Paper 2023/1246

Automated Analysis of Protocols that use Authenticated Encryption: How Subtle AEAD Differences can impact Protocol Security

Cas Cremers, CISPA Helmholtz Center for Information Security
Alexander Dax, CISPA Helmholtz Center for Information Security
Charlie Jacomme, Inria Paris
Mang Zhao, CISPA Helmholtz Center for Information Security

Many modern security protocols such as TLS, WPA2, WireGuard, and Signal use a cryptographic primitive called Authenticated Encryption (optionally with Authenticated Data), also known as an AEAD scheme. AEAD is a variant of symmetric encryption that additionally provides authentication. While authentication may seem to be a straightforward additional requirement, it has in fact turned out to be complex: many different security notions for AEADs are still being proposed, and several recent protocol-level attacks exploit subtle behaviors that differ among real-world AEAD schemes. We provide the first automated analysis method for protocols that use AEADs that can systematically find attacks that exploit the subtleties of the specific type of AEAD used. This can then be used to analyze specific protocols with a fixed AEAD choice, or to provide guidance on which AEADs might be (in)sufficient to make a protocol design secure. We develop generic symbolic AEAD models, which we instantiate for the Tamarin prover. Our approach can automatically and efficiently discover protocol attacks that could previously only be found using manual inspection, such as the Salamander attack on Facebook’s message franking, and attacks on SFrame and YubiHSM. Furthermore, our analysis reveals undesirable behaviors of several other protocols.

Available format(s)
Publication info
Published elsewhere. Major revision. Usenix Security 2023
authenticated encryptionAEADTamarin proversymbolic modelsformal methodsautomation
Contact author(s)
cremers @ cispa de
alexander dax @ cispa de
charlie jacomme @ inria fr
mang zhao @ cispa de
2024-02-09: revised
2023-08-17: received
See all versions
Short URL
Creative Commons Attribution


      author = {Cas Cremers and Alexander Dax and Charlie Jacomme and Mang Zhao},
      title = {Automated Analysis of Protocols that use Authenticated Encryption: How Subtle {AEAD} Differences can impact Protocol Security},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1246},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.