Beyond the Finite Variant Property: Extending Symbolic Diffie-Hellman Group Models (Extended Version)

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Diffie-Hellman groups are commonly used in cryptographic protocols. While most state-of-the-art, symbolic protocol verifiers support them to some degree, they do not support all mathematical operations possible in these groups. In particular, they lack support for exponent addition, as these tools reason about terms using unification, which is undecidable in the theory describing all Diffie-Hellman operators. In this paper we approximate such a theory and propose a semi-decision procedure to determine whether a protocol, which may use all operations in such groups, satisfies user-defined properties. We implement this approach by extending the Tamarin prover to support the full Diffie-Hellman theory, including group element multiplication and hence addition of exponents. This is the first time a state-of-the-art tool can model and reason about such protocols. We illustrate our approach’s effectiveness with different case studies: ElGamal encryption and MQV. Using Tamarin, we prove security properties of ElGamal, and we rediscover known attacks on MQV.


💡 Research Summary

The paper tackles a long‑standing limitation of symbolic protocol verification tools: the inability to model the full algebraic structure of Diffie‑Hellman (DH) groups, in particular the addition of exponents (i.e., the field operations on the exponent sort). Existing tools such as Tamarin, ProVerif, and Maude‑NPA support only exponentiation and multiplication of exponents, avoiding the group‑element multiplication that implicitly performs exponent addition. This avoidance is due to the undecidability and infinitary nature of unification when distributivity, associativity, and commutativity are combined, which leads to an infinite set of most general unifiers.

The authors build on the rewrite system introduced by Dougherty and Guttman, which approximates finite fields with a terminating, confluent set of rewrite rules modulo AC (associativity‑commutativity). They adapt this system to a signature Σ_DH containing two sorts, G (group elements) and E (exponents), and function symbols for group multiplication (·), exponentiation (exp), exponent addition (+), exponent multiplication (∗), inversion (inv), and a non‑invertible coercion µ (modeled as a hash). By orienting non‑AC equations left‑to‑right and adding critical‑pair derived rules, they obtain a rewrite system →_DH that yields unique normal forms: exponents become sums of irreducible monomials, and group elements become products of irreducible monomials possibly wrapped with µ or inv.

The core contribution is a semi‑decision procedure that integrates this algebraic reasoning into the Tamarin prover without relying on direct unification of terms containing group multiplication. The procedure works under two modest assumptions:

  • C1 – All group elements belong to a single, fixed DH group, i.e., they are of the form g^e for a public generator g and an exponent e (which may contain +). This matches the majority of real‑world protocols.
  • C2 – The security property’s target terms do not contain subterms that cancel each other out (i.e., they cannot be reduced to the neutral element 1 or 0). This excludes trivial cases where a term’s own algebraic simplification would invalidate secrecy or authentication claims.

Given a goal term, the algorithm first uses Tamarin’s existing unification engine to check whether each subterm (ignoring group multiplication) is deducible from the adversary’s knowledge. If any subterm fails, the goal is unreachable. If all subterms are deducible, the algorithm translates the remaining combination problem into a system of linear equations over the exponent sort E. This system captures the constraints imposed by the DH algebra (e.g., (g^a)·(g^b) = g^{a+b}). Gaussian elimination solves the system; a solution corresponds to a concrete construction of the goal term using the available group operations.

The authors prove soundness (any attack found corresponds to a real protocol execution) and completeness (if the goal is unreachable under C2, the procedure will report failure). When C2 is violated, the tool still attempts a proof; if it succeeds, the user must manually verify that the non‑cancellation condition indeed holds for the involved terms.

Implementation details include extending Tamarin’s constraint‑solving algorithm with new rules that generate the algebraic equations, and ensuring that the combined symbolic‑algebraic search remains terminating. The extended prover, called Tamarin‑DH, is evaluated on two case studies:

  1. ElGamal encryption – The authors model the encryption and decryption steps, where ciphertexts involve the product g^r·m. Using Tamarin‑DH they automatically prove secrecy of the plaintext and authenticity of the ciphertext within minutes.
  2. MQV key‑exchange – MQV uses complex DH expressions to derive a shared session key. Known small‑key attacks exploit the algebraic interaction of exponent addition and group multiplication. Tamarin‑DH successfully rediscovered these attacks, producing concrete attack traces.
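The normal forms described for Σ_DH (exponents as sums of irreducible monomials, group elements as powers of the generator) and the linear‑equation step of the semi‑decision procedure, applied to the ElGamal case study, as an added Python example. This is not the authors' Tamarin‑DH code. It assumes C1 (every group element is g^e, so an element is represented by its exponent alone), lets the adversary combine known elements with rational coefficients (field arithmetic on exponents), and bounds the degree of products of known exponents, so it is a bounded approximation of the procedure rather than the full constraint‑solving integration. The ElGamal scenario, the variable names a, r, m and the "leaked private key" case are constructed for illustration.

```python
from fractions import Fraction
from itertools import combinations_with_replacement

# Added example (not the authors' Tamarin-DH code).  An exponent is a polynomial
# over exponent variables stored as {monomial: coefficient}; a monomial is a sorted
# tuple of variable names with repeats (("a", "a") is a^2).  Dropping zero
# coefficients gives the unique normal form "sum of irreducible monomials".

def var(name):
    return {(name,): Fraction(1)}

def const(c):
    return {(): Fraction(c)} if c else {}

def normalize(p):
    return {m: c for m, c in p.items() if c != 0}

def add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + c
    return normalize(r)

def neg(p):
    return {m: -c for m, c in p.items()}

def mul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(sorted(m1 + m2))
            r[m] = r.get(m, Fraction(0)) + c1 * c2
    return normalize(r)

def show(p):
    return " + ".join(f"{c}*{'*'.join(m) or '1'}" for m, c in sorted(p.items())) or "0"

class G:
    """A group element g^e of the single fixed group, kept as its exponent e (assumption C1)."""
    def __init__(self, e):
        self.e = normalize(e)
    def __mul__(self, other):   # g^a * g^b = g^(a+b): group multiplication adds exponents
        return G(add(self.e, other.e))
    def __pow__(self, k):       # (g^a)^k = g^(a*k)
        return G(mul(self.e, k))
    def inv(self):              # inv(g^a) = g^(-a)
        return G(neg(self.e))
    def __eq__(self, other):
        return self.e == other.e
    def __repr__(self):
        return f"g^({show(self.e)})"

def solve(rows, n):
    """Gaussian elimination over Q on augmented rows [a_1 .. a_n | b].
    Returns one solution (free unknowns set to 0) or None if the system is inconsistent."""
    rows = [r[:] for r in rows]
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, len(rows)) if rows[i][col] != 0), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        p = rows[r][col]
        rows[r] = [x / p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][col] != 0:
                f = rows[i][col]
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[r])]
        pivots.append(col)
        r += 1
    if any(row[n] != 0 for row in rows[r:]):   # a row reading 0 = b with b != 0
        return None
    x = [Fraction(0)] * n
    for i, col in enumerate(pivots):
        x[col] = rows[i][n]
    return x

def deducible(target, known_elems, known_exps, degree=1):
    """Can the adversary build `target` from known group elements and known exponents?
    Candidates are each known element raised to a product of at most `degree` known
    exponents.  target = prod_j cand_j^(c_j) becomes, on exponents,
    target.e = sum_j c_j * cand_j.e: one linear equation per monomial.
    Returns the nonzero (candidate, c_j) pairs, or None if no combination exists."""
    scalars = [const(1)]
    for d in range(1, degree + 1):
        for combo in combinations_with_replacement(known_exps, d):
            s = const(1)
            for k in combo:
                s = mul(s, k)
            scalars.append(s)
    cands = [elem ** s for elem in known_elems for s in scalars]
    monos = sorted({m for c in cands for m in c.e} | set(target.e))
    rows = [[c.e.get(m, Fraction(0)) for c in cands] + [target.e.get(m, Fraction(0))]
            for m in monos]
    sol = solve(rows, len(cands))
    if sol is None:
        return None
    recipe = [(c, x) for c, x in zip(cands, sol) if x != 0]
    built = G({})
    for c, x in recipe:      # sanity check: the recipe really reconstructs the target
        built = built * (c ** const(x))
    assert built == target
    return recipe

def elgamal_plaintext_recipe(private_key_leaked):
    """Constructed ElGamal scenario under C1: public key h = g^a, ciphertext
    (g^r, m * h^r) with the plaintext encoded as m = g^m'.  Returns how a passive
    adversary could rebuild g^m', or None when the plaintext is not deducible."""
    a, r, m = var("a"), var("r"), var("m")
    h, c1 = G(a), G(r)
    c2 = G(m) * h ** r                        # g^(m + a*r)
    known_elems = [G(const(1)), h, c1, c2]    # the generator, the public key, the ciphertext
    known_exps = [a] if private_key_leaked else []
    return deducible(G(m), known_elems, known_exps)

if __name__ == "__main__":
    print("secret key kept:  ", elgamal_plaintext_recipe(False))
    print("secret key leaked:", elgamal_plaintext_recipe(True))
```

With the private key secret the coefficient equations for the monomials m and a·r contradict each other and `solve` reports inconsistency, which is the "goal unreachable" outcome; with a known, the candidate g^{a·r} (c1 raised to a) appears and the recipe g^{m+ar} · (g^{ar})^{-1} is found, which is the concrete construction the summary describes. Raising the degree bound enlarges the candidate set, which is what makes this a semi‑decision procedure rather than a decision procedure.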

These experiments demonstrate that the approach scales to realistic protocols, handles arbitrary user‑defined equational theories alongside DH operations, and works with an active Dolev‑Yao adversary. The paper also discusses limitations (the need for C2, handling of zero‑exponent inversion) and future work such as automating the detection of cancellable subterms and extending the method to other algebraic structures like elliptic‑curve groups with pairing operations.

In summary, the work provides the first automated, sound, and (under reasonable assumptions) complete method for symbolic verification of protocols that employ the full Diffie‑Hellman group algebra, bridging a gap between symbolic analysis and the richer algebraic reasoning traditionally required for such protocols.

