Logical Protocol Analysis for Authenticated Diffie-Hellman∗

Diffie-Hellman protocols for authenticated key agreement construct a shared secret with a peer using a minimum of communication and using limited cryptographic operations. However, their analysis has been challenging in computational models and especially in symbolic models. In this paper, we develop a logical framework for protocol analysis based on strand space ideas. We show that it identifies exact assumptions on the behavior of a certifying authority. These assumptions prevent attacks on two authenticated DH protocols, the Unified Model and Menezes-Qu-Vanstone (MQV). Verification within our framework implies that the adversary has no strategy that works uniformly, independent of the choice of the cyclic group in which the protocol operates. Computational soundness would assert that an adversary strategy successful in groups satisfying the Decisional Diffie-Hellman assumption would also furnish a uniform, group-independent strategy. Computational soundness awaits further investigation.