Paper 2026/830
DY* Unchained: Now with Composable Security Proofs and Precise Compromise Scenarios
Abstract
Cryptographic protocols are the cornerstone of Internet security, and any flaw in their design would have drastic effects. We can formally prove the absence of such flaws using a variety of automated or semi-automated tools. However, some features of real-world protocols are notoriously hard to analyze using these tools, including unbounded loops, unbounded data structures, and unbounded and dynamic number of protocol participants. The DY* protocol verification framework recently emerged as a tool designed to address these challenges, and it was successfully used to analyze protocols such as Signal, ACME and TreeSync. However, we note that DY* suffers from two deep limitations: first, security proofs of protocol subcomponents cannot be composed, which hinders the analysis of large protocols; second, the security proofs depend on a simple language to describe compromises, which overly restricts the set of compromise scenarios DY* can reason about. In this paper, we present a major overhaul of DY* that addresses these limitations. We enable composing security proofs in DY* by developing a framework to define trace invariants modularly, and we improve the precision of compromise scenarios that DY* can prove by fully generalizing the notion of security labels. These improvements are essential to enable the analysis of large protocols. In particular, our new version of DY* was already used by and crucial to the security proofs of the TreeKEM protocol (IEEE S&P 2025).
BibTeX
@misc{cryptoeprint:2026/830,
author = {Théophile Wallez},
title = {{DY}* Unchained: Now with Composable Security Proofs and Precise Compromise Scenarios},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/830},
year = {2026},
url = {https://eprint.iacr.org/2026/830}
}