package proverif

  1. Overview
  2. Docs


ProVerif is an automatic cryptographic protocol verifier, in the symbolic model (so called Dolev-Yao model). This protocol verifier is based on a representation of the protocol by Horn clauses. Its main features are:

  • It can handle many different cryptographic primitives, including shared- and public-key cryptography (encryption and signatures), hash functions, and Diffie-Hellman key agreements, specified both as rewrite rules or as equations.

  • It can handle an unbounded number of sessions of the protocol (even in parallel) and an unbounded message space. This result has been obtained thanks to some well-chosen approximations. This means that the verifier can give false attacks, but if it claims that the protocol satisfies some property, then the property is actually satisfied.

ProVerif can prove the following properties:

  • secrecy (the adversary cannot obtain the secret)
  • authentication and more generally correspondence
  • strong secrecy (the adversary does not see the difference when the value of the secret changes)
  • equivalences between processes that differ only by terms

A survey of ProVerif with references to other papers is available at

Bruno Blanchet. Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif. Foundations and Trends in Privacy and Security, 1(1-2):1-135, October 2016.

Published: 05 Sep 2020



Protocol verifier, copyright INRIA-CNRS, by Bruno Blanchet,
Vincent Cheval, and Marc Sylvestre 2000-2020.

This software can be used to prove secrecy and authenticity properties
of cryptographic protocols.


To run this software, you need Objective Caml version 4.03 or
higher. Objective Caml can be downloaded from

The installation of graphviz is required if you want to have a drawing
of graphs representing attacks that ProVerif found. It can be downloaded from

The installation GTK+2.24 and LablGTK2 is required if you want to
run the interactive simulator proverif_interact. Use the package manager
of your distribution to install GTK+2 and download lablgtk-2.18.6.tar.gz
and follow the installation instructions in their README file.

Furthermore, on Mac OS X, you need to install XCode if you do not
already have it. It can be downloaded from

* under Unix / Mac

Uncompress the source and documentation archives using tar:

	gunzip proverif2.02pl1.tar.gz
	tar -xf proverif2.02pl1.tar
	gunzip proverifdoc2.02pl1.tar.gz
	tar -xf proverifdoc2.02pl1.tar

or if you have GNU tar:

	tar -xzf proverif2.02pl1.tar.gz
	tar -xzf proverifdoc2.02pl1.tar.gz

This will create a directory named proverif2.02pl1 in the current directory.
Go into this directory, and build the programs:

	cd proverif2.02pl1

* under Windows 

Uncompress the archives proverif2.02pl1.tar.gz and proverifdoc2.02pl1.tar.gz
using Winzip, in the directory of your choice. This will create a
subdirectory named proverif2.02pl1. Open a DOS window, cd into the
proverif2.02pl1 directory and run the build .BAT file:


The system can run under Windows, but it is not very Windows-friendly:
you have to use the command line to run the programs. Improving the interface
is on the to-do list...


This software contains three executable programs, proverif, proveriftotex,
and proverif_interact. 

The program proverif takes as input a description of a cryptographic
protocol, and checks whether it satisfies secrecy, authenticity, or
equivalence properties. The description of the protocol can have
several different formats.  The recommended format is the typed pi
calculus format, which is a dialect of the applied pi calculus (Abadi
and Fournet, POPL'01).  The description of the protocol is first
translated into Horn clauses, then the core of the verifier is called.
This input format is documented in the file docs/manual.pdf
(found in proverifdoc2.02pl1.tar.gz). Examples of protocol descriptions 
can be found in the examples/pitype subdirectory. 
To run these examples, use 
        ./proverif <filename>.pv
or if your filename does not end in .pv,
        ./proverif -in pitype <filename>
For example:
	./proverif examples/pitype/secr-auth/NeedhamSchroederPK.pv

Other input formats are documented in the file docs/manual-untyped.pv
Research papers can be downloaded at
They are not included in the distribution because of copyright differences.
(You cannot redistribute these papers.)

The program proveriftotex takes as input a protocol description
and converts it into a LaTeX file. This is useful for including
protocols in research papers.

The program proverif_interact is an interactive simulator for ProVerif

The script "test" runs several tests (Unix or cygwin only):
You can run them by
The output of these scripts is written in the directory tests. The
filename of the output is "typed" followed by the
date/time of the run.


This software is distributed under the GNU general public license.
See the file LICENSE for more information.


Bugs and comments should be reported by e-mail to
(replace -AT- with @)


A mailing list is available for discussions on ProVerif. New releases
are announced on this mailing list.

* If you wish to subscribe, send an email to with subject
"subscribe proverif <your name>" (without quotes) and an empty body.

* To post a message on the list, send it to 
To avoid spam, only people that have subscribed to the list can post.


I would like to thank all users of ProVerif who contributed to the
development of the software by their helpful remarks.
From July 2008 to October 2010, the development of ProVerif was partly 
supported by DGA.

Dependencies (3)

  1. lablgtk
  2. ocamlfind build
  3. ocaml >= "4.03"

Dev Dependencies (1)

  1. proverifdoc = "2.02pl1" & post & with-doc

Used by





Innovation. Community. Security.