Skip to Main Content
Bilinear pairings are powerful mathematical structures that can be used in cryptography. Their equational properties allow constructing cryptographic primitives and protocols that would be otherwise ineffective or even impossible. In formal cryptography, the protocols are expressed through term algebras and process calculi. ProVerif, one of the most successful protocol analyzers, internally converts them to Horn theories for the analysis. This approach cannot easily deal with complex equational theories. In this paper, we propose an equational theory that models bilinear pairings in formal cryptography. We also propose a reduction from the derivation problem for Horn theories modulo this equational theory to (almost) purely syntactical derivation problem for Horn theories. This derivation problem can be readily tackled by ProVerif. We have implemented our analysis and have demonstrated that it is able to handle several secure and insecure protocols based on bilinear pairings. Our approach mostly follows Kusters's and Truderung's handling of Diffie-Hellman exponentiation. The greater complexity of the theory for bilinear pairings introduces several complications, the arithmetic properties of exponentiation play a much bigger role in our reduction. Still, our approach has the same kind of generality as theirs. Similarly to their approach, we do not treat the group operations as (independent) term constructors. But we show that access to those operations will not increase the power of the adversary.