Corrections and Update (June 2017)

The files linked from this page were incorrect versions, and we didn't notice for a long time. We have now corrected the files. Many thanks to Florian Marco (Grenoble) and Mathieu Turuani (INRIA, Nancy) for alerting us.

We are currently making a new version of StatVerif with some updates, which will be based on Proverif 1.96 (rather than the version of 1.86 below).


We extend the ProVerif process calculus with constructs for explicit state, in order to be able to reason about protocols that manipulate global state. Global state is required by protocols used in hardware devices (such as smart cards and the TPM), as well as by protocols involving databases that store persistent information. We provide the operational semantics of our language. We extend the ProVerif compiler that takes processes written in the process language, and produces Horn clauses. Our translation is carefully engineered to avoid many false attacks. We prove the correctness of the extended compiler. We illustrate our method on two examples: a small hardware security device, and a contract signing protocol. We are able to prove their desired properties automatically.

Case studies

1. A simple security device

This hypothetical security device is a piece of hardware that can be given pairs of secrets {(x, y)}k, encrypted with its public key k. The device decrypts each pair with its private key and returns either x or y, but not both. The device can be configured as left to return x, or right to return y, but can only be configured once.

2. Contract signing protocol

A contract signing protocol allows a set of participants to sign a pre-agreed contract. A good contract signing protocol should not let a participant send their signature to another, without an assured means to obtain a signature from all the other participants. This property is called fairness.

Ensuring fairness requires a trusted party. Garay and Mackenzie proposed a contract signing protocol that, for efficiency, only involves the trusted party when a dispute needs to be resolved. This protocol is based on private contract signatures, which act as promises to sign the contract.

In the paper, our techniques are applied to the two-party instance of Garay and Mackenzie's protocol (GM), resulting in an automatic proof of fairness. To achieve this, no bound on the number of sessions, contracts or agents is needed. In comparison, when run with a plain ProVerif model of this protocol, using private channels to model the state of the trusted party, ProVerif reports a false attack. It reports the same false attack even if only one contract is considered.

The security of a protocol like this, with participants holding global mutable state, has been proved automatically only once before, by Mödersheim. Because his language is so low-level, his proof's hypotheses were very difficult to understand just by inspecting his model of the protocol. It isn't clear how many participants or contracts are considered.

Our translation only applies to processes with a finite number of cell names, i.e. with no [s → M] under a replication. However, in the GM protocol, the trusted party creates two cell names for each contract. So for an unbounded number of contracts, the trusted party creates an unbounded number of cell names.

To use our technique to prove the GM protocol's fairness, we make the following correct abstraction:

The trusted party only follows the protocol for one contract, ct. Fairness of the protocol is proved only for ct.

For requests about ct, the trusted party will reply and update its memory according to the protocol. For requests about any other contract, it will reply as if it were the first time it received a request for that contract.

Dynamic measurement and protected execution: model and analysis

These files correspond to the experiments in the paper Dynamic measurement and protected execution: model and analysis. The three examples each have four files:

  • Processes contains the original model as StatVerif processes.
  • Clauses contains the Horn clauses output by stattrans.
  • Modified contains the Horn clauses manually modified as described in the paper.
  • Bounded contains the instantiated clauses with PCR bounds.
Decryption oracle Processes (corrected) Clauses Modified Bounded
SSH server Processes (corrected) Clauses Modified Bounded
Certificate authority Processes (corrected) Clauses Modified Bounded


StatVerif is distributed as a patch for ProVerif 1.86pl4. Apply the patch with patch -p1 < proverif-1.86pl4-statverif-2657ab4.patch before building.

Old translator

The old program to translate processes written in the process calculus to Horn clauses is available here. This is no longer updated due to the limitations of ProVerif's Horn clause input language.