An excellent way for a protocol to obtain shared keys is
Diffie-Hellman. For the automated verification of security protocols, the
use of Diffie-Hellman poses a certain amount of difficulty, because it
requires algebraic reasoning. Several tools work in the free algebra and
even for tools that do support Diffie-Hellman, the algebraic reasoning
becomes a bottleneck.
We provide a new relative-soundness result: for a large class of protocols,
significantly restricting the abilities of the intruder is without loss of
attacks. We also show the soundness of a very restrictive encoding of
Diffie-Hellman proposed by Millen and how to obtain a problem that
can be answered in the free algebra without increasing its size upon
encoding. This enables the efficient use of free-algebra verification tools
for Diffie-Hellman based protocols and significantly reduces search-spaces
for tools that do support algebraic reasoning.