has not already “seen” in the appropriate form. This invariant is the cornerstone of all subsequent security proofs.
Using the indicator invariant the authors analyze several well‑known DH‑based protocols:
- Basic DH key exchange – they show that an attacker cannot compute the shared secret g^{ab}: the required indicator (1,1) appears in no observed message, only (1,0) and (0,1) do, and the attacker holds neither a nor b as an exponent it could apply to g^{b} or g^{a}.
- MQV – the protocol mixes long‑term and ephemeral keys. By tracking indicators through each step, the paper proves that the final session key’s indicator involves a combination of long‑term and ephemeral exponents that the attacker cannot reconstruct without breaking the invariant.
- HMQV – a variant that adds hash‑based binding. The analysis shows that the hash values are public quantities computable by anyone and therefore contribute no secret exponents; the indicator of the session key still reflects all secret components, and the invariant blocks forgery.
- SIGMA – a DH‑based authenticated key exchange. The indicator argument covers the DH component of the key, and combined with the reasoning about the authentication tags the invariant guarantees both key secrecy and mutual authentication.
For each protocol the authors formalize the security goals (key secrecy, authentication, forward secrecy) and prove them by showing that any attack violating a goal would require constructing a term with a “new” indicator, contradicting the invariant.
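The normal forms, the indicator, and the secrecy arguments for basic DH and MQV described above can be exercised in a few lines of code. The following is an added example written for this summary; it is not code from the paper, and it simplifies the paper's algebra: exponents are represented as integer polynomials over named variables (a sorted monomial tuple is the associativity/commutativity normal form), the indicator of a monomial counts its secret exponents, and `reachable_indicators` computes the indicators an adversary can produce from the group elements it has seen and the exponents it holds as field values, with a degree bound so the closure stays finite. The MQV key is modeled as g^{(x + d·a)(y + e·b)}, where d and e are treated as public field values; all function names are this example's own, and the protocol runs are constructed inputs.

```python
"""Indicator-based secrecy check for Diffie-Hellman protocols (added example)."""
from itertools import product

# A field element (an exponent) is kept in normal form as a polynomial: a dict
# from monomials to non-zero integer coefficients. A monomial is a sorted tuple
# of (variable, power) pairs; the empty tuple is the constant 1. Sorting is what
# normalizes modulo associativity and commutativity.

def mono(*names):
    """Monomial from variable names: mono('a', 'b') is a*b."""
    counts = {}
    for v in names:
        counts[v] = counts.get(v, 0) + 1
    return tuple(sorted(counts.items()))

def poly(*terms):
    """Polynomial from (coefficient, monomial) pairs, dropping zero terms."""
    p = {}
    for c, m in terms:
        p[m] = p.get(m, 0) + c
    return {m: c for m, c in p.items() if c != 0}

def var(name):
    """The exponent consisting of the single variable `name`."""
    return poly((1, mono(name)))

def padd(p, q):
    """Group multiplication: g^p * g^q = g^(p + q). Creates no new monomials."""
    return poly(*(list(zip(p.values(), p.keys())) + list(zip(q.values(), q.keys()))))

def pmul(p, q):
    """Exponentiation by a known field value: (g^p)^q = g^(p * q)."""
    terms = []
    for (m1, c1), (m2, c2) in product(p.items(), q.items()):
        names = [v for v, k in m1 for _ in range(k)] + [v for v, k in m2 for _ in range(k)]
        terms.append((c1 * c2, mono(*names)))
    return poly(*terms)

def indicator(m, secrets):
    """How many times each secret exponent occurs in monomial m."""
    d = dict(m)
    return tuple(d.get(s, 0) for s in secrets)

def indicators(p, secrets):
    return {indicator(m, secrets) for m in p}

def reachable_indicators(secrets, group_seen, field_known, max_degree=4):
    """Indicators of monomials the adversary can place in a group element.
    group_seen:  exponent polynomials of observed group elements g^p.
    field_known: exponents the adversary holds as field values (public
                 constants are always included as the zero vector).
    A new monomial can only arise from exponentiating a seen element by a known
    field value, which adds indicator vectors; the degree bound keeps it finite."""
    zero = (0,) * len(secrets)
    add = lambda u, v: tuple(x + y for x, y in zip(u, v))
    field = {zero}
    for p in field_known:
        field |= indicators(p, secrets)
    changed = True                       # close known field values under multiplication
    while changed:
        changed = False
        for u, v in list(product(field, field)):
            w = add(u, v)
            if sum(w) <= max_degree and w not in field:
                field.add(w)
                changed = True
    group = set()
    for p in group_seen:
        group |= indicators(p, secrets)
    return {add(g, f) for g in group for f in field if sum(g) + sum(f) <= max_degree}

def key_is_protected(secrets, group_seen, field_known, key_exponent):
    """True when some monomial of the key has an indicator the adversary cannot
    reach, so the invariant rules out deriving the key. False means only that
    this necessary condition is inconclusive, not that an attack exists."""
    reach = reachable_indicators(secrets, group_seen, field_known)
    return not indicators(key_exponent, secrets) <= reach

def basic_dh(leaked=()):
    """Plain DH with secrets a, b; `leaked` lists exponents the adversary learned."""
    secrets = ('a', 'b')
    seen = [var('a'), var('b')]                  # g^a and g^b on the wire (constructed run)
    known = [var(s) for s in leaked]
    return key_is_protected(secrets, seen, known, pmul(var('a'), var('b')))

def mqv(leaked=()):
    """MQV-style key g^{(x + d a)(y + e b)}: a, b long-term, x, y ephemeral;
    d, e are public (derived from g^x, g^y) and so count toward no indicator."""
    secrets = ('a', 'b', 'x', 'y')
    seen = [var(s) for s in secrets]             # all four public values observed
    known = [var(s) for s in leaked]
    key = pmul(padd(var('x'), pmul(var('d'), var('a'))),
               padd(var('y'), pmul(var('e'), var('b'))))
    return key_is_protected(secrets, seen, known, key)

if __name__ == '__main__':
    print('DH secure:', basic_dh(), '| DH with b leaked:', basic_dh(('b',)))
    print('MQV secure:', mqv(), '| ephemerals leaked:', mqv(('x', 'y')),
          '| one party fully leaked:', mqv(('a', 'x')))
```

The interesting case is `mqv(('x', 'y'))`: even with both ephemeral exponents in the adversary's hands, the monomial d·e·a·b of the key has indicator (1,1,0,0), which cannot be reached from any observed group element plus any known exponent, so the key stays protected; leaking one party's long-term and ephemeral exponent together makes every monomial reachable and the check is inconclusive, as expected for an adversary who can simply act as that party.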
The paper also provides a model‑theoretic justification: the rewriting theory proves exactly those equations that hold uniformly for all prime orders p. Consequently, the security proofs are independent of the concrete group size; they remain valid when the underlying DH parameters change, a property lacking in many earlier algebraic analyses.
In conclusion, the work delivers a robust symbolic framework for DH‑based protocols. By abstracting the algebra into normal forms and a simple integer‑vector indicator, it restores the tractability of symbolic analysis while preserving the expressive power needed to reason about exponentiation. The approach opens the door to symbolic verification of more complex algebraic primitives such as elliptic‑curve Diffie‑Hellman and other protocols that rely on rich group‑theoretic operations.