Performance Evaluations of Cryptographic Protocols Verification Tools Dealing with Algebraic Properties

  • Pascal Lafourcade
  • Maxime Puys
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9482)


Several automatic verification tools for cryptographic protocols exist, but only a few of them can check protocols in the presence of algebraic properties. Most of these tools deal with Exclusive-Or (XOR) and with exponentiation properties, so-called Diffie-Hellman (DH). In the last few years, the number of these tools has increased and some existing tools have been updated. Our aim is to compare their performance by analysing a selection of cryptographic protocols using XOR and DH. We compare execution time and memory consumption for different versions of the following tools: OFMC, CL-Atse, Scyther, Tamarin, TA4SP, and extensions of ProVerif (XOR-ProVerif and DH-ProVerif). Our evaluation shows that in most cases the new versions of the tools are faster but consume more memory. We also show how the new tools (Tamarin, Scyther and TA4SP) can be compared to previous ones. For the protocol IKEv2-DS, we also discover and explain a difference in modelling between the authors of different tools, which leads to different security results. Finally, for Exclusive-Or and Diffie-Hellman properties, we construct two families of protocols, Pxor\(_i\) and Pdh\(_i\), that allow us to clearly see for the first time the impact of the number of operators and variables on the tools' performance.


Verification tools for cryptographic protocols · Algebraic properties · Benchmarking · Performances' evaluations



We deeply thank all the tool authors for their helpful advice.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. University Clermont Auvergne, LIMOS, Clermont-Ferrand, France
  2. Université Grenoble Alpes, VERIMAG, Grenoble, France
  3. CNRS, VERIMAG, Grenoble, France
