The Tamarin prover is a tool for the analysis of security protocols. It implements a constraint solving algorithm that supports both falsification and verification of security protocols with respect to an unbounded number of sessions. The underlying security protocol model uses multiset rewriting to specify protocols and adversary capabilities, a guarded fragment of first-order logic to specify security properties, and equational theories to model the algebraic properties of cryptographic operators. The paper describing the theory underlying the Tamarin prover was accepted at CSF 2012. Its extended version is available from The Tamarin prover supports both a batch analysis mode and the interactive construction of security proofs using a GUI. Example protocols and the user guide are installed together with the prover. Just call the tamarin-prover executable without any arguments to get more information. The Tamarin prover uses maude ( as a unification backend and GraphViz ( to visualize constraint systems. Detailed instructions for installing the Tamarin prover are given at

deprecated, gpl, program, theorem-provers, Propose Tags
cabal install tamarin-prover-


The Tamarin prover repository

master branch build-status

This README describes the organization of the repository of the Tamarin prover for security protocol verification. Its intended audience are interested users and future developers of the Tamarin prover. For installation and usage instructions of the Tamarin prover see chapter 2 of the manual:

Developing and contributing

See contributing instructions.

Version Numbering Policy

We use version numbers with four components.

  • The first component is the major version number. It indicates complete rewrites of the codebase.
  • The second component is the minor version number. We use odd minor version numbers to denote development releases intended for early adopters. We use even minor version numbers to denote public releases, which are also published.
  • The third component indicates bugfix releases.
  • The fourth component indicates documentation and meta-data changes.

We ensure that the external interface of a version of the Tamarin prover is backwards compatible with the external interface of all versions that agree on the major and minor version number.

We announce all releases of the Tamarin prover on:


The manual is available as PDF or HTML at

Experimental improved graph output

You can use our experimental improved graph output which may be helpful for very large graphs that can be created for complicated protocols. To enable this feature read the instructions about improved graphs.

Spthy code editors

The project contains support for spthy syntax highlighting and support in the etc directory. This includes support for Sublime Text, VIM and Notepad++.

Example Protocol Models

All example protocol models are found in the directory


All models that we consider stable are part of every installation of the Tamarin prover. See tamarin-prover.cabal for the list of installed protocols. We use the following sub-directories to organize the models.

csf12/         the AKE case studies from our CSF'12 paper.
classic/       classic security protocols like the ones from
loops/         experiments for testing loop-invariants and protocols with
               non-monotonic state
related_work/  examples from related work on protocols with loops or
               non-monotonic state
experiments/   all other experiments
ake/           more AKE examples including ID-based and tripartite group KE
               protocols based on bilinear pairing
features/      (small) models that demonstrate a given feature
ccs15/	       the observational equivalence case studies from our CCS'15 paper

Feel free to add more sub-directories and describe them here.

In general, we try use descriptive names for files containing the models. We also document all our findings as comments in the protocol model. Moreover, we use the following header in all files to make their context more explicit.

   Protocol:    Example
   Modeler:     Simon Meier, Benedikt Schmidt
   Date:        January 2012

   Status:      working

   Description of protocol.