diff --git a/results/Basic/eac_tamarin.err.45221786 b/results/45991167.err.ALL_CLASSIC_EAC_TAMARIN
similarity index 86%
rename from results/Basic/eac_tamarin.err.45221786
rename to results/45991167.err.ALL_CLASSIC_EAC_TAMARIN
index 1f61aae55c21ecd2bc906c49f8eb899cc6d49e2d..35cf59a4de87742e8526e575ef29d8946ab1831a 100644
--- a/results/Basic/eac_tamarin.err.45221786
+++ b/results/45991167.err.ALL_CLASSIC_EAC_TAMARIN
@@ -30,3 +30,5 @@
 [Saturating Sources] Step 2/5
 [Saturating Sources] Step 1/5
 [Saturating Sources] Step 2/5
+WARNING: you should run this program as super-user.
+WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
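Review bot: The two WARNING lines added at the end of this stderr log are not prover output; they come from some other program in the job that ran unprivileged, and the log does not say which one. The wording matches what a hardware-inventory tool such as lshw prints, so the machine description recorded alongside this run may be incomplete, though that is inferred and not visible in the hunk. Keep the job unprivileged rather than rerunning the benchmark as super-user just to silence the message. Either drop that step or mark its output as partial, for example by echoing `# hardware info collected without root, may be incomplete` before it, so readers of the results know the environment record is best-effort.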
diff --git a/results/45991167.out.ALL_CLASSIC_EAC_TAMARIN b/results/45991167.out.ALL_CLASSIC_EAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..9db40ed75b648a4229ffcbd62775a678e5ca650f
--- /dev/null
+++ b/results/45991167.out.ALL_CLASSIC_EAC_TAMARIN
@@ -0,0 +1,21360 @@
+maude tool: 'maude'
+ checking version: 3.3.1. OK.
+ checking installation: OK.
+theory ClassicEAC begin
+
+// Function signature and definition of the equational theory E
+
+builtins: diffie-hellman
+functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
+           cert_sig/1, fst/1, kdf_enc/2, kdf_mac/2, mac/2, pair/2, pk/1, sign/2,
+           snd/1, true/0, verify/3
+equations:
+    cert_id(cert(pk, s, id)) = id,
+    cert_pk(cert(pk, s, id)) = pk,
+    cert_sig(cert(pk, s, id)) = s,
+    fst(<x.1, x.2>) = x.1,
+    snd(<x.1, x.2>) = x.2,
+    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
+
+
+
+
+
+
+
+
+
+macros:
+    verify_cert( cert,
+                 role ) = verify(cert_sig(cert),pair(cert_pk(cert),pair(cert_id(cert),role)),pk(ca_sk))
+
+rule (modulo E) Publish_ca_pk:
+   [ ] --> [ Out( pk(ca_sk) ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_chip_key_pair:
+   [ Fr( ~ltk ) ]
+  --[ TestMe( ) ]->
+   [ !Pk( $A, 'g'^~ltk, 'chip' ), !Ltk( $A, ~ltk, 'chip' ), Out( 'g'^~ltk )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_terminal_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [
+   !Pk( $A, pk(~ltk), 'terminal' ), !Ltk( $A, ~ltk, 'terminal' ),
+   Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_Sign_ltk:
+   [ !Pk( A, pk, role ) ]
+  --[ RegisteredRole( A, role ) ]->
+   [
+   !Cert( A, cert(pk, sign(<pk, A, role>, ca_sk), A), role ),
+   Out( cert(pk, sign(<pk, A, role>, ca_sk), A) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Corrupt_ltk:
+   [ !Ltk( $A, ltk, role ) ] --[ Corrupted( $A ) ]-> [ Out( <ltk, role> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Reveal_session:
+   [ !SessionReveal( sid, k ) ] --[ Revealed( sid ) ]-> [ Out( k ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_INIT_T:
+   [ !Cert( $T, certT, 'terminal' ), Fr( ~skTe ), Fr( ~iid ) ]
+  --[ Started( ) ]->
+   [
+   Out( <certT, 'g'^~skTe, '1', 't'> ), Out( ~iid ),
+   TAInitT( <$T, ~iid>, ~skTe )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_CHALLENGE_C:
+   [ In( <certT, pkTe, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
+  --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
+   [
+   Out( <~id_c, ~r1, '2', 'c'> ),
+   TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
+   ]
+
+  /*
+  rule (modulo AC) TA_CHALLENGE_C:
+     [ In( <certT, pkTe, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
+    --[ Eq( z, true ), Started( ) ]->
+     [
+     Out( <~id_c, ~r1, '2', 'c'> ),
+     TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
+     ]
+    variants (modulo AC)
+    1. certT = certT.13
+       z     = verify(cert_sig(certT.13),
+                      <cert_pk(certT.13), cert_id(certT.13), 'terminal'>, pk(ca_sk))
+    
+    2. certT = cert(x.14, sign(<x.14, x.15, 'terminal'>, ca_sk), x.15)
+       z     = true
+    
+    3. certT = cert(x.15, x.16, x.17)
+       z     = verify(x.16, <x.15, x.17, 'terminal'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_RESPONSE_T:
+   [
+   In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
+   !Ltk( $T, ~skT, 'terminal' )
+   ]
+  -->
+   [
+   Out( <sign(<id_c, r1, 'g'^skTe>, ~skT), '3', 't'> ),
+   TAResponseT( <$T, iid>, skTe, id_c )
+   ]
+
+  /*
+  rule (modulo AC) TA_RESPONSE_T:
+     [
+     In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
+     !Ltk( $T, ~skT, 'terminal' )
+     ]
+    -->
+     [
+     Out( <sign(<id_c, r1, z>, ~skT), '3', 't'> ),
+     TAResponseT( <$T, iid>, skTe, id_c )
+     ]
+    variants (modulo AC)
+    1. skTe  = skTe.12
+       z     = 'g'^skTe.12
+    
+    2. skTe  = one
+       z     = 'g'
+  */
+
+rule (modulo E) TA_COMPLETE_C:
+   [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
+  --[
+  Eq( verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true ),
+  CompletedTA( $C, iid, cert_id(certT) )
+  ]->
+   [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
+
+  /*
+  rule (modulo AC) TA_COMPLETE_C:
+     [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
+    --[ Eq( z, true ), CompletedTA( $C, iid, z.1 ) ]->
+     [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
+    variants (modulo AC)
+    1. certT = certT.18
+       id_c  = id_c.19
+       pkTe  = pkTe.21
+       r1    = r1.22
+       s     = s.23
+       z     = verify(s.23, <id_c.19, r1.22, pkTe.21>, cert_pk(certT.18))
+       z.1   = cert_id(certT.18)
+    
+    2. certT = cert(x.41, x.42, z.31)
+       id_c  = id_c.23
+       pkTe  = pkTe.25
+       r1    = r1.26
+       s     = s.27
+       z     = verify(s.27, <id_c.23, r1.26, pkTe.25>, x.41)
+       z.1   = z.31
+    
+    3. certT = cert(pk(x.41), x.42, z.31)
+       id_c  = id_c.23
+       pkTe  = pkTe.25
+       r1    = r1.26
+       s     = sign(<id_c.23, r1.26, pkTe.25>, x.41)
+       z     = true
+       z.1   = z.31
+  */
+
+rule (modulo E) CA_INIT_C:
+   [
+   !Cert( $C, certC, 'chip' ), Fr( ~r2 ),
+   TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 )
+   ]
+  -->
+   [
+   Out( <certC, ~r2, '4', 'c'> ), Out( iid ),
+   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, ~r2 )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_INIT_T:
+   [ In( <certC, r2, '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c ) ]
+  --[ Eq( verify_cert(certC, 'chip'), true ) ]->
+   [ Out( <'g'^skTe, '5', 't'> ), CAInitT( <$T, iid>, skTe, id_c, certC ) ]
+
+  /*
+  rule (modulo AC) CA_INIT_T:
+     [ In( <certC, r2, '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c ) ]
+    --[ Eq( z.1, true ) ]->
+     [ Out( <z, '5', 't'> ), CAInitT( <$T, iid>, skTe, id_c, certC ) ]
+    variants (modulo AC)
+    1. certC = certC.14
+       skTe  = one
+       z     = 'g'
+       z.1   = verify(cert_sig(certC.14),
+                      <cert_pk(certC.14), cert_id(certC.14), 'chip'>, pk(ca_sk))
+    
+    2. certC = certC.18
+       skTe  = skTe.22
+       z     = 'g'^skTe.22
+       z.1   = verify(cert_sig(certC.18),
+                      <cert_pk(certC.18), cert_id(certC.18), 'chip'>, pk(ca_sk))
+    
+    3. certC = cert(x.15, sign(<x.15, x.16, 'chip'>, ca_sk), x.16)
+       skTe  = one
+       z     = 'g'
+       z.1   = true
+    
+    4. certC = cert(x.16, x.17, x.18)
+       skTe  = one
+       z     = 'g'
+       z.1   = verify(x.17, <x.16, x.18, 'chip'>, pk(ca_sk))
+    
+    5. certC = cert(x.64, sign(<x.64, x.65, 'chip'>, ca_sk), x.65)
+       skTe  = skTe.36
+       z     = 'g'^skTe.36
+       z.1   = true
+    
+    6. certC = cert(x.65, x.66, x.67)
+       skTe  = skTe.37
+       z     = 'g'^skTe.37
+       z.1   = verify(x.66, <x.65, x.67, 'chip'>, pk(ca_sk))
+  */
+
+rule (modulo E) CA_FINISH_C:
+   [
+   In( <pkTe_t, '5', 't'> ),
+   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ),
+   !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+   ]
+  --[
+  Eq( pkTe_t, pkTe ),
+  Completed( <kdf_enc(pkTe^~skC, r2), kdf_mac(pkTe^~skC, r2)>,
+             <certT, certC, pkTe, 'g'^~skC, id_c, r2>, $C, 'chip', cert_id(certT)
+  )
+  ]->
+   [
+   Out( <r2, mac(pkTe, kdf_mac(pkTe^~skC, r2)), '6', 'c'> ),
+   CAFinishC( $C, cert_id(certT), kdf_enc(pkTe^~skC, r2) )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_C:
+     [
+     In( <pkTe_t, '5', 't'> ),
+     CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ),
+     !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+     ]
+    --[
+    Eq( pkTe_t, pkTe ),
+    Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>,
+               <certT, certC, pkTe, 'g'^~skC, id_c, r2>, $C, 'chip', z.1
+    )
+    ]->
+     [
+     Out( <r2, mac(pkTe, kdf_mac(z, r2)), '6', 'c'> ),
+     CAFinishC( $C, z.1, kdf_enc(z, r2) )
+     ]
+    variants (modulo AC)
+     1. ~skC  = ~skC.24
+        certT = certT.26
+        pkTe  = pkTe.29
+        z     = pkTe.29^~skC.24
+        z.1   = cert_id(certT.26)
+    
+     2. ~skC  = ~skC.31
+        certT = certT.33
+        pkTe  = z.43^inv(~skC.31)
+        z     = z.43
+        z.1   = cert_id(certT.33)
+    
+     3. ~skC  = ~skC.170
+        certT = certT.172
+        pkTe  = x.336^x.337
+        z     = x.336^(~skC.170*x.337)
+        z.1   = cert_id(certT.172)
+    
+     4. ~skC  = ~skC.170
+        certT = cert(x.336, x.337, z.185)
+        pkTe  = pkTe.175
+        z     = pkTe.175^~skC.170
+        z.1   = z.185
+    
+     5. ~skC  = ~skC.172
+        certT = cert(x.340, x.341, z.187)
+        pkTe  = z.184^inv(~skC.172)
+        z     = z.184
+        z.1   = z.187
+    
+     6. ~skC  = ~skC.175
+        certT = certT.177
+        pkTe  = x.346^inv((~skC.175*x.347))
+        z     = x.346^inv(x.347)
+        z.1   = cert_id(certT.177)
+    
+     7. ~skC  = ~skC.175
+        certT = certT.177
+        pkTe  = x.346^(x.347*inv(~skC.175))
+        z     = x.346^x.347
+        z.1   = cert_id(certT.177)
+    
+     8. ~skC  = ~skC.175
+        certT = cert(x.341, x.342, z.190)
+        pkTe  = x.346^x.347
+        z     = x.346^(~skC.175*x.347)
+        z.1   = z.190
+    
+     9. ~skC  = ~skC.176
+        certT = certT.178
+        pkTe  = x.347^(x.348*inv((~skC.176*x.349)))
+        z     = x.347^(x.348*inv(x.349))
+        z.1   = cert_id(certT.178)
+    
+    10. ~skC  = ~skC.177
+        certT = cert(x.345, x.346, z.192)
+        pkTe  = x.350^inv((~skC.177*x.351))
+        z     = x.350^inv(x.351)
+        z.1   = z.192
+    
+    11. ~skC  = ~skC.177
+        certT = cert(x.345, x.346, z.192)
+        pkTe  = x.350^(x.351*inv(~skC.177))
+        z     = x.350^x.351
+        z.1   = z.192
+    
+    12. ~skC  = ~skC.178
+        certT = cert(x.346, x.347, z.193)
+        pkTe  = x.351^(x.352*inv((~skC.178*x.353)))
+        z     = x.351^(x.352*inv(x.353))
+        z.1   = z.193
+    
+    13. certT = certT.19
+        pkTe  = DH_neutral
+        z     = DH_neutral
+        z.1   = cert_id(certT.19)
+    
+    14. certT = cert(x.201, x.202, z.110)
+        pkTe  = DH_neutral
+        z     = DH_neutral
+        z.1   = z.110
+  */
+
+rule (modulo E) CA_FINISH_T:
+   [
+   In( <r2, tag, '6', 'c'> ), CAInitT( <$T, iid>, skTe, id_c, certC ),
+   !Cert( $T, certT, 'terminal' )
+   ]
+  --[
+  Eq( tag, mac('g'^skTe, kdf_mac(cert_pk(certC)^skTe, r2)) ),
+  Completed( <kdf_enc(cert_pk(certC)^skTe, r2), 
+              kdf_mac(cert_pk(certC)^skTe, r2)>,
+             <certT, certC, 'g'^skTe, cert_pk(certC), id_c, r2>, $T, 'terminal',
+             cert_id(certC)
+  ),
+  Finished( <certT, certC, 'g'^skTe, cert_pk(certC), id_c, r2> )
+  ]->
+   [
+   CAFinishT( cert_id(certC), $T, kdf_enc(cert_pk(certC)^skTe, r2) ),
+   !SessionReveal( <certT, certC, 'g'^skTe, cert_pk(certC), id_c, r2>,
+                   <kdf_enc(cert_pk(certC)^skTe, r2), kdf_mac(cert_pk(certC)^skTe, r2)>
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_T:
+     [
+     In( <r2, tag, '6', 'c'> ), CAInitT( <$T, iid>, skTe, id_c, certC ),
+     !Cert( $T, certT, 'terminal' )
+     ]
+    --[
+    Eq( tag, mac(z.2, kdf_mac(z.1, r2)) ),
+    Completed( <kdf_enc(z.1, r2), kdf_mac(z.1, r2)>,
+               <certT, certC, z.2, z.3, id_c, r2>, $T, 'terminal', z
+    ),
+    Finished( <certT, certC, z.2, z.3, id_c, r2> )
+    ]->
+     [
+     CAFinishT( z, $T, kdf_enc(z.1, r2) ),
+     !SessionReveal( <certT, certC, z.2, z.3, id_c, r2>,
+                     <kdf_enc(z.1, r2), kdf_mac(z.1, r2)>
+     )
+     ]
+    variants (modulo AC)
+     1. certC = certC.17
+        skTe  = one
+        z     = cert_id(certC.17)
+        z.1   = cert_pk(certC.17)
+        z.2   = 'g'
+        z.3   = cert_pk(certC.17)
+    
+     2. certC = certC.22
+        skTe  = skTe.27
+        z     = cert_id(certC.22)
+        z.1   = cert_pk(certC.22)^skTe.27
+        z.2   = 'g'^skTe.27
+        z.3   = cert_pk(certC.22)
+    
+     3. certC = cert(z.27, x.39, z.26)
+        skTe  = one
+        z     = z.26
+        z.1   = z.27
+        z.2   = 'g'
+        z.3   = z.27
+    
+     4. certC = cert(z.44, x.64, z.41)
+        skTe  = skTe.36
+        z     = z.41
+        z.1   = z.44^skTe.36
+        z.2   = 'g'^skTe.36
+        z.3   = z.44
+    
+     5. certC = cert(DH_neutral, x.62, z.40)
+        skTe  = skTe.35
+        z     = z.40
+        z.1   = DH_neutral
+        z.2   = 'g'^skTe.35
+        z.3   = DH_neutral
+    
+     6. certC = cert(z.28^x.40, x.41, z.27)
+        skTe  = inv(x.40)
+        z     = z.27
+        z.1   = z.28
+        z.2   = 'g'^inv(x.40)
+        z.3   = z.28^x.40
+    
+     7. certC = cert(z.29^(x.41*inv(x.42)), x.43, z.28)
+        skTe  = (x.42*inv(x.41))
+        z     = z.28
+        z.1   = z.29
+        z.2   = 'g'^(x.42*inv(x.41))
+        z.3   = z.29^(x.41*inv(x.42))
+    
+     8. certC = cert(x.40^(x.41*x.42), x.43, z.28)
+        skTe  = inv(x.41)
+        z     = z.28
+        z.1   = x.40^x.42
+        z.2   = 'g'^inv(x.41)
+        z.3   = x.40^(x.41*x.42)
+    
+     9. certC = cert(x.41^(x.42*x.43*inv(x.44)), x.45, z.29)
+        skTe  = (x.44*inv(x.43))
+        z     = z.29
+        z.1   = x.41^x.42
+        z.2   = 'g'^(x.44*inv(x.43))
+        z.3   = x.41^(x.42*x.43*inv(x.44))
+    
+    10. certC = cert(x.41^(x.42*inv((x.43*x.44))), x.45, z.29)
+        skTe  = (x.44*inv(x.42))
+        z     = z.29
+        z.1   = x.41^inv(x.43)
+        z.2   = 'g'^(x.44*inv(x.42))
+        z.3   = x.41^(x.42*inv((x.43*x.44)))
+    
+    11. certC = cert(x.42^(x.43*x.44*inv((x.45*x.46))), x.47, z.30)
+        skTe  = (x.46*inv(x.44))
+        z     = z.30
+        z.1   = x.42^(x.43*inv(x.45))
+        z.2   = 'g'^(x.46*inv(x.44))
+        z.3   = x.42^(x.43*x.44*inv((x.45*x.46)))
+    
+    12. certC = cert(z.43^inv(skTe.37), x.66, z.42)
+        skTe  = skTe.37
+        z     = z.42
+        z.1   = z.43
+        z.2   = 'g'^skTe.37
+        z.3   = z.43^inv(skTe.37)
+    
+    13. certC = cert(x.45^x.46, x.47, z.33)
+        skTe  = inv((x.46*x.53))
+        z     = z.33
+        z.1   = x.45^inv(x.53)
+        z.2   = 'g'^inv((x.46*x.53))
+        z.3   = x.45^x.46
+    
+    14. certC = cert(x.45^x.46, x.47, z.33)
+        skTe  = (x.53*inv(x.46))
+        z     = z.33
+        z.1   = x.45^x.53
+        z.2   = 'g'^(x.53*inv(x.46))
+        z.3   = x.45^x.46
+    
+    15. certC = cert(x.45^inv(x.46), x.47, z.33)
+        skTe  = inv(x.53)
+        z     = z.33
+        z.1   = x.45^inv((x.46*x.53))
+        z.2   = 'g'^inv(x.53)
+        z.3   = x.45^inv(x.46)
+    
+    16. certC = cert(x.45^inv(x.46), x.47, z.33)
+        skTe  = (x.46*x.53)
+        z     = z.33
+        z.1   = x.45^x.53
+        z.2   = 'g'^(x.46*x.53)
+        z.3   = x.45^inv(x.46)
+    
+    17. certC = cert(x.46^x.47, x.48, z.34)
+        skTe  = (x.54*inv((x.47*x.55)))
+        z     = z.34
+        z.1   = x.46^(x.54*inv(x.55))
+        z.2   = 'g'^(x.54*inv((x.47*x.55)))
+        z.3   = x.46^x.47
+    
+    18. certC = cert(x.46^inv(x.47), x.48, z.34)
+        skTe  = (x.54*inv(x.55))
+        z     = z.34
+        z.1   = x.46^(x.54*inv((x.47*x.55)))
+        z.2   = 'g'^(x.54*inv(x.55))
+        z.3   = x.46^inv(x.47)
+    
+    19. certC = cert(x.46^inv((x.47*x.48)), x.49, z.34)
+        skTe  = (x.47*x.55)
+        z     = z.34
+        z.1   = x.46^(x.55*inv(x.48))
+        z.2   = 'g'^(x.47*x.55)
+        z.3   = x.46^inv((x.47*x.48))
+    
+    20. certC = cert(x.46^inv((x.47*x.48)), x.49, z.34)
+        skTe  = (x.47*inv(x.55))
+        z     = z.34
+        z.1   = x.46^inv((x.48*x.55))
+        z.2   = 'g'^(x.47*inv(x.55))
+        z.3   = x.46^inv((x.47*x.48))
+    
+    21. certC = cert(x.46^(x.47*x.48), x.49, z.34)
+        skTe  = inv((x.47*x.55))
+        z     = z.34
+        z.1   = x.46^(x.48*inv(x.55))
+        z.2   = 'g'^inv((x.47*x.55))
+        z.3   = x.46^(x.47*x.48)
+    
+    22. certC = cert(x.46^(x.47*x.48), x.49, z.34)
+        skTe  = (x.55*inv(x.47))
+        z     = z.34
+        z.1   = x.46^(x.48*x.55)
+        z.2   = 'g'^(x.55*inv(x.47))
+        z.3   = x.46^(x.47*x.48)
+    
+    23. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34)
+        skTe  = inv(x.55)
+        z     = z.34
+        z.1   = x.46^(x.47*inv((x.48*x.55)))
+        z.2   = 'g'^inv(x.55)
+        z.3   = x.46^(x.47*inv(x.48))
+    
+    24. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34)
+        skTe  = inv((x.47*x.55))
+        z     = z.34
+        z.1   = x.46^inv((x.48*x.55))
+        z.2   = 'g'^inv((x.47*x.55))
+        z.3   = x.46^(x.47*inv(x.48))
+    
+    25. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34)
+        skTe  = (x.48*x.55)
+        z     = z.34
+        z.1   = x.46^(x.47*x.55)
+        z.2   = 'g'^(x.48*x.55)
+        z.3   = x.46^(x.47*inv(x.48))
+    
+    26. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34)
+        skTe  = (x.48*x.55*inv(x.47))
+        z     = z.34
+        z.1   = x.46^x.55
+        z.2   = 'g'^(x.48*x.55*inv(x.47))
+        z.3   = x.46^(x.47*inv(x.48))
+    
+    27. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34)
+        skTe  = (x.48*inv((x.47*x.55)))
+        z     = z.34
+        z.1   = x.46^inv(x.55)
+        z.2   = 'g'^(x.48*inv((x.47*x.55)))
+        z.3   = x.46^(x.47*inv(x.48))
+    
+    28. certC = cert(x.47^inv((x.48*x.49)), x.50, z.35)
+        skTe  = (x.48*x.56*inv(x.57))
+        z     = z.35
+        z.1   = x.47^(x.56*inv((x.49*x.57)))
+        z.2   = 'g'^(x.48*x.56*inv(x.57))
+        z.3   = x.47^inv((x.48*x.49))
+    
+    29. certC = cert(x.47^(x.48*x.49), x.50, z.35)
+        skTe  = (x.56*inv((x.48*x.57)))
+        z     = z.35
+        z.1   = x.47^(x.49*x.56*inv(x.57))
+        z.2   = 'g'^(x.56*inv((x.48*x.57)))
+        z.3   = x.47^(x.48*x.49)
+    
+    30. certC = cert(x.47^(x.48*x.49*inv(x.50)), x.51, z.35)
+        skTe  = inv((x.49*x.57))
+        z     = z.35
+        z.1   = x.47^(x.48*inv((x.50*x.57)))
+        z.2   = 'g'^inv((x.49*x.57))
+        z.3   = x.47^(x.48*x.49*inv(x.50))
+    
+    31. certC = cert(x.47^(x.48*x.49*inv(x.50)), x.51, z.35)
+        skTe  = (x.50*x.57*inv(x.48))
+        z     = z.35
+        z.1   = x.47^(x.49*x.57)
+        z.2   = 'g'^(x.50*x.57*inv(x.48))
+        z.3   = x.47^(x.48*x.49*inv(x.50))
+    
+    32. certC = cert(x.47^(x.48*x.49*inv(x.50)), x.51, z.35)
+        skTe  = (x.50*inv((x.48*x.57)))
+        z     = z.35
+        z.1   = x.47^(x.49*inv(x.57))
+        z.2   = 'g'^(x.50*inv((x.48*x.57)))
+        z.3   = x.47^(x.48*x.49*inv(x.50))
+    
+    33. certC = cert(x.47^(x.48*inv(x.49)), x.50, z.35)
+        skTe  = (x.49*x.56*inv((x.48*x.57)))
+        z     = z.35
+        z.1   = x.47^(x.56*inv(x.57))
+        z.2   = 'g'^(x.49*x.56*inv((x.48*x.57)))
+        z.3   = x.47^(x.48*inv(x.49))
+    
+    34. certC = cert(x.47^(x.48*inv(x.49)), x.50, z.35)
+        skTe  = (x.56*inv(x.57))
+        z     = z.35
+        z.1   = x.47^(x.48*x.56*inv((x.49*x.57)))
+        z.2   = 'g'^(x.56*inv(x.57))
+        z.3   = x.47^(x.48*inv(x.49))
+    
+    35. certC = cert(x.47^(x.48*inv(x.49)), x.50, z.35)
+        skTe  = (x.56*inv((x.48*x.57)))
+        z     = z.35
+        z.1   = x.47^(x.56*inv((x.49*x.57)))
+        z.2   = 'g'^(x.56*inv((x.48*x.57)))
+        z.3   = x.47^(x.48*inv(x.49))
+    
+    36. certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35)
+        skTe  = (x.49*x.57)
+        z     = z.35
+        z.1   = x.47^(x.48*x.57*inv(x.50))
+        z.2   = 'g'^(x.49*x.57)
+        z.3   = x.47^(x.48*inv((x.49*x.50)))
+    
+    37. certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35)
+        skTe  = (x.49*x.57*inv(x.48))
+        z     = z.35
+        z.1   = x.47^(x.57*inv(x.50))
+        z.2   = 'g'^(x.49*x.57*inv(x.48))
+        z.3   = x.47^(x.48*inv((x.49*x.50)))
+    
+    38. certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35)
+        skTe  = (x.49*inv(x.57))
+        z     = z.35
+        z.1   = x.47^(x.48*inv((x.50*x.57)))
+        z.2   = 'g'^(x.49*inv(x.57))
+        z.3   = x.47^(x.48*inv((x.49*x.50)))
+    
+    39. certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35)
+        skTe  = (x.49*inv((x.48*x.57)))
+        z     = z.35
+        z.1   = x.47^inv((x.50*x.57))
+        z.2   = 'g'^(x.49*inv((x.48*x.57)))
+        z.3   = x.47^(x.48*inv((x.49*x.50)))
+    
+    40. certC = cert(x.48^(x.49*x.50*inv(x.51)), x.52, z.36)
+        skTe  = (x.51*x.58*inv((x.49*x.59)))
+        z     = z.36
+        z.1   = x.48^(x.50*x.58*inv(x.59))
+        z.2   = 'g'^(x.51*x.58*inv((x.49*x.59)))
+        z.3   = x.48^(x.49*x.50*inv(x.51))
+    
+    41. certC = cert(x.48^(x.49*x.50*inv(x.51)), x.52, z.36)
+        skTe  = (x.58*inv((x.49*x.59)))
+        z     = z.36
+        z.1   = x.48^(x.50*x.58*inv((x.51*x.59)))
+        z.2   = 'g'^(x.58*inv((x.49*x.59)))
+        z.3   = x.48^(x.49*x.50*inv(x.51))
+    
+    42. certC = cert(x.48^(x.49*x.50*inv((x.51*x.52))), x.53, z.36)
+        skTe  = (x.51*x.59*inv(x.49))
+        z     = z.36
+        z.1   = x.48^(x.50*x.59*inv(x.52))
+        z.2   = 'g'^(x.51*x.59*inv(x.49))
+        z.3   = x.48^(x.49*x.50*inv((x.51*x.52)))
+    
+    43. certC = cert(x.48^(x.49*x.50*inv((x.51*x.52))), x.53, z.36)
+        skTe  = (x.51*inv((x.49*x.59)))
+        z     = z.36
+        z.1   = x.48^(x.50*inv((x.52*x.59)))
+        z.2   = 'g'^(x.51*inv((x.49*x.59)))
+        z.3   = x.48^(x.49*x.50*inv((x.51*x.52)))
+    
+    44. certC = cert(x.48^(x.49*inv((x.50*x.51))), x.52, z.36)
+        skTe  = (x.50*x.58*inv(x.59))
+        z     = z.36
+        z.1   = x.48^(x.49*x.58*inv((x.51*x.59)))
+        z.2   = 'g'^(x.50*x.58*inv(x.59))
+        z.3   = x.48^(x.49*inv((x.50*x.51)))
+    
+    45. certC = cert(x.48^(x.49*inv((x.50*x.51))), x.52, z.36)
+        skTe  = (x.50*x.58*inv((x.49*x.59)))
+        z     = z.36
+        z.1   = x.48^(x.58*inv((x.51*x.59)))
+        z.2   = 'g'^(x.50*x.58*inv((x.49*x.59)))
+        z.3   = x.48^(x.49*inv((x.50*x.51)))
+    
+    46. certC = cert(x.49^(x.50*x.51*inv((x.52*x.53))), x.54, z.37)
+        skTe  = (x.52*x.60*inv((x.50*x.61)))
+        z     = z.37
+        z.1   = x.49^(x.51*x.60*inv((x.53*x.61)))
+        z.2   = 'g'^(x.52*x.60*inv((x.50*x.61)))
+        z.3   = x.49^(x.50*x.51*inv((x.52*x.53)))
+    
+    47. certC = cert(x.64^x.65, x.66, z.42)
+        skTe  = skTe.37
+        z     = z.42
+        z.1   = x.64^(skTe.37*x.65)
+        z.2   = 'g'^skTe.37
+        z.3   = x.64^x.65
+    
+    48. certC = cert(x.65^inv((skTe.38*x.66)), x.68, z.43)
+        skTe  = skTe.38
+        z     = z.43
+        z.1   = x.65^inv(x.66)
+        z.2   = 'g'^skTe.38
+        z.3   = x.65^inv((skTe.38*x.66))
+    
+    49. certC = cert(x.65^(x.66*inv(skTe.38)), x.68, z.43)
+        skTe  = skTe.38
+        z     = z.43
+        z.1   = x.65^x.66
+        z.2   = 'g'^skTe.38
+        z.3   = x.65^(x.66*inv(skTe.38))
+    
+    50. certC = cert(x.66^(x.67*inv((skTe.39*x.68))), x.70, z.44)
+        skTe  = skTe.39
+        z     = z.44
+        z.1   = x.66^(x.67*inv(x.68))
+        z.2   = 'g'^skTe.39
+        z.3   = x.66^(x.67*inv((skTe.39*x.68)))
+  */
+
+rule (modulo E) Verify_Transcript_C:
+   [
+   In( <certT, pkTe, IDc, r1, s1, certC, pkTe2, r2, tag> ),
+   !Ltk( C, skC, 'chip' )
+   ]
+  --[
+  Eq( C, cert_id(certC) ), Eq( tag, mac(pkTe, kdf_mac(pkTe^skC, r2)) ),
+  Eq( pkTe, pkTe2 ), Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( verify_cert(certC, 'chip'), true ),
+  Eq( verify(s1, <IDc, r1, pkTe>, cert_pk(certT)), true ),
+  ValidTrans( C, 'chip', cert_id(certT) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_C:
+     [
+     In( <certT, pkTe, IDc, r1, s1, certC, pkTe2, r2, tag> ),
+     !Ltk( C, skC, 'chip' )
+     ]
+    --[
+    Eq( C, z ), Eq( tag, mac(pkTe, kdf_mac(z.1, r2)) ), Eq( pkTe, pkTe2 ),
+    Eq( z.2, true ), Eq( z.3, true ), Eq( z.4, true ),
+    ValidTrans( C, 'chip', z.5 )
+    ]->
+     [ ]
+    variants (modulo AC)
+      1. IDc   = IDc.20
+         certC = certC.21
+         certT = certT.22
+         pkTe  = pkTe.23
+         r1    = r1.25
+         s1    = s1.27
+         skC   = skC.28
+         z     = cert_id(certC.21)
+         z.1   = pkTe.23^skC.28
+         z.2   = verify(cert_sig(certT.22),
+                        <cert_pk(certT.22), cert_id(certT.22), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.21),
+                        <cert_pk(certC.21), cert_id(certC.21), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.27, <IDc.20, r1.25, pkTe.23>, cert_pk(certT.22))
+         z.5   = cert_id(certT.22)
+    
+      2. IDc   = IDc.20
+         certC = certC.21
+         certT = certT.22
+         pkTe  = pkTe.23
+         r1    = r1.25
+         s1    = s1.27
+         skC   = one
+         z     = cert_id(certC.21)
+         z.1   = pkTe.23
+         z.2   = verify(cert_sig(certT.22),
+                        <cert_pk(certT.22), cert_id(certT.22), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.21),
+                        <cert_pk(certC.21), cert_id(certC.21), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.27, <IDc.20, r1.25, pkTe.23>, cert_pk(certT.22))
+         z.5   = cert_id(certT.22)
+    
+      3. IDc   = IDc.20
+         certC = certC.21
+         certT = certT.22
+         pkTe  = DH_neutral
+         r1    = r1.25
+         s1    = s1.27
+         z     = cert_id(certC.21)
+         z.1   = DH_neutral
+         z.2   = verify(cert_sig(certT.22),
+                        <cert_pk(certT.22), cert_id(certT.22), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.21),
+                        <cert_pk(certC.21), cert_id(certC.21), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.27, <IDc.20, r1.25, DH_neutral>, cert_pk(certT.22))
+         z.5   = cert_id(certT.22)
+    
+      4. IDc   = IDc.22
+         certC = certC.23
+         certT = certT.24
+         pkTe  = z.34^x.40
+         r1    = r1.27
+         s1    = s1.29
+         skC   = inv(x.40)
+         z     = cert_id(certC.23)
+         z.1   = z.34
+         z.2   = verify(cert_sig(certT.24),
+                        <cert_pk(certT.24), cert_id(certT.24), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.23),
+                        <cert_pk(certC.23), cert_id(certC.23), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.29, <IDc.22, r1.27, z.34^x.40>, cert_pk(certT.24))
+         z.5   = cert_id(certT.24)
+    
+      5. IDc   = IDc.22
+         certC = certC.23
+         certT = certT.24
+         pkTe  = z.34^inv(skC.30)
+         r1    = r1.27
+         s1    = s1.29
+         skC   = skC.30
+         z     = cert_id(certC.23)
+         z.1   = z.34
+         z.2   = verify(cert_sig(certT.24),
+                        <cert_pk(certT.24), cert_id(certT.24), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.23),
+                        <cert_pk(certC.23), cert_id(certC.23), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.29, <IDc.22, r1.27, z.34^inv(skC.30)>,
+                        cert_pk(certT.24))
+         z.5   = cert_id(certT.24)
+    
+      6. IDc   = IDc.22
+         certC = certC.23
+         certT = certT.24
+         pkTe  = x.39^x.40
+         r1    = r1.27
+         s1    = s1.29
+         skC   = skC.30
+         z     = cert_id(certC.23)
+         z.1   = x.39^(skC.30*x.40)
+         z.2   = verify(cert_sig(certT.24),
+                        <cert_pk(certT.24), cert_id(certT.24), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.23),
+                        <cert_pk(certC.23), cert_id(certC.23), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.29, <IDc.22, r1.27, x.39^x.40>, cert_pk(certT.24))
+         z.5   = cert_id(certT.24)
+    
+      7. IDc   = IDc.22
+         certC = certC.23
+         certT = cert(x.39, sign(<x.39, z.38, 'terminal'>, ca_sk), z.38)
+         pkTe  = pkTe.25
+         r1    = r1.27
+         s1    = s1.29
+         skC   = skC.30
+         z     = cert_id(certC.23)
+         z.1   = pkTe.25^skC.30
+         z.2   = true
+         z.3   = verify(cert_sig(certC.23),
+                        <cert_pk(certC.23), cert_id(certC.23), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.29, <IDc.22, r1.27, pkTe.25>, x.39)
+         z.5   = z.38
+    
+      8. IDc   = IDc.22
+         certC = certC.23
+         certT = cert(x.39, sign(<x.39, z.38, 'terminal'>, ca_sk), z.38)
+         pkTe  = pkTe.25
+         r1    = r1.27
+         s1    = s1.29
+         skC   = one
+         z     = cert_id(certC.23)
+         z.1   = pkTe.25
+         z.2   = true
+         z.3   = verify(cert_sig(certC.23),
+                        <cert_pk(certC.23), cert_id(certC.23), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.29, <IDc.22, r1.27, pkTe.25>, x.39)
+         z.5   = z.38
+    
+      9. IDc   = IDc.22
+         certC = certC.23
+         certT = cert(x.39, sign(<x.39, z.38, 'terminal'>, ca_sk), z.38)
+         pkTe  = DH_neutral
+         r1    = r1.27
+         s1    = s1.29
+         z     = cert_id(certC.23)
+         z.1   = DH_neutral
+         z.2   = true
+         z.3   = verify(cert_sig(certC.23),
+                        <cert_pk(certC.23), cert_id(certC.23), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.29, <IDc.22, r1.27, DH_neutral>, x.39)
+         z.5   = z.38
+    
+     10. IDc   = IDc.22
+         certC = cert(x.39, sign(<x.39, z.33, 'chip'>, ca_sk), z.33)
+         certT = certT.24
+         pkTe  = pkTe.25
+         r1    = r1.27
+         s1    = s1.29
+         skC   = skC.30
+         z     = z.33
+         z.1   = pkTe.25^skC.30
+         z.2   = verify(cert_sig(certT.24),
+                        <cert_pk(certT.24), cert_id(certT.24), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.29, <IDc.22, r1.27, pkTe.25>, cert_pk(certT.24))
+         z.5   = cert_id(certT.24)
+    
+     11. IDc   = IDc.22
+         certC = cert(x.39, sign(<x.39, z.33, 'chip'>, ca_sk), z.33)
+         certT = certT.24
+         pkTe  = pkTe.25
+         r1    = r1.27
+         s1    = s1.29
+         skC   = one
+         z     = z.33
+         z.1   = pkTe.25
+         z.2   = verify(cert_sig(certT.24),
+                        <cert_pk(certT.24), cert_id(certT.24), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.29, <IDc.22, r1.27, pkTe.25>, cert_pk(certT.24))
+         z.5   = cert_id(certT.24)
+    
+     12. IDc   = IDc.22
+         certC = cert(x.39, sign(<x.39, z.33, 'chip'>, ca_sk), z.33)
+         certT = certT.24
+         pkTe  = DH_neutral
+         r1    = r1.27
+         s1    = s1.29
+         z     = z.33
+         z.1   = DH_neutral
+         z.2   = verify(cert_sig(certT.24),
+                        <cert_pk(certT.24), cert_id(certT.24), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.29, <IDc.22, r1.27, DH_neutral>, cert_pk(certT.24))
+         z.5   = cert_id(certT.24)
+    
+     13. IDc   = IDc.23
+         certC = certC.24
+         certT = certT.25
+         pkTe  = z.35^(x.41*inv(x.42))
+         r1    = r1.28
+         s1    = s1.30
+         skC   = (x.42*inv(x.41))
+         z     = cert_id(certC.24)
+         z.1   = z.35
+         z.2   = verify(cert_sig(certT.25),
+                        <cert_pk(certT.25), cert_id(certT.25), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.24),
+                        <cert_pk(certC.24), cert_id(certC.24), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.23, r1.28, z.35^(x.41*inv(x.42))>,
+                        cert_pk(certT.25))
+         z.5   = cert_id(certT.25)
+    
+     14. IDc   = IDc.23
+         certC = certC.24
+         certT = certT.25
+         pkTe  = x.40^inv((skC.31*x.41))
+         r1    = r1.28
+         s1    = s1.30
+         skC   = skC.31
+         z     = cert_id(certC.24)
+         z.1   = x.40^inv(x.41)
+         z.2   = verify(cert_sig(certT.25),
+                        <cert_pk(certT.25), cert_id(certT.25), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.24),
+                        <cert_pk(certC.24), cert_id(certC.24), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.23, r1.28, x.40^inv((skC.31*x.41))>,
+                        cert_pk(certT.25))
+         z.5   = cert_id(certT.25)
+    
+     15. IDc   = IDc.23
+         certC = certC.24
+         certT = certT.25
+         pkTe  = x.40^(x.41*x.42)
+         r1    = r1.28
+         s1    = s1.30
+         skC   = inv(x.41)
+         z     = cert_id(certC.24)
+         z.1   = x.40^x.42
+         z.2   = verify(cert_sig(certT.25),
+                        <cert_pk(certT.25), cert_id(certT.25), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.24),
+                        <cert_pk(certC.24), cert_id(certC.24), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.23, r1.28, x.40^(x.41*x.42)>,
+                        cert_pk(certT.25))
+         z.5   = cert_id(certT.25)
+    
+     16. IDc   = IDc.23
+         certC = certC.24
+         certT = certT.25
+         pkTe  = x.40^(x.41*inv(skC.31))
+         r1    = r1.28
+         s1    = s1.30
+         skC   = skC.31
+         z     = cert_id(certC.24)
+         z.1   = x.40^x.41
+         z.2   = verify(cert_sig(certT.25),
+                        <cert_pk(certT.25), cert_id(certT.25), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.24),
+                        <cert_pk(certC.24), cert_id(certC.24), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.23, r1.28, x.40^(x.41*inv(skC.31))>,
+                        cert_pk(certT.25))
+         z.5   = cert_id(certT.25)
+    
+     17. IDc   = IDc.23
+         certC = certC.24
+         certT = cert(x.40, x.41, z.39)
+         pkTe  = pkTe.26
+         r1    = r1.28
+         s1    = s1.30
+         skC   = skC.31
+         z     = cert_id(certC.24)
+         z.1   = pkTe.26^skC.31
+         z.2   = verify(x.41, <x.40, z.39, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.24),
+                        <cert_pk(certC.24), cert_id(certC.24), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.23, r1.28, pkTe.26>, x.40)
+         z.5   = z.39
+    
+     18. IDc   = IDc.23
+         certC = certC.24
+         certT = cert(x.40, x.41, z.39)
+         pkTe  = pkTe.26
+         r1    = r1.28
+         s1    = s1.30
+         skC   = one
+         z     = cert_id(certC.24)
+         z.1   = pkTe.26
+         z.2   = verify(x.41, <x.40, z.39, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.24),
+                        <cert_pk(certC.24), cert_id(certC.24), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.23, r1.28, pkTe.26>, x.40)
+         z.5   = z.39
+    
+     19. IDc   = IDc.23
+         certC = certC.24
+         certT = cert(x.40, x.41, z.39)
+         pkTe  = DH_neutral
+         r1    = r1.28
+         s1    = s1.30
+         z     = cert_id(certC.24)
+         z.1   = DH_neutral
+         z.2   = verify(x.41, <x.40, z.39, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.24),
+                        <cert_pk(certC.24), cert_id(certC.24), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.23, r1.28, DH_neutral>, x.40)
+         z.5   = z.39
+    
+     20. IDc   = IDc.23
+         certC = cert(x.40, x.41, z.34)
+         certT = certT.25
+         pkTe  = pkTe.26
+         r1    = r1.28
+         s1    = s1.30
+         skC   = skC.31
+         z     = z.34
+         z.1   = pkTe.26^skC.31
+         z.2   = verify(cert_sig(certT.25),
+                        <cert_pk(certT.25), cert_id(certT.25), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.41, <x.40, z.34, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.23, r1.28, pkTe.26>, cert_pk(certT.25))
+         z.5   = cert_id(certT.25)
+    
+     21. IDc   = IDc.23
+         certC = cert(x.40, x.41, z.34)
+         certT = certT.25
+         pkTe  = pkTe.26
+         r1    = r1.28
+         s1    = s1.30
+         skC   = one
+         z     = z.34
+         z.1   = pkTe.26
+         z.2   = verify(cert_sig(certT.25),
+                        <cert_pk(certT.25), cert_id(certT.25), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.41, <x.40, z.34, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.23, r1.28, pkTe.26>, cert_pk(certT.25))
+         z.5   = cert_id(certT.25)
+    
+     22. IDc   = IDc.23
+         certC = cert(x.40, x.41, z.34)
+         certT = certT.25
+         pkTe  = DH_neutral
+         r1    = r1.28
+         s1    = s1.30
+         z     = z.34
+         z.1   = DH_neutral
+         z.2   = verify(cert_sig(certT.25),
+                        <cert_pk(certT.25), cert_id(certT.25), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.41, <x.40, z.34, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.23, r1.28, DH_neutral>, cert_pk(certT.25))
+         z.5   = cert_id(certT.25)
+    
+     23. IDc   = IDc.24
+         certC = certC.25
+         certT = certT.26
+         pkTe  = x.41^(x.42*x.43*inv(x.44))
+         r1    = r1.29
+         s1    = s1.31
+         skC   = (x.44*inv(x.43))
+         z     = cert_id(certC.25)
+         z.1   = x.41^x.42
+         z.2   = verify(cert_sig(certT.26),
+                        <cert_pk(certT.26), cert_id(certT.26), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.25),
+                        <cert_pk(certC.25), cert_id(certC.25), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.31, <IDc.24, r1.29, x.41^(x.42*x.43*inv(x.44))>,
+                        cert_pk(certT.26))
+         z.5   = cert_id(certT.26)
+    
+     24. IDc   = IDc.24
+         certC = certC.25
+         certT = certT.26
+         pkTe  = x.41^(x.42*inv((skC.32*x.43)))
+         r1    = r1.29
+         s1    = s1.31
+         skC   = skC.32
+         z     = cert_id(certC.25)
+         z.1   = x.41^(x.42*inv(x.43))
+         z.2   = verify(cert_sig(certT.26),
+                        <cert_pk(certT.26), cert_id(certT.26), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.25),
+                        <cert_pk(certC.25), cert_id(certC.25), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.31, <IDc.24, r1.29, x.41^(x.42*inv((skC.32*x.43)))>,
+                        cert_pk(certT.26))
+         z.5   = cert_id(certT.26)
+    
+     25. IDc   = IDc.24
+         certC = certC.25
+         certT = certT.26
+         pkTe  = x.41^(x.42*inv((x.43*x.44)))
+         r1    = r1.29
+         s1    = s1.31
+         skC   = (x.44*inv(x.42))
+         z     = cert_id(certC.25)
+         z.1   = x.41^inv(x.43)
+         z.2   = verify(cert_sig(certT.26),
+                        <cert_pk(certT.26), cert_id(certT.26), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.25),
+                        <cert_pk(certC.25), cert_id(certC.25), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.31, <IDc.24, r1.29, x.41^(x.42*inv((x.43*x.44)))>,
+                        cert_pk(certT.26))
+         z.5   = cert_id(certT.26)
+    
+     26. IDc   = IDc.24
+         certC = certC.25
+         certT = cert(x.41, sign(<x.41, z.40, 'terminal'>, ca_sk), z.40)
+         pkTe  = z.36^x.44
+         r1    = r1.29
+         s1    = s1.31
+         skC   = inv(x.44)
+         z     = cert_id(certC.25)
+         z.1   = z.36
+         z.2   = true
+         z.3   = verify(cert_sig(certC.25),
+                        <cert_pk(certC.25), cert_id(certC.25), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.31, <IDc.24, r1.29, z.36^x.44>, x.41)
+         z.5   = z.40
+    
+     27. IDc   = IDc.24
+         certC = certC.25
+         certT = cert(x.41, sign(<x.41, z.40, 'terminal'>, ca_sk), z.40)
+         pkTe  = z.36^inv(skC.32)
+         r1    = r1.29
+         s1    = s1.31
+         skC   = skC.32
+         z     = cert_id(certC.25)
+         z.1   = z.36
+         z.2   = true
+         z.3   = verify(cert_sig(certC.25),
+                        <cert_pk(certC.25), cert_id(certC.25), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.31, <IDc.24, r1.29, z.36^inv(skC.32)>, x.41)
+         z.5   = z.40
+    
+     28. IDc   = IDc.24
+         certC = certC.25
+         certT = cert(x.41, sign(<x.41, z.40, 'terminal'>, ca_sk), z.40)
+         pkTe  = x.43^x.44
+         r1    = r1.29
+         s1    = s1.31
+         skC   = skC.32
+         z     = cert_id(certC.25)
+         z.1   = x.43^(skC.32*x.44)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.25),
+                        <cert_pk(certC.25), cert_id(certC.25), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.31, <IDc.24, r1.29, x.43^x.44>, x.41)
+         z.5   = z.40
+    
+     29. IDc   = IDc.24
+         certC = cert(x.41, sign(<x.41, z.35, 'chip'>, ca_sk), z.35)
+         certT = cert(x.43, sign(<x.43, z.40, 'terminal'>, ca_sk), z.40)
+         pkTe  = pkTe.27
+         r1    = r1.29
+         s1    = s1.31
+         skC   = skC.32
+         z     = z.35
+         z.1   = pkTe.27^skC.32
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.31, <IDc.24, r1.29, pkTe.27>, x.43)
+         z.5   = z.40
+    
+     30. IDc   = IDc.24
+         certC = cert(x.41, sign(<x.41, z.35, 'chip'>, ca_sk), z.35)
+         certT = cert(x.43, sign(<x.43, z.40, 'terminal'>, ca_sk), z.40)
+         pkTe  = pkTe.27
+         r1    = r1.29
+         s1    = s1.31
+         skC   = one
+         z     = z.35
+         z.1   = pkTe.27
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.31, <IDc.24, r1.29, pkTe.27>, x.43)
+         z.5   = z.40
+    
+     31. IDc   = IDc.24
+         certC = cert(x.41, sign(<x.41, z.35, 'chip'>, ca_sk), z.35)
+         certT = cert(x.43, sign(<x.43, z.40, 'terminal'>, ca_sk), z.40)
+         pkTe  = DH_neutral
+         r1    = r1.29
+         s1    = s1.31
+         z     = z.35
+         z.1   = DH_neutral
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.31, <IDc.24, r1.29, DH_neutral>, x.43)
+         z.5   = z.40
+    
+     32. IDc   = IDc.25
+         certC = certC.26
+         certT = certT.27
+         pkTe  = x.42^(x.43*x.44*inv((x.45*x.46)))
+         r1    = r1.30
+         s1    = s1.32
+         skC   = (x.46*inv(x.44))
+         z     = cert_id(certC.26)
+         z.1   = x.42^(x.43*inv(x.45))
+         z.2   = verify(cert_sig(certT.27),
+                        <cert_pk(certT.27), cert_id(certT.27), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.26),
+                        <cert_pk(certC.26), cert_id(certC.26), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.25, r1.30, x.42^(x.43*x.44*inv((x.45*x.46)))>,
+                        cert_pk(certT.27))
+         z.5   = cert_id(certT.27)
+    
+     33. IDc   = IDc.25
+         certC = certC.26
+         certT = cert(x.42, x.43, z.41)
+         pkTe  = z.37^x.46
+         r1    = r1.30
+         s1    = s1.32
+         skC   = inv(x.46)
+         z     = cert_id(certC.26)
+         z.1   = z.37
+         z.2   = verify(x.43, <x.42, z.41, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.26),
+                        <cert_pk(certC.26), cert_id(certC.26), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.25, r1.30, z.37^x.46>, x.42)
+         z.5   = z.41
+    
+     34. IDc   = IDc.25
+         certC = certC.26
+         certT = cert(x.42, x.43, z.41)
+         pkTe  = z.37^inv(skC.33)
+         r1    = r1.30
+         s1    = s1.32
+         skC   = skC.33
+         z     = cert_id(certC.26)
+         z.1   = z.37
+         z.2   = verify(x.43, <x.42, z.41, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.26),
+                        <cert_pk(certC.26), cert_id(certC.26), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.25, r1.30, z.37^inv(skC.33)>, x.42)
+         z.5   = z.41
+    
+     35. IDc   = IDc.25
+         certC = certC.26
+         certT = cert(x.42, x.43, z.41)
+         pkTe  = x.45^x.46
+         r1    = r1.30
+         s1    = s1.32
+         skC   = skC.33
+         z     = cert_id(certC.26)
+         z.1   = x.45^(skC.33*x.46)
+         z.2   = verify(x.43, <x.42, z.41, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.26),
+                        <cert_pk(certC.26), cert_id(certC.26), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.25, r1.30, x.45^x.46>, x.42)
+         z.5   = z.41
+    
+     36. IDc   = IDc.25
+         certC = certC.26
+         certT = cert(x.42, sign(<x.42, z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = z.37^(x.45*inv(x.46))
+         r1    = r1.30
+         s1    = s1.32
+         skC   = (x.46*inv(x.45))
+         z     = cert_id(certC.26)
+         z.1   = z.37
+         z.2   = true
+         z.3   = verify(cert_sig(certC.26),
+                        <cert_pk(certC.26), cert_id(certC.26), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.25, r1.30, z.37^(x.45*inv(x.46))>, x.42)
+         z.5   = z.41
+    
+     37. IDc   = IDc.25
+         certC = certC.26
+         certT = cert(x.42, sign(<x.42, z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = x.44^inv((skC.33*x.45))
+         r1    = r1.30
+         s1    = s1.32
+         skC   = skC.33
+         z     = cert_id(certC.26)
+         z.1   = x.44^inv(x.45)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.26),
+                        <cert_pk(certC.26), cert_id(certC.26), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.25, r1.30, x.44^inv((skC.33*x.45))>, x.42)
+         z.5   = z.41
+    
+     38. IDc   = IDc.25
+         certC = certC.26
+         certT = cert(x.42, sign(<x.42, z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = x.44^(x.45*x.46)
+         r1    = r1.30
+         s1    = s1.32
+         skC   = inv(x.45)
+         z     = cert_id(certC.26)
+         z.1   = x.44^x.46
+         z.2   = true
+         z.3   = verify(cert_sig(certC.26),
+                        <cert_pk(certC.26), cert_id(certC.26), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.25, r1.30, x.44^(x.45*x.46)>, x.42)
+         z.5   = z.41
+    
+     39. IDc   = IDc.25
+         certC = certC.26
+         certT = cert(x.42, sign(<x.42, z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = x.44^(x.45*inv(skC.33))
+         r1    = r1.30
+         s1    = s1.32
+         skC   = skC.33
+         z     = cert_id(certC.26)
+         z.1   = x.44^x.45
+         z.2   = true
+         z.3   = verify(cert_sig(certC.26),
+                        <cert_pk(certC.26), cert_id(certC.26), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.25, r1.30, x.44^(x.45*inv(skC.33))>, x.42)
+         z.5   = z.41
+    
+     40. IDc   = IDc.25
+         certC = cert(x.42, x.43, z.36)
+         certT = cert(x.45, sign(<x.45, z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skC   = skC.33
+         z     = z.36
+         z.1   = pkTe.28^skC.33
+         z.2   = true
+         z.3   = verify(x.43, <x.42, z.36, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.25, r1.30, pkTe.28>, x.45)
+         z.5   = z.41
+    
+     41. IDc   = IDc.25
+         certC = cert(x.42, x.43, z.36)
+         certT = cert(x.45, sign(<x.45, z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skC   = one
+         z     = z.36
+         z.1   = pkTe.28
+         z.2   = true
+         z.3   = verify(x.43, <x.42, z.36, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.25, r1.30, pkTe.28>, x.45)
+         z.5   = z.41
+    
+     42. IDc   = IDc.25
+         certC = cert(x.42, x.43, z.36)
+         certT = cert(x.45, sign(<x.45, z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = DH_neutral
+         r1    = r1.30
+         s1    = s1.32
+         z     = z.36
+         z.1   = DH_neutral
+         z.2   = true
+         z.3   = verify(x.43, <x.42, z.36, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.25, r1.30, DH_neutral>, x.45)
+         z.5   = z.41
+    
+     43. IDc   = IDc.25
+         certC = cert(x.42, sign(<x.42, z.36, 'chip'>, ca_sk), z.36)
+         certT = certT.27
+         pkTe  = z.37^x.46
+         r1    = r1.30
+         s1    = s1.32
+         skC   = inv(x.46)
+         z     = z.36
+         z.1   = z.37
+         z.2   = verify(cert_sig(certT.27),
+                        <cert_pk(certT.27), cert_id(certT.27), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.25, r1.30, z.37^x.46>, cert_pk(certT.27))
+         z.5   = cert_id(certT.27)
+    
+     44. IDc   = IDc.25
+         certC = cert(x.42, sign(<x.42, z.36, 'chip'>, ca_sk), z.36)
+         certT = certT.27
+         pkTe  = z.37^inv(skC.33)
+         r1    = r1.30
+         s1    = s1.32
+         skC   = skC.33
+         z     = z.36
+         z.1   = z.37
+         z.2   = verify(cert_sig(certT.27),
+                        <cert_pk(certT.27), cert_id(certT.27), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.25, r1.30, z.37^inv(skC.33)>,
+                        cert_pk(certT.27))
+         z.5   = cert_id(certT.27)
+    
+     45. IDc   = IDc.25
+         certC = cert(x.42, sign(<x.42, z.36, 'chip'>, ca_sk), z.36)
+         certT = certT.27
+         pkTe  = x.45^x.46
+         r1    = r1.30
+         s1    = s1.32
+         skC   = skC.33
+         z     = z.36
+         z.1   = x.45^(skC.33*x.46)
+         z.2   = verify(cert_sig(certT.27),
+                        <cert_pk(certT.27), cert_id(certT.27), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.25, r1.30, x.45^x.46>, cert_pk(certT.27))
+         z.5   = cert_id(certT.27)
+    
+     46. IDc   = IDc.25
+         certC = cert(x.42, sign(<x.42, z.36, 'chip'>, ca_sk), z.36)
+         certT = cert(x.44, x.45, z.41)
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skC   = skC.33
+         z     = z.36
+         z.1   = pkTe.28^skC.33
+         z.2   = verify(x.45, <x.44, z.41, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.25, r1.30, pkTe.28>, x.44)
+         z.5   = z.41
+    
+     47. IDc   = IDc.25
+         certC = cert(x.42, sign(<x.42, z.36, 'chip'>, ca_sk), z.36)
+         certT = cert(x.44, x.45, z.41)
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skC   = one
+         z     = z.36
+         z.1   = pkTe.28
+         z.2   = verify(x.45, <x.44, z.41, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.25, r1.30, pkTe.28>, x.44)
+         z.5   = z.41
+    
+     48. IDc   = IDc.25
+         certC = cert(x.42, sign(<x.42, z.36, 'chip'>, ca_sk), z.36)
+         certT = cert(x.44, x.45, z.41)
+         pkTe  = DH_neutral
+         r1    = r1.30
+         s1    = s1.32
+         z     = z.36
+         z.1   = DH_neutral
+         z.2   = verify(x.45, <x.44, z.41, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.25, r1.30, DH_neutral>, x.44)
+         z.5   = z.41
+    
+     49. IDc   = IDc.26
+         certC = certC.27
+         certT = cert(x.43, x.44, z.42)
+         pkTe  = z.38^(x.47*inv(x.48))
+         r1    = r1.31
+         s1    = s1.33
+         skC   = (x.48*inv(x.47))
+         z     = cert_id(certC.27)
+         z.1   = z.38
+         z.2   = verify(x.44, <x.43, z.42, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.27),
+                        <cert_pk(certC.27), cert_id(certC.27), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, z.38^(x.47*inv(x.48))>, x.43)
+         z.5   = z.42
+    
+     50. IDc   = IDc.26
+         certC = certC.27
+         certT = cert(x.43, x.44, z.42)
+         pkTe  = x.46^inv((skC.34*x.47))
+         r1    = r1.31
+         s1    = s1.33
+         skC   = skC.34
+         z     = cert_id(certC.27)
+         z.1   = x.46^inv(x.47)
+         z.2   = verify(x.44, <x.43, z.42, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.27),
+                        <cert_pk(certC.27), cert_id(certC.27), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, x.46^inv((skC.34*x.47))>, x.43)
+         z.5   = z.42
+    
+     51. IDc   = IDc.26
+         certC = certC.27
+         certT = cert(x.43, x.44, z.42)
+         pkTe  = x.46^(x.47*x.48)
+         r1    = r1.31
+         s1    = s1.33
+         skC   = inv(x.47)
+         z     = cert_id(certC.27)
+         z.1   = x.46^x.48
+         z.2   = verify(x.44, <x.43, z.42, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.27),
+                        <cert_pk(certC.27), cert_id(certC.27), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, x.46^(x.47*x.48)>, x.43)
+         z.5   = z.42
+    
+     52. IDc   = IDc.26
+         certC = certC.27
+         certT = cert(x.43, x.44, z.42)
+         pkTe  = x.46^(x.47*inv(skC.34))
+         r1    = r1.31
+         s1    = s1.33
+         skC   = skC.34
+         z     = cert_id(certC.27)
+         z.1   = x.46^x.47
+         z.2   = verify(x.44, <x.43, z.42, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.27),
+                        <cert_pk(certC.27), cert_id(certC.27), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, x.46^(x.47*inv(skC.34))>, x.43)
+         z.5   = z.42
+    
+     53. IDc   = IDc.26
+         certC = certC.27
+         certT = cert(x.43, sign(<x.43, z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = x.45^(x.46*x.47*inv(x.48))
+         r1    = r1.31
+         s1    = s1.33
+         skC   = (x.48*inv(x.47))
+         z     = cert_id(certC.27)
+         z.1   = x.45^x.46
+         z.2   = true
+         z.3   = verify(cert_sig(certC.27),
+                        <cert_pk(certC.27), cert_id(certC.27), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, x.45^(x.46*x.47*inv(x.48))>, x.43)
+         z.5   = z.42
+    
+     54. IDc   = IDc.26
+         certC = certC.27
+         certT = cert(x.43, sign(<x.43, z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = x.45^(x.46*inv((skC.34*x.47)))
+         r1    = r1.31
+         s1    = s1.33
+         skC   = skC.34
+         z     = cert_id(certC.27)
+         z.1   = x.45^(x.46*inv(x.47))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.27),
+                        <cert_pk(certC.27), cert_id(certC.27), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, x.45^(x.46*inv((skC.34*x.47)))>,
+                        x.43)
+         z.5   = z.42
+    
+     55. IDc   = IDc.26
+         certC = certC.27
+         certT = cert(x.43, sign(<x.43, z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = x.45^(x.46*inv((x.47*x.48)))
+         r1    = r1.31
+         s1    = s1.33
+         skC   = (x.48*inv(x.46))
+         z     = cert_id(certC.27)
+         z.1   = x.45^inv(x.47)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.27),
+                        <cert_pk(certC.27), cert_id(certC.27), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, x.45^(x.46*inv((x.47*x.48)))>,
+                        x.43)
+         z.5   = z.42
+    
+     56. IDc   = IDc.26
+         certC = certC.27
+         certT = cert(pk(x.45), sign(<pk(x.45), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = DH_neutral
+         r1    = r1.31
+         s1    = sign(<IDc.26, r1.31, DH_neutral>, x.45)
+         z     = cert_id(certC.27)
+         z.1   = DH_neutral
+         z.2   = true
+         z.3   = verify(cert_sig(certC.27),
+                        <cert_pk(certC.27), cert_id(certC.27), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.42
+    
+     57. IDc   = IDc.26
+         certC = cert(x.43, x.44, z.37)
+         certT = certT.28
+         pkTe  = z.38^x.48
+         r1    = r1.31
+         s1    = s1.33
+         skC   = inv(x.48)
+         z     = z.37
+         z.1   = z.38
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.44, <x.43, z.37, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, z.38^x.48>, cert_pk(certT.28))
+         z.5   = cert_id(certT.28)
+    
+     58. IDc   = IDc.26
+         certC = cert(x.43, x.44, z.37)
+         certT = certT.28
+         pkTe  = z.38^inv(skC.34)
+         r1    = r1.31
+         s1    = s1.33
+         skC   = skC.34
+         z     = z.37
+         z.1   = z.38
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.44, <x.43, z.37, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, z.38^inv(skC.34)>,
+                        cert_pk(certT.28))
+         z.5   = cert_id(certT.28)
+    
+     59. IDc   = IDc.26
+         certC = cert(x.43, x.44, z.37)
+         certT = certT.28
+         pkTe  = x.47^x.48
+         r1    = r1.31
+         s1    = s1.33
+         skC   = skC.34
+         z     = z.37
+         z.1   = x.47^(skC.34*x.48)
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.44, <x.43, z.37, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, x.47^x.48>, cert_pk(certT.28))
+         z.5   = cert_id(certT.28)
+    
+     60. IDc   = IDc.26
+         certC = cert(x.43, x.44, z.37)
+         certT = cert(x.46, x.47, z.42)
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skC   = skC.34
+         z     = z.37
+         z.1   = pkTe.29^skC.34
+         z.2   = verify(x.47, <x.46, z.42, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.44, <x.43, z.37, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, pkTe.29>, x.46)
+         z.5   = z.42
+    
+     61. IDc   = IDc.26
+         certC = cert(x.43, x.44, z.37)
+         certT = cert(x.46, x.47, z.42)
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skC   = one
+         z     = z.37
+         z.1   = pkTe.29
+         z.2   = verify(x.47, <x.46, z.42, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.44, <x.43, z.37, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, pkTe.29>, x.46)
+         z.5   = z.42
+    
+     62. IDc   = IDc.26
+         certC = cert(x.43, x.44, z.37)
+         certT = cert(x.46, x.47, z.42)
+         pkTe  = DH_neutral
+         r1    = r1.31
+         s1    = s1.33
+         z     = z.37
+         z.1   = DH_neutral
+         z.2   = verify(x.47, <x.46, z.42, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.44, <x.43, z.37, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.26, r1.31, DH_neutral>, x.46)
+         z.5   = z.42
+    
+     63. IDc   = IDc.26
+         certC = cert(x.43, sign(<x.43, z.37, 'chip'>, ca_sk), z.37)
+         certT = certT.28
+         pkTe  = z.38^(x.47*inv(x.48))
+         r1    = r1.31
+         s1    = s1.33
+         skC   = (x.48*inv(x.47))
+         z     = z.37
+         z.1   = z.38
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.26, r1.31, z.38^(x.47*inv(x.48))>,
+                        cert_pk(certT.28))
+         z.5   = cert_id(certT.28)
+    
+     64. IDc   = IDc.26
+         certC = cert(x.43, sign(<x.43, z.37, 'chip'>, ca_sk), z.37)
+         certT = certT.28
+         pkTe  = x.46^inv((skC.34*x.47))
+         r1    = r1.31
+         s1    = s1.33
+         skC   = skC.34
+         z     = z.37
+         z.1   = x.46^inv(x.47)
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.26, r1.31, x.46^inv((skC.34*x.47))>,
+                        cert_pk(certT.28))
+         z.5   = cert_id(certT.28)
+    
+     65. IDc   = IDc.26
+         certC = cert(x.43, sign(<x.43, z.37, 'chip'>, ca_sk), z.37)
+         certT = certT.28
+         pkTe  = x.46^(x.47*x.48)
+         r1    = r1.31
+         s1    = s1.33
+         skC   = inv(x.47)
+         z     = z.37
+         z.1   = x.46^x.48
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.26, r1.31, x.46^(x.47*x.48)>,
+                        cert_pk(certT.28))
+         z.5   = cert_id(certT.28)
+    
+     66. IDc   = IDc.26
+         certC = cert(x.43, sign(<x.43, z.37, 'chip'>, ca_sk), z.37)
+         certT = certT.28
+         pkTe  = x.46^(x.47*inv(skC.34))
+         r1    = r1.31
+         s1    = s1.33
+         skC   = skC.34
+         z     = z.37
+         z.1   = x.46^x.47
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.26, r1.31, x.46^(x.47*inv(skC.34))>,
+                        cert_pk(certT.28))
+         z.5   = cert_id(certT.28)
+    
+     67. IDc   = IDc.26
+         certC = cert(x.43, sign(<x.43, z.37, 'chip'>, ca_sk), z.37)
+         certT = cert(x.45, sign(<x.45, z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = z.38^x.48
+         r1    = r1.31
+         s1    = s1.33
+         skC   = inv(x.48)
+         z     = z.37
+         z.1   = z.38
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.26, r1.31, z.38^x.48>, x.45)
+         z.5   = z.42
+    
+     68. IDc   = IDc.26
+         certC = cert(x.43, sign(<x.43, z.37, 'chip'>, ca_sk), z.37)
+         certT = cert(x.45, sign(<x.45, z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = z.38^inv(skC.34)
+         r1    = r1.31
+         s1    = s1.33
+         skC   = skC.34
+         z     = z.37
+         z.1   = z.38
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.26, r1.31, z.38^inv(skC.34)>, x.45)
+         z.5   = z.42
+    
+     69. IDc   = IDc.26
+         certC = cert(x.43, sign(<x.43, z.37, 'chip'>, ca_sk), z.37)
+         certT = cert(x.45, sign(<x.45, z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = x.47^x.48
+         r1    = r1.31
+         s1    = s1.33
+         skC   = skC.34
+         z     = z.37
+         z.1   = x.47^(skC.34*x.48)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.26, r1.31, x.47^x.48>, x.45)
+         z.5   = z.42
+    
+     70. IDc   = IDc.26
+         certC = cert(x.44, sign(<x.44, z.37, 'chip'>, ca_sk), z.37)
+         certT = cert(pk(x.46), sign(<pk(x.46), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = DH_neutral
+         r1    = r1.31
+         s1    = sign(<IDc.26, r1.31, DH_neutral>, x.46)
+         z     = z.37
+         z.1   = DH_neutral
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.42
+    
+     71. IDc   = IDc.27
+         certC = certC.28
+         certT = certT.29
+         pkTe  = x.44^x.45
+         r1    = r1.32
+         s1    = s1.34
+         skC   = inv((x.45*x.50))
+         z     = cert_id(certC.28)
+         z.1   = x.44^inv(x.50)
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.28),
+                        <cert_pk(certC.28), cert_id(certC.28), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.44^x.45>, cert_pk(certT.29))
+         z.5   = cert_id(certT.29)
+    
+     72. IDc   = IDc.27
+         certC = certC.28
+         certT = certT.29
+         pkTe  = x.44^x.45
+         r1    = r1.32
+         s1    = s1.34
+         skC   = (x.50*inv(x.45))
+         z     = cert_id(certC.28)
+         z.1   = x.44^x.50
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.28),
+                        <cert_pk(certC.28), cert_id(certC.28), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.44^x.45>, cert_pk(certT.29))
+         z.5   = cert_id(certT.29)
+    
+     73. IDc   = IDc.27
+         certC = certC.28
+         certT = certT.29
+         pkTe  = x.44^inv(x.45)
+         r1    = r1.32
+         s1    = s1.34
+         skC   = inv(x.50)
+         z     = cert_id(certC.28)
+         z.1   = x.44^inv((x.45*x.50))
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.28),
+                        <cert_pk(certC.28), cert_id(certC.28), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.44^inv(x.45)>, cert_pk(certT.29))
+         z.5   = cert_id(certT.29)
+    
+     74. IDc   = IDc.27
+         certC = certC.28
+         certT = certT.29
+         pkTe  = x.44^inv(x.45)
+         r1    = r1.32
+         s1    = s1.34
+         skC   = (x.45*x.50)
+         z     = cert_id(certC.28)
+         z.1   = x.44^x.50
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.28),
+                        <cert_pk(certC.28), cert_id(certC.28), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.44^inv(x.45)>, cert_pk(certT.29))
+         z.5   = cert_id(certT.29)
+    
+     75. IDc   = IDc.27
+         certC = certC.28
+         certT = cert(x.44, x.45, z.43)
+         pkTe  = x.47^(x.48*x.49*inv(x.50))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = (x.50*inv(x.49))
+         z     = cert_id(certC.28)
+         z.1   = x.47^x.48
+         z.2   = verify(x.45, <x.44, z.43, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.28),
+                        <cert_pk(certC.28), cert_id(certC.28), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.47^(x.48*x.49*inv(x.50))>, x.44)
+         z.5   = z.43
+    
+     76. IDc   = IDc.27
+         certC = certC.28
+         certT = cert(x.44, x.45, z.43)
+         pkTe  = x.47^(x.48*inv((skC.35*x.49)))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = skC.35
+         z     = cert_id(certC.28)
+         z.1   = x.47^(x.48*inv(x.49))
+         z.2   = verify(x.45, <x.44, z.43, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.28),
+                        <cert_pk(certC.28), cert_id(certC.28), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.47^(x.48*inv((skC.35*x.49)))>,
+                        x.44)
+         z.5   = z.43
+    
+     77. IDc   = IDc.27
+         certC = certC.28
+         certT = cert(x.44, x.45, z.43)
+         pkTe  = x.47^(x.48*inv((x.49*x.50)))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = (x.50*inv(x.48))
+         z     = cert_id(certC.28)
+         z.1   = x.47^inv(x.49)
+         z.2   = verify(x.45, <x.44, z.43, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.28),
+                        <cert_pk(certC.28), cert_id(certC.28), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.47^(x.48*inv((x.49*x.50)))>,
+                        x.44)
+         z.5   = z.43
+    
+     78. IDc   = IDc.27
+         certC = certC.28
+         certT = cert(x.44, sign(<x.44, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = x.46^(x.47*x.48*inv((x.49*x.50)))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = (x.50*inv(x.48))
+         z     = cert_id(certC.28)
+         z.1   = x.46^(x.47*inv(x.49))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.28),
+                        <cert_pk(certC.28), cert_id(certC.28), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.46^(x.47*x.48*inv((x.49*x.50)))>,
+                        x.44)
+         z.5   = z.43
+    
+     79. IDc   = IDc.27
+         certC = certC.28
+         certT = cert(pk(x.46), x.47, z.43)
+         pkTe  = DH_neutral
+         r1    = r1.32
+         s1    = sign(<IDc.27, r1.32, DH_neutral>, x.46)
+         z     = cert_id(certC.28)
+         z.1   = DH_neutral
+         z.2   = verify(x.47, <pk(x.46), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.28),
+                        <cert_pk(certC.28), cert_id(certC.28), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.43
+    
+     80. IDc   = IDc.27
+         certC = certC.28
+         certT = cert(pk(x.46), sign(<pk(x.46), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = sign(<IDc.27, r1.32, pkTe.30>, x.46)
+         skC   = skC.35
+         z     = cert_id(certC.28)
+         z.1   = pkTe.30^skC.35
+         z.2   = true
+         z.3   = verify(cert_sig(certC.28),
+                        <cert_pk(certC.28), cert_id(certC.28), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.43
+    
+     81. IDc   = IDc.27
+         certC = certC.28
+         certT = cert(pk(x.46), sign(<pk(x.46), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = sign(<IDc.27, r1.32, pkTe.30>, x.46)
+         skC   = one
+         z     = cert_id(certC.28)
+         z.1   = pkTe.30
+         z.2   = true
+         z.3   = verify(cert_sig(certC.28),
+                        <cert_pk(certC.28), cert_id(certC.28), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.43
+    
+     82. IDc   = IDc.27
+         certC = cert(x.44, x.45, z.38)
+         certT = certT.29
+         pkTe  = z.39^(x.49*inv(x.50))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = (x.50*inv(x.49))
+         z     = z.38
+         z.1   = z.39
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.45, <x.44, z.38, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, z.39^(x.49*inv(x.50))>,
+                        cert_pk(certT.29))
+         z.5   = cert_id(certT.29)
+    
+     83. IDc   = IDc.27
+         certC = cert(x.44, x.45, z.38)
+         certT = certT.29
+         pkTe  = x.48^inv((skC.35*x.49))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = skC.35
+         z     = z.38
+         z.1   = x.48^inv(x.49)
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.45, <x.44, z.38, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.48^inv((skC.35*x.49))>,
+                        cert_pk(certT.29))
+         z.5   = cert_id(certT.29)
+    
+     84. IDc   = IDc.27
+         certC = cert(x.44, x.45, z.38)
+         certT = certT.29
+         pkTe  = x.48^(x.49*x.50)
+         r1    = r1.32
+         s1    = s1.34
+         skC   = inv(x.49)
+         z     = z.38
+         z.1   = x.48^x.50
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.45, <x.44, z.38, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.48^(x.49*x.50)>,
+                        cert_pk(certT.29))
+         z.5   = cert_id(certT.29)
+    
+     85. IDc   = IDc.27
+         certC = cert(x.44, x.45, z.38)
+         certT = certT.29
+         pkTe  = x.48^(x.49*inv(skC.35))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = skC.35
+         z     = z.38
+         z.1   = x.48^x.49
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.45, <x.44, z.38, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.48^(x.49*inv(skC.35))>,
+                        cert_pk(certT.29))
+         z.5   = cert_id(certT.29)
+    
+     86. IDc   = IDc.27
+         certC = cert(x.44, x.45, z.38)
+         certT = cert(x.47, sign(<x.47, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = z.39^x.50
+         r1    = r1.32
+         s1    = s1.34
+         skC   = inv(x.50)
+         z     = z.38
+         z.1   = z.39
+         z.2   = true
+         z.3   = verify(x.45, <x.44, z.38, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, z.39^x.50>, x.47)
+         z.5   = z.43
+    
+     87. IDc   = IDc.27
+         certC = cert(x.44, x.45, z.38)
+         certT = cert(x.47, sign(<x.47, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = z.39^inv(skC.35)
+         r1    = r1.32
+         s1    = s1.34
+         skC   = skC.35
+         z     = z.38
+         z.1   = z.39
+         z.2   = true
+         z.3   = verify(x.45, <x.44, z.38, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, z.39^inv(skC.35)>, x.47)
+         z.5   = z.43
+    
+     88. IDc   = IDc.27
+         certC = cert(x.44, x.45, z.38)
+         certT = cert(x.47, sign(<x.47, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = x.49^x.50
+         r1    = r1.32
+         s1    = s1.34
+         skC   = skC.35
+         z     = z.38
+         z.1   = x.49^(skC.35*x.50)
+         z.2   = true
+         z.3   = verify(x.45, <x.44, z.38, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.49^x.50>, x.47)
+         z.5   = z.43
+    
+     89. IDc   = IDc.27
+         certC = cert(x.44, sign(<x.44, z.38, 'chip'>, ca_sk), z.38)
+         certT = certT.29
+         pkTe  = x.47^(x.48*x.49*inv(x.50))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = (x.50*inv(x.49))
+         z     = z.38
+         z.1   = x.47^x.48
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.47^(x.48*x.49*inv(x.50))>,
+                        cert_pk(certT.29))
+         z.5   = cert_id(certT.29)
+    
+     90. IDc   = IDc.27
+         certC = cert(x.44, sign(<x.44, z.38, 'chip'>, ca_sk), z.38)
+         certT = certT.29
+         pkTe  = x.47^(x.48*inv((skC.35*x.49)))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = skC.35
+         z     = z.38
+         z.1   = x.47^(x.48*inv(x.49))
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.47^(x.48*inv((skC.35*x.49)))>,
+                        cert_pk(certT.29))
+         z.5   = cert_id(certT.29)
+    
+     91. IDc   = IDc.27
+         certC = cert(x.44, sign(<x.44, z.38, 'chip'>, ca_sk), z.38)
+         certT = certT.29
+         pkTe  = x.47^(x.48*inv((x.49*x.50)))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = (x.50*inv(x.48))
+         z     = z.38
+         z.1   = x.47^inv(x.49)
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.47^(x.48*inv((x.49*x.50)))>,
+                        cert_pk(certT.29))
+         z.5   = cert_id(certT.29)
+    
+     92. IDc   = IDc.27
+         certC = cert(x.44, sign(<x.44, z.38, 'chip'>, ca_sk), z.38)
+         certT = cert(x.46, x.47, z.43)
+         pkTe  = z.39^x.50
+         r1    = r1.32
+         s1    = s1.34
+         skC   = inv(x.50)
+         z     = z.38
+         z.1   = z.39
+         z.2   = verify(x.47, <x.46, z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.27, r1.32, z.39^x.50>, x.46)
+         z.5   = z.43
+    
+     93. IDc   = IDc.27
+         certC = cert(x.44, sign(<x.44, z.38, 'chip'>, ca_sk), z.38)
+         certT = cert(x.46, x.47, z.43)
+         pkTe  = z.39^inv(skC.35)
+         r1    = r1.32
+         s1    = s1.34
+         skC   = skC.35
+         z     = z.38
+         z.1   = z.39
+         z.2   = verify(x.47, <x.46, z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.27, r1.32, z.39^inv(skC.35)>, x.46)
+         z.5   = z.43
+    
+     94. IDc   = IDc.27
+         certC = cert(x.44, sign(<x.44, z.38, 'chip'>, ca_sk), z.38)
+         certT = cert(x.46, x.47, z.43)
+         pkTe  = x.49^x.50
+         r1    = r1.32
+         s1    = s1.34
+         skC   = skC.35
+         z     = z.38
+         z.1   = x.49^(skC.35*x.50)
+         z.2   = verify(x.47, <x.46, z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.49^x.50>, x.46)
+         z.5   = z.43
+    
+     95. IDc   = IDc.27
+         certC = cert(x.44, sign(<x.44, z.38, 'chip'>, ca_sk), z.38)
+         certT = cert(x.46, sign(<x.46, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = z.39^(x.49*inv(x.50))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = (x.50*inv(x.49))
+         z     = z.38
+         z.1   = z.39
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.27, r1.32, z.39^(x.49*inv(x.50))>, x.46)
+         z.5   = z.43
+    
+     96. IDc   = IDc.27
+         certC = cert(x.44, sign(<x.44, z.38, 'chip'>, ca_sk), z.38)
+         certT = cert(x.46, sign(<x.46, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = x.48^inv((skC.35*x.49))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = skC.35
+         z     = z.38
+         z.1   = x.48^inv(x.49)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.48^inv((skC.35*x.49))>, x.46)
+         z.5   = z.43
+    
+     97. IDc   = IDc.27
+         certC = cert(x.44, sign(<x.44, z.38, 'chip'>, ca_sk), z.38)
+         certT = cert(x.46, sign(<x.46, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = x.48^(x.49*x.50)
+         r1    = r1.32
+         s1    = s1.34
+         skC   = inv(x.49)
+         z     = z.38
+         z.1   = x.48^x.50
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.48^(x.49*x.50)>, x.46)
+         z.5   = z.43
+    
+     98. IDc   = IDc.27
+         certC = cert(x.44, sign(<x.44, z.38, 'chip'>, ca_sk), z.38)
+         certT = cert(x.46, sign(<x.46, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = x.48^(x.49*inv(skC.35))
+         r1    = r1.32
+         s1    = s1.34
+         skC   = skC.35
+         z     = z.38
+         z.1   = x.48^x.49
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.27, r1.32, x.48^(x.49*inv(skC.35))>, x.46)
+         z.5   = z.43
+    
+     99. IDc   = IDc.27
+         certC = cert(x.45, x.46, z.38)
+         certT = cert(pk(x.48), sign(<pk(x.48), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = DH_neutral
+         r1    = r1.32
+         s1    = sign(<IDc.27, r1.32, DH_neutral>, x.48)
+         z     = z.38
+         z.1   = DH_neutral
+         z.2   = true
+         z.3   = verify(x.46, <x.45, z.38, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.43
+    
+    100. IDc   = IDc.27
+         certC = cert(x.45, sign(<x.45, z.38, 'chip'>, ca_sk), z.38)
+         certT = cert(pk(x.47), x.48, z.43)
+         pkTe  = DH_neutral
+         r1    = r1.32
+         s1    = sign(<IDc.27, r1.32, DH_neutral>, x.47)
+         z     = z.38
+         z.1   = DH_neutral
+         z.2   = verify(x.48, <pk(x.47), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.43
+    
+    101. IDc   = IDc.27
+         certC = cert(x.45, sign(<x.45, z.38, 'chip'>, ca_sk), z.38)
+         certT = cert(pk(x.47), sign(<pk(x.47), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = sign(<IDc.27, r1.32, pkTe.30>, x.47)
+         skC   = one
+         z     = z.38
+         z.1   = pkTe.30
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.43
+    
+    102. IDc   = IDc.28
+         certC = certC.29
+         certT = certT.30
+         pkTe  = x.45^x.46
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.51*inv((x.46*x.52)))
+         z     = cert_id(certC.29)
+         z.1   = x.45^(x.51*inv(x.52))
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.45^x.46>, cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    103. IDc   = IDc.28
+         certC = certC.29
+         certT = certT.30
+         pkTe  = x.45^inv(x.46)
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.51*inv(x.52))
+         z     = cert_id(certC.29)
+         z.1   = x.45^(x.51*inv((x.46*x.52)))
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.45^inv(x.46)>, cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    104. IDc   = IDc.28
+         certC = certC.29
+         certT = certT.30
+         pkTe  = x.45^inv((x.46*x.47))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.46*x.52)
+         z     = cert_id(certC.29)
+         z.1   = x.45^(x.52*inv(x.47))
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.45^inv((x.46*x.47))>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    105. IDc   = IDc.28
+         certC = certC.29
+         certT = certT.30
+         pkTe  = x.45^inv((x.46*x.47))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.46*inv(x.52))
+         z     = cert_id(certC.29)
+         z.1   = x.45^inv((x.47*x.52))
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.45^inv((x.46*x.47))>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    106. IDc   = IDc.28
+         certC = certC.29
+         certT = certT.30
+         pkTe  = x.45^(x.46*x.47)
+         r1    = r1.33
+         s1    = s1.35
+         skC   = inv((x.46*x.52))
+         z     = cert_id(certC.29)
+         z.1   = x.45^(x.47*inv(x.52))
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.45^(x.46*x.47)>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    107. IDc   = IDc.28
+         certC = certC.29
+         certT = certT.30
+         pkTe  = x.45^(x.46*x.47)
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.52*inv(x.46))
+         z     = cert_id(certC.29)
+         z.1   = x.45^(x.47*x.52)
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.45^(x.46*x.47)>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    108. IDc   = IDc.28
+         certC = certC.29
+         certT = certT.30
+         pkTe  = x.45^(x.46*inv(x.47))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = inv(x.52)
+         z     = cert_id(certC.29)
+         z.1   = x.45^(x.46*inv((x.47*x.52)))
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.45^(x.46*inv(x.47))>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    109. IDc   = IDc.28
+         certC = certC.29
+         certT = certT.30
+         pkTe  = x.45^(x.46*inv(x.47))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = inv((x.46*x.52))
+         z     = cert_id(certC.29)
+         z.1   = x.45^inv((x.47*x.52))
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.45^(x.46*inv(x.47))>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    110. IDc   = IDc.28
+         certC = certC.29
+         certT = certT.30
+         pkTe  = x.45^(x.46*inv(x.47))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.47*x.52)
+         z     = cert_id(certC.29)
+         z.1   = x.45^(x.46*x.52)
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.45^(x.46*inv(x.47))>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    111. IDc   = IDc.28
+         certC = certC.29
+         certT = certT.30
+         pkTe  = x.45^(x.46*inv(x.47))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.47*x.52*inv(x.46))
+         z     = cert_id(certC.29)
+         z.1   = x.45^x.52
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.45^(x.46*inv(x.47))>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    112. IDc   = IDc.28
+         certC = certC.29
+         certT = certT.30
+         pkTe  = x.45^(x.46*inv(x.47))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.47*inv((x.46*x.52)))
+         z     = cert_id(certC.29)
+         z.1   = x.45^inv(x.52)
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.45^(x.46*inv(x.47))>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    113. IDc   = IDc.28
+         certC = certC.29
+         certT = cert(x.45, x.46, z.44)
+         pkTe  = x.48^(x.49*x.50*inv((x.51*x.52)))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.52*inv(x.50))
+         z     = cert_id(certC.29)
+         z.1   = x.48^(x.49*inv(x.51))
+         z.2   = verify(x.46, <x.45, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.48^(x.49*x.50*inv((x.51*x.52)))>,
+                        x.45)
+         z.5   = z.44
+    
+    114. IDc   = IDc.28
+         certC = certC.29
+         certT = cert(pk(x.47), x.48, z.44)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = sign(<IDc.28, r1.33, pkTe.31>, x.47)
+         skC   = skC.36
+         z     = cert_id(certC.29)
+         z.1   = pkTe.31^skC.36
+         z.2   = verify(x.48, <pk(x.47), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.44
+    
+    115. IDc   = IDc.28
+         certC = certC.29
+         certT = cert(pk(x.47), x.48, z.44)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = sign(<IDc.28, r1.33, pkTe.31>, x.47)
+         skC   = one
+         z     = cert_id(certC.29)
+         z.1   = pkTe.31
+         z.2   = verify(x.48, <pk(x.47), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.44
+    
+    116. IDc   = IDc.28
+         certC = certC.29
+         certT = cert(pk(x.47), sign(<pk(x.47), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = z.40^x.50
+         r1    = r1.33
+         s1    = sign(<IDc.28, r1.33, z.40^x.50>, x.47)
+         skC   = inv(x.50)
+         z     = cert_id(certC.29)
+         z.1   = z.40
+         z.2   = true
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.44
+    
+    117. IDc   = IDc.28
+         certC = certC.29
+         certT = cert(pk(x.47), sign(<pk(x.47), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = z.40^inv(skC.36)
+         r1    = r1.33
+         s1    = sign(<IDc.28, r1.33, z.40^inv(skC.36)>, x.47)
+         skC   = skC.36
+         z     = cert_id(certC.29)
+         z.1   = z.40
+         z.2   = true
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.44
+    
+    118. IDc   = IDc.28
+         certC = certC.29
+         certT = cert(pk(x.47), sign(<pk(x.47), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = x.49^x.50
+         r1    = r1.33
+         s1    = sign(<IDc.28, r1.33, x.49^x.50>, x.47)
+         skC   = skC.36
+         z     = cert_id(certC.29)
+         z.1   = x.49^(skC.36*x.50)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.29),
+                        <cert_pk(certC.29), cert_id(certC.29), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.44
+    
+    119. IDc   = IDc.28
+         certC = cert(x.45, x.46, z.39)
+         certT = certT.30
+         pkTe  = x.49^(x.50*x.51*inv(x.52))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.52*inv(x.51))
+         z     = z.39
+         z.1   = x.49^x.50
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.46, <x.45, z.39, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.49^(x.50*x.51*inv(x.52))>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    120. IDc   = IDc.28
+         certC = cert(x.45, x.46, z.39)
+         certT = certT.30
+         pkTe  = x.49^(x.50*inv((skC.36*x.51)))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = skC.36
+         z     = z.39
+         z.1   = x.49^(x.50*inv(x.51))
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.46, <x.45, z.39, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.49^(x.50*inv((skC.36*x.51)))>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    121. IDc   = IDc.28
+         certC = cert(x.45, x.46, z.39)
+         certT = certT.30
+         pkTe  = x.49^(x.50*inv((x.51*x.52)))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.52*inv(x.50))
+         z     = z.39
+         z.1   = x.49^inv(x.51)
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.46, <x.45, z.39, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.49^(x.50*inv((x.51*x.52)))>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    122. IDc   = IDc.28
+         certC = cert(x.45, x.46, z.39)
+         certT = cert(x.48, x.49, z.44)
+         pkTe  = z.40^x.52
+         r1    = r1.33
+         s1    = s1.35
+         skC   = inv(x.52)
+         z     = z.39
+         z.1   = z.40
+         z.2   = verify(x.49, <x.48, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.46, <x.45, z.39, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, z.40^x.52>, x.48)
+         z.5   = z.44
+    
+    123. IDc   = IDc.28
+         certC = cert(x.45, x.46, z.39)
+         certT = cert(x.48, x.49, z.44)
+         pkTe  = z.40^inv(skC.36)
+         r1    = r1.33
+         s1    = s1.35
+         skC   = skC.36
+         z     = z.39
+         z.1   = z.40
+         z.2   = verify(x.49, <x.48, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.46, <x.45, z.39, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, z.40^inv(skC.36)>, x.48)
+         z.5   = z.44
+    
+    124. IDc   = IDc.28
+         certC = cert(x.45, x.46, z.39)
+         certT = cert(x.48, x.49, z.44)
+         pkTe  = x.51^x.52
+         r1    = r1.33
+         s1    = s1.35
+         skC   = skC.36
+         z     = z.39
+         z.1   = x.51^(skC.36*x.52)
+         z.2   = verify(x.49, <x.48, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.46, <x.45, z.39, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.51^x.52>, x.48)
+         z.5   = z.44
+    
+    125. IDc   = IDc.28
+         certC = cert(x.45, x.46, z.39)
+         certT = cert(x.48, sign(<x.48, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = z.40^(x.51*inv(x.52))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.52*inv(x.51))
+         z     = z.39
+         z.1   = z.40
+         z.2   = true
+         z.3   = verify(x.46, <x.45, z.39, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, z.40^(x.51*inv(x.52))>, x.48)
+         z.5   = z.44
+    
+    126. IDc   = IDc.28
+         certC = cert(x.45, x.46, z.39)
+         certT = cert(x.48, sign(<x.48, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = x.50^inv((skC.36*x.51))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = skC.36
+         z     = z.39
+         z.1   = x.50^inv(x.51)
+         z.2   = true
+         z.3   = verify(x.46, <x.45, z.39, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.50^inv((skC.36*x.51))>, x.48)
+         z.5   = z.44
+    
+    127. IDc   = IDc.28
+         certC = cert(x.45, x.46, z.39)
+         certT = cert(x.48, sign(<x.48, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = x.50^(x.51*x.52)
+         r1    = r1.33
+         s1    = s1.35
+         skC   = inv(x.51)
+         z     = z.39
+         z.1   = x.50^x.52
+         z.2   = true
+         z.3   = verify(x.46, <x.45, z.39, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.50^(x.51*x.52)>, x.48)
+         z.5   = z.44
+    
+    128. IDc   = IDc.28
+         certC = cert(x.45, x.46, z.39)
+         certT = cert(x.48, sign(<x.48, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = x.50^(x.51*inv(skC.36))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = skC.36
+         z     = z.39
+         z.1   = x.50^x.51
+         z.2   = true
+         z.3   = verify(x.46, <x.45, z.39, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.50^(x.51*inv(skC.36))>, x.48)
+         z.5   = z.44
+    
+    129. IDc   = IDc.28
+         certC = cert(x.45, sign(<x.45, z.39, 'chip'>, ca_sk), z.39)
+         certT = certT.30
+         pkTe  = x.48^(x.49*x.50*inv((x.51*x.52)))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.52*inv(x.50))
+         z     = z.39
+         z.1   = x.48^(x.49*inv(x.51))
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.48^(x.49*x.50*inv((x.51*x.52)))>,
+                        cert_pk(certT.30))
+         z.5   = cert_id(certT.30)
+    
+    130. IDc   = IDc.28
+         certC = cert(x.45, sign(<x.45, z.39, 'chip'>, ca_sk), z.39)
+         certT = cert(x.47, x.48, z.44)
+         pkTe  = z.40^(x.51*inv(x.52))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.52*inv(x.51))
+         z     = z.39
+         z.1   = z.40
+         z.2   = verify(x.48, <x.47, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.28, r1.33, z.40^(x.51*inv(x.52))>, x.47)
+         z.5   = z.44
+    
+    131. IDc   = IDc.28
+         certC = cert(x.45, sign(<x.45, z.39, 'chip'>, ca_sk), z.39)
+         certT = cert(x.47, x.48, z.44)
+         pkTe  = x.50^inv((skC.36*x.51))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = skC.36
+         z     = z.39
+         z.1   = x.50^inv(x.51)
+         z.2   = verify(x.48, <x.47, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.50^inv((skC.36*x.51))>, x.47)
+         z.5   = z.44
+    
+    132. IDc   = IDc.28
+         certC = cert(x.45, sign(<x.45, z.39, 'chip'>, ca_sk), z.39)
+         certT = cert(x.47, x.48, z.44)
+         pkTe  = x.50^(x.51*x.52)
+         r1    = r1.33
+         s1    = s1.35
+         skC   = inv(x.51)
+         z     = z.39
+         z.1   = x.50^x.52
+         z.2   = verify(x.48, <x.47, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.50^(x.51*x.52)>, x.47)
+         z.5   = z.44
+    
+    133. IDc   = IDc.28
+         certC = cert(x.45, sign(<x.45, z.39, 'chip'>, ca_sk), z.39)
+         certT = cert(x.47, x.48, z.44)
+         pkTe  = x.50^(x.51*inv(skC.36))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = skC.36
+         z     = z.39
+         z.1   = x.50^x.51
+         z.2   = verify(x.48, <x.47, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.50^(x.51*inv(skC.36))>, x.47)
+         z.5   = z.44
+    
+    134. IDc   = IDc.28
+         certC = cert(x.45, sign(<x.45, z.39, 'chip'>, ca_sk), z.39)
+         certT = cert(x.47, sign(<x.47, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = x.49^(x.50*x.51*inv(x.52))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.52*inv(x.51))
+         z     = z.39
+         z.1   = x.49^x.50
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.49^(x.50*x.51*inv(x.52))>, x.47)
+         z.5   = z.44
+    
+    135. IDc   = IDc.28
+         certC = cert(x.45, sign(<x.45, z.39, 'chip'>, ca_sk), z.39)
+         certT = cert(x.47, sign(<x.47, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = x.49^(x.50*inv((skC.36*x.51)))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = skC.36
+         z     = z.39
+         z.1   = x.49^(x.50*inv(x.51))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.49^(x.50*inv((skC.36*x.51)))>,
+                        x.47)
+         z.5   = z.44
+    
+    136. IDc   = IDc.28
+         certC = cert(x.45, sign(<x.45, z.39, 'chip'>, ca_sk), z.39)
+         certT = cert(x.47, sign(<x.47, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = x.49^(x.50*inv((x.51*x.52)))
+         r1    = r1.33
+         s1    = s1.35
+         skC   = (x.52*inv(x.50))
+         z     = z.39
+         z.1   = x.49^inv(x.51)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.28, r1.33, x.49^(x.50*inv((x.51*x.52)))>,
+                        x.47)
+         z.5   = z.44
+    
+    137. IDc   = IDc.28
+         certC = cert(x.46, x.47, z.39)
+         certT = cert(pk(x.49), x.50, z.44)
+         pkTe  = DH_neutral
+         r1    = r1.33
+         s1    = sign(<IDc.28, r1.33, DH_neutral>, x.49)
+         z     = z.39
+         z.1   = DH_neutral
+         z.2   = verify(x.50, <pk(x.49), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.47, <x.46, z.39, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.44
+    
+    138. IDc   = IDc.28
+         certC = cert(x.46, x.47, z.39)
+         certT = cert(pk(x.49), sign(<pk(x.49), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = sign(<IDc.28, r1.33, pkTe.31>, x.49)
+         skC   = one
+         z     = z.39
+         z.1   = pkTe.31
+         z.2   = true
+         z.3   = verify(x.47, <x.46, z.39, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.44
+    
+    139. IDc   = IDc.28
+         certC = cert(x.46, sign(<x.46, z.39, 'chip'>, ca_sk), z.39)
+         certT = cert(pk(x.48), x.49, z.44)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = sign(<IDc.28, r1.33, pkTe.31>, x.48)
+         skC   = one
+         z     = z.39
+         z.1   = pkTe.31
+         z.2   = verify(x.49, <pk(x.48), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.44
+    
+    140. IDc   = IDc.28
+         certC = cert(x.46, sign(<x.46, z.39, 'chip'>, ca_sk), z.39)
+         certT = cert(pk(x.48), sign(<pk(x.48), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = sign(<IDc.28, r1.33, pkTe.31>, x.48)
+         skC   = skC.36
+         z     = z.39
+         z.1   = pkTe.31^skC.36
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.44
+    
+    141. IDc   = IDc.28
+         certC = cert(x.46, sign(<x.46, z.39, 'chip'>, ca_sk), z.39)
+         certT = cert(pk(x.48), sign(<pk(x.48), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = z.40^x.51
+         r1    = r1.33
+         s1    = sign(<IDc.28, r1.33, z.40^x.51>, x.48)
+         skC   = inv(x.51)
+         z     = z.39
+         z.1   = z.40
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.44
+    
+    142. IDc   = IDc.28
+         certC = cert(x.46, sign(<x.46, z.39, 'chip'>, ca_sk), z.39)
+         certT = cert(pk(x.48), sign(<pk(x.48), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = z.40^inv(skC.36)
+         r1    = r1.33
+         s1    = sign(<IDc.28, r1.33, z.40^inv(skC.36)>, x.48)
+         skC   = skC.36
+         z     = z.39
+         z.1   = z.40
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.44
+    
+    143. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^inv((x.47*x.48))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.47*x.53*inv(x.54))
+         z     = cert_id(certC.30)
+         z.1   = x.46^(x.53*inv((x.48*x.54)))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^inv((x.47*x.48))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    144. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^(x.47*x.48)
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.53*inv((x.47*x.54)))
+         z     = cert_id(certC.30)
+         z.1   = x.46^(x.48*x.53*inv(x.54))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^(x.47*x.48)>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    145. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^(x.47*x.48*inv(x.49))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = inv((x.48*x.54))
+         z     = cert_id(certC.30)
+         z.1   = x.46^(x.47*inv((x.49*x.54)))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^(x.47*x.48*inv(x.49))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    146. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^(x.47*x.48*inv(x.49))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.49*x.54*inv(x.47))
+         z     = cert_id(certC.30)
+         z.1   = x.46^(x.48*x.54)
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^(x.47*x.48*inv(x.49))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    147. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^(x.47*x.48*inv(x.49))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.49*inv((x.47*x.54)))
+         z     = cert_id(certC.30)
+         z.1   = x.46^(x.48*inv(x.54))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^(x.47*x.48*inv(x.49))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    148. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^(x.47*inv(x.48))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.48*x.53*inv((x.47*x.54)))
+         z     = cert_id(certC.30)
+         z.1   = x.46^(x.53*inv(x.54))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^(x.47*inv(x.48))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    149. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^(x.47*inv(x.48))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.53*inv(x.54))
+         z     = cert_id(certC.30)
+         z.1   = x.46^(x.47*x.53*inv((x.48*x.54)))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^(x.47*inv(x.48))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    150. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^(x.47*inv(x.48))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.53*inv((x.47*x.54)))
+         z     = cert_id(certC.30)
+         z.1   = x.46^(x.53*inv((x.48*x.54)))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^(x.47*inv(x.48))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    151. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^(x.47*inv((x.48*x.49)))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.48*x.54)
+         z     = cert_id(certC.30)
+         z.1   = x.46^(x.47*x.54*inv(x.49))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^(x.47*inv((x.48*x.49)))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    152. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^(x.47*inv((x.48*x.49)))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.48*x.54*inv(x.47))
+         z     = cert_id(certC.30)
+         z.1   = x.46^(x.54*inv(x.49))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^(x.47*inv((x.48*x.49)))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    153. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^(x.47*inv((x.48*x.49)))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.48*inv(x.54))
+         z     = cert_id(certC.30)
+         z.1   = x.46^(x.47*inv((x.49*x.54)))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^(x.47*inv((x.48*x.49)))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    154. IDc   = IDc.29
+         certC = certC.30
+         certT = certT.31
+         pkTe  = x.46^(x.47*inv((x.48*x.49)))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.48*inv((x.47*x.54)))
+         z     = cert_id(certC.30)
+         z.1   = x.46^inv((x.49*x.54))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.46^(x.47*inv((x.48*x.49)))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    155. IDc   = IDc.29
+         certC = certC.30
+         certT = cert(x.46, sign(<x.46, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.48^x.49
+         r1    = r1.34
+         s1    = s1.36
+         skC   = inv((x.49*x.54))
+         z     = cert_id(certC.30)
+         z.1   = x.48^inv(x.54)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.48^x.49>, x.46)
+         z.5   = z.45
+    
+    156. IDc   = IDc.29
+         certC = certC.30
+         certT = cert(x.46, sign(<x.46, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.48^x.49
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.54*inv(x.49))
+         z     = cert_id(certC.30)
+         z.1   = x.48^x.54
+         z.2   = true
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.48^x.49>, x.46)
+         z.5   = z.45
+    
+    157. IDc   = IDc.29
+         certC = certC.30
+         certT = cert(x.46, sign(<x.46, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.48^inv(x.49)
+         r1    = r1.34
+         s1    = s1.36
+         skC   = inv(x.54)
+         z     = cert_id(certC.30)
+         z.1   = x.48^inv((x.49*x.54))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.48^inv(x.49)>, x.46)
+         z.5   = z.45
+    
+    158. IDc   = IDc.29
+         certC = certC.30
+         certT = cert(x.46, sign(<x.46, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.48^inv(x.49)
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.49*x.54)
+         z     = cert_id(certC.30)
+         z.1   = x.48^x.54
+         z.2   = true
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.48^inv(x.49)>, x.46)
+         z.5   = z.45
+    
+    159. IDc   = IDc.29
+         certC = certC.30
+         certT = cert(pk(x.48), x.49, z.45)
+         pkTe  = z.41^x.52
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, z.41^x.52>, x.48)
+         skC   = inv(x.52)
+         z     = cert_id(certC.30)
+         z.1   = z.41
+         z.2   = verify(x.49, <pk(x.48), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+    160. IDc   = IDc.29
+         certC = certC.30
+         certT = cert(pk(x.48), x.49, z.45)
+         pkTe  = z.41^inv(skC.37)
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, z.41^inv(skC.37)>, x.48)
+         skC   = skC.37
+         z     = cert_id(certC.30)
+         z.1   = z.41
+         z.2   = verify(x.49, <pk(x.48), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+    161. IDc   = IDc.29
+         certC = certC.30
+         certT = cert(pk(x.48), x.49, z.45)
+         pkTe  = x.51^x.52
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, x.51^x.52>, x.48)
+         skC   = skC.37
+         z     = cert_id(certC.30)
+         z.1   = x.51^(skC.37*x.52)
+         z.2   = verify(x.49, <pk(x.48), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+    162. IDc   = IDc.29
+         certC = certC.30
+         certT = cert(pk(x.48), sign(<pk(x.48), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = z.41^(x.51*inv(x.52))
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, z.41^(x.51*inv(x.52))>, x.48)
+         skC   = (x.52*inv(x.51))
+         z     = cert_id(certC.30)
+         z.1   = z.41
+         z.2   = true
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+    163. IDc   = IDc.29
+         certC = certC.30
+         certT = cert(pk(x.48), sign(<pk(x.48), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.50^inv((skC.37*x.51))
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, x.50^inv((skC.37*x.51))>, x.48)
+         skC   = skC.37
+         z     = cert_id(certC.30)
+         z.1   = x.50^inv(x.51)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+    164. IDc   = IDc.29
+         certC = certC.30
+         certT = cert(pk(x.48), sign(<pk(x.48), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.50^(x.51*x.52)
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, x.50^(x.51*x.52)>, x.48)
+         skC   = inv(x.51)
+         z     = cert_id(certC.30)
+         z.1   = x.50^x.52
+         z.2   = true
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+    165. IDc   = IDc.29
+         certC = certC.30
+         certT = cert(pk(x.48), sign(<pk(x.48), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.50^(x.51*inv(skC.37))
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, x.50^(x.51*inv(skC.37))>, x.48)
+         skC   = skC.37
+         z     = cert_id(certC.30)
+         z.1   = x.50^x.51
+         z.2   = true
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+    166. IDc   = IDc.29
+         certC = cert(x.46, x.47, z.40)
+         certT = certT.31
+         pkTe  = x.50^(x.51*x.52*inv((x.53*x.54)))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.54*inv(x.52))
+         z     = z.40
+         z.1   = x.50^(x.51*inv(x.53))
+         z.2   = verify(cert_sig(certT.31),
+                        <cert_pk(certT.31), cert_id(certT.31), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.47, <x.46, z.40, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.50^(x.51*x.52*inv((x.53*x.54)))>,
+                        cert_pk(certT.31))
+         z.5   = cert_id(certT.31)
+    
+    167. IDc   = IDc.29
+         certC = cert(x.46, x.47, z.40)
+         certT = cert(x.49, x.50, z.45)
+         pkTe  = z.41^(x.53*inv(x.54))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.54*inv(x.53))
+         z     = z.40
+         z.1   = z.41
+         z.2   = verify(x.50, <x.49, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.47, <x.46, z.40, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, z.41^(x.53*inv(x.54))>, x.49)
+         z.5   = z.45
+    
+    168. IDc   = IDc.29
+         certC = cert(x.46, x.47, z.40)
+         certT = cert(x.49, x.50, z.45)
+         pkTe  = x.52^inv((skC.37*x.53))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = skC.37
+         z     = z.40
+         z.1   = x.52^inv(x.53)
+         z.2   = verify(x.50, <x.49, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.47, <x.46, z.40, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.52^inv((skC.37*x.53))>, x.49)
+         z.5   = z.45
+    
+    169. IDc   = IDc.29
+         certC = cert(x.46, x.47, z.40)
+         certT = cert(x.49, x.50, z.45)
+         pkTe  = x.52^(x.53*x.54)
+         r1    = r1.34
+         s1    = s1.36
+         skC   = inv(x.53)
+         z     = z.40
+         z.1   = x.52^x.54
+         z.2   = verify(x.50, <x.49, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.47, <x.46, z.40, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.52^(x.53*x.54)>, x.49)
+         z.5   = z.45
+    
+    170. IDc   = IDc.29
+         certC = cert(x.46, x.47, z.40)
+         certT = cert(x.49, x.50, z.45)
+         pkTe  = x.52^(x.53*inv(skC.37))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = skC.37
+         z     = z.40
+         z.1   = x.52^x.53
+         z.2   = verify(x.50, <x.49, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.47, <x.46, z.40, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.52^(x.53*inv(skC.37))>, x.49)
+         z.5   = z.45
+    
+    171. IDc   = IDc.29
+         certC = cert(x.46, x.47, z.40)
+         certT = cert(x.49, sign(<x.49, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.51^(x.52*x.53*inv(x.54))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.54*inv(x.53))
+         z     = z.40
+         z.1   = x.51^x.52
+         z.2   = true
+         z.3   = verify(x.47, <x.46, z.40, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.51^(x.52*x.53*inv(x.54))>, x.49)
+         z.5   = z.45
+    
+    172. IDc   = IDc.29
+         certC = cert(x.46, x.47, z.40)
+         certT = cert(x.49, sign(<x.49, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.51^(x.52*inv((skC.37*x.53)))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = skC.37
+         z     = z.40
+         z.1   = x.51^(x.52*inv(x.53))
+         z.2   = true
+         z.3   = verify(x.47, <x.46, z.40, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.51^(x.52*inv((skC.37*x.53)))>,
+                        x.49)
+         z.5   = z.45
+    
+    173. IDc   = IDc.29
+         certC = cert(x.46, x.47, z.40)
+         certT = cert(x.49, sign(<x.49, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.51^(x.52*inv((x.53*x.54)))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.54*inv(x.52))
+         z     = z.40
+         z.1   = x.51^inv(x.53)
+         z.2   = true
+         z.3   = verify(x.47, <x.46, z.40, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.51^(x.52*inv((x.53*x.54)))>,
+                        x.49)
+         z.5   = z.45
+    
+    174. IDc   = IDc.29
+         certC = cert(x.46, sign(<x.46, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(x.48, x.49, z.45)
+         pkTe  = x.51^(x.52*x.53*inv(x.54))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.54*inv(x.53))
+         z     = z.40
+         z.1   = x.51^x.52
+         z.2   = verify(x.49, <x.48, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.51^(x.52*x.53*inv(x.54))>, x.48)
+         z.5   = z.45
+    
+    175. IDc   = IDc.29
+         certC = cert(x.46, sign(<x.46, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(x.48, x.49, z.45)
+         pkTe  = x.51^(x.52*inv((skC.37*x.53)))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = skC.37
+         z     = z.40
+         z.1   = x.51^(x.52*inv(x.53))
+         z.2   = verify(x.49, <x.48, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.51^(x.52*inv((skC.37*x.53)))>,
+                        x.48)
+         z.5   = z.45
+    
+    176. IDc   = IDc.29
+         certC = cert(x.46, sign(<x.46, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(x.48, x.49, z.45)
+         pkTe  = x.51^(x.52*inv((x.53*x.54)))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.54*inv(x.52))
+         z     = z.40
+         z.1   = x.51^inv(x.53)
+         z.2   = verify(x.49, <x.48, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.51^(x.52*inv((x.53*x.54)))>,
+                        x.48)
+         z.5   = z.45
+    
+    177. IDc   = IDc.29
+         certC = cert(x.46, sign(<x.46, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(x.48, sign(<x.48, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.50^(x.51*x.52*inv((x.53*x.54)))
+         r1    = r1.34
+         s1    = s1.36
+         skC   = (x.54*inv(x.52))
+         z     = z.40
+         z.1   = x.50^(x.51*inv(x.53))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.36, <IDc.29, r1.34, x.50^(x.51*x.52*inv((x.53*x.54)))>,
+                        x.48)
+         z.5   = z.45
+    
+    178. IDc   = IDc.29
+         certC = cert(x.47, x.48, z.40)
+         certT = cert(pk(x.50), x.51, z.45)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, pkTe.32>, x.50)
+         skC   = one
+         z     = z.40
+         z.1   = pkTe.32
+         z.2   = verify(x.51, <pk(x.50), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.48, <x.47, z.40, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+    179. IDc   = IDc.29
+         certC = cert(x.47, x.48, z.40)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, pkTe.32>, x.50)
+         skC   = skC.37
+         z     = z.40
+         z.1   = pkTe.32^skC.37
+         z.2   = true
+         z.3   = verify(x.48, <x.47, z.40, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+    180. IDc   = IDc.29
+         certC = cert(x.47, x.48, z.40)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = z.41^x.53
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, z.41^x.53>, x.50)
+         skC   = inv(x.53)
+         z     = z.40
+         z.1   = z.41
+         z.2   = true
+         z.3   = verify(x.48, <x.47, z.40, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+    181. IDc   = IDc.29
+         certC = cert(x.47, x.48, z.40)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = z.41^inv(skC.37)
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, z.41^inv(skC.37)>, x.50)
+         skC   = skC.37
+         z     = z.40
+         z.1   = z.41
+         z.2   = true
+         z.3   = verify(x.48, <x.47, z.40, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+    182. IDc   = IDc.29
+         certC = cert(x.47, sign(<x.47, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(pk(x.49), x.50, z.45)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, pkTe.32>, x.49)
+         skC   = skC.37
+         z     = z.40
+         z.1   = pkTe.32^skC.37
+         z.2   = verify(x.50, <pk(x.49), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.45
+    
+    183. IDc   = IDc.29
+         certC = cert(x.47, sign(<x.47, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(pk(x.49), x.50, z.45)
+         pkTe  = z.41^x.53
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, z.41^x.53>, x.49)
+         skC   = inv(x.53)
+         z     = z.40
+         z.1   = z.41
+         z.2   = verify(x.50, <pk(x.49), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.45
+    
+    184. IDc   = IDc.29
+         certC = cert(x.47, sign(<x.47, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(pk(x.49), x.50, z.45)
+         pkTe  = z.41^inv(skC.37)
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, z.41^inv(skC.37)>, x.49)
+         skC   = skC.37
+         z     = z.40
+         z.1   = z.41
+         z.2   = verify(x.50, <pk(x.49), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.45
+    
+    185. IDc   = IDc.29
+         certC = cert(x.47, sign(<x.47, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(pk(x.49), sign(<pk(x.49), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = z.41^(x.52*inv(x.53))
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, z.41^(x.52*inv(x.53))>, x.49)
+         skC   = (x.53*inv(x.52))
+         z     = z.40
+         z.1   = z.41
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.45
+    
+    186. IDc   = IDc.29
+         certC = cert(x.47, sign(<x.47, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(pk(x.49), sign(<pk(x.49), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.51^x.52
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, x.51^x.52>, x.49)
+         skC   = skC.37
+         z     = z.40
+         z.1   = x.51^(skC.37*x.52)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.45
+    
+    187. IDc   = IDc.29
+         certC = cert(x.47, sign(<x.47, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(pk(x.49), sign(<pk(x.49), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.51^inv((skC.37*x.52))
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, x.51^inv((skC.37*x.52))>, x.49)
+         skC   = skC.37
+         z     = z.40
+         z.1   = x.51^inv(x.52)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.45
+    
+    188. IDc   = IDc.29
+         certC = cert(x.47, sign(<x.47, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(pk(x.49), sign(<pk(x.49), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.51^(x.52*x.53)
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, x.51^(x.52*x.53)>, x.49)
+         skC   = inv(x.52)
+         z     = z.40
+         z.1   = x.51^x.53
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.45
+    
+    189. IDc   = IDc.29
+         certC = cert(x.47, sign(<x.47, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(pk(x.49), sign(<pk(x.49), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = x.51^(x.52*inv(skC.37))
+         r1    = r1.34
+         s1    = sign(<IDc.29, r1.34, x.51^(x.52*inv(skC.37))>, x.49)
+         skC   = skC.37
+         z     = z.40
+         z.1   = x.51^x.52
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.45
+    
+    190. IDc   = IDc.30
+         certC = certC.31
+         certT = certT.32
+         pkTe  = x.47^(x.48*x.49*inv(x.50))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.50*x.55*inv((x.48*x.56)))
+         z     = cert_id(certC.31)
+         z.1   = x.47^(x.49*x.55*inv(x.56))
+         z.2   = verify(cert_sig(certT.32),
+                        <cert_pk(certT.32), cert_id(certT.32), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.47^(x.48*x.49*inv(x.50))>,
+                        cert_pk(certT.32))
+         z.5   = cert_id(certT.32)
+    
+    191. IDc   = IDc.30
+         certC = certC.31
+         certT = certT.32
+         pkTe  = x.47^(x.48*x.49*inv(x.50))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.55*inv((x.48*x.56)))
+         z     = cert_id(certC.31)
+         z.1   = x.47^(x.49*x.55*inv((x.50*x.56)))
+         z.2   = verify(cert_sig(certT.32),
+                        <cert_pk(certT.32), cert_id(certT.32), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.47^(x.48*x.49*inv(x.50))>,
+                        cert_pk(certT.32))
+         z.5   = cert_id(certT.32)
+    
+    192. IDc   = IDc.30
+         certC = certC.31
+         certT = certT.32
+         pkTe  = x.47^(x.48*x.49*inv((x.50*x.51)))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.50*x.56*inv(x.48))
+         z     = cert_id(certC.31)
+         z.1   = x.47^(x.49*x.56*inv(x.51))
+         z.2   = verify(cert_sig(certT.32),
+                        <cert_pk(certT.32), cert_id(certT.32), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.47^(x.48*x.49*inv((x.50*x.51)))>,
+                        cert_pk(certT.32))
+         z.5   = cert_id(certT.32)
+    
+    193. IDc   = IDc.30
+         certC = certC.31
+         certT = certT.32
+         pkTe  = x.47^(x.48*x.49*inv((x.50*x.51)))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.50*inv((x.48*x.56)))
+         z     = cert_id(certC.31)
+         z.1   = x.47^(x.49*inv((x.51*x.56)))
+         z.2   = verify(cert_sig(certT.32),
+                        <cert_pk(certT.32), cert_id(certT.32), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.47^(x.48*x.49*inv((x.50*x.51)))>,
+                        cert_pk(certT.32))
+         z.5   = cert_id(certT.32)
+    
+    194. IDc   = IDc.30
+         certC = certC.31
+         certT = certT.32
+         pkTe  = x.47^(x.48*inv((x.49*x.50)))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.49*x.55*inv(x.56))
+         z     = cert_id(certC.31)
+         z.1   = x.47^(x.48*x.55*inv((x.50*x.56)))
+         z.2   = verify(cert_sig(certT.32),
+                        <cert_pk(certT.32), cert_id(certT.32), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.47^(x.48*inv((x.49*x.50)))>,
+                        cert_pk(certT.32))
+         z.5   = cert_id(certT.32)
+    
+    195. IDc   = IDc.30
+         certC = certC.31
+         certT = certT.32
+         pkTe  = x.47^(x.48*inv((x.49*x.50)))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.49*x.55*inv((x.48*x.56)))
+         z     = cert_id(certC.31)
+         z.1   = x.47^(x.55*inv((x.50*x.56)))
+         z.2   = verify(cert_sig(certT.32),
+                        <cert_pk(certT.32), cert_id(certT.32), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.47^(x.48*inv((x.49*x.50)))>,
+                        cert_pk(certT.32))
+         z.5   = cert_id(certT.32)
+    
+    196. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, x.48, z.46)
+         pkTe  = x.50^x.51
+         r1    = r1.35
+         s1    = s1.37
+         skC   = inv((x.51*x.56))
+         z     = cert_id(certC.31)
+         z.1   = x.50^inv(x.56)
+         z.2   = verify(x.48, <x.47, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.50^x.51>, x.47)
+         z.5   = z.46
+    
+    197. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, x.48, z.46)
+         pkTe  = x.50^x.51
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.56*inv(x.51))
+         z     = cert_id(certC.31)
+         z.1   = x.50^x.56
+         z.2   = verify(x.48, <x.47, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.50^x.51>, x.47)
+         z.5   = z.46
+    
+    198. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, x.48, z.46)
+         pkTe  = x.50^inv(x.51)
+         r1    = r1.35
+         s1    = s1.37
+         skC   = inv(x.56)
+         z     = cert_id(certC.31)
+         z.1   = x.50^inv((x.51*x.56))
+         z.2   = verify(x.48, <x.47, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.50^inv(x.51)>, x.47)
+         z.5   = z.46
+    
+    199. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, x.48, z.46)
+         pkTe  = x.50^inv(x.51)
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.51*x.56)
+         z     = cert_id(certC.31)
+         z.1   = x.50^x.56
+         z.2   = verify(x.48, <x.47, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.50^inv(x.51)>, x.47)
+         z.5   = z.46
+    
+    200. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, sign(<x.47, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.49^x.50
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.55*inv((x.50*x.56)))
+         z     = cert_id(certC.31)
+         z.1   = x.49^(x.55*inv(x.56))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.49^x.50>, x.47)
+         z.5   = z.46
+    
+    201. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, sign(<x.47, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.49^inv(x.50)
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.55*inv(x.56))
+         z     = cert_id(certC.31)
+         z.1   = x.49^(x.55*inv((x.50*x.56)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.49^inv(x.50)>, x.47)
+         z.5   = z.46
+    
+    202. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, sign(<x.47, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.49^inv((x.50*x.51))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.50*x.56)
+         z     = cert_id(certC.31)
+         z.1   = x.49^(x.56*inv(x.51))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.49^inv((x.50*x.51))>, x.47)
+         z.5   = z.46
+    
+    203. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, sign(<x.47, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.49^inv((x.50*x.51))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.50*inv(x.56))
+         z     = cert_id(certC.31)
+         z.1   = x.49^inv((x.51*x.56))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.49^inv((x.50*x.51))>, x.47)
+         z.5   = z.46
+    
+    204. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, sign(<x.47, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.49^(x.50*x.51)
+         r1    = r1.35
+         s1    = s1.37
+         skC   = inv((x.50*x.56))
+         z     = cert_id(certC.31)
+         z.1   = x.49^(x.51*inv(x.56))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.49^(x.50*x.51)>, x.47)
+         z.5   = z.46
+    
+    205. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, sign(<x.47, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.49^(x.50*x.51)
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.56*inv(x.50))
+         z     = cert_id(certC.31)
+         z.1   = x.49^(x.51*x.56)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.49^(x.50*x.51)>, x.47)
+         z.5   = z.46
+    
+    206. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, sign(<x.47, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.49^(x.50*inv(x.51))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = inv(x.56)
+         z     = cert_id(certC.31)
+         z.1   = x.49^(x.50*inv((x.51*x.56)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.49^(x.50*inv(x.51))>, x.47)
+         z.5   = z.46
+    
+    207. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, sign(<x.47, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.49^(x.50*inv(x.51))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = inv((x.50*x.56))
+         z     = cert_id(certC.31)
+         z.1   = x.49^inv((x.51*x.56))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.49^(x.50*inv(x.51))>, x.47)
+         z.5   = z.46
+    
+    208. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, sign(<x.47, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.49^(x.50*inv(x.51))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.51*x.56)
+         z     = cert_id(certC.31)
+         z.1   = x.49^(x.50*x.56)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.49^(x.50*inv(x.51))>, x.47)
+         z.5   = z.46
+    
+    209. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, sign(<x.47, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.49^(x.50*inv(x.51))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.51*x.56*inv(x.50))
+         z     = cert_id(certC.31)
+         z.1   = x.49^x.56
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.49^(x.50*inv(x.51))>, x.47)
+         z.5   = z.46
+    
+    210. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(x.47, sign(<x.47, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.49^(x.50*inv(x.51))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.51*inv((x.50*x.56)))
+         z     = cert_id(certC.31)
+         z.1   = x.49^inv(x.56)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.49^(x.50*inv(x.51))>, x.47)
+         z.5   = z.46
+    
+    211. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(pk(x.49), x.50, z.46)
+         pkTe  = z.42^(x.53*inv(x.54))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, z.42^(x.53*inv(x.54))>, x.49)
+         skC   = (x.54*inv(x.53))
+         z     = cert_id(certC.31)
+         z.1   = z.42
+         z.2   = verify(x.50, <pk(x.49), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    212. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(pk(x.49), x.50, z.46)
+         pkTe  = x.52^inv((skC.38*x.53))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.52^inv((skC.38*x.53))>, x.49)
+         skC   = skC.38
+         z     = cert_id(certC.31)
+         z.1   = x.52^inv(x.53)
+         z.2   = verify(x.50, <pk(x.49), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    213. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(pk(x.49), x.50, z.46)
+         pkTe  = x.52^(x.53*x.54)
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.52^(x.53*x.54)>, x.49)
+         skC   = inv(x.53)
+         z     = cert_id(certC.31)
+         z.1   = x.52^x.54
+         z.2   = verify(x.50, <pk(x.49), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    214. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(pk(x.49), x.50, z.46)
+         pkTe  = x.52^(x.53*inv(skC.38))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.52^(x.53*inv(skC.38))>, x.49)
+         skC   = skC.38
+         z     = cert_id(certC.31)
+         z.1   = x.52^x.53
+         z.2   = verify(x.50, <pk(x.49), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    215. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(pk(x.49), sign(<pk(x.49), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.51^x.52
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.51^x.52>, x.49)
+         skC   = inv((x.52*x.56))
+         z     = cert_id(certC.31)
+         z.1   = x.51^inv(x.56)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    216. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(pk(x.49), sign(<pk(x.49), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.51^x.52
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.51^x.52>, x.49)
+         skC   = (x.56*inv(x.52))
+         z     = cert_id(certC.31)
+         z.1   = x.51^x.56
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    217. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(pk(x.49), sign(<pk(x.49), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.51^inv(x.52)
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.51^inv(x.52)>, x.49)
+         skC   = inv(x.56)
+         z     = cert_id(certC.31)
+         z.1   = x.51^inv((x.52*x.56))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    218. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(pk(x.49), sign(<pk(x.49), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.51^inv(x.52)
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.51^inv(x.52)>, x.49)
+         skC   = (x.52*x.56)
+         z     = cert_id(certC.31)
+         z.1   = x.51^x.56
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    219. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(pk(x.49), sign(<pk(x.49), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.51^(x.52*x.53*inv(x.54))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.51^(x.52*x.53*inv(x.54))>, x.49)
+         skC   = (x.54*inv(x.53))
+         z     = cert_id(certC.31)
+         z.1   = x.51^x.52
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    220. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(pk(x.49), sign(<pk(x.49), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.51^(x.52*inv((skC.38*x.53)))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.51^(x.52*inv((skC.38*x.53)))>, x.49)
+         skC   = skC.38
+         z     = cert_id(certC.31)
+         z.1   = x.51^(x.52*inv(x.53))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    221. IDc   = IDc.30
+         certC = certC.31
+         certT = cert(pk(x.49), sign(<pk(x.49), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.51^(x.52*inv((x.53*x.54)))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.51^(x.52*inv((x.53*x.54)))>, x.49)
+         skC   = (x.54*inv(x.52))
+         z     = cert_id(certC.31)
+         z.1   = x.51^inv(x.53)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    222. IDc   = IDc.30
+         certC = cert(x.47, x.48, z.41)
+         certT = cert(x.50, x.51, z.46)
+         pkTe  = x.53^(x.54*x.55*inv(x.56))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.56*inv(x.55))
+         z     = z.41
+         z.1   = x.53^x.54
+         z.2   = verify(x.51, <x.50, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.48, <x.47, z.41, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.53^(x.54*x.55*inv(x.56))>, x.50)
+         z.5   = z.46
+    
+    223. IDc   = IDc.30
+         certC = cert(x.47, x.48, z.41)
+         certT = cert(x.50, x.51, z.46)
+         pkTe  = x.53^(x.54*inv((skC.38*x.55)))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = skC.38
+         z     = z.41
+         z.1   = x.53^(x.54*inv(x.55))
+         z.2   = verify(x.51, <x.50, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.48, <x.47, z.41, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.53^(x.54*inv((skC.38*x.55)))>,
+                        x.50)
+         z.5   = z.46
+    
+    224. IDc   = IDc.30
+         certC = cert(x.47, x.48, z.41)
+         certT = cert(x.50, x.51, z.46)
+         pkTe  = x.53^(x.54*inv((x.55*x.56)))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.56*inv(x.54))
+         z     = z.41
+         z.1   = x.53^inv(x.55)
+         z.2   = verify(x.51, <x.50, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.48, <x.47, z.41, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.53^(x.54*inv((x.55*x.56)))>,
+                        x.50)
+         z.5   = z.46
+    
+    225. IDc   = IDc.30
+         certC = cert(x.47, x.48, z.41)
+         certT = cert(x.50, sign(<x.50, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.52^(x.53*x.54*inv((x.55*x.56)))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.56*inv(x.54))
+         z     = z.41
+         z.1   = x.52^(x.53*inv(x.55))
+         z.2   = true
+         z.3   = verify(x.48, <x.47, z.41, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.52^(x.53*x.54*inv((x.55*x.56)))>,
+                        x.50)
+         z.5   = z.46
+    
+    226. IDc   = IDc.30
+         certC = cert(x.47, sign(<x.47, z.41, 'chip'>, ca_sk), z.41)
+         certT = certT.32
+         pkTe  = x.50^x.51
+         r1    = r1.35
+         s1    = s1.37
+         skC   = inv((x.51*x.56))
+         z     = z.41
+         z.1   = x.50^inv(x.56)
+         z.2   = verify(cert_sig(certT.32),
+                        <cert_pk(certT.32), cert_id(certT.32), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.50^x.51>, cert_pk(certT.32))
+         z.5   = cert_id(certT.32)
+    
+    227. IDc   = IDc.30
+         certC = cert(x.47, sign(<x.47, z.41, 'chip'>, ca_sk), z.41)
+         certT = certT.32
+         pkTe  = x.50^x.51
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.56*inv(x.51))
+         z     = z.41
+         z.1   = x.50^x.56
+         z.2   = verify(cert_sig(certT.32),
+                        <cert_pk(certT.32), cert_id(certT.32), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.50^x.51>, cert_pk(certT.32))
+         z.5   = cert_id(certT.32)
+    
+    228. IDc   = IDc.30
+         certC = cert(x.47, sign(<x.47, z.41, 'chip'>, ca_sk), z.41)
+         certT = certT.32
+         pkTe  = x.50^inv(x.51)
+         r1    = r1.35
+         s1    = s1.37
+         skC   = inv(x.56)
+         z     = z.41
+         z.1   = x.50^inv((x.51*x.56))
+         z.2   = verify(cert_sig(certT.32),
+                        <cert_pk(certT.32), cert_id(certT.32), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.50^inv(x.51)>, cert_pk(certT.32))
+         z.5   = cert_id(certT.32)
+    
+    229. IDc   = IDc.30
+         certC = cert(x.47, sign(<x.47, z.41, 'chip'>, ca_sk), z.41)
+         certT = certT.32
+         pkTe  = x.50^inv(x.51)
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.51*x.56)
+         z     = z.41
+         z.1   = x.50^x.56
+         z.2   = verify(cert_sig(certT.32),
+                        <cert_pk(certT.32), cert_id(certT.32), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.50^inv(x.51)>, cert_pk(certT.32))
+         z.5   = cert_id(certT.32)
+    
+    230. IDc   = IDc.30
+         certC = cert(x.47, sign(<x.47, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(x.49, x.50, z.46)
+         pkTe  = x.52^(x.53*x.54*inv((x.55*x.56)))
+         r1    = r1.35
+         s1    = s1.37
+         skC   = (x.56*inv(x.54))
+         z     = z.41
+         z.1   = x.52^(x.53*inv(x.55))
+         z.2   = verify(x.50, <x.49, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.37, <IDc.30, r1.35, x.52^(x.53*x.54*inv((x.55*x.56)))>,
+                        x.49)
+         z.5   = z.46
+    
+    231. IDc   = IDc.30
+         certC = cert(x.48, x.49, z.41)
+         certT = cert(pk(x.51), x.52, z.46)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, pkTe.33>, x.51)
+         skC   = skC.38
+         z     = z.41
+         z.1   = pkTe.33^skC.38
+         z.2   = verify(x.52, <pk(x.51), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <x.48, z.41, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    232. IDc   = IDc.30
+         certC = cert(x.48, x.49, z.41)
+         certT = cert(pk(x.51), x.52, z.46)
+         pkTe  = z.42^x.55
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, z.42^x.55>, x.51)
+         skC   = inv(x.55)
+         z     = z.41
+         z.1   = z.42
+         z.2   = verify(x.52, <pk(x.51), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <x.48, z.41, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    233. IDc   = IDc.30
+         certC = cert(x.48, x.49, z.41)
+         certT = cert(pk(x.51), x.52, z.46)
+         pkTe  = z.42^inv(skC.38)
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, z.42^inv(skC.38)>, x.51)
+         skC   = skC.38
+         z     = z.41
+         z.1   = z.42
+         z.2   = verify(x.52, <pk(x.51), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <x.48, z.41, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    234. IDc   = IDc.30
+         certC = cert(x.48, x.49, z.41)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = z.42^(x.54*inv(x.55))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, z.42^(x.54*inv(x.55))>, x.51)
+         skC   = (x.55*inv(x.54))
+         z     = z.41
+         z.1   = z.42
+         z.2   = true
+         z.3   = verify(x.49, <x.48, z.41, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    235. IDc   = IDc.30
+         certC = cert(x.48, x.49, z.41)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.53^x.54
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.53^x.54>, x.51)
+         skC   = skC.38
+         z     = z.41
+         z.1   = x.53^(skC.38*x.54)
+         z.2   = true
+         z.3   = verify(x.49, <x.48, z.41, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    236. IDc   = IDc.30
+         certC = cert(x.48, x.49, z.41)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.53^inv((skC.38*x.54))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.53^inv((skC.38*x.54))>, x.51)
+         skC   = skC.38
+         z     = z.41
+         z.1   = x.53^inv(x.54)
+         z.2   = true
+         z.3   = verify(x.49, <x.48, z.41, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    237. IDc   = IDc.30
+         certC = cert(x.48, x.49, z.41)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.53^(x.54*x.55)
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.53^(x.54*x.55)>, x.51)
+         skC   = inv(x.54)
+         z     = z.41
+         z.1   = x.53^x.55
+         z.2   = true
+         z.3   = verify(x.49, <x.48, z.41, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    238. IDc   = IDc.30
+         certC = cert(x.48, x.49, z.41)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.53^(x.54*inv(skC.38))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.53^(x.54*inv(skC.38))>, x.51)
+         skC   = skC.38
+         z     = z.41
+         z.1   = x.53^x.54
+         z.2   = true
+         z.3   = verify(x.49, <x.48, z.41, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+    239. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), x.51, z.46)
+         pkTe  = z.42^(x.54*inv(x.55))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, z.42^(x.54*inv(x.55))>, x.50)
+         skC   = (x.55*inv(x.54))
+         z     = z.41
+         z.1   = z.42
+         z.2   = verify(x.51, <pk(x.50), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    240. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), x.51, z.46)
+         pkTe  = x.53^x.54
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.53^x.54>, x.50)
+         skC   = skC.38
+         z     = z.41
+         z.1   = x.53^(skC.38*x.54)
+         z.2   = verify(x.51, <pk(x.50), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    241. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), x.51, z.46)
+         pkTe  = x.53^inv((skC.38*x.54))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.53^inv((skC.38*x.54))>, x.50)
+         skC   = skC.38
+         z     = z.41
+         z.1   = x.53^inv(x.54)
+         z.2   = verify(x.51, <pk(x.50), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    242. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), x.51, z.46)
+         pkTe  = x.53^(x.54*x.55)
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.53^(x.54*x.55)>, x.50)
+         skC   = inv(x.54)
+         z     = z.41
+         z.1   = x.53^x.55
+         z.2   = verify(x.51, <pk(x.50), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    243. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), x.51, z.46)
+         pkTe  = x.53^(x.54*inv(skC.38))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.53^(x.54*inv(skC.38))>, x.50)
+         skC   = skC.38
+         z     = z.41
+         z.1   = x.53^x.54
+         z.2   = verify(x.51, <pk(x.50), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    244. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.52^x.53
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.52^x.53>, x.50)
+         skC   = inv((x.53*x.57))
+         z     = z.41
+         z.1   = x.52^inv(x.57)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    245. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.52^x.53
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.52^x.53>, x.50)
+         skC   = (x.57*inv(x.53))
+         z     = z.41
+         z.1   = x.52^x.57
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    246. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.52^inv(x.53)
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.52^inv(x.53)>, x.50)
+         skC   = inv(x.57)
+         z     = z.41
+         z.1   = x.52^inv((x.53*x.57))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    247. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.52^inv(x.53)
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.52^inv(x.53)>, x.50)
+         skC   = (x.53*x.57)
+         z     = z.41
+         z.1   = x.52^x.57
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    248. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.52^(x.53*x.54*inv(x.55))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.52^(x.53*x.54*inv(x.55))>, x.50)
+         skC   = (x.55*inv(x.54))
+         z     = z.41
+         z.1   = x.52^x.53
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    249. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.52^(x.53*inv((skC.38*x.54)))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.52^(x.53*inv((skC.38*x.54)))>, x.50)
+         skC   = skC.38
+         z     = z.41
+         z.1   = x.52^(x.53*inv(x.54))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    250. IDc   = IDc.30
+         certC = cert(x.48, sign(<x.48, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = x.52^(x.53*inv((x.54*x.55)))
+         r1    = r1.35
+         s1    = sign(<IDc.30, r1.35, x.52^(x.53*inv((x.54*x.55)))>, x.50)
+         skC   = (x.55*inv(x.53))
+         z     = z.41
+         z.1   = x.52^inv(x.54)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+    251. IDc   = IDc.31
+         certC = certC.32
+         certT = certT.33
+         pkTe  = x.48^(x.49*x.50*inv((x.51*x.52)))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.51*x.57*inv((x.49*x.58)))
+         z     = cert_id(certC.32)
+         z.1   = x.48^(x.50*x.57*inv((x.52*x.58)))
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.48^(x.49*x.50*inv((x.51*x.52)))>,
+                        cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    252. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, x.49, z.47)
+         pkTe  = x.51^x.52
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.57*inv((x.52*x.58)))
+         z     = cert_id(certC.32)
+         z.1   = x.51^(x.57*inv(x.58))
+         z.2   = verify(x.49, <x.48, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^x.52>, x.48)
+         z.5   = z.47
+    
+    253. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, x.49, z.47)
+         pkTe  = x.51^inv(x.52)
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.57*inv(x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.51^(x.57*inv((x.52*x.58)))
+         z.2   = verify(x.49, <x.48, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^inv(x.52)>, x.48)
+         z.5   = z.47
+    
+    254. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, x.49, z.47)
+         pkTe  = x.51^inv((x.52*x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.52*x.58)
+         z     = cert_id(certC.32)
+         z.1   = x.51^(x.58*inv(x.53))
+         z.2   = verify(x.49, <x.48, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^inv((x.52*x.53))>, x.48)
+         z.5   = z.47
+    
+    255. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, x.49, z.47)
+         pkTe  = x.51^inv((x.52*x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.52*inv(x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.51^inv((x.53*x.58))
+         z.2   = verify(x.49, <x.48, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^inv((x.52*x.53))>, x.48)
+         z.5   = z.47
+    
+    256. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, x.49, z.47)
+         pkTe  = x.51^(x.52*x.53)
+         r1    = r1.36
+         s1    = s1.38
+         skC   = inv((x.52*x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.51^(x.53*inv(x.58))
+         z.2   = verify(x.49, <x.48, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*x.53)>, x.48)
+         z.5   = z.47
+    
+    257. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, x.49, z.47)
+         pkTe  = x.51^(x.52*x.53)
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.58*inv(x.52))
+         z     = cert_id(certC.32)
+         z.1   = x.51^(x.53*x.58)
+         z.2   = verify(x.49, <x.48, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*x.53)>, x.48)
+         z.5   = z.47
+    
+    258. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, x.49, z.47)
+         pkTe  = x.51^(x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = inv(x.58)
+         z     = cert_id(certC.32)
+         z.1   = x.51^(x.52*inv((x.53*x.58)))
+         z.2   = verify(x.49, <x.48, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*inv(x.53))>, x.48)
+         z.5   = z.47
+    
+    259. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, x.49, z.47)
+         pkTe  = x.51^(x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = inv((x.52*x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.51^inv((x.53*x.58))
+         z.2   = verify(x.49, <x.48, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*inv(x.53))>, x.48)
+         z.5   = z.47
+    
+    260. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, x.49, z.47)
+         pkTe  = x.51^(x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.53*x.58)
+         z     = cert_id(certC.32)
+         z.1   = x.51^(x.52*x.58)
+         z.2   = verify(x.49, <x.48, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*inv(x.53))>, x.48)
+         z.5   = z.47
+    
+    261. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, x.49, z.47)
+         pkTe  = x.51^(x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.53*x.58*inv(x.52))
+         z     = cert_id(certC.32)
+         z.1   = x.51^x.58
+         z.2   = verify(x.49, <x.48, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*inv(x.53))>, x.48)
+         z.5   = z.47
+    
+    262. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, x.49, z.47)
+         pkTe  = x.51^(x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.53*inv((x.52*x.58)))
+         z     = cert_id(certC.32)
+         z.1   = x.51^inv(x.58)
+         z.2   = verify(x.49, <x.48, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*inv(x.53))>, x.48)
+         z.5   = z.47
+    
+    263. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^inv((x.51*x.52))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.51*x.57*inv(x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.50^(x.57*inv((x.52*x.58)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^inv((x.51*x.52))>, x.48)
+         z.5   = z.47
+    
+    264. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^(x.51*x.52)
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.57*inv((x.51*x.58)))
+         z     = cert_id(certC.32)
+         z.1   = x.50^(x.52*x.57*inv(x.58))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^(x.51*x.52)>, x.48)
+         z.5   = z.47
+    
+    265. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^(x.51*x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = inv((x.52*x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.50^(x.51*inv((x.53*x.58)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^(x.51*x.52*inv(x.53))>, x.48)
+         z.5   = z.47
+    
+    266. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^(x.51*x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.53*x.58*inv(x.51))
+         z     = cert_id(certC.32)
+         z.1   = x.50^(x.52*x.58)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^(x.51*x.52*inv(x.53))>, x.48)
+         z.5   = z.47
+    
+    267. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^(x.51*x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.53*inv((x.51*x.58)))
+         z     = cert_id(certC.32)
+         z.1   = x.50^(x.52*inv(x.58))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^(x.51*x.52*inv(x.53))>, x.48)
+         z.5   = z.47
+    
+    268. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^(x.51*inv(x.52))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.52*x.57*inv((x.51*x.58)))
+         z     = cert_id(certC.32)
+         z.1   = x.50^(x.57*inv(x.58))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^(x.51*inv(x.52))>, x.48)
+         z.5   = z.47
+    
+    269. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^(x.51*inv(x.52))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.57*inv(x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.50^(x.51*x.57*inv((x.52*x.58)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^(x.51*inv(x.52))>, x.48)
+         z.5   = z.47
+    
+    270. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^(x.51*inv(x.52))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.57*inv((x.51*x.58)))
+         z     = cert_id(certC.32)
+         z.1   = x.50^(x.57*inv((x.52*x.58)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^(x.51*inv(x.52))>, x.48)
+         z.5   = z.47
+    
+    271. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^(x.51*inv((x.52*x.53)))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.52*x.58)
+         z     = cert_id(certC.32)
+         z.1   = x.50^(x.51*x.58*inv(x.53))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^(x.51*inv((x.52*x.53)))>,
+                        x.48)
+         z.5   = z.47
+    
+    272. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^(x.51*inv((x.52*x.53)))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.52*x.58*inv(x.51))
+         z     = cert_id(certC.32)
+         z.1   = x.50^(x.58*inv(x.53))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^(x.51*inv((x.52*x.53)))>,
+                        x.48)
+         z.5   = z.47
+    
+    273. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^(x.51*inv((x.52*x.53)))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.52*inv(x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.50^(x.51*inv((x.53*x.58)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^(x.51*inv((x.52*x.53)))>,
+                        x.48)
+         z.5   = z.47
+    
+    274. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(x.48, sign(<x.48, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.50^(x.51*inv((x.52*x.53)))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.52*inv((x.51*x.58)))
+         z     = cert_id(certC.32)
+         z.1   = x.50^inv((x.53*x.58))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.50^(x.51*inv((x.52*x.53)))>,
+                        x.48)
+         z.5   = z.47
+    
+    275. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), x.51, z.47)
+         pkTe  = x.53^x.54
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^x.54>, x.50)
+         skC   = inv((x.54*x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.53^inv(x.58)
+         z.2   = verify(x.51, <pk(x.50), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    276. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), x.51, z.47)
+         pkTe  = x.53^x.54
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^x.54>, x.50)
+         skC   = (x.58*inv(x.54))
+         z     = cert_id(certC.32)
+         z.1   = x.53^x.58
+         z.2   = verify(x.51, <pk(x.50), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    277. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), x.51, z.47)
+         pkTe  = x.53^inv(x.54)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^inv(x.54)>, x.50)
+         skC   = inv(x.58)
+         z     = cert_id(certC.32)
+         z.1   = x.53^inv((x.54*x.58))
+         z.2   = verify(x.51, <pk(x.50), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    278. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), x.51, z.47)
+         pkTe  = x.53^inv(x.54)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^inv(x.54)>, x.50)
+         skC   = (x.54*x.58)
+         z     = cert_id(certC.32)
+         z.1   = x.53^x.58
+         z.2   = verify(x.51, <pk(x.50), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    279. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), x.51, z.47)
+         pkTe  = x.53^(x.54*x.55*inv(x.56))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^(x.54*x.55*inv(x.56))>, x.50)
+         skC   = (x.56*inv(x.55))
+         z     = cert_id(certC.32)
+         z.1   = x.53^x.54
+         z.2   = verify(x.51, <pk(x.50), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    280. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), x.51, z.47)
+         pkTe  = x.53^(x.54*inv((skC.39*x.55)))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^(x.54*inv((skC.39*x.55)))>, x.50)
+         skC   = skC.39
+         z     = cert_id(certC.32)
+         z.1   = x.53^(x.54*inv(x.55))
+         z.2   = verify(x.51, <pk(x.50), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    281. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), x.51, z.47)
+         pkTe  = x.53^(x.54*inv((x.55*x.56)))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^(x.54*inv((x.55*x.56)))>, x.50)
+         skC   = (x.56*inv(x.54))
+         z     = cert_id(certC.32)
+         z.1   = x.53^inv(x.55)
+         z.2   = verify(x.51, <pk(x.50), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    282. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^x.53
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^x.53>, x.50)
+         skC   = (x.57*inv((x.53*x.58)))
+         z     = cert_id(certC.32)
+         z.1   = x.52^(x.57*inv(x.58))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    283. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^inv(x.53)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^inv(x.53)>, x.50)
+         skC   = (x.57*inv(x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.52^(x.57*inv((x.53*x.58)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    284. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^inv((x.53*x.54))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^inv((x.53*x.54))>, x.50)
+         skC   = (x.53*x.58)
+         z     = cert_id(certC.32)
+         z.1   = x.52^(x.58*inv(x.54))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    285. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^inv((x.53*x.54))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^inv((x.53*x.54))>, x.50)
+         skC   = (x.53*inv(x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.52^inv((x.54*x.58))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    286. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^(x.53*x.54)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^(x.53*x.54)>, x.50)
+         skC   = inv((x.53*x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.52^(x.54*inv(x.58))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    287. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^(x.53*x.54)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^(x.53*x.54)>, x.50)
+         skC   = (x.58*inv(x.53))
+         z     = cert_id(certC.32)
+         z.1   = x.52^(x.54*x.58)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    288. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^(x.53*x.54*inv((x.55*x.56)))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^(x.53*x.54*inv((x.55*x.56)))>, x.50)
+         skC   = (x.56*inv(x.54))
+         z     = cert_id(certC.32)
+         z.1   = x.52^(x.53*inv(x.55))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    289. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^(x.53*inv(x.54))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^(x.53*inv(x.54))>, x.50)
+         skC   = inv(x.58)
+         z     = cert_id(certC.32)
+         z.1   = x.52^(x.53*inv((x.54*x.58)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    290. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^(x.53*inv(x.54))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^(x.53*inv(x.54))>, x.50)
+         skC   = inv((x.53*x.58))
+         z     = cert_id(certC.32)
+         z.1   = x.52^inv((x.54*x.58))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    291. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^(x.53*inv(x.54))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^(x.53*inv(x.54))>, x.50)
+         skC   = (x.54*x.58)
+         z     = cert_id(certC.32)
+         z.1   = x.52^(x.53*x.58)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    292. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^(x.53*inv(x.54))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^(x.53*inv(x.54))>, x.50)
+         skC   = (x.54*x.58*inv(x.53))
+         z     = cert_id(certC.32)
+         z.1   = x.52^x.58
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    293. IDc   = IDc.31
+         certC = certC.32
+         certT = cert(pk(x.50), sign(<pk(x.50), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^(x.53*inv(x.54))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.52^(x.53*inv(x.54))>, x.50)
+         skC   = (x.54*inv((x.53*x.58)))
+         z     = cert_id(certC.32)
+         z.1   = x.52^inv(x.58)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.32),
+                        <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    294. IDc   = IDc.31
+         certC = cert(x.48, x.49, z.42)
+         certT = certT.33
+         pkTe  = x.52^x.53
+         r1    = r1.36
+         s1    = s1.38
+         skC   = inv((x.53*x.58))
+         z     = z.42
+         z.1   = x.52^inv(x.58)
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <x.48, z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.52^x.53>, cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    295. IDc   = IDc.31
+         certC = cert(x.48, x.49, z.42)
+         certT = certT.33
+         pkTe  = x.52^x.53
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.58*inv(x.53))
+         z     = z.42
+         z.1   = x.52^x.58
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <x.48, z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.52^x.53>, cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    296. IDc   = IDc.31
+         certC = cert(x.48, x.49, z.42)
+         certT = certT.33
+         pkTe  = x.52^inv(x.53)
+         r1    = r1.36
+         s1    = s1.38
+         skC   = inv(x.58)
+         z     = z.42
+         z.1   = x.52^inv((x.53*x.58))
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <x.48, z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.52^inv(x.53)>, cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    297. IDc   = IDc.31
+         certC = cert(x.48, x.49, z.42)
+         certT = certT.33
+         pkTe  = x.52^inv(x.53)
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.53*x.58)
+         z     = z.42
+         z.1   = x.52^x.58
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <x.48, z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.52^inv(x.53)>, cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    298. IDc   = IDc.31
+         certC = cert(x.48, x.49, z.42)
+         certT = cert(x.51, x.52, z.47)
+         pkTe  = x.54^(x.55*x.56*inv((x.57*x.58)))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.58*inv(x.56))
+         z     = z.42
+         z.1   = x.54^(x.55*inv(x.57))
+         z.2   = verify(x.52, <x.51, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <x.48, z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.54^(x.55*x.56*inv((x.57*x.58)))>,
+                        x.51)
+         z.5   = z.47
+    
+    299. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.33
+         pkTe  = x.51^x.52
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.57*inv((x.52*x.58)))
+         z     = z.42
+         z.1   = x.51^(x.57*inv(x.58))
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^x.52>, cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    300. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.33
+         pkTe  = x.51^inv(x.52)
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.57*inv(x.58))
+         z     = z.42
+         z.1   = x.51^(x.57*inv((x.52*x.58)))
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^inv(x.52)>, cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    301. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.33
+         pkTe  = x.51^inv((x.52*x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.52*x.58)
+         z     = z.42
+         z.1   = x.51^(x.58*inv(x.53))
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^inv((x.52*x.53))>,
+                        cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    302. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.33
+         pkTe  = x.51^inv((x.52*x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.52*inv(x.58))
+         z     = z.42
+         z.1   = x.51^inv((x.53*x.58))
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^inv((x.52*x.53))>,
+                        cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    303. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.33
+         pkTe  = x.51^(x.52*x.53)
+         r1    = r1.36
+         s1    = s1.38
+         skC   = inv((x.52*x.58))
+         z     = z.42
+         z.1   = x.51^(x.53*inv(x.58))
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*x.53)>,
+                        cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    304. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.33
+         pkTe  = x.51^(x.52*x.53)
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.58*inv(x.52))
+         z     = z.42
+         z.1   = x.51^(x.53*x.58)
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*x.53)>,
+                        cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    305. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.33
+         pkTe  = x.51^(x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = inv(x.58)
+         z     = z.42
+         z.1   = x.51^(x.52*inv((x.53*x.58)))
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*inv(x.53))>,
+                        cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    306. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.33
+         pkTe  = x.51^(x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = inv((x.52*x.58))
+         z     = z.42
+         z.1   = x.51^inv((x.53*x.58))
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*inv(x.53))>,
+                        cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    307. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.33
+         pkTe  = x.51^(x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.53*x.58)
+         z     = z.42
+         z.1   = x.51^(x.52*x.58)
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*inv(x.53))>,
+                        cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    308. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.33
+         pkTe  = x.51^(x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.53*x.58*inv(x.52))
+         z     = z.42
+         z.1   = x.51^x.58
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*inv(x.53))>,
+                        cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    309. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.33
+         pkTe  = x.51^(x.52*inv(x.53))
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.53*inv((x.52*x.58)))
+         z     = z.42
+         z.1   = x.51^inv(x.58)
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.51^(x.52*inv(x.53))>,
+                        cert_pk(certT.33))
+         z.5   = cert_id(certT.33)
+    
+    310. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(x.50, sign(<x.50, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^x.53
+         r1    = r1.36
+         s1    = s1.38
+         skC   = inv((x.53*x.58))
+         z     = z.42
+         z.1   = x.52^inv(x.58)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.52^x.53>, x.50)
+         z.5   = z.47
+    
+    311. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(x.50, sign(<x.50, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^x.53
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.58*inv(x.53))
+         z     = z.42
+         z.1   = x.52^x.58
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.52^x.53>, x.50)
+         z.5   = z.47
+    
+    312. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(x.50, sign(<x.50, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^inv(x.53)
+         r1    = r1.36
+         s1    = s1.38
+         skC   = inv(x.58)
+         z     = z.42
+         z.1   = x.52^inv((x.53*x.58))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.52^inv(x.53)>, x.50)
+         z.5   = z.47
+    
+    313. IDc   = IDc.31
+         certC = cert(x.48, sign(<x.48, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(x.50, sign(<x.50, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.52^inv(x.53)
+         r1    = r1.36
+         s1    = s1.38
+         skC   = (x.53*x.58)
+         z     = z.42
+         z.1   = x.52^x.58
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.31, r1.36, x.52^inv(x.53)>, x.50)
+         z.5   = z.47
+    
+    314. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), x.53, z.47)
+         pkTe  = z.43^(x.56*inv(x.57))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, z.43^(x.56*inv(x.57))>, x.52)
+         skC   = (x.57*inv(x.56))
+         z     = z.42
+         z.1   = z.43
+         z.2   = verify(x.53, <pk(x.52), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    315. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), x.53, z.47)
+         pkTe  = x.55^x.56
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.55^x.56>, x.52)
+         skC   = skC.39
+         z     = z.42
+         z.1   = x.55^(skC.39*x.56)
+         z.2   = verify(x.53, <pk(x.52), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    316. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), x.53, z.47)
+         pkTe  = x.55^inv((skC.39*x.56))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.55^inv((skC.39*x.56))>, x.52)
+         skC   = skC.39
+         z     = z.42
+         z.1   = x.55^inv(x.56)
+         z.2   = verify(x.53, <pk(x.52), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    317. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), x.53, z.47)
+         pkTe  = x.55^(x.56*x.57)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.55^(x.56*x.57)>, x.52)
+         skC   = inv(x.56)
+         z     = z.42
+         z.1   = x.55^x.57
+         z.2   = verify(x.53, <pk(x.52), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    318. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), x.53, z.47)
+         pkTe  = x.55^(x.56*inv(skC.39))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.55^(x.56*inv(skC.39))>, x.52)
+         skC   = skC.39
+         z     = z.42
+         z.1   = x.55^x.56
+         z.2   = verify(x.53, <pk(x.52), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    319. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.54^x.55
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^x.55>, x.52)
+         skC   = inv((x.55*x.59))
+         z     = z.42
+         z.1   = x.54^inv(x.59)
+         z.2   = true
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    320. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.54^x.55
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^x.55>, x.52)
+         skC   = (x.59*inv(x.55))
+         z     = z.42
+         z.1   = x.54^x.59
+         z.2   = true
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    321. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.54^inv(x.55)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^inv(x.55)>, x.52)
+         skC   = inv(x.59)
+         z     = z.42
+         z.1   = x.54^inv((x.55*x.59))
+         z.2   = true
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    322. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.54^inv(x.55)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^inv(x.55)>, x.52)
+         skC   = (x.55*x.59)
+         z     = z.42
+         z.1   = x.54^x.59
+         z.2   = true
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    323. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^(x.55*x.56*inv(x.57))>, x.52)
+         skC   = (x.57*inv(x.56))
+         z     = z.42
+         z.1   = x.54^x.55
+         z.2   = true
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    324. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.54^(x.55*inv((skC.39*x.56)))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^(x.55*inv((skC.39*x.56)))>, x.52)
+         skC   = skC.39
+         z     = z.42
+         z.1   = x.54^(x.55*inv(x.56))
+         z.2   = true
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    325. IDc   = IDc.31
+         certC = cert(x.49, x.50, z.42)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^(x.55*inv((x.56*x.57)))>, x.52)
+         skC   = (x.57*inv(x.55))
+         z     = z.42
+         z.1   = x.54^inv(x.56)
+         z.2   = true
+         z.3   = verify(x.50, <x.49, z.42, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    326. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), x.52, z.47)
+         pkTe  = x.54^x.55
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^x.55>, x.51)
+         skC   = inv((x.55*x.59))
+         z     = z.42
+         z.1   = x.54^inv(x.59)
+         z.2   = verify(x.52, <pk(x.51), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    327. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), x.52, z.47)
+         pkTe  = x.54^x.55
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^x.55>, x.51)
+         skC   = (x.59*inv(x.55))
+         z     = z.42
+         z.1   = x.54^x.59
+         z.2   = verify(x.52, <pk(x.51), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    328. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), x.52, z.47)
+         pkTe  = x.54^inv(x.55)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^inv(x.55)>, x.51)
+         skC   = inv(x.59)
+         z     = z.42
+         z.1   = x.54^inv((x.55*x.59))
+         z.2   = verify(x.52, <pk(x.51), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    329. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), x.52, z.47)
+         pkTe  = x.54^inv(x.55)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^inv(x.55)>, x.51)
+         skC   = (x.55*x.59)
+         z     = z.42
+         z.1   = x.54^x.59
+         z.2   = verify(x.52, <pk(x.51), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    330. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), x.52, z.47)
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^(x.55*x.56*inv(x.57))>, x.51)
+         skC   = (x.57*inv(x.56))
+         z     = z.42
+         z.1   = x.54^x.55
+         z.2   = verify(x.52, <pk(x.51), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    331. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), x.52, z.47)
+         pkTe  = x.54^(x.55*inv((skC.39*x.56)))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^(x.55*inv((skC.39*x.56)))>, x.51)
+         skC   = skC.39
+         z     = z.42
+         z.1   = x.54^(x.55*inv(x.56))
+         z.2   = verify(x.52, <pk(x.51), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    332. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), x.52, z.47)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.54^(x.55*inv((x.56*x.57)))>, x.51)
+         skC   = (x.57*inv(x.55))
+         z     = z.42
+         z.1   = x.54^inv(x.56)
+         z.2   = verify(x.52, <pk(x.51), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    333. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^x.54
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^x.54>, x.51)
+         skC   = (x.58*inv((x.54*x.59)))
+         z     = z.42
+         z.1   = x.53^(x.58*inv(x.59))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    334. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^inv(x.54)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^inv(x.54)>, x.51)
+         skC   = (x.58*inv(x.59))
+         z     = z.42
+         z.1   = x.53^(x.58*inv((x.54*x.59)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    335. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^inv((x.54*x.55))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^inv((x.54*x.55))>, x.51)
+         skC   = (x.54*x.59)
+         z     = z.42
+         z.1   = x.53^(x.59*inv(x.55))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    336. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^inv((x.54*x.55))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^inv((x.54*x.55))>, x.51)
+         skC   = (x.54*inv(x.59))
+         z     = z.42
+         z.1   = x.53^inv((x.55*x.59))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    337. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^(x.54*x.55)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^(x.54*x.55)>, x.51)
+         skC   = inv((x.54*x.59))
+         z     = z.42
+         z.1   = x.53^(x.55*inv(x.59))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    338. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^(x.54*x.55)
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^(x.54*x.55)>, x.51)
+         skC   = (x.59*inv(x.54))
+         z     = z.42
+         z.1   = x.53^(x.55*x.59)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    339. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^(x.54*x.55*inv((x.56*x.57)))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^(x.54*x.55*inv((x.56*x.57)))>, x.51)
+         skC   = (x.57*inv(x.55))
+         z     = z.42
+         z.1   = x.53^(x.54*inv(x.56))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    340. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^(x.54*inv(x.55))>, x.51)
+         skC   = inv(x.59)
+         z     = z.42
+         z.1   = x.53^(x.54*inv((x.55*x.59)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    341. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^(x.54*inv(x.55))>, x.51)
+         skC   = inv((x.54*x.59))
+         z     = z.42
+         z.1   = x.53^inv((x.55*x.59))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    342. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^(x.54*inv(x.55))>, x.51)
+         skC   = (x.55*x.59)
+         z     = z.42
+         z.1   = x.53^(x.54*x.59)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    343. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^(x.54*inv(x.55))>, x.51)
+         skC   = (x.55*x.59*inv(x.54))
+         z     = z.42
+         z.1   = x.53^x.59
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    344. IDc   = IDc.31
+         certC = cert(x.49, sign(<x.49, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.36
+         s1    = sign(<IDc.31, r1.36, x.53^(x.54*inv(x.55))>, x.51)
+         skC   = (x.55*inv((x.54*x.59)))
+         z     = z.42
+         z.1   = x.53^inv(x.59)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    345. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^inv((x.53*x.54))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.53*x.59*inv(x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.52^(x.59*inv((x.54*x.60)))
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^inv((x.53*x.54))>, x.49)
+         z.5   = z.48
+    
+    346. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^(x.53*x.54)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.59*inv((x.53*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.52^(x.54*x.59*inv(x.60))
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*x.54)>, x.49)
+         z.5   = z.48
+    
+    347. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^(x.53*x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv((x.54*x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.52^(x.53*inv((x.55*x.60)))
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*x.54*inv(x.55))>, x.49)
+         z.5   = z.48
+    
+    348. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^(x.53*x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*x.60*inv(x.53))
+         z     = cert_id(certC.33)
+         z.1   = x.52^(x.54*x.60)
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*x.54*inv(x.55))>, x.49)
+         z.5   = z.48
+    
+    349. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^(x.53*x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*inv((x.53*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.52^(x.54*inv(x.60))
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*x.54*inv(x.55))>, x.49)
+         z.5   = z.48
+    
+    350. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^(x.53*inv(x.54))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*x.59*inv((x.53*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.52^(x.59*inv(x.60))
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv(x.54))>, x.49)
+         z.5   = z.48
+    
+    351. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^(x.53*inv(x.54))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.59*inv(x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.52^(x.53*x.59*inv((x.54*x.60)))
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv(x.54))>, x.49)
+         z.5   = z.48
+    
+    352. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^(x.53*inv(x.54))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.59*inv((x.53*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.52^(x.59*inv((x.54*x.60)))
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv(x.54))>, x.49)
+         z.5   = z.48
+    
+    353. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^(x.53*inv((x.54*x.55)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*x.60)
+         z     = cert_id(certC.33)
+         z.1   = x.52^(x.53*x.60*inv(x.55))
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv((x.54*x.55)))>,
+                        x.49)
+         z.5   = z.48
+    
+    354. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^(x.53*inv((x.54*x.55)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*x.60*inv(x.53))
+         z     = cert_id(certC.33)
+         z.1   = x.52^(x.60*inv(x.55))
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv((x.54*x.55)))>,
+                        x.49)
+         z.5   = z.48
+    
+    355. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^(x.53*inv((x.54*x.55)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*inv(x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.52^(x.53*inv((x.55*x.60)))
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv((x.54*x.55)))>,
+                        x.49)
+         z.5   = z.48
+    
+    356. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, x.50, z.48)
+         pkTe  = x.52^(x.53*inv((x.54*x.55)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*inv((x.53*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.52^inv((x.55*x.60))
+         z.2   = verify(x.50, <x.49, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv((x.54*x.55)))>,
+                        x.49)
+         z.5   = z.48
+    
+    357. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, sign(<x.49, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.51^(x.52*x.53*inv(x.54))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*x.59*inv((x.52*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.51^(x.53*x.59*inv(x.60))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.51^(x.52*x.53*inv(x.54))>, x.49)
+         z.5   = z.48
+    
+    358. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, sign(<x.49, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.51^(x.52*x.53*inv(x.54))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.59*inv((x.52*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.51^(x.53*x.59*inv((x.54*x.60)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.51^(x.52*x.53*inv(x.54))>, x.49)
+         z.5   = z.48
+    
+    359. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, sign(<x.49, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.51^(x.52*x.53*inv((x.54*x.55)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*x.60*inv(x.52))
+         z     = cert_id(certC.33)
+         z.1   = x.51^(x.53*x.60*inv(x.55))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.51^(x.52*x.53*inv((x.54*x.55)))>,
+                        x.49)
+         z.5   = z.48
+    
+    360. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, sign(<x.49, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.51^(x.52*x.53*inv((x.54*x.55)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*inv((x.52*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.51^(x.53*inv((x.55*x.60)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.51^(x.52*x.53*inv((x.54*x.55)))>,
+                        x.49)
+         z.5   = z.48
+    
+    361. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, sign(<x.49, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.51^(x.52*inv((x.53*x.54)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.53*x.59*inv(x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.51^(x.52*x.59*inv((x.54*x.60)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.51^(x.52*inv((x.53*x.54)))>,
+                        x.49)
+         z.5   = z.48
+    
+    362. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(x.49, sign(<x.49, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.51^(x.52*inv((x.53*x.54)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.53*x.59*inv((x.52*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.51^(x.59*inv((x.54*x.60)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.51^(x.52*inv((x.53*x.54)))>,
+                        x.49)
+         z.5   = z.48
+    
+    363. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^x.55
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^x.55>, x.51)
+         skC   = (x.59*inv((x.55*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.54^(x.59*inv(x.60))
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    364. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^inv(x.55)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^inv(x.55)>, x.51)
+         skC   = (x.59*inv(x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.54^(x.59*inv((x.55*x.60)))
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    365. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^inv((x.55*x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^inv((x.55*x.56))>, x.51)
+         skC   = (x.55*x.60)
+         z     = cert_id(certC.33)
+         z.1   = x.54^(x.60*inv(x.56))
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    366. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^inv((x.55*x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^inv((x.55*x.56))>, x.51)
+         skC   = (x.55*inv(x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.54^inv((x.56*x.60))
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    367. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^(x.55*x.56)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*x.56)>, x.51)
+         skC   = inv((x.55*x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.54^(x.56*inv(x.60))
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    368. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^(x.55*x.56)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*x.56)>, x.51)
+         skC   = (x.60*inv(x.55))
+         z     = cert_id(certC.33)
+         z.1   = x.54^(x.56*x.60)
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    369. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^(x.55*x.56*inv((x.57*x.58)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*x.56*inv((x.57*x.58)))>, x.51)
+         skC   = (x.58*inv(x.56))
+         z     = cert_id(certC.33)
+         z.1   = x.54^(x.55*inv(x.57))
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    370. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv(x.56))>, x.51)
+         skC   = inv(x.60)
+         z     = cert_id(certC.33)
+         z.1   = x.54^(x.55*inv((x.56*x.60)))
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    371. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv(x.56))>, x.51)
+         skC   = inv((x.55*x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.54^inv((x.56*x.60))
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    372. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv(x.56))>, x.51)
+         skC   = (x.56*x.60)
+         z     = cert_id(certC.33)
+         z.1   = x.54^(x.55*x.60)
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    373. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv(x.56))>, x.51)
+         skC   = (x.56*x.60*inv(x.55))
+         z     = cert_id(certC.33)
+         z.1   = x.54^x.60
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    374. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), x.52, z.48)
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv(x.56))>, x.51)
+         skC   = (x.56*inv((x.55*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.54^inv(x.60)
+         z.2   = verify(x.52, <pk(x.51), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    375. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^inv((x.54*x.55))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^inv((x.54*x.55))>, x.51)
+         skC   = (x.54*x.59*inv(x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.53^(x.59*inv((x.55*x.60)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    376. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*x.55)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^(x.54*x.55)>, x.51)
+         skC   = (x.59*inv((x.54*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.53^(x.55*x.59*inv(x.60))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    377. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*x.55*inv(x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^(x.54*x.55*inv(x.56))>, x.51)
+         skC   = inv((x.55*x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.53^(x.54*inv((x.56*x.60)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    378. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*x.55*inv(x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^(x.54*x.55*inv(x.56))>, x.51)
+         skC   = (x.56*x.60*inv(x.54))
+         z     = cert_id(certC.33)
+         z.1   = x.53^(x.55*x.60)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    379. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*x.55*inv(x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^(x.54*x.55*inv(x.56))>, x.51)
+         skC   = (x.56*inv((x.54*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.53^(x.55*inv(x.60))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    380. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^(x.54*inv(x.55))>, x.51)
+         skC   = (x.55*x.59*inv((x.54*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.53^(x.59*inv(x.60))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    381. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^(x.54*inv(x.55))>, x.51)
+         skC   = (x.59*inv(x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.53^(x.54*x.59*inv((x.55*x.60)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    382. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^(x.54*inv(x.55))>, x.51)
+         skC   = (x.59*inv((x.54*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.53^(x.59*inv((x.55*x.60)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    383. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv((x.55*x.56)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^(x.54*inv((x.55*x.56)))>, x.51)
+         skC   = (x.55*x.60)
+         z     = cert_id(certC.33)
+         z.1   = x.53^(x.54*x.60*inv(x.56))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    384. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv((x.55*x.56)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^(x.54*inv((x.55*x.56)))>, x.51)
+         skC   = (x.55*x.60*inv(x.54))
+         z     = cert_id(certC.33)
+         z.1   = x.53^(x.60*inv(x.56))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    385. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv((x.55*x.56)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^(x.54*inv((x.55*x.56)))>, x.51)
+         skC   = (x.55*inv(x.60))
+         z     = cert_id(certC.33)
+         z.1   = x.53^(x.54*inv((x.56*x.60)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    386. IDc   = IDc.32
+         certC = certC.33
+         certT = cert(pk(x.51), sign(<pk(x.51), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv((x.55*x.56)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.53^(x.54*inv((x.55*x.56)))>, x.51)
+         skC   = (x.55*inv((x.54*x.60)))
+         z     = cert_id(certC.33)
+         z.1   = x.53^inv((x.56*x.60))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.33),
+                        <cert_pk(certC.33), cert_id(certC.33), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    387. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = certT.34
+         pkTe  = x.53^x.54
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.59*inv((x.54*x.60)))
+         z     = z.43
+         z.1   = x.53^(x.59*inv(x.60))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^x.54>, cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    388. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = certT.34
+         pkTe  = x.53^inv(x.54)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.59*inv(x.60))
+         z     = z.43
+         z.1   = x.53^(x.59*inv((x.54*x.60)))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^inv(x.54)>, cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    389. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = certT.34
+         pkTe  = x.53^inv((x.54*x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*x.60)
+         z     = z.43
+         z.1   = x.53^(x.60*inv(x.55))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^inv((x.54*x.55))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    390. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = certT.34
+         pkTe  = x.53^inv((x.54*x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*inv(x.60))
+         z     = z.43
+         z.1   = x.53^inv((x.55*x.60))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^inv((x.54*x.55))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    391. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = certT.34
+         pkTe  = x.53^(x.54*x.55)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv((x.54*x.60))
+         z     = z.43
+         z.1   = x.53^(x.55*inv(x.60))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*x.55)>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    392. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = certT.34
+         pkTe  = x.53^(x.54*x.55)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.60*inv(x.54))
+         z     = z.43
+         z.1   = x.53^(x.55*x.60)
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*x.55)>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    393. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = certT.34
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv(x.60)
+         z     = z.43
+         z.1   = x.53^(x.54*inv((x.55*x.60)))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*inv(x.55))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    394. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = certT.34
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv((x.54*x.60))
+         z     = z.43
+         z.1   = x.53^inv((x.55*x.60))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*inv(x.55))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    395. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = certT.34
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*x.60)
+         z     = z.43
+         z.1   = x.53^(x.54*x.60)
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*inv(x.55))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    396. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = certT.34
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*x.60*inv(x.54))
+         z     = z.43
+         z.1   = x.53^x.60
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*inv(x.55))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    397. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = certT.34
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*inv((x.54*x.60)))
+         z     = z.43
+         z.1   = x.53^inv(x.60)
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*inv(x.55))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    398. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = cert(x.52, sign(<x.52, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^x.55
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv((x.55*x.60))
+         z     = z.43
+         z.1   = x.54^inv(x.60)
+         z.2   = true
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.54^x.55>, x.52)
+         z.5   = z.48
+    
+    399. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = cert(x.52, sign(<x.52, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^x.55
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.60*inv(x.55))
+         z     = z.43
+         z.1   = x.54^x.60
+         z.2   = true
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.54^x.55>, x.52)
+         z.5   = z.48
+    
+    400. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = cert(x.52, sign(<x.52, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^inv(x.55)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv(x.60)
+         z     = z.43
+         z.1   = x.54^inv((x.55*x.60))
+         z.2   = true
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.54^inv(x.55)>, x.52)
+         z.5   = z.48
+    
+    401. IDc   = IDc.32
+         certC = cert(x.49, x.50, z.43)
+         certT = cert(x.52, sign(<x.52, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^inv(x.55)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*x.60)
+         z     = z.43
+         z.1   = x.54^x.60
+         z.2   = true
+         z.3   = verify(x.50, <x.49, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.54^inv(x.55)>, x.52)
+         z.5   = z.48
+    
+    402. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^inv((x.53*x.54))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.53*x.59*inv(x.60))
+         z     = z.43
+         z.1   = x.52^(x.59*inv((x.54*x.60)))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^inv((x.53*x.54))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    403. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^(x.53*x.54)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.59*inv((x.53*x.60)))
+         z     = z.43
+         z.1   = x.52^(x.54*x.59*inv(x.60))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*x.54)>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    404. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^(x.53*x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv((x.54*x.60))
+         z     = z.43
+         z.1   = x.52^(x.53*inv((x.55*x.60)))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*x.54*inv(x.55))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    405. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^(x.53*x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*x.60*inv(x.53))
+         z     = z.43
+         z.1   = x.52^(x.54*x.60)
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*x.54*inv(x.55))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    406. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^(x.53*x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*inv((x.53*x.60)))
+         z     = z.43
+         z.1   = x.52^(x.54*inv(x.60))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*x.54*inv(x.55))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    407. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^(x.53*inv(x.54))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*x.59*inv((x.53*x.60)))
+         z     = z.43
+         z.1   = x.52^(x.59*inv(x.60))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv(x.54))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    408. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^(x.53*inv(x.54))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.59*inv(x.60))
+         z     = z.43
+         z.1   = x.52^(x.53*x.59*inv((x.54*x.60)))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv(x.54))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    409. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^(x.53*inv(x.54))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.59*inv((x.53*x.60)))
+         z     = z.43
+         z.1   = x.52^(x.59*inv((x.54*x.60)))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv(x.54))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    410. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^(x.53*inv((x.54*x.55)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*x.60)
+         z     = z.43
+         z.1   = x.52^(x.53*x.60*inv(x.55))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv((x.54*x.55)))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    411. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^(x.53*inv((x.54*x.55)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*x.60*inv(x.53))
+         z     = z.43
+         z.1   = x.52^(x.60*inv(x.55))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv((x.54*x.55)))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    412. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^(x.53*inv((x.54*x.55)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*inv(x.60))
+         z     = z.43
+         z.1   = x.52^(x.53*inv((x.55*x.60)))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv((x.54*x.55)))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    413. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.34
+         pkTe  = x.52^(x.53*inv((x.54*x.55)))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*inv((x.53*x.60)))
+         z     = z.43
+         z.1   = x.52^inv((x.55*x.60))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.52^(x.53*inv((x.54*x.55)))>,
+                        cert_pk(certT.34))
+         z.5   = cert_id(certT.34)
+    
+    414. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, x.52, z.48)
+         pkTe  = x.54^x.55
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv((x.55*x.60))
+         z     = z.43
+         z.1   = x.54^inv(x.60)
+         z.2   = verify(x.52, <x.51, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.54^x.55>, x.51)
+         z.5   = z.48
+    
+    415. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, x.52, z.48)
+         pkTe  = x.54^x.55
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.60*inv(x.55))
+         z     = z.43
+         z.1   = x.54^x.60
+         z.2   = verify(x.52, <x.51, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.54^x.55>, x.51)
+         z.5   = z.48
+    
+    416. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, x.52, z.48)
+         pkTe  = x.54^inv(x.55)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv(x.60)
+         z     = z.43
+         z.1   = x.54^inv((x.55*x.60))
+         z.2   = verify(x.52, <x.51, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.54^inv(x.55)>, x.51)
+         z.5   = z.48
+    
+    417. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, x.52, z.48)
+         pkTe  = x.54^inv(x.55)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*x.60)
+         z     = z.43
+         z.1   = x.54^x.60
+         z.2   = verify(x.52, <x.51, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.54^inv(x.55)>, x.51)
+         z.5   = z.48
+    
+    418. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, sign(<x.51, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^x.54
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.59*inv((x.54*x.60)))
+         z     = z.43
+         z.1   = x.53^(x.59*inv(x.60))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^x.54>, x.51)
+         z.5   = z.48
+    
+    419. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, sign(<x.51, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^inv(x.54)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.59*inv(x.60))
+         z     = z.43
+         z.1   = x.53^(x.59*inv((x.54*x.60)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^inv(x.54)>, x.51)
+         z.5   = z.48
+    
+    420. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, sign(<x.51, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^inv((x.54*x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*x.60)
+         z     = z.43
+         z.1   = x.53^(x.60*inv(x.55))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^inv((x.54*x.55))>, x.51)
+         z.5   = z.48
+    
+    421. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, sign(<x.51, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^inv((x.54*x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.54*inv(x.60))
+         z     = z.43
+         z.1   = x.53^inv((x.55*x.60))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^inv((x.54*x.55))>, x.51)
+         z.5   = z.48
+    
+    422. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, sign(<x.51, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*x.55)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv((x.54*x.60))
+         z     = z.43
+         z.1   = x.53^(x.55*inv(x.60))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*x.55)>, x.51)
+         z.5   = z.48
+    
+    423. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, sign(<x.51, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*x.55)
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.60*inv(x.54))
+         z     = z.43
+         z.1   = x.53^(x.55*x.60)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*x.55)>, x.51)
+         z.5   = z.48
+    
+    424. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, sign(<x.51, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv(x.60)
+         z     = z.43
+         z.1   = x.53^(x.54*inv((x.55*x.60)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*inv(x.55))>, x.51)
+         z.5   = z.48
+    
+    425. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, sign(<x.51, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = inv((x.54*x.60))
+         z     = z.43
+         z.1   = x.53^inv((x.55*x.60))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*inv(x.55))>, x.51)
+         z.5   = z.48
+    
+    426. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, sign(<x.51, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*x.60)
+         z     = z.43
+         z.1   = x.53^(x.54*x.60)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*inv(x.55))>, x.51)
+         z.5   = z.48
+    
+    427. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, sign(<x.51, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*x.60*inv(x.54))
+         z     = z.43
+         z.1   = x.53^x.60
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*inv(x.55))>, x.51)
+         z.5   = z.48
+    
+    428. IDc   = IDc.32
+         certC = cert(x.49, sign(<x.49, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.51, sign(<x.51, z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.53^(x.54*inv(x.55))
+         r1    = r1.37
+         s1    = s1.39
+         skC   = (x.55*inv((x.54*x.60)))
+         z     = z.43
+         z.1   = x.53^inv(x.60)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.32, r1.37, x.53^(x.54*inv(x.55))>, x.51)
+         z.5   = z.48
+    
+    429. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), x.54, z.48)
+         pkTe  = x.56^x.57
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.56^x.57>, x.53)
+         skC   = inv((x.57*x.61))
+         z     = z.43
+         z.1   = x.56^inv(x.61)
+         z.2   = verify(x.54, <pk(x.53), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    430. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), x.54, z.48)
+         pkTe  = x.56^x.57
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.56^x.57>, x.53)
+         skC   = (x.61*inv(x.57))
+         z     = z.43
+         z.1   = x.56^x.61
+         z.2   = verify(x.54, <pk(x.53), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    431. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), x.54, z.48)
+         pkTe  = x.56^inv(x.57)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.56^inv(x.57)>, x.53)
+         skC   = inv(x.61)
+         z     = z.43
+         z.1   = x.56^inv((x.57*x.61))
+         z.2   = verify(x.54, <pk(x.53), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    432. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), x.54, z.48)
+         pkTe  = x.56^inv(x.57)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.56^inv(x.57)>, x.53)
+         skC   = (x.57*x.61)
+         z     = z.43
+         z.1   = x.56^x.61
+         z.2   = verify(x.54, <pk(x.53), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    433. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), x.54, z.48)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.56^(x.57*x.58*inv(x.59))>, x.53)
+         skC   = (x.59*inv(x.58))
+         z     = z.43
+         z.1   = x.56^x.57
+         z.2   = verify(x.54, <pk(x.53), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    434. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), x.54, z.48)
+         pkTe  = x.56^(x.57*inv((skC.40*x.58)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.56^(x.57*inv((skC.40*x.58)))>, x.53)
+         skC   = skC.40
+         z     = z.43
+         z.1   = x.56^(x.57*inv(x.58))
+         z.2   = verify(x.54, <pk(x.53), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    435. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), x.54, z.48)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.56^(x.57*inv((x.58*x.59)))>, x.53)
+         skC   = (x.59*inv(x.57))
+         z     = z.43
+         z.1   = x.56^inv(x.58)
+         z.2   = verify(x.54, <pk(x.53), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    436. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^x.56
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^x.56>, x.53)
+         skC   = (x.60*inv((x.56*x.61)))
+         z     = z.43
+         z.1   = x.55^(x.60*inv(x.61))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    437. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^inv(x.56)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^inv(x.56)>, x.53)
+         skC   = (x.60*inv(x.61))
+         z     = z.43
+         z.1   = x.55^(x.60*inv((x.56*x.61)))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    438. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^inv((x.56*x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^inv((x.56*x.57))>, x.53)
+         skC   = (x.56*x.61)
+         z     = z.43
+         z.1   = x.55^(x.61*inv(x.57))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    439. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^inv((x.56*x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^inv((x.56*x.57))>, x.53)
+         skC   = (x.56*inv(x.61))
+         z     = z.43
+         z.1   = x.55^inv((x.57*x.61))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    440. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^(x.56*x.57)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*x.57)>, x.53)
+         skC   = inv((x.56*x.61))
+         z     = z.43
+         z.1   = x.55^(x.57*inv(x.61))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    441. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^(x.56*x.57)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*x.57)>, x.53)
+         skC   = (x.61*inv(x.56))
+         z     = z.43
+         z.1   = x.55^(x.57*x.61)
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    442. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^(x.56*x.57*inv((x.58*x.59)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*x.57*inv((x.58*x.59)))>, x.53)
+         skC   = (x.59*inv(x.57))
+         z     = z.43
+         z.1   = x.55^(x.56*inv(x.58))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    443. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*inv(x.57))>, x.53)
+         skC   = inv(x.61)
+         z     = z.43
+         z.1   = x.55^(x.56*inv((x.57*x.61)))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    444. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*inv(x.57))>, x.53)
+         skC   = inv((x.56*x.61))
+         z     = z.43
+         z.1   = x.55^inv((x.57*x.61))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    445. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*inv(x.57))>, x.53)
+         skC   = (x.57*x.61)
+         z     = z.43
+         z.1   = x.55^(x.56*x.61)
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    446. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*inv(x.57))>, x.53)
+         skC   = (x.57*x.61*inv(x.56))
+         z     = z.43
+         z.1   = x.55^x.61
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    447. IDc   = IDc.32
+         certC = cert(x.50, x.51, z.43)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*inv(x.57))>, x.53)
+         skC   = (x.57*inv((x.56*x.61)))
+         z     = z.43
+         z.1   = x.55^inv(x.61)
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.43, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    448. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^x.56
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^x.56>, x.52)
+         skC   = (x.60*inv((x.56*x.61)))
+         z     = z.43
+         z.1   = x.55^(x.60*inv(x.61))
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    449. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^inv(x.56)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^inv(x.56)>, x.52)
+         skC   = (x.60*inv(x.61))
+         z     = z.43
+         z.1   = x.55^(x.60*inv((x.56*x.61)))
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    450. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^inv((x.56*x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^inv((x.56*x.57))>, x.52)
+         skC   = (x.56*x.61)
+         z     = z.43
+         z.1   = x.55^(x.61*inv(x.57))
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    451. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^inv((x.56*x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^inv((x.56*x.57))>, x.52)
+         skC   = (x.56*inv(x.61))
+         z     = z.43
+         z.1   = x.55^inv((x.57*x.61))
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    452. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^(x.56*x.57)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*x.57)>, x.52)
+         skC   = inv((x.56*x.61))
+         z     = z.43
+         z.1   = x.55^(x.57*inv(x.61))
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    453. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^(x.56*x.57)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*x.57)>, x.52)
+         skC   = (x.61*inv(x.56))
+         z     = z.43
+         z.1   = x.55^(x.57*x.61)
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    454. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^(x.56*x.57*inv((x.58*x.59)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*x.57*inv((x.58*x.59)))>, x.52)
+         skC   = (x.59*inv(x.57))
+         z     = z.43
+         z.1   = x.55^(x.56*inv(x.58))
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    455. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*inv(x.57))>, x.52)
+         skC   = inv(x.61)
+         z     = z.43
+         z.1   = x.55^(x.56*inv((x.57*x.61)))
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    456. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*inv(x.57))>, x.52)
+         skC   = inv((x.56*x.61))
+         z     = z.43
+         z.1   = x.55^inv((x.57*x.61))
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    457. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*inv(x.57))>, x.52)
+         skC   = (x.57*x.61)
+         z     = z.43
+         z.1   = x.55^(x.56*x.61)
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    458. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*inv(x.57))>, x.52)
+         skC   = (x.57*x.61*inv(x.56))
+         z     = z.43
+         z.1   = x.55^x.61
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    459. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), x.53, z.48)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.55^(x.56*inv(x.57))>, x.52)
+         skC   = (x.57*inv((x.56*x.61)))
+         z     = z.43
+         z.1   = x.55^inv(x.61)
+         z.2   = verify(x.53, <pk(x.52), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    460. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^inv((x.55*x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^inv((x.55*x.56))>, x.52)
+         skC   = (x.55*x.60*inv(x.61))
+         z     = z.43
+         z.1   = x.54^(x.60*inv((x.56*x.61)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    461. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^(x.55*x.56)
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*x.56)>, x.52)
+         skC   = (x.60*inv((x.55*x.61)))
+         z     = z.43
+         z.1   = x.54^(x.56*x.60*inv(x.61))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    462. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*x.56*inv(x.57))>, x.52)
+         skC   = inv((x.56*x.61))
+         z     = z.43
+         z.1   = x.54^(x.55*inv((x.57*x.61)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    463. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*x.56*inv(x.57))>, x.52)
+         skC   = (x.57*x.61*inv(x.55))
+         z     = z.43
+         z.1   = x.54^(x.56*x.61)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    464. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*x.56*inv(x.57))>, x.52)
+         skC   = (x.57*inv((x.55*x.61)))
+         z     = z.43
+         z.1   = x.54^(x.56*inv(x.61))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    465. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv(x.56))>, x.52)
+         skC   = (x.56*x.60*inv((x.55*x.61)))
+         z     = z.43
+         z.1   = x.54^(x.60*inv(x.61))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    466. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv(x.56))>, x.52)
+         skC   = (x.60*inv(x.61))
+         z     = z.43
+         z.1   = x.54^(x.55*x.60*inv((x.56*x.61)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    467. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv(x.56))>, x.52)
+         skC   = (x.60*inv((x.55*x.61)))
+         z     = z.43
+         z.1   = x.54^(x.60*inv((x.56*x.61)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    468. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv((x.56*x.57)))>, x.52)
+         skC   = (x.56*x.61)
+         z     = z.43
+         z.1   = x.54^(x.55*x.61*inv(x.57))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    469. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv((x.56*x.57)))>, x.52)
+         skC   = (x.56*x.61*inv(x.55))
+         z     = z.43
+         z.1   = x.54^(x.61*inv(x.57))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    470. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv((x.56*x.57)))>, x.52)
+         skC   = (x.56*inv(x.61))
+         z     = z.43
+         z.1   = x.54^(x.55*inv((x.57*x.61)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    471. IDc   = IDc.32
+         certC = cert(x.50, sign(<x.50, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.48, 'terminal'>, ca_sk), z.48)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.37
+         s1    = sign(<IDc.32, r1.37, x.54^(x.55*inv((x.56*x.57)))>, x.52)
+         skC   = (x.56*inv((x.55*x.61)))
+         z     = z.43
+         z.1   = x.54^inv((x.57*x.61))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    472. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(x.50, x.51, z.49)
+         pkTe  = x.53^(x.54*x.55*inv(x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.61*inv((x.54*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.53^(x.55*x.61*inv(x.62))
+         z.2   = verify(x.51, <x.50, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*x.55*inv(x.56))>, x.50)
+         z.5   = z.49
+    
+    473. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(x.50, x.51, z.49)
+         pkTe  = x.53^(x.54*x.55*inv(x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv((x.54*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.53^(x.55*x.61*inv((x.56*x.62)))
+         z.2   = verify(x.51, <x.50, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*x.55*inv(x.56))>, x.50)
+         z.5   = z.49
+    
+    474. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(x.50, x.51, z.49)
+         pkTe  = x.53^(x.54*x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.62*inv(x.54))
+         z     = cert_id(certC.34)
+         z.1   = x.53^(x.55*x.62*inv(x.57))
+         z.2   = verify(x.51, <x.50, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*x.55*inv((x.56*x.57)))>,
+                        x.50)
+         z.5   = z.49
+    
+    475. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(x.50, x.51, z.49)
+         pkTe  = x.53^(x.54*x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*inv((x.54*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.53^(x.55*inv((x.57*x.62)))
+         z.2   = verify(x.51, <x.50, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*x.55*inv((x.56*x.57)))>,
+                        x.50)
+         z.5   = z.49
+    
+    476. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(x.50, x.51, z.49)
+         pkTe  = x.53^(x.54*inv((x.55*x.56)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.55*x.61*inv(x.62))
+         z     = cert_id(certC.34)
+         z.1   = x.53^(x.54*x.61*inv((x.56*x.62)))
+         z.2   = verify(x.51, <x.50, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*inv((x.55*x.56)))>,
+                        x.50)
+         z.5   = z.49
+    
+    477. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(x.50, x.51, z.49)
+         pkTe  = x.53^(x.54*inv((x.55*x.56)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.55*x.61*inv((x.54*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.53^(x.61*inv((x.56*x.62)))
+         z.2   = verify(x.51, <x.50, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*inv((x.55*x.56)))>,
+                        x.50)
+         z.5   = z.49
+    
+    478. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(x.50, sign(<x.50, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.52^(x.53*x.54*inv((x.55*x.56)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.55*x.61*inv((x.53*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.52^(x.54*x.61*inv((x.56*x.62)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.52^(x.53*x.54*inv((x.55*x.56)))>,
+                        x.50)
+         z.5   = z.49
+    
+    479. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^inv((x.56*x.57))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^inv((x.56*x.57))>, x.52)
+         skC   = (x.56*x.61*inv(x.62))
+         z     = cert_id(certC.34)
+         z.1   = x.55^(x.61*inv((x.57*x.62)))
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    480. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^(x.56*x.57)
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*x.57)>, x.52)
+         skC   = (x.61*inv((x.56*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.55^(x.57*x.61*inv(x.62))
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    481. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^(x.56*x.57*inv(x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*x.57*inv(x.58))>, x.52)
+         skC   = inv((x.57*x.62))
+         z     = cert_id(certC.34)
+         z.1   = x.55^(x.56*inv((x.58*x.62)))
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    482. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^(x.56*x.57*inv(x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*x.57*inv(x.58))>, x.52)
+         skC   = (x.58*x.62*inv(x.56))
+         z     = cert_id(certC.34)
+         z.1   = x.55^(x.57*x.62)
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    483. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^(x.56*x.57*inv(x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*x.57*inv(x.58))>, x.52)
+         skC   = (x.58*inv((x.56*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.55^(x.57*inv(x.62))
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    484. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.52)
+         skC   = (x.57*x.61*inv((x.56*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.55^(x.61*inv(x.62))
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    485. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.52)
+         skC   = (x.61*inv(x.62))
+         z     = cert_id(certC.34)
+         z.1   = x.55^(x.56*x.61*inv((x.57*x.62)))
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    486. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.52)
+         skC   = (x.61*inv((x.56*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.55^(x.61*inv((x.57*x.62)))
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    487. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^(x.56*inv((x.57*x.58)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*inv((x.57*x.58)))>, x.52)
+         skC   = (x.57*x.62)
+         z     = cert_id(certC.34)
+         z.1   = x.55^(x.56*x.62*inv(x.58))
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    488. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^(x.56*inv((x.57*x.58)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*inv((x.57*x.58)))>, x.52)
+         skC   = (x.57*x.62*inv(x.56))
+         z     = cert_id(certC.34)
+         z.1   = x.55^(x.62*inv(x.58))
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    489. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^(x.56*inv((x.57*x.58)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*inv((x.57*x.58)))>, x.52)
+         skC   = (x.57*inv(x.62))
+         z     = cert_id(certC.34)
+         z.1   = x.55^(x.56*inv((x.58*x.62)))
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    490. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), x.53, z.49)
+         pkTe  = x.55^(x.56*inv((x.57*x.58)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*inv((x.57*x.58)))>, x.52)
+         skC   = (x.57*inv((x.56*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.55^inv((x.58*x.62))
+         z.2   = verify(x.53, <pk(x.52), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    491. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), sign(<pk(x.52), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.54^(x.55*x.56*inv(x.57))>, x.52)
+         skC   = (x.57*x.61*inv((x.55*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.54^(x.56*x.61*inv(x.62))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    492. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), sign(<pk(x.52), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.54^(x.55*x.56*inv(x.57))>, x.52)
+         skC   = (x.61*inv((x.55*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.54^(x.56*x.61*inv((x.57*x.62)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    493. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), sign(<pk(x.52), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*x.56*inv((x.57*x.58)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.54^(x.55*x.56*inv((x.57*x.58)))>, x.52)
+         skC   = (x.57*x.62*inv(x.55))
+         z     = cert_id(certC.34)
+         z.1   = x.54^(x.56*x.62*inv(x.58))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    494. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), sign(<pk(x.52), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*x.56*inv((x.57*x.58)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.54^(x.55*x.56*inv((x.57*x.58)))>, x.52)
+         skC   = (x.57*inv((x.55*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.54^(x.56*inv((x.58*x.62)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    495. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), sign(<pk(x.52), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.54^(x.55*inv((x.56*x.57)))>, x.52)
+         skC   = (x.56*x.61*inv(x.62))
+         z     = cert_id(certC.34)
+         z.1   = x.54^(x.55*x.61*inv((x.57*x.62)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    496. IDc   = IDc.33
+         certC = certC.34
+         certT = cert(pk(x.52), sign(<pk(x.52), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.54^(x.55*inv((x.56*x.57)))>, x.52)
+         skC   = (x.56*x.61*inv((x.55*x.62)))
+         z     = cert_id(certC.34)
+         z.1   = x.54^(x.61*inv((x.57*x.62)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.34),
+                        <cert_pk(certC.34), cert_id(certC.34), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    497. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^inv((x.55*x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.55*x.61*inv(x.62))
+         z     = z.44
+         z.1   = x.54^(x.61*inv((x.56*x.62)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^inv((x.55*x.56))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    498. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^(x.55*x.56)
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv((x.55*x.62)))
+         z     = z.44
+         z.1   = x.54^(x.56*x.61*inv(x.62))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*x.56)>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    499. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = inv((x.56*x.62))
+         z     = z.44
+         z.1   = x.54^(x.55*inv((x.57*x.62)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*x.56*inv(x.57))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    500. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.57*x.62*inv(x.55))
+         z     = z.44
+         z.1   = x.54^(x.56*x.62)
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*x.56*inv(x.57))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    501. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.57*inv((x.55*x.62)))
+         z     = z.44
+         z.1   = x.54^(x.56*inv(x.62))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*x.56*inv(x.57))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    502. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.61*inv((x.55*x.62)))
+         z     = z.44
+         z.1   = x.54^(x.61*inv(x.62))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv(x.56))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    503. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv(x.62))
+         z     = z.44
+         z.1   = x.54^(x.55*x.61*inv((x.56*x.62)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv(x.56))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    504. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv((x.55*x.62)))
+         z     = z.44
+         z.1   = x.54^(x.61*inv((x.56*x.62)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv(x.56))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    505. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.62)
+         z     = z.44
+         z.1   = x.54^(x.55*x.62*inv(x.57))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv((x.56*x.57)))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    506. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.62*inv(x.55))
+         z     = z.44
+         z.1   = x.54^(x.62*inv(x.57))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv((x.56*x.57)))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    507. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*inv(x.62))
+         z     = z.44
+         z.1   = x.54^(x.55*inv((x.57*x.62)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv((x.56*x.57)))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    508. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = certT.35
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*inv((x.55*x.62)))
+         z     = z.44
+         z.1   = x.54^inv((x.57*x.62))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv((x.56*x.57)))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    509. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, x.54, z.49)
+         pkTe  = x.56^x.57
+         r1    = r1.38
+         s1    = s1.40
+         skC   = inv((x.57*x.62))
+         z     = z.44
+         z.1   = x.56^inv(x.62)
+         z.2   = verify(x.54, <x.53, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.56^x.57>, x.53)
+         z.5   = z.49
+    
+    510. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, x.54, z.49)
+         pkTe  = x.56^x.57
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.62*inv(x.57))
+         z     = z.44
+         z.1   = x.56^x.62
+         z.2   = verify(x.54, <x.53, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.56^x.57>, x.53)
+         z.5   = z.49
+    
+    511. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, x.54, z.49)
+         pkTe  = x.56^inv(x.57)
+         r1    = r1.38
+         s1    = s1.40
+         skC   = inv(x.62)
+         z     = z.44
+         z.1   = x.56^inv((x.57*x.62))
+         z.2   = verify(x.54, <x.53, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.56^inv(x.57)>, x.53)
+         z.5   = z.49
+    
+    512. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, x.54, z.49)
+         pkTe  = x.56^inv(x.57)
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.57*x.62)
+         z     = z.44
+         z.1   = x.56^x.62
+         z.2   = verify(x.54, <x.53, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.56^inv(x.57)>, x.53)
+         z.5   = z.49
+    
+    513. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, sign(<x.53, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^x.56
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv((x.56*x.62)))
+         z     = z.44
+         z.1   = x.55^(x.61*inv(x.62))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^x.56>, x.53)
+         z.5   = z.49
+    
+    514. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, sign(<x.53, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^inv(x.56)
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv(x.62))
+         z     = z.44
+         z.1   = x.55^(x.61*inv((x.56*x.62)))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^inv(x.56)>, x.53)
+         z.5   = z.49
+    
+    515. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, sign(<x.53, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^inv((x.56*x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.62)
+         z     = z.44
+         z.1   = x.55^(x.62*inv(x.57))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^inv((x.56*x.57))>, x.53)
+         z.5   = z.49
+    
+    516. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, sign(<x.53, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^inv((x.56*x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*inv(x.62))
+         z     = z.44
+         z.1   = x.55^inv((x.57*x.62))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^inv((x.56*x.57))>, x.53)
+         z.5   = z.49
+    
+    517. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, sign(<x.53, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*x.57)
+         r1    = r1.38
+         s1    = s1.40
+         skC   = inv((x.56*x.62))
+         z     = z.44
+         z.1   = x.55^(x.57*inv(x.62))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*x.57)>, x.53)
+         z.5   = z.49
+    
+    518. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, sign(<x.53, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*x.57)
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.62*inv(x.56))
+         z     = z.44
+         z.1   = x.55^(x.57*x.62)
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*x.57)>, x.53)
+         z.5   = z.49
+    
+    519. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, sign(<x.53, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = inv(x.62)
+         z     = z.44
+         z.1   = x.55^(x.56*inv((x.57*x.62)))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.53)
+         z.5   = z.49
+    
+    520. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, sign(<x.53, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = inv((x.56*x.62))
+         z     = z.44
+         z.1   = x.55^inv((x.57*x.62))
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.53)
+         z.5   = z.49
+    
+    521. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, sign(<x.53, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.57*x.62)
+         z     = z.44
+         z.1   = x.55^(x.56*x.62)
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.53)
+         z.5   = z.49
+    
+    522. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, sign(<x.53, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.57*x.62*inv(x.56))
+         z     = z.44
+         z.1   = x.55^x.62
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.53)
+         z.5   = z.49
+    
+    523. IDc   = IDc.33
+         certC = cert(x.50, x.51, z.44)
+         certT = cert(x.53, sign(<x.53, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.57*inv((x.56*x.62)))
+         z     = z.44
+         z.1   = x.55^inv(x.62)
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.53)
+         z.5   = z.49
+    
+    524. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = certT.35
+         pkTe  = x.53^(x.54*x.55*inv(x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.61*inv((x.54*x.62)))
+         z     = z.44
+         z.1   = x.53^(x.55*x.61*inv(x.62))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*x.55*inv(x.56))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    525. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = certT.35
+         pkTe  = x.53^(x.54*x.55*inv(x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv((x.54*x.62)))
+         z     = z.44
+         z.1   = x.53^(x.55*x.61*inv((x.56*x.62)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*x.55*inv(x.56))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    526. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = certT.35
+         pkTe  = x.53^(x.54*x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.62*inv(x.54))
+         z     = z.44
+         z.1   = x.53^(x.55*x.62*inv(x.57))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*x.55*inv((x.56*x.57)))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    527. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = certT.35
+         pkTe  = x.53^(x.54*x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*inv((x.54*x.62)))
+         z     = z.44
+         z.1   = x.53^(x.55*inv((x.57*x.62)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*x.55*inv((x.56*x.57)))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    528. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = certT.35
+         pkTe  = x.53^(x.54*inv((x.55*x.56)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.55*x.61*inv(x.62))
+         z     = z.44
+         z.1   = x.53^(x.54*x.61*inv((x.56*x.62)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*inv((x.55*x.56)))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    529. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = certT.35
+         pkTe  = x.53^(x.54*inv((x.55*x.56)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.55*x.61*inv((x.54*x.62)))
+         z     = z.44
+         z.1   = x.53^(x.61*inv((x.56*x.62)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.53^(x.54*inv((x.55*x.56)))>,
+                        cert_pk(certT.35))
+         z.5   = cert_id(certT.35)
+    
+    530. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, x.53, z.49)
+         pkTe  = x.55^x.56
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv((x.56*x.62)))
+         z     = z.44
+         z.1   = x.55^(x.61*inv(x.62))
+         z.2   = verify(x.53, <x.52, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^x.56>, x.52)
+         z.5   = z.49
+    
+    531. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, x.53, z.49)
+         pkTe  = x.55^inv(x.56)
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv(x.62))
+         z     = z.44
+         z.1   = x.55^(x.61*inv((x.56*x.62)))
+         z.2   = verify(x.53, <x.52, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^inv(x.56)>, x.52)
+         z.5   = z.49
+    
+    532. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, x.53, z.49)
+         pkTe  = x.55^inv((x.56*x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.62)
+         z     = z.44
+         z.1   = x.55^(x.62*inv(x.57))
+         z.2   = verify(x.53, <x.52, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^inv((x.56*x.57))>, x.52)
+         z.5   = z.49
+    
+    533. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, x.53, z.49)
+         pkTe  = x.55^inv((x.56*x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*inv(x.62))
+         z     = z.44
+         z.1   = x.55^inv((x.57*x.62))
+         z.2   = verify(x.53, <x.52, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^inv((x.56*x.57))>, x.52)
+         z.5   = z.49
+    
+    534. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, x.53, z.49)
+         pkTe  = x.55^(x.56*x.57)
+         r1    = r1.38
+         s1    = s1.40
+         skC   = inv((x.56*x.62))
+         z     = z.44
+         z.1   = x.55^(x.57*inv(x.62))
+         z.2   = verify(x.53, <x.52, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*x.57)>, x.52)
+         z.5   = z.49
+    
+    535. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, x.53, z.49)
+         pkTe  = x.55^(x.56*x.57)
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.62*inv(x.56))
+         z     = z.44
+         z.1   = x.55^(x.57*x.62)
+         z.2   = verify(x.53, <x.52, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*x.57)>, x.52)
+         z.5   = z.49
+    
+    536. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, x.53, z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = inv(x.62)
+         z     = z.44
+         z.1   = x.55^(x.56*inv((x.57*x.62)))
+         z.2   = verify(x.53, <x.52, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.52)
+         z.5   = z.49
+    
+    537. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, x.53, z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = inv((x.56*x.62))
+         z     = z.44
+         z.1   = x.55^inv((x.57*x.62))
+         z.2   = verify(x.53, <x.52, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.52)
+         z.5   = z.49
+    
+    538. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, x.53, z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.57*x.62)
+         z     = z.44
+         z.1   = x.55^(x.56*x.62)
+         z.2   = verify(x.53, <x.52, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.52)
+         z.5   = z.49
+    
+    539. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, x.53, z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.57*x.62*inv(x.56))
+         z     = z.44
+         z.1   = x.55^x.62
+         z.2   = verify(x.53, <x.52, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.52)
+         z.5   = z.49
+    
+    540. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, x.53, z.49)
+         pkTe  = x.55^(x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.57*inv((x.56*x.62)))
+         z     = z.44
+         z.1   = x.55^inv(x.62)
+         z.2   = verify(x.53, <x.52, z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.55^(x.56*inv(x.57))>, x.52)
+         z.5   = z.49
+    
+    541. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^inv((x.55*x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.55*x.61*inv(x.62))
+         z     = z.44
+         z.1   = x.54^(x.61*inv((x.56*x.62)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^inv((x.55*x.56))>, x.52)
+         z.5   = z.49
+    
+    542. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*x.56)
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv((x.55*x.62)))
+         z     = z.44
+         z.1   = x.54^(x.56*x.61*inv(x.62))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*x.56)>, x.52)
+         z.5   = z.49
+    
+    543. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = inv((x.56*x.62))
+         z     = z.44
+         z.1   = x.54^(x.55*inv((x.57*x.62)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*x.56*inv(x.57))>, x.52)
+         z.5   = z.49
+    
+    544. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.57*x.62*inv(x.55))
+         z     = z.44
+         z.1   = x.54^(x.56*x.62)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*x.56*inv(x.57))>, x.52)
+         z.5   = z.49
+    
+    545. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*x.56*inv(x.57))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.57*inv((x.55*x.62)))
+         z     = z.44
+         z.1   = x.54^(x.56*inv(x.62))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*x.56*inv(x.57))>, x.52)
+         z.5   = z.49
+    
+    546. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.61*inv((x.55*x.62)))
+         z     = z.44
+         z.1   = x.54^(x.61*inv(x.62))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv(x.56))>, x.52)
+         z.5   = z.49
+    
+    547. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv(x.62))
+         z     = z.44
+         z.1   = x.54^(x.55*x.61*inv((x.56*x.62)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv(x.56))>, x.52)
+         z.5   = z.49
+    
+    548. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*inv(x.56))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.61*inv((x.55*x.62)))
+         z     = z.44
+         z.1   = x.54^(x.61*inv((x.56*x.62)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv(x.56))>, x.52)
+         z.5   = z.49
+    
+    549. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.62)
+         z     = z.44
+         z.1   = x.54^(x.55*x.62*inv(x.57))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv((x.56*x.57)))>,
+                        x.52)
+         z.5   = z.49
+    
+    550. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*x.62*inv(x.55))
+         z     = z.44
+         z.1   = x.54^(x.62*inv(x.57))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv((x.56*x.57)))>,
+                        x.52)
+         z.5   = z.49
+    
+    551. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*inv(x.62))
+         z     = z.44
+         z.1   = x.54^(x.55*inv((x.57*x.62)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv((x.56*x.57)))>,
+                        x.52)
+         z.5   = z.49
+    
+    552. IDc   = IDc.33
+         certC = cert(x.50, sign(<x.50, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.52, sign(<x.52, z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.54^(x.55*inv((x.56*x.57)))
+         r1    = r1.38
+         s1    = s1.40
+         skC   = (x.56*inv((x.55*x.62)))
+         z     = z.44
+         z.1   = x.54^inv((x.57*x.62))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.33, r1.38, x.54^(x.55*inv((x.56*x.57)))>,
+                        x.52)
+         z.5   = z.49
+    
+    553. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^x.58
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^x.58>, x.54)
+         skC   = (x.62*inv((x.58*x.63)))
+         z     = z.44
+         z.1   = x.57^(x.62*inv(x.63))
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    554. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^inv(x.58)
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^inv(x.58)>, x.54)
+         skC   = (x.62*inv(x.63))
+         z     = z.44
+         z.1   = x.57^(x.62*inv((x.58*x.63)))
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    555. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^inv((x.58*x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^inv((x.58*x.59))>, x.54)
+         skC   = (x.58*x.63)
+         z     = z.44
+         z.1   = x.57^(x.63*inv(x.59))
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    556. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^inv((x.58*x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^inv((x.58*x.59))>, x.54)
+         skC   = (x.58*inv(x.63))
+         z     = z.44
+         z.1   = x.57^inv((x.59*x.63))
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    557. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^(x.58*x.59)
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^(x.58*x.59)>, x.54)
+         skC   = inv((x.58*x.63))
+         z     = z.44
+         z.1   = x.57^(x.59*inv(x.63))
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    558. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^(x.58*x.59)
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^(x.58*x.59)>, x.54)
+         skC   = (x.63*inv(x.58))
+         z     = z.44
+         z.1   = x.57^(x.59*x.63)
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    559. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^(x.58*x.59*inv((x.60*x.61)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^(x.58*x.59*inv((x.60*x.61)))>, x.54)
+         skC   = (x.61*inv(x.59))
+         z     = z.44
+         z.1   = x.57^(x.58*inv(x.60))
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    560. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^(x.58*inv(x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^(x.58*inv(x.59))>, x.54)
+         skC   = inv(x.63)
+         z     = z.44
+         z.1   = x.57^(x.58*inv((x.59*x.63)))
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    561. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^(x.58*inv(x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^(x.58*inv(x.59))>, x.54)
+         skC   = inv((x.58*x.63))
+         z     = z.44
+         z.1   = x.57^inv((x.59*x.63))
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    562. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^(x.58*inv(x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^(x.58*inv(x.59))>, x.54)
+         skC   = (x.59*x.63)
+         z     = z.44
+         z.1   = x.57^(x.58*x.63)
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    563. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^(x.58*inv(x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^(x.58*inv(x.59))>, x.54)
+         skC   = (x.59*x.63*inv(x.58))
+         z     = z.44
+         z.1   = x.57^x.63
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    564. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), x.55, z.49)
+         pkTe  = x.57^(x.58*inv(x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.57^(x.58*inv(x.59))>, x.54)
+         skC   = (x.59*inv((x.58*x.63)))
+         z     = z.44
+         z.1   = x.57^inv(x.63)
+         z.2   = verify(x.55, <pk(x.54), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    565. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^inv((x.57*x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^inv((x.57*x.58))>, x.54)
+         skC   = (x.57*x.62*inv(x.63))
+         z     = z.44
+         z.1   = x.56^(x.62*inv((x.58*x.63)))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    566. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^(x.57*x.58)
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*x.58)>, x.54)
+         skC   = (x.62*inv((x.57*x.63)))
+         z     = z.44
+         z.1   = x.56^(x.58*x.62*inv(x.63))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    567. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*x.58*inv(x.59))>, x.54)
+         skC   = inv((x.58*x.63))
+         z     = z.44
+         z.1   = x.56^(x.57*inv((x.59*x.63)))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    568. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*x.58*inv(x.59))>, x.54)
+         skC   = (x.59*x.63*inv(x.57))
+         z     = z.44
+         z.1   = x.56^(x.58*x.63)
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    569. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*x.58*inv(x.59))>, x.54)
+         skC   = (x.59*inv((x.57*x.63)))
+         z     = z.44
+         z.1   = x.56^(x.58*inv(x.63))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    570. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv(x.58))>, x.54)
+         skC   = (x.58*x.62*inv((x.57*x.63)))
+         z     = z.44
+         z.1   = x.56^(x.62*inv(x.63))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    571. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv(x.58))>, x.54)
+         skC   = (x.62*inv(x.63))
+         z     = z.44
+         z.1   = x.56^(x.57*x.62*inv((x.58*x.63)))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    572. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv(x.58))>, x.54)
+         skC   = (x.62*inv((x.57*x.63)))
+         z     = z.44
+         z.1   = x.56^(x.62*inv((x.58*x.63)))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    573. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv((x.58*x.59)))>, x.54)
+         skC   = (x.58*x.63)
+         z     = z.44
+         z.1   = x.56^(x.57*x.63*inv(x.59))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    574. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv((x.58*x.59)))>, x.54)
+         skC   = (x.58*x.63*inv(x.57))
+         z     = z.44
+         z.1   = x.56^(x.63*inv(x.59))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    575. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv((x.58*x.59)))>, x.54)
+         skC   = (x.58*inv(x.63))
+         z     = z.44
+         z.1   = x.56^(x.57*inv((x.59*x.63)))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    576. IDc   = IDc.33
+         certC = cert(x.51, x.52, z.44)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv((x.58*x.59)))>, x.54)
+         skC   = (x.58*inv((x.57*x.63)))
+         z     = z.44
+         z.1   = x.56^inv((x.59*x.63))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.44, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    577. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^inv((x.57*x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^inv((x.57*x.58))>, x.53)
+         skC   = (x.57*x.62*inv(x.63))
+         z     = z.44
+         z.1   = x.56^(x.62*inv((x.58*x.63)))
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    578. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^(x.57*x.58)
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*x.58)>, x.53)
+         skC   = (x.62*inv((x.57*x.63)))
+         z     = z.44
+         z.1   = x.56^(x.58*x.62*inv(x.63))
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    579. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*x.58*inv(x.59))>, x.53)
+         skC   = inv((x.58*x.63))
+         z     = z.44
+         z.1   = x.56^(x.57*inv((x.59*x.63)))
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    580. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*x.58*inv(x.59))>, x.53)
+         skC   = (x.59*x.63*inv(x.57))
+         z     = z.44
+         z.1   = x.56^(x.58*x.63)
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    581. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*x.58*inv(x.59))>, x.53)
+         skC   = (x.59*inv((x.57*x.63)))
+         z     = z.44
+         z.1   = x.56^(x.58*inv(x.63))
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    582. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv(x.58))>, x.53)
+         skC   = (x.58*x.62*inv((x.57*x.63)))
+         z     = z.44
+         z.1   = x.56^(x.62*inv(x.63))
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    583. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv(x.58))>, x.53)
+         skC   = (x.62*inv(x.63))
+         z     = z.44
+         z.1   = x.56^(x.57*x.62*inv((x.58*x.63)))
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    584. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv(x.58))>, x.53)
+         skC   = (x.62*inv((x.57*x.63)))
+         z     = z.44
+         z.1   = x.56^(x.62*inv((x.58*x.63)))
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    585. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv((x.58*x.59)))>, x.53)
+         skC   = (x.58*x.63)
+         z     = z.44
+         z.1   = x.56^(x.57*x.63*inv(x.59))
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    586. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv((x.58*x.59)))>, x.53)
+         skC   = (x.58*x.63*inv(x.57))
+         z     = z.44
+         z.1   = x.56^(x.63*inv(x.59))
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    587. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv((x.58*x.59)))>, x.53)
+         skC   = (x.58*inv(x.63))
+         z     = z.44
+         z.1   = x.56^(x.57*inv((x.59*x.63)))
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    588. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), x.54, z.49)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.56^(x.57*inv((x.58*x.59)))>, x.53)
+         skC   = (x.58*inv((x.57*x.63)))
+         z     = z.44
+         z.1   = x.56^inv((x.59*x.63))
+         z.2   = verify(x.54, <pk(x.53), z.49, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    589. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*x.57*inv(x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*x.57*inv(x.58))>, x.53)
+         skC   = (x.58*x.62*inv((x.56*x.63)))
+         z     = z.44
+         z.1   = x.55^(x.57*x.62*inv(x.63))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    590. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*x.57*inv(x.58))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*x.57*inv(x.58))>, x.53)
+         skC   = (x.62*inv((x.56*x.63)))
+         z     = z.44
+         z.1   = x.55^(x.57*x.62*inv((x.58*x.63)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    591. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*x.57*inv((x.58*x.59)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*x.57*inv((x.58*x.59)))>, x.53)
+         skC   = (x.58*x.63*inv(x.56))
+         z     = z.44
+         z.1   = x.55^(x.57*x.63*inv(x.59))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    592. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*x.57*inv((x.58*x.59)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*x.57*inv((x.58*x.59)))>, x.53)
+         skC   = (x.58*inv((x.56*x.63)))
+         z     = z.44
+         z.1   = x.55^(x.57*inv((x.59*x.63)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    593. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*inv((x.57*x.58)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*inv((x.57*x.58)))>, x.53)
+         skC   = (x.57*x.62*inv(x.63))
+         z     = z.44
+         z.1   = x.55^(x.56*x.62*inv((x.58*x.63)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    594. IDc   = IDc.33
+         certC = cert(x.51, sign(<x.51, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.49, 'terminal'>, ca_sk), z.49)
+         pkTe  = x.55^(x.56*inv((x.57*x.58)))
+         r1    = r1.38
+         s1    = sign(<IDc.33, r1.38, x.55^(x.56*inv((x.57*x.58)))>, x.53)
+         skC   = (x.57*x.62*inv((x.56*x.63)))
+         z     = z.44
+         z.1   = x.55^(x.62*inv((x.58*x.63)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    595. IDc   = IDc.34
+         certC = certC.35
+         certT = cert(x.51, x.52, z.50)
+         pkTe  = x.54^(x.55*x.56*inv((x.57*x.58)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.57*x.63*inv((x.55*x.64)))
+         z     = cert_id(certC.35)
+         z.1   = x.54^(x.56*x.63*inv((x.58*x.64)))
+         z.2   = verify(x.52, <x.51, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.35),
+                        <cert_pk(certC.35), cert_id(certC.35), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.54^(x.55*x.56*inv((x.57*x.58)))>,
+                        x.51)
+         z.5   = z.50
+    
+    596. IDc   = IDc.34
+         certC = certC.35
+         certT = cert(pk(x.53), x.54, z.50)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.56^(x.57*x.58*inv(x.59))>, x.53)
+         skC   = (x.59*x.63*inv((x.57*x.64)))
+         z     = cert_id(certC.35)
+         z.1   = x.56^(x.58*x.63*inv(x.64))
+         z.2   = verify(x.54, <pk(x.53), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.35),
+                        <cert_pk(certC.35), cert_id(certC.35), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    597. IDc   = IDc.34
+         certC = certC.35
+         certT = cert(pk(x.53), x.54, z.50)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.56^(x.57*x.58*inv(x.59))>, x.53)
+         skC   = (x.63*inv((x.57*x.64)))
+         z     = cert_id(certC.35)
+         z.1   = x.56^(x.58*x.63*inv((x.59*x.64)))
+         z.2   = verify(x.54, <pk(x.53), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.35),
+                        <cert_pk(certC.35), cert_id(certC.35), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    598. IDc   = IDc.34
+         certC = certC.35
+         certT = cert(pk(x.53), x.54, z.50)
+         pkTe  = x.56^(x.57*x.58*inv((x.59*x.60)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.56^(x.57*x.58*inv((x.59*x.60)))>, x.53)
+         skC   = (x.59*x.64*inv(x.57))
+         z     = cert_id(certC.35)
+         z.1   = x.56^(x.58*x.64*inv(x.60))
+         z.2   = verify(x.54, <pk(x.53), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.35),
+                        <cert_pk(certC.35), cert_id(certC.35), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    599. IDc   = IDc.34
+         certC = certC.35
+         certT = cert(pk(x.53), x.54, z.50)
+         pkTe  = x.56^(x.57*x.58*inv((x.59*x.60)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.56^(x.57*x.58*inv((x.59*x.60)))>, x.53)
+         skC   = (x.59*inv((x.57*x.64)))
+         z     = cert_id(certC.35)
+         z.1   = x.56^(x.58*inv((x.60*x.64)))
+         z.2   = verify(x.54, <pk(x.53), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.35),
+                        <cert_pk(certC.35), cert_id(certC.35), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    600. IDc   = IDc.34
+         certC = certC.35
+         certT = cert(pk(x.53), x.54, z.50)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.56^(x.57*inv((x.58*x.59)))>, x.53)
+         skC   = (x.58*x.63*inv(x.64))
+         z     = cert_id(certC.35)
+         z.1   = x.56^(x.57*x.63*inv((x.59*x.64)))
+         z.2   = verify(x.54, <pk(x.53), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.35),
+                        <cert_pk(certC.35), cert_id(certC.35), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    601. IDc   = IDc.34
+         certC = certC.35
+         certT = cert(pk(x.53), x.54, z.50)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.56^(x.57*inv((x.58*x.59)))>, x.53)
+         skC   = (x.58*x.63*inv((x.57*x.64)))
+         z     = cert_id(certC.35)
+         z.1   = x.56^(x.63*inv((x.59*x.64)))
+         z.2   = verify(x.54, <pk(x.53), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.35),
+                        <cert_pk(certC.35), cert_id(certC.35), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    602. IDc   = IDc.34
+         certC = certC.35
+         certT = cert(pk(x.53), sign(<pk(x.53), z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.55^(x.56*x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.55^(x.56*x.57*inv((x.58*x.59)))>, x.53)
+         skC   = (x.58*x.63*inv((x.56*x.64)))
+         z     = cert_id(certC.35)
+         z.1   = x.55^(x.57*x.63*inv((x.59*x.64)))
+         z.2   = true
+         z.3   = verify(cert_sig(certC.35),
+                        <cert_pk(certC.35), cert_id(certC.35), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    603. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = certT.36
+         pkTe  = x.55^(x.56*x.57*inv(x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*x.63*inv((x.56*x.64)))
+         z     = z.45
+         z.1   = x.55^(x.57*x.63*inv(x.64))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*x.57*inv(x.58))>,
+                        cert_pk(certT.36))
+         z.5   = cert_id(certT.36)
+    
+    604. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = certT.36
+         pkTe  = x.55^(x.56*x.57*inv(x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.63*inv((x.56*x.64)))
+         z     = z.45
+         z.1   = x.55^(x.57*x.63*inv((x.58*x.64)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*x.57*inv(x.58))>,
+                        cert_pk(certT.36))
+         z.5   = cert_id(certT.36)
+    
+    605. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = certT.36
+         pkTe  = x.55^(x.56*x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*x.64*inv(x.56))
+         z     = z.45
+         z.1   = x.55^(x.57*x.64*inv(x.59))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*x.57*inv((x.58*x.59)))>,
+                        cert_pk(certT.36))
+         z.5   = cert_id(certT.36)
+    
+    606. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = certT.36
+         pkTe  = x.55^(x.56*x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*inv((x.56*x.64)))
+         z     = z.45
+         z.1   = x.55^(x.57*inv((x.59*x.64)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*x.57*inv((x.58*x.59)))>,
+                        cert_pk(certT.36))
+         z.5   = cert_id(certT.36)
+    
+    607. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = certT.36
+         pkTe  = x.55^(x.56*inv((x.57*x.58)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.57*x.63*inv(x.64))
+         z     = z.45
+         z.1   = x.55^(x.56*x.63*inv((x.58*x.64)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*inv((x.57*x.58)))>,
+                        cert_pk(certT.36))
+         z.5   = cert_id(certT.36)
+    
+    608. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = certT.36
+         pkTe  = x.55^(x.56*inv((x.57*x.58)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.57*x.63*inv((x.56*x.64)))
+         z     = z.45
+         z.1   = x.55^(x.63*inv((x.58*x.64)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*inv((x.57*x.58)))>,
+                        cert_pk(certT.36))
+         z.5   = cert_id(certT.36)
+    
+    609. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, x.55, z.50)
+         pkTe  = x.57^x.58
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.63*inv((x.58*x.64)))
+         z     = z.45
+         z.1   = x.57^(x.63*inv(x.64))
+         z.2   = verify(x.55, <x.54, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.57^x.58>, x.54)
+         z.5   = z.50
+    
+    610. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, x.55, z.50)
+         pkTe  = x.57^inv(x.58)
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.63*inv(x.64))
+         z     = z.45
+         z.1   = x.57^(x.63*inv((x.58*x.64)))
+         z.2   = verify(x.55, <x.54, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.57^inv(x.58)>, x.54)
+         z.5   = z.50
+    
+    611. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, x.55, z.50)
+         pkTe  = x.57^inv((x.58*x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*x.64)
+         z     = z.45
+         z.1   = x.57^(x.64*inv(x.59))
+         z.2   = verify(x.55, <x.54, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.57^inv((x.58*x.59))>, x.54)
+         z.5   = z.50
+    
+    612. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, x.55, z.50)
+         pkTe  = x.57^inv((x.58*x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*inv(x.64))
+         z     = z.45
+         z.1   = x.57^inv((x.59*x.64))
+         z.2   = verify(x.55, <x.54, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.57^inv((x.58*x.59))>, x.54)
+         z.5   = z.50
+    
+    613. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, x.55, z.50)
+         pkTe  = x.57^(x.58*x.59)
+         r1    = r1.39
+         s1    = s1.41
+         skC   = inv((x.58*x.64))
+         z     = z.45
+         z.1   = x.57^(x.59*inv(x.64))
+         z.2   = verify(x.55, <x.54, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.57^(x.58*x.59)>, x.54)
+         z.5   = z.50
+    
+    614. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, x.55, z.50)
+         pkTe  = x.57^(x.58*x.59)
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.64*inv(x.58))
+         z     = z.45
+         z.1   = x.57^(x.59*x.64)
+         z.2   = verify(x.55, <x.54, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.57^(x.58*x.59)>, x.54)
+         z.5   = z.50
+    
+    615. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, x.55, z.50)
+         pkTe  = x.57^(x.58*inv(x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = inv(x.64)
+         z     = z.45
+         z.1   = x.57^(x.58*inv((x.59*x.64)))
+         z.2   = verify(x.55, <x.54, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.57^(x.58*inv(x.59))>, x.54)
+         z.5   = z.50
+    
+    616. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, x.55, z.50)
+         pkTe  = x.57^(x.58*inv(x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = inv((x.58*x.64))
+         z     = z.45
+         z.1   = x.57^inv((x.59*x.64))
+         z.2   = verify(x.55, <x.54, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.57^(x.58*inv(x.59))>, x.54)
+         z.5   = z.50
+    
+    617. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, x.55, z.50)
+         pkTe  = x.57^(x.58*inv(x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.59*x.64)
+         z     = z.45
+         z.1   = x.57^(x.58*x.64)
+         z.2   = verify(x.55, <x.54, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.57^(x.58*inv(x.59))>, x.54)
+         z.5   = z.50
+    
+    618. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, x.55, z.50)
+         pkTe  = x.57^(x.58*inv(x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.59*x.64*inv(x.58))
+         z     = z.45
+         z.1   = x.57^x.64
+         z.2   = verify(x.55, <x.54, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.57^(x.58*inv(x.59))>, x.54)
+         z.5   = z.50
+    
+    619. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, x.55, z.50)
+         pkTe  = x.57^(x.58*inv(x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.59*inv((x.58*x.64)))
+         z     = z.45
+         z.1   = x.57^inv(x.64)
+         z.2   = verify(x.55, <x.54, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.57^(x.58*inv(x.59))>, x.54)
+         z.5   = z.50
+    
+    620. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^inv((x.57*x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.57*x.63*inv(x.64))
+         z     = z.45
+         z.1   = x.56^(x.63*inv((x.58*x.64)))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^inv((x.57*x.58))>, x.54)
+         z.5   = z.50
+    
+    621. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*x.58)
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.63*inv((x.57*x.64)))
+         z     = z.45
+         z.1   = x.56^(x.58*x.63*inv(x.64))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*x.58)>, x.54)
+         z.5   = z.50
+    
+    622. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = inv((x.58*x.64))
+         z     = z.45
+         z.1   = x.56^(x.57*inv((x.59*x.64)))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*x.58*inv(x.59))>, x.54)
+         z.5   = z.50
+    
+    623. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.59*x.64*inv(x.57))
+         z     = z.45
+         z.1   = x.56^(x.58*x.64)
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*x.58*inv(x.59))>, x.54)
+         z.5   = z.50
+    
+    624. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.59*inv((x.57*x.64)))
+         z     = z.45
+         z.1   = x.56^(x.58*inv(x.64))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*x.58*inv(x.59))>, x.54)
+         z.5   = z.50
+    
+    625. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*x.63*inv((x.57*x.64)))
+         z     = z.45
+         z.1   = x.56^(x.63*inv(x.64))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv(x.58))>, x.54)
+         z.5   = z.50
+    
+    626. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.63*inv(x.64))
+         z     = z.45
+         z.1   = x.56^(x.57*x.63*inv((x.58*x.64)))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv(x.58))>, x.54)
+         z.5   = z.50
+    
+    627. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.63*inv((x.57*x.64)))
+         z     = z.45
+         z.1   = x.56^(x.63*inv((x.58*x.64)))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv(x.58))>, x.54)
+         z.5   = z.50
+    
+    628. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*x.64)
+         z     = z.45
+         z.1   = x.56^(x.57*x.64*inv(x.59))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv((x.58*x.59)))>,
+                        x.54)
+         z.5   = z.50
+    
+    629. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*x.64*inv(x.57))
+         z     = z.45
+         z.1   = x.56^(x.64*inv(x.59))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv((x.58*x.59)))>,
+                        x.54)
+         z.5   = z.50
+    
+    630. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*inv(x.64))
+         z     = z.45
+         z.1   = x.56^(x.57*inv((x.59*x.64)))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv((x.58*x.59)))>,
+                        x.54)
+         z.5   = z.50
+    
+    631. IDc   = IDc.34
+         certC = cert(x.51, x.52, z.45)
+         certT = cert(x.54, sign(<x.54, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*inv((x.57*x.64)))
+         z     = z.45
+         z.1   = x.56^inv((x.59*x.64))
+         z.2   = true
+         z.3   = verify(x.52, <x.51, z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv((x.58*x.59)))>,
+                        x.54)
+         z.5   = z.50
+    
+    632. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = certT.36
+         pkTe  = x.54^(x.55*x.56*inv((x.57*x.58)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.57*x.63*inv((x.55*x.64)))
+         z     = z.45
+         z.1   = x.54^(x.56*x.63*inv((x.58*x.64)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.54^(x.55*x.56*inv((x.57*x.58)))>,
+                        cert_pk(certT.36))
+         z.5   = cert_id(certT.36)
+    
+    633. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^inv((x.57*x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.57*x.63*inv(x.64))
+         z     = z.45
+         z.1   = x.56^(x.63*inv((x.58*x.64)))
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^inv((x.57*x.58))>, x.53)
+         z.5   = z.50
+    
+    634. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^(x.57*x.58)
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.63*inv((x.57*x.64)))
+         z     = z.45
+         z.1   = x.56^(x.58*x.63*inv(x.64))
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*x.58)>, x.53)
+         z.5   = z.50
+    
+    635. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = inv((x.58*x.64))
+         z     = z.45
+         z.1   = x.56^(x.57*inv((x.59*x.64)))
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*x.58*inv(x.59))>, x.53)
+         z.5   = z.50
+    
+    636. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.59*x.64*inv(x.57))
+         z     = z.45
+         z.1   = x.56^(x.58*x.64)
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*x.58*inv(x.59))>, x.53)
+         z.5   = z.50
+    
+    637. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^(x.57*x.58*inv(x.59))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.59*inv((x.57*x.64)))
+         z     = z.45
+         z.1   = x.56^(x.58*inv(x.64))
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*x.58*inv(x.59))>, x.53)
+         z.5   = z.50
+    
+    638. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*x.63*inv((x.57*x.64)))
+         z     = z.45
+         z.1   = x.56^(x.63*inv(x.64))
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv(x.58))>, x.53)
+         z.5   = z.50
+    
+    639. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.63*inv(x.64))
+         z     = z.45
+         z.1   = x.56^(x.57*x.63*inv((x.58*x.64)))
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv(x.58))>, x.53)
+         z.5   = z.50
+    
+    640. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^(x.57*inv(x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.63*inv((x.57*x.64)))
+         z     = z.45
+         z.1   = x.56^(x.63*inv((x.58*x.64)))
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv(x.58))>, x.53)
+         z.5   = z.50
+    
+    641. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*x.64)
+         z     = z.45
+         z.1   = x.56^(x.57*x.64*inv(x.59))
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv((x.58*x.59)))>,
+                        x.53)
+         z.5   = z.50
+    
+    642. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*x.64*inv(x.57))
+         z     = z.45
+         z.1   = x.56^(x.64*inv(x.59))
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv((x.58*x.59)))>,
+                        x.53)
+         z.5   = z.50
+    
+    643. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*inv(x.64))
+         z     = z.45
+         z.1   = x.56^(x.57*inv((x.59*x.64)))
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv((x.58*x.59)))>,
+                        x.53)
+         z.5   = z.50
+    
+    644. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, x.54, z.50)
+         pkTe  = x.56^(x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*inv((x.57*x.64)))
+         z     = z.45
+         z.1   = x.56^inv((x.59*x.64))
+         z.2   = verify(x.54, <x.53, z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.56^(x.57*inv((x.58*x.59)))>,
+                        x.53)
+         z.5   = z.50
+    
+    645. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, sign(<x.53, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.55^(x.56*x.57*inv(x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*x.63*inv((x.56*x.64)))
+         z     = z.45
+         z.1   = x.55^(x.57*x.63*inv(x.64))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*x.57*inv(x.58))>, x.53)
+         z.5   = z.50
+    
+    646. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, sign(<x.53, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.55^(x.56*x.57*inv(x.58))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.63*inv((x.56*x.64)))
+         z     = z.45
+         z.1   = x.55^(x.57*x.63*inv((x.58*x.64)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*x.57*inv(x.58))>, x.53)
+         z.5   = z.50
+    
+    647. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, sign(<x.53, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.55^(x.56*x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*x.64*inv(x.56))
+         z     = z.45
+         z.1   = x.55^(x.57*x.64*inv(x.59))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*x.57*inv((x.58*x.59)))>,
+                        x.53)
+         z.5   = z.50
+    
+    648. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, sign(<x.53, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.55^(x.56*x.57*inv((x.58*x.59)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.58*inv((x.56*x.64)))
+         z     = z.45
+         z.1   = x.55^(x.57*inv((x.59*x.64)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*x.57*inv((x.58*x.59)))>,
+                        x.53)
+         z.5   = z.50
+    
+    649. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, sign(<x.53, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.55^(x.56*inv((x.57*x.58)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.57*x.63*inv(x.64))
+         z     = z.45
+         z.1   = x.55^(x.56*x.63*inv((x.58*x.64)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*inv((x.57*x.58)))>,
+                        x.53)
+         z.5   = z.50
+    
+    650. IDc   = IDc.34
+         certC = cert(x.51, sign(<x.51, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.53, sign(<x.53, z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.55^(x.56*inv((x.57*x.58)))
+         r1    = r1.39
+         s1    = s1.41
+         skC   = (x.57*x.63*inv((x.56*x.64)))
+         z     = z.45
+         z.1   = x.55^(x.63*inv((x.58*x.64)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.34, r1.39, x.55^(x.56*inv((x.57*x.58)))>,
+                        x.53)
+         z.5   = z.50
+    
+    651. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^inv((x.59*x.60))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^inv((x.59*x.60))>, x.55)
+         skC   = (x.59*x.64*inv(x.65))
+         z     = z.45
+         z.1   = x.58^(x.64*inv((x.60*x.65)))
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    652. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^(x.59*x.60)
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^(x.59*x.60)>, x.55)
+         skC   = (x.64*inv((x.59*x.65)))
+         z     = z.45
+         z.1   = x.58^(x.60*x.64*inv(x.65))
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    653. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^(x.59*x.60*inv(x.61))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^(x.59*x.60*inv(x.61))>, x.55)
+         skC   = inv((x.60*x.65))
+         z     = z.45
+         z.1   = x.58^(x.59*inv((x.61*x.65)))
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    654. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^(x.59*x.60*inv(x.61))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^(x.59*x.60*inv(x.61))>, x.55)
+         skC   = (x.61*x.65*inv(x.59))
+         z     = z.45
+         z.1   = x.58^(x.60*x.65)
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    655. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^(x.59*x.60*inv(x.61))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^(x.59*x.60*inv(x.61))>, x.55)
+         skC   = (x.61*inv((x.59*x.65)))
+         z     = z.45
+         z.1   = x.58^(x.60*inv(x.65))
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    656. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^(x.59*inv(x.60))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^(x.59*inv(x.60))>, x.55)
+         skC   = (x.60*x.64*inv((x.59*x.65)))
+         z     = z.45
+         z.1   = x.58^(x.64*inv(x.65))
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    657. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^(x.59*inv(x.60))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^(x.59*inv(x.60))>, x.55)
+         skC   = (x.64*inv(x.65))
+         z     = z.45
+         z.1   = x.58^(x.59*x.64*inv((x.60*x.65)))
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    658. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^(x.59*inv(x.60))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^(x.59*inv(x.60))>, x.55)
+         skC   = (x.64*inv((x.59*x.65)))
+         z     = z.45
+         z.1   = x.58^(x.64*inv((x.60*x.65)))
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    659. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^(x.59*inv((x.60*x.61)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^(x.59*inv((x.60*x.61)))>, x.55)
+         skC   = (x.60*x.65)
+         z     = z.45
+         z.1   = x.58^(x.59*x.65*inv(x.61))
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    660. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^(x.59*inv((x.60*x.61)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^(x.59*inv((x.60*x.61)))>, x.55)
+         skC   = (x.60*x.65*inv(x.59))
+         z     = z.45
+         z.1   = x.58^(x.65*inv(x.61))
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    661. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^(x.59*inv((x.60*x.61)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^(x.59*inv((x.60*x.61)))>, x.55)
+         skC   = (x.60*inv(x.65))
+         z     = z.45
+         z.1   = x.58^(x.59*inv((x.61*x.65)))
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    662. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), x.56, z.50)
+         pkTe  = x.58^(x.59*inv((x.60*x.61)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.58^(x.59*inv((x.60*x.61)))>, x.55)
+         skC   = (x.60*inv((x.59*x.65)))
+         z     = z.45
+         z.1   = x.58^inv((x.61*x.65))
+         z.2   = verify(x.56, <pk(x.55), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    663. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), sign(<pk(x.55), z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.57^(x.58*x.59*inv(x.60))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*x.59*inv(x.60))>, x.55)
+         skC   = (x.60*x.64*inv((x.58*x.65)))
+         z     = z.45
+         z.1   = x.57^(x.59*x.64*inv(x.65))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    664. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), sign(<pk(x.55), z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.57^(x.58*x.59*inv(x.60))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*x.59*inv(x.60))>, x.55)
+         skC   = (x.64*inv((x.58*x.65)))
+         z     = z.45
+         z.1   = x.57^(x.59*x.64*inv((x.60*x.65)))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    665. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), sign(<pk(x.55), z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.57^(x.58*x.59*inv((x.60*x.61)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*x.59*inv((x.60*x.61)))>, x.55)
+         skC   = (x.60*x.65*inv(x.58))
+         z     = z.45
+         z.1   = x.57^(x.59*x.65*inv(x.61))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    666. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), sign(<pk(x.55), z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.57^(x.58*x.59*inv((x.60*x.61)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*x.59*inv((x.60*x.61)))>, x.55)
+         skC   = (x.60*inv((x.58*x.65)))
+         z     = z.45
+         z.1   = x.57^(x.59*inv((x.61*x.65)))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    667. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), sign(<pk(x.55), z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.57^(x.58*inv((x.59*x.60)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*inv((x.59*x.60)))>, x.55)
+         skC   = (x.59*x.64*inv(x.65))
+         z     = z.45
+         z.1   = x.57^(x.58*x.64*inv((x.60*x.65)))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    668. IDc   = IDc.34
+         certC = cert(x.52, x.53, z.45)
+         certT = cert(pk(x.55), sign(<pk(x.55), z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.57^(x.58*inv((x.59*x.60)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*inv((x.59*x.60)))>, x.55)
+         skC   = (x.59*x.64*inv((x.58*x.65)))
+         z     = z.45
+         z.1   = x.57^(x.64*inv((x.60*x.65)))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    669. IDc   = IDc.34
+         certC = cert(x.52, sign(<x.52, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(pk(x.54), x.55, z.50)
+         pkTe  = x.57^(x.58*x.59*inv(x.60))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*x.59*inv(x.60))>, x.54)
+         skC   = (x.60*x.64*inv((x.58*x.65)))
+         z     = z.45
+         z.1   = x.57^(x.59*x.64*inv(x.65))
+         z.2   = verify(x.55, <pk(x.54), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    670. IDc   = IDc.34
+         certC = cert(x.52, sign(<x.52, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(pk(x.54), x.55, z.50)
+         pkTe  = x.57^(x.58*x.59*inv(x.60))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*x.59*inv(x.60))>, x.54)
+         skC   = (x.64*inv((x.58*x.65)))
+         z     = z.45
+         z.1   = x.57^(x.59*x.64*inv((x.60*x.65)))
+         z.2   = verify(x.55, <pk(x.54), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    671. IDc   = IDc.34
+         certC = cert(x.52, sign(<x.52, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(pk(x.54), x.55, z.50)
+         pkTe  = x.57^(x.58*x.59*inv((x.60*x.61)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*x.59*inv((x.60*x.61)))>, x.54)
+         skC   = (x.60*x.65*inv(x.58))
+         z     = z.45
+         z.1   = x.57^(x.59*x.65*inv(x.61))
+         z.2   = verify(x.55, <pk(x.54), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    672. IDc   = IDc.34
+         certC = cert(x.52, sign(<x.52, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(pk(x.54), x.55, z.50)
+         pkTe  = x.57^(x.58*x.59*inv((x.60*x.61)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*x.59*inv((x.60*x.61)))>, x.54)
+         skC   = (x.60*inv((x.58*x.65)))
+         z     = z.45
+         z.1   = x.57^(x.59*inv((x.61*x.65)))
+         z.2   = verify(x.55, <pk(x.54), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    673. IDc   = IDc.34
+         certC = cert(x.52, sign(<x.52, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(pk(x.54), x.55, z.50)
+         pkTe  = x.57^(x.58*inv((x.59*x.60)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*inv((x.59*x.60)))>, x.54)
+         skC   = (x.59*x.64*inv(x.65))
+         z     = z.45
+         z.1   = x.57^(x.58*x.64*inv((x.60*x.65)))
+         z.2   = verify(x.55, <pk(x.54), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    674. IDc   = IDc.34
+         certC = cert(x.52, sign(<x.52, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(pk(x.54), x.55, z.50)
+         pkTe  = x.57^(x.58*inv((x.59*x.60)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.57^(x.58*inv((x.59*x.60)))>, x.54)
+         skC   = (x.59*x.64*inv((x.58*x.65)))
+         z     = z.45
+         z.1   = x.57^(x.64*inv((x.60*x.65)))
+         z.2   = verify(x.55, <pk(x.54), z.50, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    675. IDc   = IDc.34
+         certC = cert(x.52, sign(<x.52, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.50, 'terminal'>, ca_sk), z.50)
+         pkTe  = x.56^(x.57*x.58*inv((x.59*x.60)))
+         r1    = r1.39
+         s1    = sign(<IDc.34, r1.39, x.56^(x.57*x.58*inv((x.59*x.60)))>, x.54)
+         skC   = (x.59*x.64*inv((x.57*x.65)))
+         z     = z.45
+         z.1   = x.56^(x.58*x.64*inv((x.60*x.65)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    676. IDc   = IDc.35
+         certC = certC.36
+         certT = cert(pk(x.54), x.55, z.51)
+         pkTe  = x.57^(x.58*x.59*inv((x.60*x.61)))
+         r1    = r1.40
+         s1    = sign(<IDc.35, r1.40, x.57^(x.58*x.59*inv((x.60*x.61)))>, x.54)
+         skC   = (x.60*x.65*inv((x.58*x.66)))
+         z     = cert_id(certC.36)
+         z.1   = x.57^(x.59*x.65*inv((x.61*x.66)))
+         z.2   = verify(x.55, <pk(x.54), z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.36),
+                        <cert_pk(certC.36), cert_id(certC.36), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    677. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = certT.37
+         pkTe  = x.56^(x.57*x.58*inv((x.59*x.60)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.59*x.65*inv((x.57*x.66)))
+         z     = z.46
+         z.1   = x.56^(x.58*x.65*inv((x.60*x.66)))
+         z.2   = verify(cert_sig(certT.37),
+                        <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.56^(x.57*x.58*inv((x.59*x.60)))>,
+                        cert_pk(certT.37))
+         z.5   = cert_id(certT.37)
+    
+    678. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^inv((x.59*x.60))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.59*x.65*inv(x.66))
+         z     = z.46
+         z.1   = x.58^(x.65*inv((x.60*x.66)))
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^inv((x.59*x.60))>, x.55)
+         z.5   = z.51
+    
+    679. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^(x.59*x.60)
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.65*inv((x.59*x.66)))
+         z     = z.46
+         z.1   = x.58^(x.60*x.65*inv(x.66))
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^(x.59*x.60)>, x.55)
+         z.5   = z.51
+    
+    680. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^(x.59*x.60*inv(x.61))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = inv((x.60*x.66))
+         z     = z.46
+         z.1   = x.58^(x.59*inv((x.61*x.66)))
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^(x.59*x.60*inv(x.61))>, x.55)
+         z.5   = z.51
+    
+    681. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^(x.59*x.60*inv(x.61))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.61*x.66*inv(x.59))
+         z     = z.46
+         z.1   = x.58^(x.60*x.66)
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^(x.59*x.60*inv(x.61))>, x.55)
+         z.5   = z.51
+    
+    682. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^(x.59*x.60*inv(x.61))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.61*inv((x.59*x.66)))
+         z     = z.46
+         z.1   = x.58^(x.60*inv(x.66))
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^(x.59*x.60*inv(x.61))>, x.55)
+         z.5   = z.51
+    
+    683. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^(x.59*inv(x.60))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.60*x.65*inv((x.59*x.66)))
+         z     = z.46
+         z.1   = x.58^(x.65*inv(x.66))
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^(x.59*inv(x.60))>, x.55)
+         z.5   = z.51
+    
+    684. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^(x.59*inv(x.60))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.65*inv(x.66))
+         z     = z.46
+         z.1   = x.58^(x.59*x.65*inv((x.60*x.66)))
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^(x.59*inv(x.60))>, x.55)
+         z.5   = z.51
+    
+    685. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^(x.59*inv(x.60))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.65*inv((x.59*x.66)))
+         z     = z.46
+         z.1   = x.58^(x.65*inv((x.60*x.66)))
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^(x.59*inv(x.60))>, x.55)
+         z.5   = z.51
+    
+    686. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^(x.59*inv((x.60*x.61)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.60*x.66)
+         z     = z.46
+         z.1   = x.58^(x.59*x.66*inv(x.61))
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^(x.59*inv((x.60*x.61)))>,
+                        x.55)
+         z.5   = z.51
+    
+    687. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^(x.59*inv((x.60*x.61)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.60*x.66*inv(x.59))
+         z     = z.46
+         z.1   = x.58^(x.66*inv(x.61))
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^(x.59*inv((x.60*x.61)))>,
+                        x.55)
+         z.5   = z.51
+    
+    688. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^(x.59*inv((x.60*x.61)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.60*inv(x.66))
+         z     = z.46
+         z.1   = x.58^(x.59*inv((x.61*x.66)))
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^(x.59*inv((x.60*x.61)))>,
+                        x.55)
+         z.5   = z.51
+    
+    689. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, x.56, z.51)
+         pkTe  = x.58^(x.59*inv((x.60*x.61)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.60*inv((x.59*x.66)))
+         z     = z.46
+         z.1   = x.58^inv((x.61*x.66))
+         z.2   = verify(x.56, <x.55, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.58^(x.59*inv((x.60*x.61)))>,
+                        x.55)
+         z.5   = z.51
+    
+    690. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, sign(<x.55, z.51, 'terminal'>, ca_sk), z.51)
+         pkTe  = x.57^(x.58*x.59*inv(x.60))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.60*x.65*inv((x.58*x.66)))
+         z     = z.46
+         z.1   = x.57^(x.59*x.65*inv(x.66))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*x.59*inv(x.60))>, x.55)
+         z.5   = z.51
+    
+    691. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, sign(<x.55, z.51, 'terminal'>, ca_sk), z.51)
+         pkTe  = x.57^(x.58*x.59*inv(x.60))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.65*inv((x.58*x.66)))
+         z     = z.46
+         z.1   = x.57^(x.59*x.65*inv((x.60*x.66)))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*x.59*inv(x.60))>, x.55)
+         z.5   = z.51
+    
+    692. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, sign(<x.55, z.51, 'terminal'>, ca_sk), z.51)
+         pkTe  = x.57^(x.58*x.59*inv((x.60*x.61)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.60*x.66*inv(x.58))
+         z     = z.46
+         z.1   = x.57^(x.59*x.66*inv(x.61))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*x.59*inv((x.60*x.61)))>,
+                        x.55)
+         z.5   = z.51
+    
+    693. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, sign(<x.55, z.51, 'terminal'>, ca_sk), z.51)
+         pkTe  = x.57^(x.58*x.59*inv((x.60*x.61)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.60*inv((x.58*x.66)))
+         z     = z.46
+         z.1   = x.57^(x.59*inv((x.61*x.66)))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*x.59*inv((x.60*x.61)))>,
+                        x.55)
+         z.5   = z.51
+    
+    694. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, sign(<x.55, z.51, 'terminal'>, ca_sk), z.51)
+         pkTe  = x.57^(x.58*inv((x.59*x.60)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.59*x.65*inv(x.66))
+         z     = z.46
+         z.1   = x.57^(x.58*x.65*inv((x.60*x.66)))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*inv((x.59*x.60)))>,
+                        x.55)
+         z.5   = z.51
+    
+    695. IDc   = IDc.35
+         certC = cert(x.52, x.53, z.46)
+         certT = cert(x.55, sign(<x.55, z.51, 'terminal'>, ca_sk), z.51)
+         pkTe  = x.57^(x.58*inv((x.59*x.60)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.59*x.65*inv((x.58*x.66)))
+         z     = z.46
+         z.1   = x.57^(x.65*inv((x.60*x.66)))
+         z.2   = true
+         z.3   = verify(x.53, <x.52, z.46, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*inv((x.59*x.60)))>,
+                        x.55)
+         z.5   = z.51
+    
+    696. IDc   = IDc.35
+         certC = cert(x.52, sign(<x.52, z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(x.54, x.55, z.51)
+         pkTe  = x.57^(x.58*x.59*inv(x.60))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.60*x.65*inv((x.58*x.66)))
+         z     = z.46
+         z.1   = x.57^(x.59*x.65*inv(x.66))
+         z.2   = verify(x.55, <x.54, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*x.59*inv(x.60))>, x.54)
+         z.5   = z.51
+    
+    697. IDc   = IDc.35
+         certC = cert(x.52, sign(<x.52, z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(x.54, x.55, z.51)
+         pkTe  = x.57^(x.58*x.59*inv(x.60))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.65*inv((x.58*x.66)))
+         z     = z.46
+         z.1   = x.57^(x.59*x.65*inv((x.60*x.66)))
+         z.2   = verify(x.55, <x.54, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*x.59*inv(x.60))>, x.54)
+         z.5   = z.51
+    
+    698. IDc   = IDc.35
+         certC = cert(x.52, sign(<x.52, z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(x.54, x.55, z.51)
+         pkTe  = x.57^(x.58*x.59*inv((x.60*x.61)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.60*x.66*inv(x.58))
+         z     = z.46
+         z.1   = x.57^(x.59*x.66*inv(x.61))
+         z.2   = verify(x.55, <x.54, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*x.59*inv((x.60*x.61)))>,
+                        x.54)
+         z.5   = z.51
+    
+    699. IDc   = IDc.35
+         certC = cert(x.52, sign(<x.52, z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(x.54, x.55, z.51)
+         pkTe  = x.57^(x.58*x.59*inv((x.60*x.61)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.60*inv((x.58*x.66)))
+         z     = z.46
+         z.1   = x.57^(x.59*inv((x.61*x.66)))
+         z.2   = verify(x.55, <x.54, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*x.59*inv((x.60*x.61)))>,
+                        x.54)
+         z.5   = z.51
+    
+    700. IDc   = IDc.35
+         certC = cert(x.52, sign(<x.52, z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(x.54, x.55, z.51)
+         pkTe  = x.57^(x.58*inv((x.59*x.60)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.59*x.65*inv(x.66))
+         z     = z.46
+         z.1   = x.57^(x.58*x.65*inv((x.60*x.66)))
+         z.2   = verify(x.55, <x.54, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*inv((x.59*x.60)))>,
+                        x.54)
+         z.5   = z.51
+    
+    701. IDc   = IDc.35
+         certC = cert(x.52, sign(<x.52, z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(x.54, x.55, z.51)
+         pkTe  = x.57^(x.58*inv((x.59*x.60)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.59*x.65*inv((x.58*x.66)))
+         z     = z.46
+         z.1   = x.57^(x.65*inv((x.60*x.66)))
+         z.2   = verify(x.55, <x.54, z.51, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.57^(x.58*inv((x.59*x.60)))>,
+                        x.54)
+         z.5   = z.51
+    
+    702. IDc   = IDc.35
+         certC = cert(x.52, sign(<x.52, z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(x.54, sign(<x.54, z.51, 'terminal'>, ca_sk), z.51)
+         pkTe  = x.56^(x.57*x.58*inv((x.59*x.60)))
+         r1    = r1.40
+         s1    = s1.42
+         skC   = (x.59*x.65*inv((x.57*x.66)))
+         z     = z.46
+         z.1   = x.56^(x.58*x.65*inv((x.60*x.66)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.35, r1.40, x.56^(x.57*x.58*inv((x.59*x.60)))>,
+                        x.54)
+         z.5   = z.51
+    
+    703. IDc   = IDc.35
+         certC = cert(x.53, x.54, z.46)
+         certT = cert(pk(x.56), x.57, z.51)
+         pkTe  = x.59^(x.60*x.61*inv(x.62))
+         r1    = r1.40
+         s1    = sign(<IDc.35, r1.40, x.59^(x.60*x.61*inv(x.62))>, x.56)
+         skC   = (x.62*x.66*inv((x.60*x.67)))
+         z     = z.46
+         z.1   = x.59^(x.61*x.66*inv(x.67))
+         z.2   = verify(x.57, <pk(x.56), z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.46, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    704. IDc   = IDc.35
+         certC = cert(x.53, x.54, z.46)
+         certT = cert(pk(x.56), x.57, z.51)
+         pkTe  = x.59^(x.60*x.61*inv(x.62))
+         r1    = r1.40
+         s1    = sign(<IDc.35, r1.40, x.59^(x.60*x.61*inv(x.62))>, x.56)
+         skC   = (x.66*inv((x.60*x.67)))
+         z     = z.46
+         z.1   = x.59^(x.61*x.66*inv((x.62*x.67)))
+         z.2   = verify(x.57, <pk(x.56), z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.46, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    705. IDc   = IDc.35
+         certC = cert(x.53, x.54, z.46)
+         certT = cert(pk(x.56), x.57, z.51)
+         pkTe  = x.59^(x.60*x.61*inv((x.62*x.63)))
+         r1    = r1.40
+         s1    = sign(<IDc.35, r1.40, x.59^(x.60*x.61*inv((x.62*x.63)))>, x.56)
+         skC   = (x.62*x.67*inv(x.60))
+         z     = z.46
+         z.1   = x.59^(x.61*x.67*inv(x.63))
+         z.2   = verify(x.57, <pk(x.56), z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.46, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    706. IDc   = IDc.35
+         certC = cert(x.53, x.54, z.46)
+         certT = cert(pk(x.56), x.57, z.51)
+         pkTe  = x.59^(x.60*x.61*inv((x.62*x.63)))
+         r1    = r1.40
+         s1    = sign(<IDc.35, r1.40, x.59^(x.60*x.61*inv((x.62*x.63)))>, x.56)
+         skC   = (x.62*inv((x.60*x.67)))
+         z     = z.46
+         z.1   = x.59^(x.61*inv((x.63*x.67)))
+         z.2   = verify(x.57, <pk(x.56), z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.46, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    707. IDc   = IDc.35
+         certC = cert(x.53, x.54, z.46)
+         certT = cert(pk(x.56), x.57, z.51)
+         pkTe  = x.59^(x.60*inv((x.61*x.62)))
+         r1    = r1.40
+         s1    = sign(<IDc.35, r1.40, x.59^(x.60*inv((x.61*x.62)))>, x.56)
+         skC   = (x.61*x.66*inv(x.67))
+         z     = z.46
+         z.1   = x.59^(x.60*x.66*inv((x.62*x.67)))
+         z.2   = verify(x.57, <pk(x.56), z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.46, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    708. IDc   = IDc.35
+         certC = cert(x.53, x.54, z.46)
+         certT = cert(pk(x.56), x.57, z.51)
+         pkTe  = x.59^(x.60*inv((x.61*x.62)))
+         r1    = r1.40
+         s1    = sign(<IDc.35, r1.40, x.59^(x.60*inv((x.61*x.62)))>, x.56)
+         skC   = (x.61*x.66*inv((x.60*x.67)))
+         z     = z.46
+         z.1   = x.59^(x.66*inv((x.62*x.67)))
+         z.2   = verify(x.57, <pk(x.56), z.51, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.46, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    709. IDc   = IDc.35
+         certC = cert(x.53, x.54, z.46)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.51, 'terminal'>, ca_sk), z.51)
+         pkTe  = x.58^(x.59*x.60*inv((x.61*x.62)))
+         r1    = r1.40
+         s1    = sign(<IDc.35, r1.40, x.58^(x.59*x.60*inv((x.61*x.62)))>, x.56)
+         skC   = (x.61*x.66*inv((x.59*x.67)))
+         z     = z.46
+         z.1   = x.58^(x.60*x.66*inv((x.62*x.67)))
+         z.2   = true
+         z.3   = verify(x.54, <x.53, z.46, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    710. IDc   = IDc.35
+         certC = cert(x.53, sign(<x.53, z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(pk(x.55), x.56, z.51)
+         pkTe  = x.58^(x.59*x.60*inv((x.61*x.62)))
+         r1    = r1.40
+         s1    = sign(<IDc.35, r1.40, x.58^(x.59*x.60*inv((x.61*x.62)))>, x.55)
+         skC   = (x.61*x.66*inv((x.59*x.67)))
+         z     = z.46
+         z.1   = x.58^(x.60*x.66*inv((x.62*x.67)))
+         z.2   = verify(x.56, <pk(x.55), z.51, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    711. IDc   = IDc.36
+         certC = cert(x.53, x.54, z.47)
+         certT = cert(x.56, x.57, z.52)
+         pkTe  = x.59^(x.60*x.61*inv(x.62))
+         r1    = r1.41
+         s1    = s1.43
+         skC   = (x.62*x.67*inv((x.60*x.68)))
+         z     = z.47
+         z.1   = x.59^(x.61*x.67*inv(x.68))
+         z.2   = verify(x.57, <x.56, z.52, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.47, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.36, r1.41, x.59^(x.60*x.61*inv(x.62))>, x.56)
+         z.5   = z.52
+    
+    712. IDc   = IDc.36
+         certC = cert(x.53, x.54, z.47)
+         certT = cert(x.56, x.57, z.52)
+         pkTe  = x.59^(x.60*x.61*inv(x.62))
+         r1    = r1.41
+         s1    = s1.43
+         skC   = (x.67*inv((x.60*x.68)))
+         z     = z.47
+         z.1   = x.59^(x.61*x.67*inv((x.62*x.68)))
+         z.2   = verify(x.57, <x.56, z.52, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.47, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.36, r1.41, x.59^(x.60*x.61*inv(x.62))>, x.56)
+         z.5   = z.52
+    
+    713. IDc   = IDc.36
+         certC = cert(x.53, x.54, z.47)
+         certT = cert(x.56, x.57, z.52)
+         pkTe  = x.59^(x.60*x.61*inv((x.62*x.63)))
+         r1    = r1.41
+         s1    = s1.43
+         skC   = (x.62*x.68*inv(x.60))
+         z     = z.47
+         z.1   = x.59^(x.61*x.68*inv(x.63))
+         z.2   = verify(x.57, <x.56, z.52, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.47, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.36, r1.41, x.59^(x.60*x.61*inv((x.62*x.63)))>,
+                        x.56)
+         z.5   = z.52
+    
+    714. IDc   = IDc.36
+         certC = cert(x.53, x.54, z.47)
+         certT = cert(x.56, x.57, z.52)
+         pkTe  = x.59^(x.60*x.61*inv((x.62*x.63)))
+         r1    = r1.41
+         s1    = s1.43
+         skC   = (x.62*inv((x.60*x.68)))
+         z     = z.47
+         z.1   = x.59^(x.61*inv((x.63*x.68)))
+         z.2   = verify(x.57, <x.56, z.52, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.47, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.36, r1.41, x.59^(x.60*x.61*inv((x.62*x.63)))>,
+                        x.56)
+         z.5   = z.52
+    
+    715. IDc   = IDc.36
+         certC = cert(x.53, x.54, z.47)
+         certT = cert(x.56, x.57, z.52)
+         pkTe  = x.59^(x.60*inv((x.61*x.62)))
+         r1    = r1.41
+         s1    = s1.43
+         skC   = (x.61*x.67*inv(x.68))
+         z     = z.47
+         z.1   = x.59^(x.60*x.67*inv((x.62*x.68)))
+         z.2   = verify(x.57, <x.56, z.52, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.47, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.36, r1.41, x.59^(x.60*inv((x.61*x.62)))>,
+                        x.56)
+         z.5   = z.52
+    
+    716. IDc   = IDc.36
+         certC = cert(x.53, x.54, z.47)
+         certT = cert(x.56, x.57, z.52)
+         pkTe  = x.59^(x.60*inv((x.61*x.62)))
+         r1    = r1.41
+         s1    = s1.43
+         skC   = (x.61*x.67*inv((x.60*x.68)))
+         z     = z.47
+         z.1   = x.59^(x.67*inv((x.62*x.68)))
+         z.2   = verify(x.57, <x.56, z.52, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.53, z.47, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.36, r1.41, x.59^(x.60*inv((x.61*x.62)))>,
+                        x.56)
+         z.5   = z.52
+    
+    717. IDc   = IDc.36
+         certC = cert(x.53, x.54, z.47)
+         certT = cert(x.56, sign(<x.56, z.52, 'terminal'>, ca_sk), z.52)
+         pkTe  = x.58^(x.59*x.60*inv((x.61*x.62)))
+         r1    = r1.41
+         s1    = s1.43
+         skC   = (x.61*x.67*inv((x.59*x.68)))
+         z     = z.47
+         z.1   = x.58^(x.60*x.67*inv((x.62*x.68)))
+         z.2   = true
+         z.3   = verify(x.54, <x.53, z.47, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.36, r1.41, x.58^(x.59*x.60*inv((x.61*x.62)))>,
+                        x.56)
+         z.5   = z.52
+    
+    718. IDc   = IDc.36
+         certC = cert(x.53, sign(<x.53, z.47, 'chip'>, ca_sk), z.47)
+         certT = cert(x.55, x.56, z.52)
+         pkTe  = x.58^(x.59*x.60*inv((x.61*x.62)))
+         r1    = r1.41
+         s1    = s1.43
+         skC   = (x.61*x.67*inv((x.59*x.68)))
+         z     = z.47
+         z.1   = x.58^(x.60*x.67*inv((x.62*x.68)))
+         z.2   = verify(x.56, <x.55, z.52, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.43, <IDc.36, r1.41, x.58^(x.59*x.60*inv((x.61*x.62)))>,
+                        x.55)
+         z.5   = z.52
+    
+    719. IDc   = IDc.36
+         certC = cert(x.54, x.55, z.47)
+         certT = cert(pk(x.57), x.58, z.52)
+         pkTe  = x.60^(x.61*x.62*inv((x.63*x.64)))
+         r1    = r1.41
+         s1    = sign(<IDc.36, r1.41, x.60^(x.61*x.62*inv((x.63*x.64)))>, x.57)
+         skC   = (x.63*x.68*inv((x.61*x.69)))
+         z     = z.47
+         z.1   = x.60^(x.62*x.68*inv((x.64*x.69)))
+         z.2   = verify(x.58, <pk(x.57), z.52, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.54, z.47, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    720. IDc   = IDc.37
+         certC = cert(x.54, x.55, z.48)
+         certT = cert(x.57, x.58, z.53)
+         pkTe  = x.60^(x.61*x.62*inv((x.63*x.64)))
+         r1    = r1.42
+         s1    = s1.44
+         skC   = (x.63*x.69*inv((x.61*x.70)))
+         z     = z.48
+         z.1   = x.60^(x.62*x.69*inv((x.64*x.70)))
+         z.2   = verify(x.58, <x.57, z.53, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.54, z.48, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.44, <IDc.37, r1.42, x.60^(x.61*x.62*inv((x.63*x.64)))>,
+                        x.57)
+         z.5   = z.53
+  */
+
+rule (modulo E) Verify_Transcript_T:
+   [
+   In( <certT, pkTe, IDc, r1, s1, certC, pkTe2, r2, tag> ), In( <skTe, T> )
+   ]
+  --[
+  Eq( T, cert_id(certT) ),
+  Eq( tag, mac(pkTe, kdf_mac(cert_pk(certC)^skTe, r2)) ),
+  Eq( pkTe, pkTe2 ), Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( verify_cert(certC, 'chip'), true ),
+  Eq( verify(s1, <IDc, r1, pkTe>, cert_pk(certT)), true ),
+  ValidTrans( T, 'terminal', cert_id(certC) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_T:
+     [
+     In( <certT, pkTe, IDc, r1, s1, certC, pkTe2, r2, tag> ), In( <skTe, T> )
+     ]
+    --[
+    Eq( T, z ), Eq( tag, mac(pkTe, kdf_mac(z.1, r2)) ), Eq( pkTe, pkTe2 ),
+    Eq( z.2, true ), Eq( z.3, true ), Eq( z.4, true ),
+    ValidTrans( T, 'terminal', z.5 )
+    ]->
+     [ ]
+    variants (modulo AC)
+      1. IDc   = IDc.20
+         certC = certC.22
+         certT = certT.23
+         pkTe  = pkTe.24
+         r1    = r1.26
+         s1    = s1.28
+         skTe  = skTe.29
+         z     = cert_id(certT.23)
+         z.1   = cert_pk(certC.22)^skTe.29
+         z.2   = verify(cert_sig(certT.23),
+                        <cert_pk(certT.23), cert_id(certT.23), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.22),
+                        <cert_pk(certC.22), cert_id(certC.22), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.28, <IDc.20, r1.26, pkTe.24>, cert_pk(certT.23))
+         z.5   = cert_id(certC.22)
+    
+      2. IDc   = IDc.20
+         certC = certC.22
+         certT = certT.23
+         pkTe  = pkTe.24
+         r1    = r1.26
+         s1    = s1.28
+         skTe  = one
+         z     = cert_id(certT.23)
+         z.1   = cert_pk(certC.22)
+         z.2   = verify(cert_sig(certT.23),
+                        <cert_pk(certT.23), cert_id(certT.23), 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.22),
+                        <cert_pk(certC.22), cert_id(certC.22), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.28, <IDc.20, r1.26, pkTe.24>, cert_pk(certT.23))
+         z.5   = cert_id(certC.22)
+    
+      3. IDc   = IDc.21
+         certC = cert(DH_neutral, sign(<DH_neutral, z.38, 'chip'>, ca_sk), z.38)
+         certT = certT.24
+         pkTe  = pkTe.25
+         r1    = r1.27
+         s1    = s1.29
+         z     = cert_id(certT.24)
+         z.1   = DH_neutral
+         z.2   = verify(cert_sig(certT.24),
+                        <cert_pk(certT.24), cert_id(certT.24), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.29, <IDc.21, r1.27, pkTe.25>, cert_pk(certT.24))
+         z.5   = z.38
+    
+      4. IDc   = IDc.22
+         certC = certC.24
+         certT = cert(x.40, sign(<x.40, z.33, 'terminal'>, ca_sk), z.33)
+         pkTe  = pkTe.26
+         r1    = r1.28
+         s1    = s1.30
+         skTe  = skTe.31
+         z     = z.33
+         z.1   = cert_pk(certC.24)^skTe.31
+         z.2   = true
+         z.3   = verify(cert_sig(certC.24),
+                        <cert_pk(certC.24), cert_id(certC.24), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.22, r1.28, pkTe.26>, x.40)
+         z.5   = cert_id(certC.24)
+    
+      5. IDc   = IDc.22
+         certC = certC.24
+         certT = cert(x.40, sign(<x.40, z.33, 'terminal'>, ca_sk), z.33)
+         pkTe  = pkTe.26
+         r1    = r1.28
+         s1    = s1.30
+         skTe  = one
+         z     = z.33
+         z.1   = cert_pk(certC.24)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.24),
+                        <cert_pk(certC.24), cert_id(certC.24), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.22, r1.28, pkTe.26>, x.40)
+         z.5   = cert_id(certC.24)
+    
+      6. IDc   = IDc.22
+         certC = cert(z.34, sign(<z.34, z.39, 'chip'>, ca_sk), z.39)
+         certT = certT.25
+         pkTe  = pkTe.26
+         r1    = r1.28
+         s1    = s1.30
+         skTe  = one
+         z     = cert_id(certT.25)
+         z.1   = z.34
+         z.2   = verify(cert_sig(certT.25),
+                        <cert_pk(certT.25), cert_id(certT.25), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.30, <IDc.22, r1.28, pkTe.26>, cert_pk(certT.25))
+         z.5   = z.39
+    
+      7. IDc   = IDc.22
+         certC = cert(x.40, sign(<x.40, z.39, 'chip'>, ca_sk), z.39)
+         certT = certT.25
+         pkTe  = pkTe.26
+         r1    = r1.28
+         s1    = s1.30
+         skTe  = skTe.31
+         z     = cert_id(certT.25)
+         z.1   = x.40^skTe.31
+         z.2   = verify(cert_sig(certT.25),
+                        <cert_pk(certT.25), cert_id(certT.25), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.30, <IDc.22, r1.28, pkTe.26>, cert_pk(certT.25))
+         z.5   = z.39
+    
+      8. IDc   = IDc.22
+         certC = cert(DH_neutral, x.40, z.39)
+         certT = certT.25
+         pkTe  = pkTe.26
+         r1    = r1.28
+         s1    = s1.30
+         z     = cert_id(certT.25)
+         z.1   = DH_neutral
+         z.2   = verify(cert_sig(certT.25),
+                        <cert_pk(certT.25), cert_id(certT.25), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.40, <DH_neutral, z.39, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.30, <IDc.22, r1.28, pkTe.26>, cert_pk(certT.25))
+         z.5   = z.39
+    
+      9. IDc   = IDc.23
+         certC = certC.25
+         certT = cert(x.41, x.42, z.34)
+         pkTe  = pkTe.27
+         r1    = r1.29
+         s1    = s1.31
+         skTe  = skTe.32
+         z     = z.34
+         z.1   = cert_pk(certC.25)^skTe.32
+         z.2   = verify(x.42, <x.41, z.34, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.25),
+                        <cert_pk(certC.25), cert_id(certC.25), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.31, <IDc.23, r1.29, pkTe.27>, x.41)
+         z.5   = cert_id(certC.25)
+    
+     10. IDc   = IDc.23
+         certC = certC.25
+         certT = cert(x.41, x.42, z.34)
+         pkTe  = pkTe.27
+         r1    = r1.29
+         s1    = s1.31
+         skTe  = one
+         z     = z.34
+         z.1   = cert_pk(certC.25)
+         z.2   = verify(x.42, <x.41, z.34, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.25),
+                        <cert_pk(certC.25), cert_id(certC.25), 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.31, <IDc.23, r1.29, pkTe.27>, x.41)
+         z.5   = cert_id(certC.25)
+    
+     11. IDc   = IDc.23
+         certC = cert(z.35, x.42, z.40)
+         certT = certT.26
+         pkTe  = pkTe.27
+         r1    = r1.29
+         s1    = s1.31
+         skTe  = one
+         z     = cert_id(certT.26)
+         z.1   = z.35
+         z.2   = verify(cert_sig(certT.26),
+                        <cert_pk(certT.26), cert_id(certT.26), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.42, <z.35, z.40, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.31, <IDc.23, r1.29, pkTe.27>, cert_pk(certT.26))
+         z.5   = z.40
+    
+     12. IDc   = IDc.23
+         certC = cert(x.41, x.42, z.40)
+         certT = certT.26
+         pkTe  = pkTe.27
+         r1    = r1.29
+         s1    = s1.31
+         skTe  = skTe.32
+         z     = cert_id(certT.26)
+         z.1   = x.41^skTe.32
+         z.2   = verify(cert_sig(certT.26),
+                        <cert_pk(certT.26), cert_id(certT.26), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.42, <x.41, z.40, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.31, <IDc.23, r1.29, pkTe.27>, cert_pk(certT.26))
+         z.5   = z.40
+    
+     13. IDc   = IDc.23
+         certC = cert(DH_neutral, sign(<DH_neutral, z.40, 'chip'>, ca_sk), z.40)
+         certT = cert(x.42, sign(<x.42, z.34, 'terminal'>, ca_sk), z.34)
+         pkTe  = pkTe.27
+         r1    = r1.29
+         s1    = s1.31
+         z     = z.34
+         z.1   = DH_neutral
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.31, <IDc.23, r1.29, pkTe.27>, x.42)
+         z.5   = z.40
+    
+     14. IDc   = IDc.23
+         certC = cert(z.35^x.42, sign(<z.35^x.42, z.40, 'chip'>, ca_sk), z.40)
+         certT = certT.26
+         pkTe  = pkTe.27
+         r1    = r1.29
+         s1    = s1.31
+         skTe  = inv(x.42)
+         z     = cert_id(certT.26)
+         z.1   = z.35
+         z.2   = verify(cert_sig(certT.26),
+                        <cert_pk(certT.26), cert_id(certT.26), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.31, <IDc.23, r1.29, pkTe.27>, cert_pk(certT.26))
+         z.5   = z.40
+    
+     15. IDc   = IDc.23
+         certC = cert(z.35^inv(skTe.32),
+                      sign(<z.35^inv(skTe.32), z.40, 'chip'>, ca_sk), z.40)
+         certT = certT.26
+         pkTe  = pkTe.27
+         r1    = r1.29
+         s1    = s1.31
+         skTe  = skTe.32
+         z     = cert_id(certT.26)
+         z.1   = z.35
+         z.2   = verify(cert_sig(certT.26),
+                        <cert_pk(certT.26), cert_id(certT.26), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.31, <IDc.23, r1.29, pkTe.27>, cert_pk(certT.26))
+         z.5   = z.40
+    
+     16. IDc   = IDc.23
+         certC = cert(x.41^x.42, sign(<x.41^x.42, z.40, 'chip'>, ca_sk), z.40)
+         certT = certT.26
+         pkTe  = pkTe.27
+         r1    = r1.29
+         s1    = s1.31
+         skTe  = skTe.32
+         z     = cert_id(certT.26)
+         z.1   = x.41^(skTe.32*x.42)
+         z.2   = verify(cert_sig(certT.26),
+                        <cert_pk(certT.26), cert_id(certT.26), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.31, <IDc.23, r1.29, pkTe.27>, cert_pk(certT.26))
+         z.5   = z.40
+    
+     17. IDc   = IDc.24
+         certC = cert(z.36, sign(<z.36, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(x.44, sign(<x.44, z.35, 'terminal'>, ca_sk), z.35)
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skTe  = one
+         z     = z.35
+         z.1   = z.36
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.24, r1.30, pkTe.28>, x.44)
+         z.5   = z.41
+    
+     18. IDc   = IDc.24
+         certC = cert(x.42, sign(<x.42, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(x.44, sign(<x.44, z.35, 'terminal'>, ca_sk), z.35)
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skTe  = skTe.33
+         z     = z.35
+         z.1   = x.42^skTe.33
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.24, r1.30, pkTe.28>, x.44)
+         z.5   = z.41
+    
+     19. IDc   = IDc.24
+         certC = cert(DH_neutral, x.42, z.41)
+         certT = cert(x.44, sign(<x.44, z.35, 'terminal'>, ca_sk), z.35)
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         z     = z.35
+         z.1   = DH_neutral
+         z.2   = true
+         z.3   = verify(x.42, <DH_neutral, z.41, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.24, r1.30, pkTe.28>, x.44)
+         z.5   = z.41
+    
+     20. IDc   = IDc.24
+         certC = cert(DH_neutral, sign(<DH_neutral, z.41, 'chip'>, ca_sk), z.41)
+         certT = cert(x.43, x.44, z.35)
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         z     = z.35
+         z.1   = DH_neutral
+         z.2   = verify(x.44, <x.43, z.35, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.24, r1.30, pkTe.28>, x.43)
+         z.5   = z.41
+    
+     21. IDc   = IDc.24
+         certC = cert(z.36^x.43, x.44, z.41)
+         certT = certT.27
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skTe  = inv(x.43)
+         z     = cert_id(certT.27)
+         z.1   = z.36
+         z.2   = verify(cert_sig(certT.27),
+                        <cert_pk(certT.27), cert_id(certT.27), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.44, <z.36^x.43, z.41, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.24, r1.30, pkTe.28>, cert_pk(certT.27))
+         z.5   = z.41
+    
+     22. IDc   = IDc.24
+         certC = cert(z.36^inv(skTe.33), x.44, z.41)
+         certT = certT.27
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skTe  = skTe.33
+         z     = cert_id(certT.27)
+         z.1   = z.36
+         z.2   = verify(cert_sig(certT.27),
+                        <cert_pk(certT.27), cert_id(certT.27), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.44, <z.36^inv(skTe.33), z.41, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.24, r1.30, pkTe.28>, cert_pk(certT.27))
+         z.5   = z.41
+    
+     23. IDc   = IDc.24
+         certC = cert(z.36^(x.43*inv(x.44)),
+                      sign(<z.36^(x.43*inv(x.44)), z.41, 'chip'>, ca_sk), z.41)
+         certT = certT.27
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skTe  = (x.44*inv(x.43))
+         z     = cert_id(certT.27)
+         z.1   = z.36
+         z.2   = verify(cert_sig(certT.27),
+                        <cert_pk(certT.27), cert_id(certT.27), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.24, r1.30, pkTe.28>, cert_pk(certT.27))
+         z.5   = z.41
+    
+     24. IDc   = IDc.24
+         certC = cert(x.42^x.43, x.44, z.41)
+         certT = certT.27
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skTe  = skTe.33
+         z     = cert_id(certT.27)
+         z.1   = x.42^(skTe.33*x.43)
+         z.2   = verify(cert_sig(certT.27),
+                        <cert_pk(certT.27), cert_id(certT.27), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.44, <x.42^x.43, z.41, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.32, <IDc.24, r1.30, pkTe.28>, cert_pk(certT.27))
+         z.5   = z.41
+    
+     25. IDc   = IDc.24
+         certC = cert(x.42^inv((skTe.33*x.43)),
+                      sign(<x.42^inv((skTe.33*x.43)), z.41, 'chip'>, ca_sk), z.41)
+         certT = certT.27
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skTe  = skTe.33
+         z     = cert_id(certT.27)
+         z.1   = x.42^inv(x.43)
+         z.2   = verify(cert_sig(certT.27),
+                        <cert_pk(certT.27), cert_id(certT.27), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.24, r1.30, pkTe.28>, cert_pk(certT.27))
+         z.5   = z.41
+    
+     26. IDc   = IDc.24
+         certC = cert(x.42^(x.43*x.44),
+                      sign(<x.42^(x.43*x.44), z.41, 'chip'>, ca_sk), z.41)
+         certT = certT.27
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skTe  = inv(x.43)
+         z     = cert_id(certT.27)
+         z.1   = x.42^x.44
+         z.2   = verify(cert_sig(certT.27),
+                        <cert_pk(certT.27), cert_id(certT.27), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.24, r1.30, pkTe.28>, cert_pk(certT.27))
+         z.5   = z.41
+    
+     27. IDc   = IDc.24
+         certC = cert(x.42^(x.43*inv(skTe.33)),
+                      sign(<x.42^(x.43*inv(skTe.33)), z.41, 'chip'>, ca_sk), z.41)
+         certT = certT.27
+         pkTe  = pkTe.28
+         r1    = r1.30
+         s1    = s1.32
+         skTe  = skTe.33
+         z     = cert_id(certT.27)
+         z.1   = x.42^x.43
+         z.2   = verify(cert_sig(certT.27),
+                        <cert_pk(certT.27), cert_id(certT.27), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.32, <IDc.24, r1.30, pkTe.28>, cert_pk(certT.27))
+         z.5   = z.41
+    
+     28. IDc   = IDc.25
+         certC = cert(z.37, x.44, z.42)
+         certT = cert(x.46, sign(<x.46, z.36, 'terminal'>, ca_sk), z.36)
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = one
+         z     = z.36
+         z.1   = z.37
+         z.2   = true
+         z.3   = verify(x.44, <z.37, z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, x.46)
+         z.5   = z.42
+    
+     29. IDc   = IDc.25
+         certC = cert(z.37, sign(<z.37, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(x.45, x.46, z.36)
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = one
+         z     = z.36
+         z.1   = z.37
+         z.2   = verify(x.46, <x.45, z.36, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, x.45)
+         z.5   = z.42
+    
+     30. IDc   = IDc.25
+         certC = cert(x.43, x.44, z.42)
+         certT = cert(x.46, sign(<x.46, z.36, 'terminal'>, ca_sk), z.36)
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = skTe.34
+         z     = z.36
+         z.1   = x.43^skTe.34
+         z.2   = true
+         z.3   = verify(x.44, <x.43, z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, x.46)
+         z.5   = z.42
+    
+     31. IDc   = IDc.25
+         certC = cert(x.43, sign(<x.43, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(x.45, x.46, z.36)
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = skTe.34
+         z     = z.36
+         z.1   = x.43^skTe.34
+         z.2   = verify(x.46, <x.45, z.36, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, x.45)
+         z.5   = z.42
+    
+     32. IDc   = IDc.25
+         certC = cert(DH_neutral, x.43, z.42)
+         certT = cert(x.45, x.46, z.36)
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         z     = z.36
+         z.1   = DH_neutral
+         z.2   = verify(x.46, <x.45, z.36, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.43, <DH_neutral, z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, x.45)
+         z.5   = z.42
+    
+     33. IDc   = IDc.25
+         certC = cert(z.37^x.44, sign(<z.37^x.44, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(x.46, sign(<x.46, z.36, 'terminal'>, ca_sk), z.36)
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = inv(x.44)
+         z     = z.36
+         z.1   = z.37
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, x.46)
+         z.5   = z.42
+    
+     34. IDc   = IDc.25
+         certC = cert(z.37^inv(skTe.34),
+                      sign(<z.37^inv(skTe.34), z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(x.46, sign(<x.46, z.36, 'terminal'>, ca_sk), z.36)
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = skTe.34
+         z     = z.36
+         z.1   = z.37
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, x.46)
+         z.5   = z.42
+    
+     35. IDc   = IDc.25
+         certC = cert(z.37^(x.44*inv(x.45)), x.46, z.42)
+         certT = certT.28
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = (x.45*inv(x.44))
+         z     = cert_id(certT.28)
+         z.1   = z.37
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.46, <z.37^(x.44*inv(x.45)), z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, cert_pk(certT.28))
+         z.5   = z.42
+    
+     36. IDc   = IDc.25
+         certC = cert(x.43^x.44, sign(<x.43^x.44, z.42, 'chip'>, ca_sk), z.42)
+         certT = cert(x.46, sign(<x.46, z.36, 'terminal'>, ca_sk), z.36)
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = skTe.34
+         z     = z.36
+         z.1   = x.43^(skTe.34*x.44)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, x.46)
+         z.5   = z.42
+    
+     37. IDc   = IDc.25
+         certC = cert(x.43^inv((skTe.34*x.44)), x.46, z.42)
+         certT = certT.28
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = skTe.34
+         z     = cert_id(certT.28)
+         z.1   = x.43^inv(x.44)
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.46, <x.43^inv((skTe.34*x.44)), z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, cert_pk(certT.28))
+         z.5   = z.42
+    
+     38. IDc   = IDc.25
+         certC = cert(x.43^(x.44*x.45), x.46, z.42)
+         certT = certT.28
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = inv(x.44)
+         z     = cert_id(certT.28)
+         z.1   = x.43^x.45
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.46, <x.43^(x.44*x.45), z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, cert_pk(certT.28))
+         z.5   = z.42
+    
+     39. IDc   = IDc.25
+         certC = cert(x.43^(x.44*x.45*inv(x.46)),
+                      sign(<x.43^(x.44*x.45*inv(x.46)), z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.28
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = (x.46*inv(x.45))
+         z     = cert_id(certT.28)
+         z.1   = x.43^x.44
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, cert_pk(certT.28))
+         z.5   = z.42
+    
+     40. IDc   = IDc.25
+         certC = cert(x.43^(x.44*inv(skTe.34)), x.46, z.42)
+         certT = certT.28
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = skTe.34
+         z     = cert_id(certT.28)
+         z.1   = x.43^x.44
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.46, <x.43^(x.44*inv(skTe.34)), z.42, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, cert_pk(certT.28))
+         z.5   = z.42
+    
+     41. IDc   = IDc.25
+         certC = cert(x.43^(x.44*inv((skTe.34*x.45))),
+                      sign(<x.43^(x.44*inv((skTe.34*x.45))), z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.28
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = skTe.34
+         z     = cert_id(certT.28)
+         z.1   = x.43^(x.44*inv(x.45))
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, cert_pk(certT.28))
+         z.5   = z.42
+    
+     42. IDc   = IDc.25
+         certC = cert(x.43^(x.44*inv((x.45*x.46))),
+                      sign(<x.43^(x.44*inv((x.45*x.46))), z.42, 'chip'>, ca_sk), z.42)
+         certT = certT.28
+         pkTe  = pkTe.29
+         r1    = r1.31
+         s1    = s1.33
+         skTe  = (x.46*inv(x.44))
+         z     = cert_id(certT.28)
+         z.1   = x.43^inv(x.45)
+         z.2   = verify(cert_sig(certT.28),
+                        <cert_pk(certT.28), cert_id(certT.28), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.33, <IDc.25, r1.31, pkTe.29>, cert_pk(certT.28))
+         z.5   = z.42
+    
+     43. IDc   = IDc.26
+         certC = cert(z.38, x.45, z.43)
+         certT = cert(x.47, x.48, z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = one
+         z     = z.37
+         z.1   = z.38
+         z.2   = verify(x.48, <x.47, z.37, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.45, <z.38, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.47)
+         z.5   = z.43
+    
+     44. IDc   = IDc.26
+         certC = cert(x.44, x.45, z.43)
+         certT = cert(x.47, x.48, z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = skTe.35
+         z     = z.37
+         z.1   = x.44^skTe.35
+         z.2   = verify(x.48, <x.47, z.37, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.45, <x.44, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.47)
+         z.5   = z.43
+    
+     45. IDc   = IDc.26
+         certC = cert(z.38^x.45, x.46, z.43)
+         certT = cert(x.48, sign(<x.48, z.37, 'terminal'>, ca_sk), z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = inv(x.45)
+         z     = z.37
+         z.1   = z.38
+         z.2   = true
+         z.3   = verify(x.46, <z.38^x.45, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.48)
+         z.5   = z.43
+    
+     46. IDc   = IDc.26
+         certC = cert(z.38^x.45, sign(<z.38^x.45, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.47, x.48, z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = inv(x.45)
+         z     = z.37
+         z.1   = z.38
+         z.2   = verify(x.48, <x.47, z.37, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.47)
+         z.5   = z.43
+    
+     47. IDc   = IDc.26
+         certC = cert(z.38^inv(skTe.35), x.46, z.43)
+         certT = cert(x.48, sign(<x.48, z.37, 'terminal'>, ca_sk), z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = skTe.35
+         z     = z.37
+         z.1   = z.38
+         z.2   = true
+         z.3   = verify(x.46, <z.38^inv(skTe.35), z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.48)
+         z.5   = z.43
+    
+     48. IDc   = IDc.26
+         certC = cert(z.38^inv(skTe.35),
+                      sign(<z.38^inv(skTe.35), z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.47, x.48, z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = skTe.35
+         z     = z.37
+         z.1   = z.38
+         z.2   = verify(x.48, <x.47, z.37, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.47)
+         z.5   = z.43
+    
+     49. IDc   = IDc.26
+         certC = cert(z.38^(x.45*inv(x.46)),
+                      sign(<z.38^(x.45*inv(x.46)), z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.48, sign(<x.48, z.37, 'terminal'>, ca_sk), z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = (x.46*inv(x.45))
+         z     = z.37
+         z.1   = z.38
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.48)
+         z.5   = z.43
+    
+     50. IDc   = IDc.26
+         certC = cert(x.44^x.45, x.46, z.43)
+         certT = cert(x.48, sign(<x.48, z.37, 'terminal'>, ca_sk), z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = skTe.35
+         z     = z.37
+         z.1   = x.44^(skTe.35*x.45)
+         z.2   = true
+         z.3   = verify(x.46, <x.44^x.45, z.43, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.48)
+         z.5   = z.43
+    
+     51. IDc   = IDc.26
+         certC = cert(x.44^x.45, sign(<x.44^x.45, z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.47, x.48, z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = skTe.35
+         z     = z.37
+         z.1   = x.44^(skTe.35*x.45)
+         z.2   = verify(x.48, <x.47, z.37, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.47)
+         z.5   = z.43
+    
+     52. IDc   = IDc.26
+         certC = cert(x.44^inv((skTe.35*x.45)),
+                      sign(<x.44^inv((skTe.35*x.45)), z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.48, sign(<x.48, z.37, 'terminal'>, ca_sk), z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = skTe.35
+         z     = z.37
+         z.1   = x.44^inv(x.45)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.48)
+         z.5   = z.43
+    
+     53. IDc   = IDc.26
+         certC = cert(x.44^(x.45*x.46),
+                      sign(<x.44^(x.45*x.46), z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.48, sign(<x.48, z.37, 'terminal'>, ca_sk), z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = inv(x.45)
+         z     = z.37
+         z.1   = x.44^x.46
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.48)
+         z.5   = z.43
+    
+     54. IDc   = IDc.26
+         certC = cert(x.44^(x.45*x.46*inv(x.47)), x.48, z.43)
+         certT = certT.29
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = (x.47*inv(x.46))
+         z     = cert_id(certT.29)
+         z.1   = x.44^x.45
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.48, <x.44^(x.45*x.46*inv(x.47)), z.43, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, cert_pk(certT.29))
+         z.5   = z.43
+    
+     55. IDc   = IDc.26
+         certC = cert(x.44^(x.45*x.46*inv((x.47*x.48))),
+                      sign(<x.44^(x.45*x.46*inv((x.47*x.48))), z.43, 'chip'>, ca_sk), z.43)
+         certT = certT.29
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = (x.48*inv(x.46))
+         z     = cert_id(certT.29)
+         z.1   = x.44^(x.45*inv(x.47))
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, cert_pk(certT.29))
+         z.5   = z.43
+    
+     56. IDc   = IDc.26
+         certC = cert(x.44^(x.45*inv(skTe.35)),
+                      sign(<x.44^(x.45*inv(skTe.35)), z.43, 'chip'>, ca_sk), z.43)
+         certT = cert(x.48, sign(<x.48, z.37, 'terminal'>, ca_sk), z.37)
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = skTe.35
+         z     = z.37
+         z.1   = x.44^x.45
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, x.48)
+         z.5   = z.43
+    
+     57. IDc   = IDc.26
+         certC = cert(x.44^(x.45*inv((skTe.35*x.46))), x.48, z.43)
+         certT = certT.29
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = skTe.35
+         z     = cert_id(certT.29)
+         z.1   = x.44^(x.45*inv(x.46))
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.48, <x.44^(x.45*inv((skTe.35*x.46))), z.43, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, cert_pk(certT.29))
+         z.5   = z.43
+    
+     58. IDc   = IDc.26
+         certC = cert(x.44^(x.45*inv((x.46*x.47))), x.48, z.43)
+         certT = certT.29
+         pkTe  = pkTe.30
+         r1    = r1.32
+         s1    = s1.34
+         skTe  = (x.47*inv(x.45))
+         z     = cert_id(certT.29)
+         z.1   = x.44^inv(x.46)
+         z.2   = verify(cert_sig(certT.29),
+                        <cert_pk(certT.29), cert_id(certT.29), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.48, <x.44^(x.45*inv((x.46*x.47))), z.43, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.34, <IDc.26, r1.32, pkTe.30>, cert_pk(certT.29))
+         z.5   = z.43
+    
+     59. IDc   = IDc.27
+         certC = cert(DH_neutral, sign(<DH_neutral, z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(pk(x.48), sign(<pk(x.48), z.38, 'terminal'>, ca_sk), z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = sign(<IDc.27, r1.33, pkTe.31>, x.48)
+         z     = z.38
+         z.1   = DH_neutral
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.44
+    
+     60. IDc   = IDc.27
+         certC = cert(z.39^x.46, x.47, z.44)
+         certT = cert(x.49, x.50, z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = inv(x.46)
+         z     = z.38
+         z.1   = z.39
+         z.2   = verify(x.50, <x.49, z.38, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.47, <z.39^x.46, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.49)
+         z.5   = z.44
+    
+     61. IDc   = IDc.27
+         certC = cert(z.39^inv(skTe.36), x.47, z.44)
+         certT = cert(x.49, x.50, z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = skTe.36
+         z     = z.38
+         z.1   = z.39
+         z.2   = verify(x.50, <x.49, z.38, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.47, <z.39^inv(skTe.36), z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.49)
+         z.5   = z.44
+    
+     62. IDc   = IDc.27
+         certC = cert(z.39^(x.46*inv(x.47)), x.48, z.44)
+         certT = cert(x.50, sign(<x.50, z.38, 'terminal'>, ca_sk), z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = (x.47*inv(x.46))
+         z     = z.38
+         z.1   = z.39
+         z.2   = true
+         z.3   = verify(x.48, <z.39^(x.46*inv(x.47)), z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.50)
+         z.5   = z.44
+    
+     63. IDc   = IDc.27
+         certC = cert(z.39^(x.46*inv(x.47)),
+                      sign(<z.39^(x.46*inv(x.47)), z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.49, x.50, z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = (x.47*inv(x.46))
+         z     = z.38
+         z.1   = z.39
+         z.2   = verify(x.50, <x.49, z.38, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.49)
+         z.5   = z.44
+    
+     64. IDc   = IDc.27
+         certC = cert(x.45^x.46, x.47, z.44)
+         certT = cert(x.49, x.50, z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = skTe.36
+         z     = z.38
+         z.1   = x.45^(skTe.36*x.46)
+         z.2   = verify(x.50, <x.49, z.38, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.47, <x.45^x.46, z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.49)
+         z.5   = z.44
+    
+     65. IDc   = IDc.27
+         certC = cert(x.45^inv((skTe.36*x.46)), x.48, z.44)
+         certT = cert(x.50, sign(<x.50, z.38, 'terminal'>, ca_sk), z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = skTe.36
+         z     = z.38
+         z.1   = x.45^inv(x.46)
+         z.2   = true
+         z.3   = verify(x.48, <x.45^inv((skTe.36*x.46)), z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.50)
+         z.5   = z.44
+    
+     66. IDc   = IDc.27
+         certC = cert(x.45^inv((skTe.36*x.46)),
+                      sign(<x.45^inv((skTe.36*x.46)), z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.49, x.50, z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = skTe.36
+         z     = z.38
+         z.1   = x.45^inv(x.46)
+         z.2   = verify(x.50, <x.49, z.38, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.49)
+         z.5   = z.44
+    
+     67. IDc   = IDc.27
+         certC = cert(x.45^(x.46*x.47), x.48, z.44)
+         certT = cert(x.50, sign(<x.50, z.38, 'terminal'>, ca_sk), z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = inv(x.46)
+         z     = z.38
+         z.1   = x.45^x.47
+         z.2   = true
+         z.3   = verify(x.48, <x.45^(x.46*x.47), z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.50)
+         z.5   = z.44
+    
+     68. IDc   = IDc.27
+         certC = cert(x.45^(x.46*x.47),
+                      sign(<x.45^(x.46*x.47), z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.49, x.50, z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = inv(x.46)
+         z     = z.38
+         z.1   = x.45^x.47
+         z.2   = verify(x.50, <x.49, z.38, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.49)
+         z.5   = z.44
+    
+     69. IDc   = IDc.27
+         certC = cert(x.45^(x.46*x.47*inv(x.48)),
+                      sign(<x.45^(x.46*x.47*inv(x.48)), z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.50, sign(<x.50, z.38, 'terminal'>, ca_sk), z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = (x.48*inv(x.47))
+         z     = z.38
+         z.1   = x.45^x.46
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.50)
+         z.5   = z.44
+    
+     70. IDc   = IDc.27
+         certC = cert(x.45^(x.46*x.47*inv((x.48*x.49))), x.50, z.44)
+         certT = certT.30
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = (x.49*inv(x.47))
+         z     = cert_id(certT.30)
+         z.1   = x.45^(x.46*inv(x.48))
+         z.2   = verify(cert_sig(certT.30),
+                        <cert_pk(certT.30), cert_id(certT.30), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.50, <x.45^(x.46*x.47*inv((x.48*x.49))), z.44, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, cert_pk(certT.30))
+         z.5   = z.44
+    
+     71. IDc   = IDc.27
+         certC = cert(x.45^(x.46*inv(skTe.36)), x.48, z.44)
+         certT = cert(x.50, sign(<x.50, z.38, 'terminal'>, ca_sk), z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = skTe.36
+         z     = z.38
+         z.1   = x.45^x.46
+         z.2   = true
+         z.3   = verify(x.48, <x.45^(x.46*inv(skTe.36)), z.44, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.50)
+         z.5   = z.44
+    
+     72. IDc   = IDc.27
+         certC = cert(x.45^(x.46*inv(skTe.36)),
+                      sign(<x.45^(x.46*inv(skTe.36)), z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.49, x.50, z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = skTe.36
+         z     = z.38
+         z.1   = x.45^x.46
+         z.2   = verify(x.50, <x.49, z.38, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.49)
+         z.5   = z.44
+    
+     73. IDc   = IDc.27
+         certC = cert(x.45^(x.46*inv((skTe.36*x.47))),
+                      sign(<x.45^(x.46*inv((skTe.36*x.47))), z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.50, sign(<x.50, z.38, 'terminal'>, ca_sk), z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = skTe.36
+         z     = z.38
+         z.1   = x.45^(x.46*inv(x.47))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.50)
+         z.5   = z.44
+    
+     74. IDc   = IDc.27
+         certC = cert(x.45^(x.46*inv((x.47*x.48))),
+                      sign(<x.45^(x.46*inv((x.47*x.48))), z.44, 'chip'>, ca_sk), z.44)
+         certT = cert(x.50, sign(<x.50, z.38, 'terminal'>, ca_sk), z.38)
+         pkTe  = pkTe.31
+         r1    = r1.33
+         s1    = s1.35
+         skTe  = (x.48*inv(x.46))
+         z     = z.38
+         z.1   = x.45^inv(x.47)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.35, <IDc.27, r1.33, pkTe.31>, x.50)
+         z.5   = z.44
+    
+     75. IDc   = IDc.28
+         certC = certC.30
+         certT = cert(pk(x.49), sign(<pk(x.49), z.39, 'terminal'>, ca_sk), z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = sign(<IDc.28, r1.34, pkTe.32>, x.49)
+         skTe  = skTe.37
+         z     = z.39
+         z.1   = cert_pk(certC.30)^skTe.37
+         z.2   = true
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = cert_id(certC.30)
+    
+     76. IDc   = IDc.28
+         certC = certC.30
+         certT = cert(pk(x.49), sign(<pk(x.49), z.39, 'terminal'>, ca_sk), z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = sign(<IDc.28, r1.34, pkTe.32>, x.49)
+         skTe  = one
+         z     = z.39
+         z.1   = cert_pk(certC.30)
+         z.2   = true
+         z.3   = verify(cert_sig(certC.30),
+                        <cert_pk(certC.30), cert_id(certC.30), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = cert_id(certC.30)
+    
+     77. IDc   = IDc.28
+         certC = cert(z.40, sign(<z.40, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.39, 'terminal'>, ca_sk), z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = sign(<IDc.28, r1.34, pkTe.32>, x.50)
+         skTe  = one
+         z     = z.39
+         z.1   = z.40
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.45
+    
+     78. IDc   = IDc.28
+         certC = cert(DH_neutral, x.48, z.45)
+         certT = cert(pk(x.50), sign(<pk(x.50), z.39, 'terminal'>, ca_sk), z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = sign(<IDc.28, r1.34, pkTe.32>, x.50)
+         z     = z.39
+         z.1   = DH_neutral
+         z.2   = true
+         z.3   = verify(x.48, <DH_neutral, z.45, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.45
+    
+     79. IDc   = IDc.28
+         certC = cert(DH_neutral, sign(<DH_neutral, z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(pk(x.49), x.50, z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = sign(<IDc.28, r1.34, pkTe.32>, x.49)
+         z     = z.39
+         z.1   = DH_neutral
+         z.2   = verify(x.50, <pk(x.49), z.39, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.45
+    
+     80. IDc   = IDc.28
+         certC = cert(z.40^(x.47*inv(x.48)), x.49, z.45)
+         certT = cert(x.51, x.52, z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = s1.36
+         skTe  = (x.48*inv(x.47))
+         z     = z.39
+         z.1   = z.40
+         z.2   = verify(x.52, <x.51, z.39, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <z.40^(x.47*inv(x.48)), z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.28, r1.34, pkTe.32>, x.51)
+         z.5   = z.45
+    
+     81. IDc   = IDc.28
+         certC = cert(x.46^inv((skTe.37*x.47)), x.49, z.45)
+         certT = cert(x.51, x.52, z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = s1.36
+         skTe  = skTe.37
+         z     = z.39
+         z.1   = x.46^inv(x.47)
+         z.2   = verify(x.52, <x.51, z.39, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <x.46^inv((skTe.37*x.47)), z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.28, r1.34, pkTe.32>, x.51)
+         z.5   = z.45
+    
+     82. IDc   = IDc.28
+         certC = cert(x.46^(x.47*x.48), x.49, z.45)
+         certT = cert(x.51, x.52, z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = s1.36
+         skTe  = inv(x.47)
+         z     = z.39
+         z.1   = x.46^x.48
+         z.2   = verify(x.52, <x.51, z.39, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <x.46^(x.47*x.48), z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.28, r1.34, pkTe.32>, x.51)
+         z.5   = z.45
+    
+     83. IDc   = IDc.28
+         certC = cert(x.46^(x.47*x.48*inv(x.49)), x.50, z.45)
+         certT = cert(x.52, sign(<x.52, z.39, 'terminal'>, ca_sk), z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = s1.36
+         skTe  = (x.49*inv(x.48))
+         z     = z.39
+         z.1   = x.46^x.47
+         z.2   = true
+         z.3   = verify(x.50, <x.46^(x.47*x.48*inv(x.49)), z.45, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.28, r1.34, pkTe.32>, x.52)
+         z.5   = z.45
+    
+     84. IDc   = IDc.28
+         certC = cert(x.46^(x.47*x.48*inv(x.49)),
+                      sign(<x.46^(x.47*x.48*inv(x.49)), z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.51, x.52, z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = s1.36
+         skTe  = (x.49*inv(x.48))
+         z     = z.39
+         z.1   = x.46^x.47
+         z.2   = verify(x.52, <x.51, z.39, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.36, <IDc.28, r1.34, pkTe.32>, x.51)
+         z.5   = z.45
+    
+     85. IDc   = IDc.28
+         certC = cert(x.46^(x.47*x.48*inv((x.49*x.50))),
+                      sign(<x.46^(x.47*x.48*inv((x.49*x.50))), z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.52, sign(<x.52, z.39, 'terminal'>, ca_sk), z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = s1.36
+         skTe  = (x.50*inv(x.48))
+         z     = z.39
+         z.1   = x.46^(x.47*inv(x.49))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.36, <IDc.28, r1.34, pkTe.32>, x.52)
+         z.5   = z.45
+    
+     86. IDc   = IDc.28
+         certC = cert(x.46^(x.47*inv(skTe.37)), x.49, z.45)
+         certT = cert(x.51, x.52, z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = s1.36
+         skTe  = skTe.37
+         z     = z.39
+         z.1   = x.46^x.47
+         z.2   = verify(x.52, <x.51, z.39, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <x.46^(x.47*inv(skTe.37)), z.45, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.28, r1.34, pkTe.32>, x.51)
+         z.5   = z.45
+    
+     87. IDc   = IDc.28
+         certC = cert(x.46^(x.47*inv((skTe.37*x.48))), x.50, z.45)
+         certT = cert(x.52, sign(<x.52, z.39, 'terminal'>, ca_sk), z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = s1.36
+         skTe  = skTe.37
+         z     = z.39
+         z.1   = x.46^(x.47*inv(x.48))
+         z.2   = true
+         z.3   = verify(x.50, <x.46^(x.47*inv((skTe.37*x.48))), z.45, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.28, r1.34, pkTe.32>, x.52)
+         z.5   = z.45
+    
+     88. IDc   = IDc.28
+         certC = cert(x.46^(x.47*inv((skTe.37*x.48))),
+                      sign(<x.46^(x.47*inv((skTe.37*x.48))), z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.51, x.52, z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = s1.36
+         skTe  = skTe.37
+         z     = z.39
+         z.1   = x.46^(x.47*inv(x.48))
+         z.2   = verify(x.52, <x.51, z.39, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.36, <IDc.28, r1.34, pkTe.32>, x.51)
+         z.5   = z.45
+    
+     89. IDc   = IDc.28
+         certC = cert(x.46^(x.47*inv((x.48*x.49))), x.50, z.45)
+         certT = cert(x.52, sign(<x.52, z.39, 'terminal'>, ca_sk), z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = s1.36
+         skTe  = (x.49*inv(x.47))
+         z     = z.39
+         z.1   = x.46^inv(x.48)
+         z.2   = true
+         z.3   = verify(x.50, <x.46^(x.47*inv((x.48*x.49))), z.45, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.36, <IDc.28, r1.34, pkTe.32>, x.52)
+         z.5   = z.45
+    
+     90. IDc   = IDc.28
+         certC = cert(x.46^(x.47*inv((x.48*x.49))),
+                      sign(<x.46^(x.47*inv((x.48*x.49))), z.45, 'chip'>, ca_sk), z.45)
+         certT = cert(x.51, x.52, z.39)
+         pkTe  = pkTe.32
+         r1    = r1.34
+         s1    = s1.36
+         skTe  = (x.49*inv(x.47))
+         z     = z.39
+         z.1   = x.46^inv(x.48)
+         z.2   = verify(x.52, <x.51, z.39, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.36, <IDc.28, r1.34, pkTe.32>, x.51)
+         z.5   = z.45
+    
+     91. IDc   = IDc.29
+         certC = certC.31
+         certT = cert(pk(x.50), x.51, z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = sign(<IDc.29, r1.35, pkTe.33>, x.50)
+         skTe  = skTe.38
+         z     = z.40
+         z.1   = cert_pk(certC.31)^skTe.38
+         z.2   = verify(x.51, <pk(x.50), z.40, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = cert_id(certC.31)
+    
+     92. IDc   = IDc.29
+         certC = certC.31
+         certT = cert(pk(x.50), x.51, z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = sign(<IDc.29, r1.35, pkTe.33>, x.50)
+         skTe  = one
+         z     = z.40
+         z.1   = cert_pk(certC.31)
+         z.2   = verify(x.51, <pk(x.50), z.40, 'terminal'>, pk(ca_sk))
+         z.3   = verify(cert_sig(certC.31),
+                        <cert_pk(certC.31), cert_id(certC.31), 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = cert_id(certC.31)
+    
+     93. IDc   = IDc.29
+         certC = cert(z.41, x.50, z.46)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.40, 'terminal'>, ca_sk), z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = sign(<IDc.29, r1.35, pkTe.33>, x.52)
+         skTe  = one
+         z     = z.40
+         z.1   = z.41
+         z.2   = true
+         z.3   = verify(x.50, <z.41, z.46, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+     94. IDc   = IDc.29
+         certC = cert(z.41, sign(<z.41, z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(pk(x.51), x.52, z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = sign(<IDc.29, r1.35, pkTe.33>, x.51)
+         skTe  = one
+         z     = z.40
+         z.1   = z.41
+         z.2   = verify(x.52, <pk(x.51), z.40, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+     95. IDc   = IDc.29
+         certC = cert(x.49, sign(<x.49, z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(pk(x.51), sign(<pk(x.51), z.40, 'terminal'>, ca_sk), z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = sign(<IDc.29, r1.35, pkTe.33>, x.51)
+         skTe  = skTe.38
+         z     = z.40
+         z.1   = x.49^skTe.38
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+     96. IDc   = IDc.29
+         certC = cert(DH_neutral, x.49, z.46)
+         certT = cert(pk(x.51), x.52, z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = sign(<IDc.29, r1.35, pkTe.33>, x.51)
+         z     = z.40
+         z.1   = DH_neutral
+         z.2   = verify(x.52, <pk(x.51), z.40, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.49, <DH_neutral, z.46, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.46
+    
+     97. IDc   = IDc.29
+         certC = cert(z.41^x.50, sign(<z.41^x.50, z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.40, 'terminal'>, ca_sk), z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = sign(<IDc.29, r1.35, pkTe.33>, x.52)
+         skTe  = inv(x.50)
+         z     = z.40
+         z.1   = z.41
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+     98. IDc   = IDc.29
+         certC = cert(z.41^inv(skTe.38),
+                      sign(<z.41^inv(skTe.38), z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(pk(x.52), sign(<pk(x.52), z.40, 'terminal'>, ca_sk), z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = sign(<IDc.29, r1.35, pkTe.33>, x.52)
+         skTe  = skTe.38
+         z     = z.40
+         z.1   = z.41
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.46
+    
+     99. IDc   = IDc.29
+         certC = cert(x.47^(x.48*x.49*inv(x.50)), x.51, z.46)
+         certT = cert(x.53, x.54, z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = s1.37
+         skTe  = (x.50*inv(x.49))
+         z     = z.40
+         z.1   = x.47^x.48
+         z.2   = verify(x.54, <x.53, z.40, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.47^(x.48*x.49*inv(x.50)), z.46, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.29, r1.35, pkTe.33>, x.53)
+         z.5   = z.46
+    
+    100. IDc   = IDc.29
+         certC = cert(x.47^(x.48*x.49*inv((x.50*x.51))), x.52, z.46)
+         certT = cert(x.54, sign(<x.54, z.40, 'terminal'>, ca_sk), z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = s1.37
+         skTe  = (x.51*inv(x.49))
+         z     = z.40
+         z.1   = x.47^(x.48*inv(x.50))
+         z.2   = true
+         z.3   = verify(x.52, <x.47^(x.48*x.49*inv((x.50*x.51))), z.46, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.29, r1.35, pkTe.33>, x.54)
+         z.5   = z.46
+    
+    101. IDc   = IDc.29
+         certC = cert(x.47^(x.48*x.49*inv((x.50*x.51))),
+                      sign(<x.47^(x.48*x.49*inv((x.50*x.51))), z.46, 'chip'>, ca_sk), z.46)
+         certT = cert(x.53, x.54, z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = s1.37
+         skTe  = (x.51*inv(x.49))
+         z     = z.40
+         z.1   = x.47^(x.48*inv(x.50))
+         z.2   = verify(x.54, <x.53, z.40, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.37, <IDc.29, r1.35, pkTe.33>, x.53)
+         z.5   = z.46
+    
+    102. IDc   = IDc.29
+         certC = cert(x.47^(x.48*inv((skTe.38*x.49))), x.51, z.46)
+         certT = cert(x.53, x.54, z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = s1.37
+         skTe  = skTe.38
+         z     = z.40
+         z.1   = x.47^(x.48*inv(x.49))
+         z.2   = verify(x.54, <x.53, z.40, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.47^(x.48*inv((skTe.38*x.49))), z.46, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.29, r1.35, pkTe.33>, x.53)
+         z.5   = z.46
+    
+    103. IDc   = IDc.29
+         certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.46)
+         certT = cert(x.53, x.54, z.40)
+         pkTe  = pkTe.33
+         r1    = r1.35
+         s1    = s1.37
+         skTe  = (x.50*inv(x.48))
+         z     = z.40
+         z.1   = x.47^inv(x.49)
+         z.2   = verify(x.54, <x.53, z.40, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.47^(x.48*inv((x.49*x.50))), z.46, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.37, <IDc.29, r1.35, pkTe.33>, x.53)
+         z.5   = z.46
+    
+    104. IDc   = IDc.30
+         certC = cert(z.42, x.51, z.47)
+         certT = cert(pk(x.53), x.54, z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.53)
+         skTe  = one
+         z     = z.41
+         z.1   = z.42
+         z.2   = verify(x.54, <pk(x.53), z.41, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <z.42, z.47, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    105. IDc   = IDc.30
+         certC = cert(x.50, x.51, z.47)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.53)
+         skTe  = skTe.39
+         z     = z.41
+         z.1   = x.50^skTe.39
+         z.2   = true
+         z.3   = verify(x.51, <x.50, z.47, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    106. IDc   = IDc.30
+         certC = cert(x.50, sign(<x.50, z.47, 'chip'>, ca_sk), z.47)
+         certT = cert(pk(x.52), x.53, z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.52)
+         skTe  = skTe.39
+         z     = z.41
+         z.1   = x.50^skTe.39
+         z.2   = verify(x.53, <pk(x.52), z.41, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    107. IDc   = IDc.30
+         certC = cert(z.42^x.51, x.52, z.47)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.54)
+         skTe  = inv(x.51)
+         z     = z.41
+         z.1   = z.42
+         z.2   = true
+         z.3   = verify(x.52, <z.42^x.51, z.47, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    108. IDc   = IDc.30
+         certC = cert(z.42^x.51, sign(<z.42^x.51, z.47, 'chip'>, ca_sk), z.47)
+         certT = cert(pk(x.53), x.54, z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.53)
+         skTe  = inv(x.51)
+         z     = z.41
+         z.1   = z.42
+         z.2   = verify(x.54, <pk(x.53), z.41, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    109. IDc   = IDc.30
+         certC = cert(z.42^inv(skTe.39), x.52, z.47)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.54)
+         skTe  = skTe.39
+         z     = z.41
+         z.1   = z.42
+         z.2   = true
+         z.3   = verify(x.52, <z.42^inv(skTe.39), z.47, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.47
+    
+    110. IDc   = IDc.30
+         certC = cert(z.42^inv(skTe.39),
+                      sign(<z.42^inv(skTe.39), z.47, 'chip'>, ca_sk), z.47)
+         certT = cert(pk(x.53), x.54, z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.53)
+         skTe  = skTe.39
+         z     = z.41
+         z.1   = z.42
+         z.2   = verify(x.54, <pk(x.53), z.41, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    111. IDc   = IDc.30
+         certC = cert(z.42^(x.51*inv(x.52)),
+                      sign(<z.42^(x.51*inv(x.52)), z.47, 'chip'>, ca_sk), z.47)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.54)
+         skTe  = (x.52*inv(x.51))
+         z     = z.41
+         z.1   = z.42
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    112. IDc   = IDc.30
+         certC = cert(x.48^x.49, sign(<x.48^x.49, z.47, 'chip'>, ca_sk), z.47)
+         certT = certT.33
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = s1.38
+         skTe  = inv((x.49*x.57))
+         z     = cert_id(certT.33)
+         z.1   = x.48^inv(x.57)
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.30, r1.36, pkTe.34>, cert_pk(certT.33))
+         z.5   = z.47
+    
+    113. IDc   = IDc.30
+         certC = cert(x.48^x.49, sign(<x.48^x.49, z.47, 'chip'>, ca_sk), z.47)
+         certT = certT.33
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = s1.38
+         skTe  = (x.57*inv(x.49))
+         z     = cert_id(certT.33)
+         z.1   = x.48^x.57
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.30, r1.36, pkTe.34>, cert_pk(certT.33))
+         z.5   = z.47
+    
+    114. IDc   = IDc.30
+         certC = cert(x.48^inv(x.49), sign(<x.48^inv(x.49), z.47, 'chip'>, ca_sk),
+                      z.47)
+         certT = certT.33
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = s1.38
+         skTe  = inv(x.57)
+         z     = cert_id(certT.33)
+         z.1   = x.48^inv((x.49*x.57))
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.30, r1.36, pkTe.34>, cert_pk(certT.33))
+         z.5   = z.47
+    
+    115. IDc   = IDc.30
+         certC = cert(x.48^inv(x.49), sign(<x.48^inv(x.49), z.47, 'chip'>, ca_sk),
+                      z.47)
+         certT = certT.33
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = s1.38
+         skTe  = (x.49*x.57)
+         z     = cert_id(certT.33)
+         z.1   = x.48^x.57
+         z.2   = verify(cert_sig(certT.33),
+                        <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.38, <IDc.30, r1.36, pkTe.34>, cert_pk(certT.33))
+         z.5   = z.47
+    
+    116. IDc   = IDc.30
+         certC = cert(x.48^(x.49*x.50*inv((x.51*x.52))), x.53, z.47)
+         certT = cert(x.55, x.56, z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = s1.38
+         skTe  = (x.52*inv(x.50))
+         z     = z.41
+         z.1   = x.48^(x.49*inv(x.51))
+         z.2   = verify(x.56, <x.55, z.41, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.48^(x.49*x.50*inv((x.51*x.52))), z.47, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.38, <IDc.30, r1.36, pkTe.34>, x.55)
+         z.5   = z.47
+    
+    117. IDc   = IDc.30
+         certC = cert(x.50^x.51, sign(<x.50^x.51, z.47, 'chip'>, ca_sk), z.47)
+         certT = cert(pk(x.53), sign(<pk(x.53), z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.53)
+         skTe  = skTe.39
+         z     = z.41
+         z.1   = x.50^(skTe.39*x.51)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    118. IDc   = IDc.30
+         certC = cert(x.50^inv((skTe.39*x.51)),
+                      sign(<x.50^inv((skTe.39*x.51)), z.47, 'chip'>, ca_sk), z.47)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.54)
+         skTe  = skTe.39
+         z     = z.41
+         z.1   = x.50^inv(x.51)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    119. IDc   = IDc.30
+         certC = cert(x.50^(x.51*x.52),
+                      sign(<x.50^(x.51*x.52), z.47, 'chip'>, ca_sk), z.47)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.54)
+         skTe  = inv(x.51)
+         z     = z.41
+         z.1   = x.50^x.52
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    120. IDc   = IDc.30
+         certC = cert(x.50^(x.51*inv(skTe.39)),
+                      sign(<x.50^(x.51*inv(skTe.39)), z.47, 'chip'>, ca_sk), z.47)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.41, 'terminal'>, ca_sk), z.41)
+         pkTe  = pkTe.34
+         r1    = r1.36
+         s1    = sign(<IDc.30, r1.36, pkTe.34>, x.54)
+         skTe  = skTe.39
+         z     = z.41
+         z.1   = x.50^x.51
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.47
+    
+    121. IDc   = IDc.31
+         certC = cert(x.51, x.52, z.48)
+         certT = cert(pk(x.54), x.55, z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.54)
+         skTe  = skTe.40
+         z     = z.42
+         z.1   = x.51^skTe.40
+         z.2   = verify(x.55, <pk(x.54), z.42, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.51, z.48, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    122. IDc   = IDc.31
+         certC = cert(z.43^x.52, x.53, z.48)
+         certT = cert(pk(x.55), x.56, z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.55)
+         skTe  = inv(x.52)
+         z     = z.42
+         z.1   = z.43
+         z.2   = verify(x.56, <pk(x.55), z.42, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <z.43^x.52, z.48, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    123. IDc   = IDc.31
+         certC = cert(z.43^inv(skTe.40), x.53, z.48)
+         certT = cert(pk(x.55), x.56, z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.55)
+         skTe  = skTe.40
+         z     = z.42
+         z.1   = z.43
+         z.2   = verify(x.56, <pk(x.55), z.42, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <z.43^inv(skTe.40), z.48, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    124. IDc   = IDc.31
+         certC = cert(z.43^(x.52*inv(x.53)), x.54, z.48)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.56)
+         skTe  = (x.53*inv(x.52))
+         z     = z.42
+         z.1   = z.43
+         z.2   = true
+         z.3   = verify(x.54, <z.43^(x.52*inv(x.53)), z.48, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    125. IDc   = IDc.31
+         certC = cert(z.43^(x.52*inv(x.53)),
+                      sign(<z.43^(x.52*inv(x.53)), z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(pk(x.55), x.56, z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.55)
+         skTe  = (x.53*inv(x.52))
+         z     = z.42
+         z.1   = z.43
+         z.2   = verify(x.56, <pk(x.55), z.42, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    126. IDc   = IDc.31
+         certC = cert(x.49^x.50, x.51, z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = inv((x.50*x.59))
+         z     = cert_id(certT.34)
+         z.1   = x.49^inv(x.59)
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.49^x.50, z.48, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    127. IDc   = IDc.31
+         certC = cert(x.49^x.50, x.51, z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.59*inv(x.50))
+         z     = cert_id(certT.34)
+         z.1   = x.49^x.59
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.49^x.50, z.48, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    128. IDc   = IDc.31
+         certC = cert(x.49^x.50, sign(<x.49^x.50, z.48, 'chip'>, ca_sk), z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.58*inv((x.50*x.59)))
+         z     = cert_id(certT.34)
+         z.1   = x.49^(x.58*inv(x.59))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    129. IDc   = IDc.31
+         certC = cert(x.49^x.50, sign(<x.49^x.50, z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(x.52, sign(<x.52, z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = inv((x.50*x.59))
+         z     = z.42
+         z.1   = x.49^inv(x.59)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, x.52)
+         z.5   = z.48
+    
+    130. IDc   = IDc.31
+         certC = cert(x.49^x.50, sign(<x.49^x.50, z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(x.52, sign(<x.52, z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.59*inv(x.50))
+         z     = z.42
+         z.1   = x.49^x.59
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, x.52)
+         z.5   = z.48
+    
+    131. IDc   = IDc.31
+         certC = cert(x.49^inv(x.50), x.51, z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = inv(x.59)
+         z     = cert_id(certT.34)
+         z.1   = x.49^inv((x.50*x.59))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.49^inv(x.50), z.48, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    132. IDc   = IDc.31
+         certC = cert(x.49^inv(x.50), x.51, z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.50*x.59)
+         z     = cert_id(certT.34)
+         z.1   = x.49^x.59
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.51, <x.49^inv(x.50), z.48, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    133. IDc   = IDc.31
+         certC = cert(x.49^inv(x.50), sign(<x.49^inv(x.50), z.48, 'chip'>, ca_sk),
+                      z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.58*inv(x.59))
+         z     = cert_id(certT.34)
+         z.1   = x.49^(x.58*inv((x.50*x.59)))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    134. IDc   = IDc.31
+         certC = cert(x.49^inv(x.50), sign(<x.49^inv(x.50), z.48, 'chip'>, ca_sk),
+                      z.48)
+         certT = cert(x.52, sign(<x.52, z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = inv(x.59)
+         z     = z.42
+         z.1   = x.49^inv((x.50*x.59))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, x.52)
+         z.5   = z.48
+    
+    135. IDc   = IDc.31
+         certC = cert(x.49^inv(x.50), sign(<x.49^inv(x.50), z.48, 'chip'>, ca_sk),
+                      z.48)
+         certT = cert(x.52, sign(<x.52, z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.50*x.59)
+         z     = z.42
+         z.1   = x.49^x.59
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, x.52)
+         z.5   = z.48
+    
+    136. IDc   = IDc.31
+         certC = cert(x.49^inv((x.50*x.51)),
+                      sign(<x.49^inv((x.50*x.51)), z.48, 'chip'>, ca_sk), z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.50*x.59)
+         z     = cert_id(certT.34)
+         z.1   = x.49^(x.59*inv(x.51))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    137. IDc   = IDc.31
+         certC = cert(x.49^inv((x.50*x.51)),
+                      sign(<x.49^inv((x.50*x.51)), z.48, 'chip'>, ca_sk), z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.50*inv(x.59))
+         z     = cert_id(certT.34)
+         z.1   = x.49^inv((x.51*x.59))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    138. IDc   = IDc.31
+         certC = cert(x.49^(x.50*x.51),
+                      sign(<x.49^(x.50*x.51), z.48, 'chip'>, ca_sk), z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = inv((x.50*x.59))
+         z     = cert_id(certT.34)
+         z.1   = x.49^(x.51*inv(x.59))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    139. IDc   = IDc.31
+         certC = cert(x.49^(x.50*x.51),
+                      sign(<x.49^(x.50*x.51), z.48, 'chip'>, ca_sk), z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.59*inv(x.50))
+         z     = cert_id(certT.34)
+         z.1   = x.49^(x.51*x.59)
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    140. IDc   = IDc.31
+         certC = cert(x.49^(x.50*inv(x.51)),
+                      sign(<x.49^(x.50*inv(x.51)), z.48, 'chip'>, ca_sk), z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = inv(x.59)
+         z     = cert_id(certT.34)
+         z.1   = x.49^(x.50*inv((x.51*x.59)))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    141. IDc   = IDc.31
+         certC = cert(x.49^(x.50*inv(x.51)),
+                      sign(<x.49^(x.50*inv(x.51)), z.48, 'chip'>, ca_sk), z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = inv((x.50*x.59))
+         z     = cert_id(certT.34)
+         z.1   = x.49^inv((x.51*x.59))
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    142. IDc   = IDc.31
+         certC = cert(x.49^(x.50*inv(x.51)),
+                      sign(<x.49^(x.50*inv(x.51)), z.48, 'chip'>, ca_sk), z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.51*x.59)
+         z     = cert_id(certT.34)
+         z.1   = x.49^(x.50*x.59)
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    143. IDc   = IDc.31
+         certC = cert(x.49^(x.50*inv(x.51)),
+                      sign(<x.49^(x.50*inv(x.51)), z.48, 'chip'>, ca_sk), z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.51*x.59*inv(x.50))
+         z     = cert_id(certT.34)
+         z.1   = x.49^x.59
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    144. IDc   = IDc.31
+         certC = cert(x.49^(x.50*inv(x.51)),
+                      sign(<x.49^(x.50*inv(x.51)), z.48, 'chip'>, ca_sk), z.48)
+         certT = certT.34
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = s1.39
+         skTe  = (x.51*inv((x.50*x.59)))
+         z     = cert_id(certT.34)
+         z.1   = x.49^inv(x.59)
+         z.2   = verify(cert_sig(certT.34),
+                        <cert_pk(certT.34), cert_id(certT.34), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.39, <IDc.31, r1.37, pkTe.35>, cert_pk(certT.34))
+         z.5   = z.48
+    
+    145. IDc   = IDc.31
+         certC = cert(x.51^x.52, x.53, z.48)
+         certT = cert(pk(x.55), sign(<pk(x.55), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.55)
+         skTe  = skTe.40
+         z     = z.42
+         z.1   = x.51^(skTe.40*x.52)
+         z.2   = true
+         z.3   = verify(x.53, <x.51^x.52, z.48, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    146. IDc   = IDc.31
+         certC = cert(x.51^x.52, sign(<x.51^x.52, z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(pk(x.54), x.55, z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.54)
+         skTe  = skTe.40
+         z     = z.42
+         z.1   = x.51^(skTe.40*x.52)
+         z.2   = verify(x.55, <pk(x.54), z.42, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    147. IDc   = IDc.31
+         certC = cert(x.51^x.52, sign(<x.51^x.52, z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.54)
+         skTe  = inv((x.52*x.60))
+         z     = z.42
+         z.1   = x.51^inv(x.60)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    148. IDc   = IDc.31
+         certC = cert(x.51^x.52, sign(<x.51^x.52, z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.54)
+         skTe  = (x.60*inv(x.52))
+         z     = z.42
+         z.1   = x.51^x.60
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    149. IDc   = IDc.31
+         certC = cert(x.51^inv(x.52), sign(<x.51^inv(x.52), z.48, 'chip'>, ca_sk),
+                      z.48)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.54)
+         skTe  = inv(x.60)
+         z     = z.42
+         z.1   = x.51^inv((x.52*x.60))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    150. IDc   = IDc.31
+         certC = cert(x.51^inv(x.52), sign(<x.51^inv(x.52), z.48, 'chip'>, ca_sk),
+                      z.48)
+         certT = cert(pk(x.54), sign(<pk(x.54), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.54)
+         skTe  = (x.52*x.60)
+         z     = z.42
+         z.1   = x.51^x.60
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    151. IDc   = IDc.31
+         certC = cert(x.51^inv((skTe.40*x.52)), x.54, z.48)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.56)
+         skTe  = skTe.40
+         z     = z.42
+         z.1   = x.51^inv(x.52)
+         z.2   = true
+         z.3   = verify(x.54, <x.51^inv((skTe.40*x.52)), z.48, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    152. IDc   = IDc.31
+         certC = cert(x.51^inv((skTe.40*x.52)),
+                      sign(<x.51^inv((skTe.40*x.52)), z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(pk(x.55), x.56, z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.55)
+         skTe  = skTe.40
+         z     = z.42
+         z.1   = x.51^inv(x.52)
+         z.2   = verify(x.56, <pk(x.55), z.42, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    153. IDc   = IDc.31
+         certC = cert(x.51^(x.52*x.53), x.54, z.48)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.56)
+         skTe  = inv(x.52)
+         z     = z.42
+         z.1   = x.51^x.53
+         z.2   = true
+         z.3   = verify(x.54, <x.51^(x.52*x.53), z.48, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    154. IDc   = IDc.31
+         certC = cert(x.51^(x.52*x.53),
+                      sign(<x.51^(x.52*x.53), z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(pk(x.55), x.56, z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.55)
+         skTe  = inv(x.52)
+         z     = z.42
+         z.1   = x.51^x.53
+         z.2   = verify(x.56, <pk(x.55), z.42, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    155. IDc   = IDc.31
+         certC = cert(x.51^(x.52*x.53*inv(x.54)),
+                      sign(<x.51^(x.52*x.53*inv(x.54)), z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.56)
+         skTe  = (x.54*inv(x.53))
+         z     = z.42
+         z.1   = x.51^x.52
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    156. IDc   = IDc.31
+         certC = cert(x.51^(x.52*inv(skTe.40)), x.54, z.48)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.56)
+         skTe  = skTe.40
+         z     = z.42
+         z.1   = x.51^x.52
+         z.2   = true
+         z.3   = verify(x.54, <x.51^(x.52*inv(skTe.40)), z.48, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.48
+    
+    157. IDc   = IDc.31
+         certC = cert(x.51^(x.52*inv(skTe.40)),
+                      sign(<x.51^(x.52*inv(skTe.40)), z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(pk(x.55), x.56, z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.55)
+         skTe  = skTe.40
+         z     = z.42
+         z.1   = x.51^x.52
+         z.2   = verify(x.56, <pk(x.55), z.42, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    158. IDc   = IDc.31
+         certC = cert(x.51^(x.52*inv((skTe.40*x.53))),
+                      sign(<x.51^(x.52*inv((skTe.40*x.53))), z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.56)
+         skTe  = skTe.40
+         z     = z.42
+         z.1   = x.51^(x.52*inv(x.53))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    159. IDc   = IDc.31
+         certC = cert(x.51^(x.52*inv((x.53*x.54))),
+                      sign(<x.51^(x.52*inv((x.53*x.54))), z.48, 'chip'>, ca_sk), z.48)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.42, 'terminal'>, ca_sk), z.42)
+         pkTe  = pkTe.35
+         r1    = r1.37
+         s1    = sign(<IDc.31, r1.37, pkTe.35>, x.56)
+         skTe  = (x.54*inv(x.52))
+         z     = z.42
+         z.1   = x.51^inv(x.53)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.48
+    
+    160. IDc   = IDc.32
+         certC = cert(z.44^(x.53*inv(x.54)), x.55, z.49)
+         certT = cert(pk(x.57), x.58, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.57)
+         skTe  = (x.54*inv(x.53))
+         z     = z.43
+         z.1   = z.44
+         z.2   = verify(x.58, <pk(x.57), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <z.44^(x.53*inv(x.54)), z.49, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    161. IDc   = IDc.32
+         certC = cert(x.50^x.51, x.52, z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.60*inv((x.51*x.61)))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.60*inv(x.61))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.50^x.51, z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    162. IDc   = IDc.32
+         certC = cert(x.50^x.51, x.52, z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = inv((x.51*x.61))
+         z     = z.43
+         z.1   = x.50^inv(x.61)
+         z.2   = true
+         z.3   = verify(x.52, <x.50^x.51, z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    163. IDc   = IDc.32
+         certC = cert(x.50^x.51, x.52, z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.61*inv(x.51))
+         z     = z.43
+         z.1   = x.50^x.61
+         z.2   = true
+         z.3   = verify(x.52, <x.50^x.51, z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    164. IDc   = IDc.32
+         certC = cert(x.50^x.51, sign(<x.50^x.51, z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.53, x.54, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = inv((x.51*x.61))
+         z     = z.43
+         z.1   = x.50^inv(x.61)
+         z.2   = verify(x.54, <x.53, z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.53)
+         z.5   = z.49
+    
+    165. IDc   = IDc.32
+         certC = cert(x.50^x.51, sign(<x.50^x.51, z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.53, x.54, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.61*inv(x.51))
+         z     = z.43
+         z.1   = x.50^x.61
+         z.2   = verify(x.54, <x.53, z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.53)
+         z.5   = z.49
+    
+    166. IDc   = IDc.32
+         certC = cert(x.50^x.51, sign(<x.50^x.51, z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.53, sign(<x.53, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.60*inv((x.51*x.61)))
+         z     = z.43
+         z.1   = x.50^(x.60*inv(x.61))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.53)
+         z.5   = z.49
+    
+    167. IDc   = IDc.32
+         certC = cert(x.50^inv(x.51), x.52, z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.60*inv(x.61))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.60*inv((x.51*x.61)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.52, <x.50^inv(x.51), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    168. IDc   = IDc.32
+         certC = cert(x.50^inv(x.51), x.52, z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = inv(x.61)
+         z     = z.43
+         z.1   = x.50^inv((x.51*x.61))
+         z.2   = true
+         z.3   = verify(x.52, <x.50^inv(x.51), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    169. IDc   = IDc.32
+         certC = cert(x.50^inv(x.51), x.52, z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.51*x.61)
+         z     = z.43
+         z.1   = x.50^x.61
+         z.2   = true
+         z.3   = verify(x.52, <x.50^inv(x.51), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    170. IDc   = IDc.32
+         certC = cert(x.50^inv(x.51), sign(<x.50^inv(x.51), z.49, 'chip'>, ca_sk),
+                      z.49)
+         certT = cert(x.53, x.54, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = inv(x.61)
+         z     = z.43
+         z.1   = x.50^inv((x.51*x.61))
+         z.2   = verify(x.54, <x.53, z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.53)
+         z.5   = z.49
+    
+    171. IDc   = IDc.32
+         certC = cert(x.50^inv(x.51), sign(<x.50^inv(x.51), z.49, 'chip'>, ca_sk),
+                      z.49)
+         certT = cert(x.53, x.54, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.51*x.61)
+         z     = z.43
+         z.1   = x.50^x.61
+         z.2   = verify(x.54, <x.53, z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.53)
+         z.5   = z.49
+    
+    172. IDc   = IDc.32
+         certC = cert(x.50^inv(x.51), sign(<x.50^inv(x.51), z.49, 'chip'>, ca_sk),
+                      z.49)
+         certT = cert(x.53, sign(<x.53, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.60*inv(x.61))
+         z     = z.43
+         z.1   = x.50^(x.60*inv((x.51*x.61)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.53)
+         z.5   = z.49
+    
+    173. IDc   = IDc.32
+         certC = cert(x.50^inv((x.51*x.52)), x.53, z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.51*x.61)
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.61*inv(x.52))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.50^inv((x.51*x.52)), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    174. IDc   = IDc.32
+         certC = cert(x.50^inv((x.51*x.52)), x.53, z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.51*inv(x.61))
+         z     = cert_id(certT.35)
+         z.1   = x.50^inv((x.52*x.61))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.50^inv((x.51*x.52)), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    175. IDc   = IDc.32
+         certC = cert(x.50^inv((x.51*x.52)),
+                      sign(<x.50^inv((x.51*x.52)), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.51*x.60*inv(x.61))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.60*inv((x.52*x.61)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    176. IDc   = IDc.32
+         certC = cert(x.50^inv((x.51*x.52)),
+                      sign(<x.50^inv((x.51*x.52)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.51*x.61)
+         z     = z.43
+         z.1   = x.50^(x.61*inv(x.52))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    177. IDc   = IDc.32
+         certC = cert(x.50^inv((x.51*x.52)),
+                      sign(<x.50^inv((x.51*x.52)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.51*inv(x.61))
+         z     = z.43
+         z.1   = x.50^inv((x.52*x.61))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    178. IDc   = IDc.32
+         certC = cert(x.50^(x.51*x.52), x.53, z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = inv((x.51*x.61))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.52*inv(x.61))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.50^(x.51*x.52), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    179. IDc   = IDc.32
+         certC = cert(x.50^(x.51*x.52), x.53, z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.61*inv(x.51))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.52*x.61)
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.50^(x.51*x.52), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    180. IDc   = IDc.32
+         certC = cert(x.50^(x.51*x.52),
+                      sign(<x.50^(x.51*x.52), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.60*inv((x.51*x.61)))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.52*x.60*inv(x.61))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    181. IDc   = IDc.32
+         certC = cert(x.50^(x.51*x.52),
+                      sign(<x.50^(x.51*x.52), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = inv((x.51*x.61))
+         z     = z.43
+         z.1   = x.50^(x.52*inv(x.61))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    182. IDc   = IDc.32
+         certC = cert(x.50^(x.51*x.52),
+                      sign(<x.50^(x.51*x.52), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.61*inv(x.51))
+         z     = z.43
+         z.1   = x.50^(x.52*x.61)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    183. IDc   = IDc.32
+         certC = cert(x.50^(x.51*x.52*inv(x.53)),
+                      sign(<x.50^(x.51*x.52*inv(x.53)), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = inv((x.52*x.61))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.51*inv((x.53*x.61)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    184. IDc   = IDc.32
+         certC = cert(x.50^(x.51*x.52*inv(x.53)),
+                      sign(<x.50^(x.51*x.52*inv(x.53)), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.53*x.61*inv(x.51))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.52*x.61)
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    185. IDc   = IDc.32
+         certC = cert(x.50^(x.51*x.52*inv(x.53)),
+                      sign(<x.50^(x.51*x.52*inv(x.53)), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.53*inv((x.51*x.61)))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.52*inv(x.61))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    186. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)), x.53, z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = inv(x.61)
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.51*inv((x.52*x.61)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.50^(x.51*inv(x.52)), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    187. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)), x.53, z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = inv((x.51*x.61))
+         z     = cert_id(certT.35)
+         z.1   = x.50^inv((x.52*x.61))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.50^(x.51*inv(x.52)), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    188. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)), x.53, z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.52*x.61)
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.51*x.61)
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.50^(x.51*inv(x.52)), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    189. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)), x.53, z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.52*x.61*inv(x.51))
+         z     = cert_id(certT.35)
+         z.1   = x.50^x.61
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.50^(x.51*inv(x.52)), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    190. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)), x.53, z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.52*inv((x.51*x.61)))
+         z     = cert_id(certT.35)
+         z.1   = x.50^inv(x.61)
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.50^(x.51*inv(x.52)), z.49, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    191. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)),
+                      sign(<x.50^(x.51*inv(x.52)), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.52*x.60*inv((x.51*x.61)))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.60*inv(x.61))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    192. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)),
+                      sign(<x.50^(x.51*inv(x.52)), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.60*inv(x.61))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.51*x.60*inv((x.52*x.61)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    193. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)),
+                      sign(<x.50^(x.51*inv(x.52)), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.60*inv((x.51*x.61)))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.60*inv((x.52*x.61)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    194. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)),
+                      sign(<x.50^(x.51*inv(x.52)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = inv(x.61)
+         z     = z.43
+         z.1   = x.50^(x.51*inv((x.52*x.61)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    195. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)),
+                      sign(<x.50^(x.51*inv(x.52)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = inv((x.51*x.61))
+         z     = z.43
+         z.1   = x.50^inv((x.52*x.61))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    196. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)),
+                      sign(<x.50^(x.51*inv(x.52)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.52*x.61)
+         z     = z.43
+         z.1   = x.50^(x.51*x.61)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    197. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)),
+                      sign(<x.50^(x.51*inv(x.52)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.52*x.61*inv(x.51))
+         z     = z.43
+         z.1   = x.50^x.61
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    198. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv(x.52)),
+                      sign(<x.50^(x.51*inv(x.52)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(x.54, sign(<x.54, z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.52*inv((x.51*x.61)))
+         z     = z.43
+         z.1   = x.50^inv(x.61)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, x.54)
+         z.5   = z.49
+    
+    199. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv((x.52*x.53))),
+                      sign(<x.50^(x.51*inv((x.52*x.53))), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.52*x.61)
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.51*x.61*inv(x.53))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    200. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv((x.52*x.53))),
+                      sign(<x.50^(x.51*inv((x.52*x.53))), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.52*x.61*inv(x.51))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.61*inv(x.53))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    201. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv((x.52*x.53))),
+                      sign(<x.50^(x.51*inv((x.52*x.53))), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.52*inv(x.61))
+         z     = cert_id(certT.35)
+         z.1   = x.50^(x.51*inv((x.53*x.61)))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    202. IDc   = IDc.32
+         certC = cert(x.50^(x.51*inv((x.52*x.53))),
+                      sign(<x.50^(x.51*inv((x.52*x.53))), z.49, 'chip'>, ca_sk), z.49)
+         certT = certT.35
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = s1.40
+         skTe  = (x.52*inv((x.51*x.61)))
+         z     = cert_id(certT.35)
+         z.1   = x.50^inv((x.53*x.61))
+         z.2   = verify(cert_sig(certT.35),
+                        <cert_pk(certT.35), cert_id(certT.35), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.40, <IDc.32, r1.38, pkTe.36>, cert_pk(certT.35))
+         z.5   = z.49
+    
+    203. IDc   = IDc.32
+         certC = cert(x.52^x.53, x.54, z.49)
+         certT = cert(pk(x.56), x.57, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = skTe.41
+         z     = z.43
+         z.1   = x.52^(skTe.41*x.53)
+         z.2   = verify(x.57, <pk(x.56), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.52^x.53, z.49, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    204. IDc   = IDc.32
+         certC = cert(x.52^x.53, x.54, z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = inv((x.53*x.62))
+         z     = z.43
+         z.1   = x.52^inv(x.62)
+         z.2   = true
+         z.3   = verify(x.54, <x.52^x.53, z.49, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    205. IDc   = IDc.32
+         certC = cert(x.52^x.53, x.54, z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = (x.62*inv(x.53))
+         z     = z.43
+         z.1   = x.52^x.62
+         z.2   = true
+         z.3   = verify(x.54, <x.52^x.53, z.49, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    206. IDc   = IDc.32
+         certC = cert(x.52^x.53, sign(<x.52^x.53, z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.55), x.56, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.55)
+         skTe  = inv((x.53*x.62))
+         z     = z.43
+         z.1   = x.52^inv(x.62)
+         z.2   = verify(x.56, <pk(x.55), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    207. IDc   = IDc.32
+         certC = cert(x.52^x.53, sign(<x.52^x.53, z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.55), x.56, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.55)
+         skTe  = (x.62*inv(x.53))
+         z     = z.43
+         z.1   = x.52^x.62
+         z.2   = verify(x.56, <pk(x.55), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    208. IDc   = IDc.32
+         certC = cert(x.52^x.53, sign(<x.52^x.53, z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.55), sign(<pk(x.55), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.55)
+         skTe  = (x.61*inv((x.53*x.62)))
+         z     = z.43
+         z.1   = x.52^(x.61*inv(x.62))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    209. IDc   = IDc.32
+         certC = cert(x.52^inv(x.53), x.54, z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = inv(x.62)
+         z     = z.43
+         z.1   = x.52^inv((x.53*x.62))
+         z.2   = true
+         z.3   = verify(x.54, <x.52^inv(x.53), z.49, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    210. IDc   = IDc.32
+         certC = cert(x.52^inv(x.53), x.54, z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = (x.53*x.62)
+         z     = z.43
+         z.1   = x.52^x.62
+         z.2   = true
+         z.3   = verify(x.54, <x.52^inv(x.53), z.49, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    211. IDc   = IDc.32
+         certC = cert(x.52^inv(x.53), sign(<x.52^inv(x.53), z.49, 'chip'>, ca_sk),
+                      z.49)
+         certT = cert(pk(x.55), x.56, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.55)
+         skTe  = inv(x.62)
+         z     = z.43
+         z.1   = x.52^inv((x.53*x.62))
+         z.2   = verify(x.56, <pk(x.55), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    212. IDc   = IDc.32
+         certC = cert(x.52^inv(x.53), sign(<x.52^inv(x.53), z.49, 'chip'>, ca_sk),
+                      z.49)
+         certT = cert(pk(x.55), x.56, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.55)
+         skTe  = (x.53*x.62)
+         z     = z.43
+         z.1   = x.52^x.62
+         z.2   = verify(x.56, <pk(x.55), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    213. IDc   = IDc.32
+         certC = cert(x.52^inv(x.53), sign(<x.52^inv(x.53), z.49, 'chip'>, ca_sk),
+                      z.49)
+         certT = cert(pk(x.55), sign(<pk(x.55), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.55)
+         skTe  = (x.61*inv(x.62))
+         z     = z.43
+         z.1   = x.52^(x.61*inv((x.53*x.62)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    214. IDc   = IDc.32
+         certC = cert(x.52^inv((skTe.41*x.53)), x.55, z.49)
+         certT = cert(pk(x.57), x.58, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.57)
+         skTe  = skTe.41
+         z     = z.43
+         z.1   = x.52^inv(x.53)
+         z.2   = verify(x.58, <pk(x.57), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^inv((skTe.41*x.53)), z.49, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    215. IDc   = IDc.32
+         certC = cert(x.52^inv((x.53*x.54)),
+                      sign(<x.52^inv((x.53*x.54)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = (x.53*x.62)
+         z     = z.43
+         z.1   = x.52^(x.62*inv(x.54))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    216. IDc   = IDc.32
+         certC = cert(x.52^inv((x.53*x.54)),
+                      sign(<x.52^inv((x.53*x.54)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = (x.53*inv(x.62))
+         z     = z.43
+         z.1   = x.52^inv((x.54*x.62))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    217. IDc   = IDc.32
+         certC = cert(x.52^(x.53*x.54), x.55, z.49)
+         certT = cert(pk(x.57), x.58, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.57)
+         skTe  = inv(x.53)
+         z     = z.43
+         z.1   = x.52^x.54
+         z.2   = verify(x.58, <pk(x.57), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^(x.53*x.54), z.49, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    218. IDc   = IDc.32
+         certC = cert(x.52^(x.53*x.54),
+                      sign(<x.52^(x.53*x.54), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = inv((x.53*x.62))
+         z     = z.43
+         z.1   = x.52^(x.54*inv(x.62))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    219. IDc   = IDc.32
+         certC = cert(x.52^(x.53*x.54),
+                      sign(<x.52^(x.53*x.54), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = (x.62*inv(x.53))
+         z     = z.43
+         z.1   = x.52^(x.54*x.62)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    220. IDc   = IDc.32
+         certC = cert(x.52^(x.53*x.54*inv(x.55)), x.56, z.49)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.58)
+         skTe  = (x.55*inv(x.54))
+         z     = z.43
+         z.1   = x.52^x.53
+         z.2   = true
+         z.3   = verify(x.56, <x.52^(x.53*x.54*inv(x.55)), z.49, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    221. IDc   = IDc.32
+         certC = cert(x.52^(x.53*x.54*inv(x.55)),
+                      sign(<x.52^(x.53*x.54*inv(x.55)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.57), x.58, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.57)
+         skTe  = (x.55*inv(x.54))
+         z     = z.43
+         z.1   = x.52^x.53
+         z.2   = verify(x.58, <pk(x.57), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    222. IDc   = IDc.32
+         certC = cert(x.52^(x.53*x.54*inv((x.55*x.56))),
+                      sign(<x.52^(x.53*x.54*inv((x.55*x.56))), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.58)
+         skTe  = (x.56*inv(x.54))
+         z     = z.43
+         z.1   = x.52^(x.53*inv(x.55))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    223. IDc   = IDc.32
+         certC = cert(x.52^(x.53*inv(skTe.41)), x.55, z.49)
+         certT = cert(pk(x.57), x.58, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.57)
+         skTe  = skTe.41
+         z     = z.43
+         z.1   = x.52^x.53
+         z.2   = verify(x.58, <pk(x.57), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^(x.53*inv(skTe.41)), z.49, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    224. IDc   = IDc.32
+         certC = cert(x.52^(x.53*inv(x.54)),
+                      sign(<x.52^(x.53*inv(x.54)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = inv(x.62)
+         z     = z.43
+         z.1   = x.52^(x.53*inv((x.54*x.62)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    225. IDc   = IDc.32
+         certC = cert(x.52^(x.53*inv(x.54)),
+                      sign(<x.52^(x.53*inv(x.54)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = inv((x.53*x.62))
+         z     = z.43
+         z.1   = x.52^inv((x.54*x.62))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    226. IDc   = IDc.32
+         certC = cert(x.52^(x.53*inv(x.54)),
+                      sign(<x.52^(x.53*inv(x.54)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = (x.54*x.62)
+         z     = z.43
+         z.1   = x.52^(x.53*x.62)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    227. IDc   = IDc.32
+         certC = cert(x.52^(x.53*inv(x.54)),
+                      sign(<x.52^(x.53*inv(x.54)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = (x.54*x.62*inv(x.53))
+         z     = z.43
+         z.1   = x.52^x.62
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    228. IDc   = IDc.32
+         certC = cert(x.52^(x.53*inv(x.54)),
+                      sign(<x.52^(x.53*inv(x.54)), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.56), sign(<pk(x.56), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.56)
+         skTe  = (x.54*inv((x.53*x.62)))
+         z     = z.43
+         z.1   = x.52^inv(x.62)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    229. IDc   = IDc.32
+         certC = cert(x.52^(x.53*inv((skTe.41*x.54))), x.56, z.49)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.58)
+         skTe  = skTe.41
+         z     = z.43
+         z.1   = x.52^(x.53*inv(x.54))
+         z.2   = true
+         z.3   = verify(x.56, <x.52^(x.53*inv((skTe.41*x.54))), z.49, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    230. IDc   = IDc.32
+         certC = cert(x.52^(x.53*inv((skTe.41*x.54))),
+                      sign(<x.52^(x.53*inv((skTe.41*x.54))), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.57), x.58, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.57)
+         skTe  = skTe.41
+         z     = z.43
+         z.1   = x.52^(x.53*inv(x.54))
+         z.2   = verify(x.58, <pk(x.57), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    231. IDc   = IDc.32
+         certC = cert(x.52^(x.53*inv((x.54*x.55))), x.56, z.49)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.43, 'terminal'>, ca_sk), z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.58)
+         skTe  = (x.55*inv(x.53))
+         z     = z.43
+         z.1   = x.52^inv(x.54)
+         z.2   = true
+         z.3   = verify(x.56, <x.52^(x.53*inv((x.54*x.55))), z.49, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.49
+    
+    232. IDc   = IDc.32
+         certC = cert(x.52^(x.53*inv((x.54*x.55))),
+                      sign(<x.52^(x.53*inv((x.54*x.55))), z.49, 'chip'>, ca_sk), z.49)
+         certT = cert(pk(x.57), x.58, z.43)
+         pkTe  = pkTe.36
+         r1    = r1.38
+         s1    = sign(<IDc.32, r1.38, pkTe.36>, x.57)
+         skTe  = (x.55*inv(x.53))
+         z     = z.43
+         z.1   = x.52^inv(x.54)
+         z.2   = verify(x.58, <pk(x.57), z.43, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.49
+    
+    233. IDc   = IDc.33
+         certC = cert(x.51^x.52, x.53, z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = inv((x.52*x.63))
+         z     = z.44
+         z.1   = x.51^inv(x.63)
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.51^x.52, z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    234. IDc   = IDc.33
+         certC = cert(x.51^x.52, x.53, z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.63*inv(x.52))
+         z     = z.44
+         z.1   = x.51^x.63
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.51^x.52, z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    235. IDc   = IDc.33
+         certC = cert(x.51^x.52, x.53, z.50)
+         certT = cert(x.55, sign(<x.55, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.62*inv((x.52*x.63)))
+         z     = z.44
+         z.1   = x.51^(x.62*inv(x.63))
+         z.2   = true
+         z.3   = verify(x.53, <x.51^x.52, z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    236. IDc   = IDc.33
+         certC = cert(x.51^x.52, sign(<x.51^x.52, z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.54, x.55, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.62*inv((x.52*x.63)))
+         z     = z.44
+         z.1   = x.51^(x.62*inv(x.63))
+         z.2   = verify(x.55, <x.54, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.54)
+         z.5   = z.50
+    
+    237. IDc   = IDc.33
+         certC = cert(x.51^inv(x.52), x.53, z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = inv(x.63)
+         z     = z.44
+         z.1   = x.51^inv((x.52*x.63))
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.51^inv(x.52), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    238. IDc   = IDc.33
+         certC = cert(x.51^inv(x.52), x.53, z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.52*x.63)
+         z     = z.44
+         z.1   = x.51^x.63
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.53, <x.51^inv(x.52), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    239. IDc   = IDc.33
+         certC = cert(x.51^inv(x.52), x.53, z.50)
+         certT = cert(x.55, sign(<x.55, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.62*inv(x.63))
+         z     = z.44
+         z.1   = x.51^(x.62*inv((x.52*x.63)))
+         z.2   = true
+         z.3   = verify(x.53, <x.51^inv(x.52), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    240. IDc   = IDc.33
+         certC = cert(x.51^inv(x.52), sign(<x.51^inv(x.52), z.50, 'chip'>, ca_sk),
+                      z.50)
+         certT = cert(x.54, x.55, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.62*inv(x.63))
+         z     = z.44
+         z.1   = x.51^(x.62*inv((x.52*x.63)))
+         z.2   = verify(x.55, <x.54, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.54)
+         z.5   = z.50
+    
+    241. IDc   = IDc.33
+         certC = cert(x.51^inv((x.52*x.53)), x.54, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.52*x.62*inv(x.63))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.62*inv((x.53*x.63)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.51^inv((x.52*x.53)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    242. IDc   = IDc.33
+         certC = cert(x.51^inv((x.52*x.53)), x.54, z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.52*x.63)
+         z     = z.44
+         z.1   = x.51^(x.63*inv(x.53))
+         z.2   = true
+         z.3   = verify(x.54, <x.51^inv((x.52*x.53)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    243. IDc   = IDc.33
+         certC = cert(x.51^inv((x.52*x.53)), x.54, z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.52*inv(x.63))
+         z     = z.44
+         z.1   = x.51^inv((x.53*x.63))
+         z.2   = true
+         z.3   = verify(x.54, <x.51^inv((x.52*x.53)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    244. IDc   = IDc.33
+         certC = cert(x.51^inv((x.52*x.53)),
+                      sign(<x.51^inv((x.52*x.53)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.52*x.63)
+         z     = z.44
+         z.1   = x.51^(x.63*inv(x.53))
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    245. IDc   = IDc.33
+         certC = cert(x.51^inv((x.52*x.53)),
+                      sign(<x.51^inv((x.52*x.53)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.52*inv(x.63))
+         z     = z.44
+         z.1   = x.51^inv((x.53*x.63))
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    246. IDc   = IDc.33
+         certC = cert(x.51^inv((x.52*x.53)),
+                      sign(<x.51^inv((x.52*x.53)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, sign(<x.55, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.52*x.62*inv(x.63))
+         z     = z.44
+         z.1   = x.51^(x.62*inv((x.53*x.63)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    247. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53), x.54, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.62*inv((x.52*x.63)))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.53*x.62*inv(x.63))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.51^(x.52*x.53), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    248. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53), x.54, z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = inv((x.52*x.63))
+         z     = z.44
+         z.1   = x.51^(x.53*inv(x.63))
+         z.2   = true
+         z.3   = verify(x.54, <x.51^(x.52*x.53), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    249. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53), x.54, z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.63*inv(x.52))
+         z     = z.44
+         z.1   = x.51^(x.53*x.63)
+         z.2   = true
+         z.3   = verify(x.54, <x.51^(x.52*x.53), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    250. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53),
+                      sign(<x.51^(x.52*x.53), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = inv((x.52*x.63))
+         z     = z.44
+         z.1   = x.51^(x.53*inv(x.63))
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    251. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53),
+                      sign(<x.51^(x.52*x.53), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.63*inv(x.52))
+         z     = z.44
+         z.1   = x.51^(x.53*x.63)
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    252. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53),
+                      sign(<x.51^(x.52*x.53), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, sign(<x.55, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.62*inv((x.52*x.63)))
+         z     = z.44
+         z.1   = x.51^(x.53*x.62*inv(x.63))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    253. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53*inv(x.54)), x.55, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = inv((x.53*x.63))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.52*inv((x.54*x.63)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.51^(x.52*x.53*inv(x.54)), z.50, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    254. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53*inv(x.54)), x.55, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.54*x.63*inv(x.52))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.53*x.63)
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.51^(x.52*x.53*inv(x.54)), z.50, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    255. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53*inv(x.54)), x.55, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.54*inv((x.52*x.63)))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.53*inv(x.63))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.51^(x.52*x.53*inv(x.54)), z.50, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    256. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53*inv(x.54)),
+                      sign(<x.51^(x.52*x.53*inv(x.54)), z.50, 'chip'>, ca_sk), z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.54*x.62*inv((x.52*x.63)))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.53*x.62*inv(x.63))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    257. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53*inv(x.54)),
+                      sign(<x.51^(x.52*x.53*inv(x.54)), z.50, 'chip'>, ca_sk), z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.62*inv((x.52*x.63)))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.53*x.62*inv((x.54*x.63)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    258. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53*inv(x.54)),
+                      sign(<x.51^(x.52*x.53*inv(x.54)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = inv((x.53*x.63))
+         z     = z.44
+         z.1   = x.51^(x.52*inv((x.54*x.63)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    259. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53*inv(x.54)),
+                      sign(<x.51^(x.52*x.53*inv(x.54)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.54*x.63*inv(x.52))
+         z     = z.44
+         z.1   = x.51^(x.53*x.63)
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    260. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53*inv(x.54)),
+                      sign(<x.51^(x.52*x.53*inv(x.54)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.54*inv((x.52*x.63)))
+         z     = z.44
+         z.1   = x.51^(x.53*inv(x.63))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    261. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53*inv((x.54*x.55))),
+                      sign(<x.51^(x.52*x.53*inv((x.54*x.55))), z.50, 'chip'>, ca_sk), z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.54*x.63*inv(x.52))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.53*x.63*inv(x.55))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    262. IDc   = IDc.33
+         certC = cert(x.51^(x.52*x.53*inv((x.54*x.55))),
+                      sign(<x.51^(x.52*x.53*inv((x.54*x.55))), z.50, 'chip'>, ca_sk), z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.54*inv((x.52*x.63)))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.53*inv((x.55*x.63)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    263. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)), x.54, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.62*inv((x.52*x.63)))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.62*inv(x.63))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.51^(x.52*inv(x.53)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    264. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)), x.54, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.62*inv(x.63))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.52*x.62*inv((x.53*x.63)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.51^(x.52*inv(x.53)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    265. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)), x.54, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.62*inv((x.52*x.63)))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.62*inv((x.53*x.63)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.51^(x.52*inv(x.53)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    266. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)), x.54, z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = inv(x.63)
+         z     = z.44
+         z.1   = x.51^(x.52*inv((x.53*x.63)))
+         z.2   = true
+         z.3   = verify(x.54, <x.51^(x.52*inv(x.53)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    267. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)), x.54, z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = inv((x.52*x.63))
+         z     = z.44
+         z.1   = x.51^inv((x.53*x.63))
+         z.2   = true
+         z.3   = verify(x.54, <x.51^(x.52*inv(x.53)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    268. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)), x.54, z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.63)
+         z     = z.44
+         z.1   = x.51^(x.52*x.63)
+         z.2   = true
+         z.3   = verify(x.54, <x.51^(x.52*inv(x.53)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    269. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)), x.54, z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.63*inv(x.52))
+         z     = z.44
+         z.1   = x.51^x.63
+         z.2   = true
+         z.3   = verify(x.54, <x.51^(x.52*inv(x.53)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    270. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)), x.54, z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*inv((x.52*x.63)))
+         z     = z.44
+         z.1   = x.51^inv(x.63)
+         z.2   = true
+         z.3   = verify(x.54, <x.51^(x.52*inv(x.53)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    271. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)),
+                      sign(<x.51^(x.52*inv(x.53)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = inv(x.63)
+         z     = z.44
+         z.1   = x.51^(x.52*inv((x.53*x.63)))
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    272. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)),
+                      sign(<x.51^(x.52*inv(x.53)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = inv((x.52*x.63))
+         z     = z.44
+         z.1   = x.51^inv((x.53*x.63))
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    273. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)),
+                      sign(<x.51^(x.52*inv(x.53)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.63)
+         z     = z.44
+         z.1   = x.51^(x.52*x.63)
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    274. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)),
+                      sign(<x.51^(x.52*inv(x.53)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.63*inv(x.52))
+         z     = z.44
+         z.1   = x.51^x.63
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    275. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)),
+                      sign(<x.51^(x.52*inv(x.53)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, x.56, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*inv((x.52*x.63)))
+         z     = z.44
+         z.1   = x.51^inv(x.63)
+         z.2   = verify(x.56, <x.55, z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    276. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)),
+                      sign(<x.51^(x.52*inv(x.53)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, sign(<x.55, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.62*inv((x.52*x.63)))
+         z     = z.44
+         z.1   = x.51^(x.62*inv(x.63))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    277. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)),
+                      sign(<x.51^(x.52*inv(x.53)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, sign(<x.55, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.62*inv(x.63))
+         z     = z.44
+         z.1   = x.51^(x.52*x.62*inv((x.53*x.63)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    278. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv(x.53)),
+                      sign(<x.51^(x.52*inv(x.53)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.55, sign(<x.55, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.62*inv((x.52*x.63)))
+         z     = z.44
+         z.1   = x.51^(x.62*inv((x.53*x.63)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.55)
+         z.5   = z.50
+    
+    279. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv((x.53*x.54))), x.55, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.63)
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.52*x.63*inv(x.54))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.51^(x.52*inv((x.53*x.54))), z.50, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    280. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv((x.53*x.54))), x.55, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.63*inv(x.52))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.63*inv(x.54))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.51^(x.52*inv((x.53*x.54))), z.50, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    281. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv((x.53*x.54))), x.55, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*inv(x.63))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.52*inv((x.54*x.63)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.51^(x.52*inv((x.53*x.54))), z.50, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    282. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv((x.53*x.54))), x.55, z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*inv((x.52*x.63)))
+         z     = cert_id(certT.36)
+         z.1   = x.51^inv((x.54*x.63))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.51^(x.52*inv((x.53*x.54))), z.50, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    283. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv((x.53*x.54))),
+                      sign(<x.51^(x.52*inv((x.53*x.54))), z.50, 'chip'>, ca_sk), z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.62*inv(x.63))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.52*x.62*inv((x.54*x.63)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    284. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv((x.53*x.54))),
+                      sign(<x.51^(x.52*inv((x.53*x.54))), z.50, 'chip'>, ca_sk), z.50)
+         certT = certT.36
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.62*inv((x.52*x.63)))
+         z     = cert_id(certT.36)
+         z.1   = x.51^(x.62*inv((x.54*x.63)))
+         z.2   = verify(cert_sig(certT.36),
+                        <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, cert_pk(certT.36))
+         z.5   = z.50
+    
+    285. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv((x.53*x.54))),
+                      sign(<x.51^(x.52*inv((x.53*x.54))), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.63)
+         z     = z.44
+         z.1   = x.51^(x.52*x.63*inv(x.54))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    286. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv((x.53*x.54))),
+                      sign(<x.51^(x.52*inv((x.53*x.54))), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*x.63*inv(x.52))
+         z     = z.44
+         z.1   = x.51^(x.63*inv(x.54))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    287. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv((x.53*x.54))),
+                      sign(<x.51^(x.52*inv((x.53*x.54))), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*inv(x.63))
+         z     = z.44
+         z.1   = x.51^(x.52*inv((x.54*x.63)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    288. IDc   = IDc.33
+         certC = cert(x.51^(x.52*inv((x.53*x.54))),
+                      sign(<x.51^(x.52*inv((x.53*x.54))), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(x.56, sign(<x.56, z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = s1.41
+         skTe  = (x.53*inv((x.52*x.63)))
+         z     = z.44
+         z.1   = x.51^inv((x.54*x.63))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.41, <IDc.33, r1.39, pkTe.37>, x.56)
+         z.5   = z.50
+    
+    289. IDc   = IDc.33
+         certC = cert(x.53^x.54, x.55, z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = inv((x.54*x.64))
+         z     = z.44
+         z.1   = x.53^inv(x.64)
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.53^x.54, z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    290. IDc   = IDc.33
+         certC = cert(x.53^x.54, x.55, z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.64*inv(x.54))
+         z     = z.44
+         z.1   = x.53^x.64
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.53^x.54, z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    291. IDc   = IDc.33
+         certC = cert(x.53^x.54, x.55, z.50)
+         certT = cert(pk(x.57), sign(<pk(x.57), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.63*inv((x.54*x.64)))
+         z     = z.44
+         z.1   = x.53^(x.63*inv(x.64))
+         z.2   = true
+         z.3   = verify(x.55, <x.53^x.54, z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    292. IDc   = IDc.33
+         certC = cert(x.53^x.54, sign(<x.53^x.54, z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.56), x.57, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.56)
+         skTe  = (x.63*inv((x.54*x.64)))
+         z     = z.44
+         z.1   = x.53^(x.63*inv(x.64))
+         z.2   = verify(x.57, <pk(x.56), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    293. IDc   = IDc.33
+         certC = cert(x.53^inv(x.54), x.55, z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = inv(x.64)
+         z     = z.44
+         z.1   = x.53^inv((x.54*x.64))
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.53^inv(x.54), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    294. IDc   = IDc.33
+         certC = cert(x.53^inv(x.54), x.55, z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.54*x.64)
+         z     = z.44
+         z.1   = x.53^x.64
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.53^inv(x.54), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    295. IDc   = IDc.33
+         certC = cert(x.53^inv(x.54), x.55, z.50)
+         certT = cert(pk(x.57), sign(<pk(x.57), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.63*inv(x.64))
+         z     = z.44
+         z.1   = x.53^(x.63*inv((x.54*x.64)))
+         z.2   = true
+         z.3   = verify(x.55, <x.53^inv(x.54), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    296. IDc   = IDc.33
+         certC = cert(x.53^inv(x.54), sign(<x.53^inv(x.54), z.50, 'chip'>, ca_sk),
+                      z.50)
+         certT = cert(pk(x.56), x.57, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.56)
+         skTe  = (x.63*inv(x.64))
+         z     = z.44
+         z.1   = x.53^(x.63*inv((x.54*x.64)))
+         z.2   = verify(x.57, <pk(x.56), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    297. IDc   = IDc.33
+         certC = cert(x.53^inv((x.54*x.55)), x.56, z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.54*x.64)
+         z     = z.44
+         z.1   = x.53^(x.64*inv(x.55))
+         z.2   = true
+         z.3   = verify(x.56, <x.53^inv((x.54*x.55)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    298. IDc   = IDc.33
+         certC = cert(x.53^inv((x.54*x.55)), x.56, z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.54*inv(x.64))
+         z     = z.44
+         z.1   = x.53^inv((x.55*x.64))
+         z.2   = true
+         z.3   = verify(x.56, <x.53^inv((x.54*x.55)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    299. IDc   = IDc.33
+         certC = cert(x.53^inv((x.54*x.55)),
+                      sign(<x.53^inv((x.54*x.55)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.54*x.64)
+         z     = z.44
+         z.1   = x.53^(x.64*inv(x.55))
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    300. IDc   = IDc.33
+         certC = cert(x.53^inv((x.54*x.55)),
+                      sign(<x.53^inv((x.54*x.55)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.54*inv(x.64))
+         z     = z.44
+         z.1   = x.53^inv((x.55*x.64))
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    301. IDc   = IDc.33
+         certC = cert(x.53^inv((x.54*x.55)),
+                      sign(<x.53^inv((x.54*x.55)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), sign(<pk(x.57), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.54*x.63*inv(x.64))
+         z     = z.44
+         z.1   = x.53^(x.63*inv((x.55*x.64)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    302. IDc   = IDc.33
+         certC = cert(x.53^(x.54*x.55), x.56, z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = inv((x.54*x.64))
+         z     = z.44
+         z.1   = x.53^(x.55*inv(x.64))
+         z.2   = true
+         z.3   = verify(x.56, <x.53^(x.54*x.55), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    303. IDc   = IDc.33
+         certC = cert(x.53^(x.54*x.55), x.56, z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.64*inv(x.54))
+         z     = z.44
+         z.1   = x.53^(x.55*x.64)
+         z.2   = true
+         z.3   = verify(x.56, <x.53^(x.54*x.55), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    304. IDc   = IDc.33
+         certC = cert(x.53^(x.54*x.55),
+                      sign(<x.53^(x.54*x.55), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = inv((x.54*x.64))
+         z     = z.44
+         z.1   = x.53^(x.55*inv(x.64))
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    305. IDc   = IDc.33
+         certC = cert(x.53^(x.54*x.55),
+                      sign(<x.53^(x.54*x.55), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.64*inv(x.54))
+         z     = z.44
+         z.1   = x.53^(x.55*x.64)
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    306. IDc   = IDc.33
+         certC = cert(x.53^(x.54*x.55),
+                      sign(<x.53^(x.54*x.55), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), sign(<pk(x.57), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.63*inv((x.54*x.64)))
+         z     = z.44
+         z.1   = x.53^(x.55*x.63*inv(x.64))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    307. IDc   = IDc.33
+         certC = cert(x.53^(x.54*x.55*inv(x.56)), x.57, z.50)
+         certT = cert(pk(x.59), x.60, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.59)
+         skTe  = (x.56*inv(x.55))
+         z     = z.44
+         z.1   = x.53^x.54
+         z.2   = verify(x.60, <pk(x.59), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.53^(x.54*x.55*inv(x.56)), z.50, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    308. IDc   = IDc.33
+         certC = cert(x.53^(x.54*x.55*inv(x.56)),
+                      sign(<x.53^(x.54*x.55*inv(x.56)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = inv((x.55*x.64))
+         z     = z.44
+         z.1   = x.53^(x.54*inv((x.56*x.64)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    309. IDc   = IDc.33
+         certC = cert(x.53^(x.54*x.55*inv(x.56)),
+                      sign(<x.53^(x.54*x.55*inv(x.56)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.56*x.64*inv(x.54))
+         z     = z.44
+         z.1   = x.53^(x.55*x.64)
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    310. IDc   = IDc.33
+         certC = cert(x.53^(x.54*x.55*inv(x.56)),
+                      sign(<x.53^(x.54*x.55*inv(x.56)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.56*inv((x.54*x.64)))
+         z     = z.44
+         z.1   = x.53^(x.55*inv(x.64))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    311. IDc   = IDc.33
+         certC = cert(x.53^(x.54*x.55*inv((x.56*x.57))), x.58, z.50)
+         certT = cert(pk(x.60), sign(<pk(x.60), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.60)
+         skTe  = (x.57*inv(x.55))
+         z     = z.44
+         z.1   = x.53^(x.54*inv(x.56))
+         z.2   = true
+         z.3   = verify(x.58, <x.53^(x.54*x.55*inv((x.56*x.57))), z.50, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    312. IDc   = IDc.33
+         certC = cert(x.53^(x.54*x.55*inv((x.56*x.57))),
+                      sign(<x.53^(x.54*x.55*inv((x.56*x.57))), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.59), x.60, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.59)
+         skTe  = (x.57*inv(x.55))
+         z     = z.44
+         z.1   = x.53^(x.54*inv(x.56))
+         z.2   = verify(x.60, <pk(x.59), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    313. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)), x.56, z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = inv(x.64)
+         z     = z.44
+         z.1   = x.53^(x.54*inv((x.55*x.64)))
+         z.2   = true
+         z.3   = verify(x.56, <x.53^(x.54*inv(x.55)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    314. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)), x.56, z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = inv((x.54*x.64))
+         z     = z.44
+         z.1   = x.53^inv((x.55*x.64))
+         z.2   = true
+         z.3   = verify(x.56, <x.53^(x.54*inv(x.55)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    315. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)), x.56, z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.55*x.64)
+         z     = z.44
+         z.1   = x.53^(x.54*x.64)
+         z.2   = true
+         z.3   = verify(x.56, <x.53^(x.54*inv(x.55)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    316. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)), x.56, z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.55*x.64*inv(x.54))
+         z     = z.44
+         z.1   = x.53^x.64
+         z.2   = true
+         z.3   = verify(x.56, <x.53^(x.54*inv(x.55)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    317. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)), x.56, z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.55*inv((x.54*x.64)))
+         z     = z.44
+         z.1   = x.53^inv(x.64)
+         z.2   = true
+         z.3   = verify(x.56, <x.53^(x.54*inv(x.55)), z.50, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    318. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)),
+                      sign(<x.53^(x.54*inv(x.55)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = inv(x.64)
+         z     = z.44
+         z.1   = x.53^(x.54*inv((x.55*x.64)))
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    319. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)),
+                      sign(<x.53^(x.54*inv(x.55)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = inv((x.54*x.64))
+         z     = z.44
+         z.1   = x.53^inv((x.55*x.64))
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    320. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)),
+                      sign(<x.53^(x.54*inv(x.55)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.55*x.64)
+         z     = z.44
+         z.1   = x.53^(x.54*x.64)
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    321. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)),
+                      sign(<x.53^(x.54*inv(x.55)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.55*x.64*inv(x.54))
+         z     = z.44
+         z.1   = x.53^x.64
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    322. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)),
+                      sign(<x.53^(x.54*inv(x.55)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), x.58, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.55*inv((x.54*x.64)))
+         z     = z.44
+         z.1   = x.53^inv(x.64)
+         z.2   = verify(x.58, <pk(x.57), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    323. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)),
+                      sign(<x.53^(x.54*inv(x.55)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), sign(<pk(x.57), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.55*x.63*inv((x.54*x.64)))
+         z     = z.44
+         z.1   = x.53^(x.63*inv(x.64))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    324. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)),
+                      sign(<x.53^(x.54*inv(x.55)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), sign(<pk(x.57), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.63*inv(x.64))
+         z     = z.44
+         z.1   = x.53^(x.54*x.63*inv((x.55*x.64)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    325. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv(x.55)),
+                      sign(<x.53^(x.54*inv(x.55)), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.57), sign(<pk(x.57), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.57)
+         skTe  = (x.63*inv((x.54*x.64)))
+         z     = z.44
+         z.1   = x.53^(x.63*inv((x.55*x.64)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    326. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv((skTe.42*x.55))), x.57, z.50)
+         certT = cert(pk(x.59), x.60, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.59)
+         skTe  = skTe.42
+         z     = z.44
+         z.1   = x.53^(x.54*inv(x.55))
+         z.2   = verify(x.60, <pk(x.59), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.53^(x.54*inv((skTe.42*x.55))), z.50, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    327. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv((x.55*x.56))), x.57, z.50)
+         certT = cert(pk(x.59), x.60, z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.59)
+         skTe  = (x.56*inv(x.54))
+         z     = z.44
+         z.1   = x.53^inv(x.55)
+         z.2   = verify(x.60, <pk(x.59), z.44, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.53^(x.54*inv((x.55*x.56))), z.50, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.50
+    
+    328. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv((x.55*x.56))),
+                      sign(<x.53^(x.54*inv((x.55*x.56))), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.55*x.64)
+         z     = z.44
+         z.1   = x.53^(x.54*x.64*inv(x.56))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    329. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv((x.55*x.56))),
+                      sign(<x.53^(x.54*inv((x.55*x.56))), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.55*x.64*inv(x.54))
+         z     = z.44
+         z.1   = x.53^(x.64*inv(x.56))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    330. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv((x.55*x.56))),
+                      sign(<x.53^(x.54*inv((x.55*x.56))), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.55*inv(x.64))
+         z     = z.44
+         z.1   = x.53^(x.54*inv((x.56*x.64)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    331. IDc   = IDc.33
+         certC = cert(x.53^(x.54*inv((x.55*x.56))),
+                      sign(<x.53^(x.54*inv((x.55*x.56))), z.50, 'chip'>, ca_sk), z.50)
+         certT = cert(pk(x.58), sign(<pk(x.58), z.44, 'terminal'>, ca_sk), z.44)
+         pkTe  = pkTe.37
+         r1    = r1.39
+         s1    = sign(<IDc.33, r1.39, pkTe.37>, x.58)
+         skTe  = (x.55*inv((x.54*x.64)))
+         z     = z.44
+         z.1   = x.53^inv((x.56*x.64))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.50
+    
+    332. IDc   = IDc.34
+         certC = cert(x.52^x.53, x.54, z.51)
+         certT = cert(x.56, x.57, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.64*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.64*inv(x.65))
+         z.2   = verify(x.57, <x.56, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.52^x.53, z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.56)
+         z.5   = z.51
+    
+    333. IDc   = IDc.34
+         certC = cert(x.52^inv(x.53), x.54, z.51)
+         certT = cert(x.56, x.57, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.64*inv(x.65))
+         z     = z.45
+         z.1   = x.52^(x.64*inv((x.53*x.65)))
+         z.2   = verify(x.57, <x.56, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.54, <x.52^inv(x.53), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.56)
+         z.5   = z.51
+    
+    334. IDc   = IDc.34
+         certC = cert(x.52^inv((x.53*x.54)), x.55, z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.53*x.65)
+         z     = z.45
+         z.1   = x.52^(x.65*inv(x.54))
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^inv((x.53*x.54)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    335. IDc   = IDc.34
+         certC = cert(x.52^inv((x.53*x.54)), x.55, z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.53*inv(x.65))
+         z     = z.45
+         z.1   = x.52^inv((x.54*x.65))
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^inv((x.53*x.54)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    336. IDc   = IDc.34
+         certC = cert(x.52^inv((x.53*x.54)), x.55, z.51)
+         certT = cert(x.57, sign(<x.57, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.53*x.64*inv(x.65))
+         z     = z.45
+         z.1   = x.52^(x.64*inv((x.54*x.65)))
+         z.2   = true
+         z.3   = verify(x.55, <x.52^inv((x.53*x.54)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    337. IDc   = IDc.34
+         certC = cert(x.52^inv((x.53*x.54)),
+                      sign(<x.52^inv((x.53*x.54)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.56, x.57, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.53*x.64*inv(x.65))
+         z     = z.45
+         z.1   = x.52^(x.64*inv((x.54*x.65)))
+         z.2   = verify(x.57, <x.56, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.56)
+         z.5   = z.51
+    
+    338. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54), x.55, z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = inv((x.53*x.65))
+         z     = z.45
+         z.1   = x.52^(x.54*inv(x.65))
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^(x.53*x.54), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    339. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54), x.55, z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.65*inv(x.53))
+         z     = z.45
+         z.1   = x.52^(x.54*x.65)
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^(x.53*x.54), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    340. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54), x.55, z.51)
+         certT = cert(x.57, sign(<x.57, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.64*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.54*x.64*inv(x.65))
+         z.2   = true
+         z.3   = verify(x.55, <x.52^(x.53*x.54), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    341. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54),
+                      sign(<x.52^(x.53*x.54), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.56, x.57, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.64*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.54*x.64*inv(x.65))
+         z.2   = verify(x.57, <x.56, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.56)
+         z.5   = z.51
+    
+    342. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv(x.55)), x.56, z.51)
+         certT = certT.37
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.55*x.64*inv((x.53*x.65)))
+         z     = cert_id(certT.37)
+         z.1   = x.52^(x.54*x.64*inv(x.65))
+         z.2   = verify(cert_sig(certT.37),
+                        <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.56, <x.52^(x.53*x.54*inv(x.55)), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, cert_pk(certT.37))
+         z.5   = z.51
+    
+    343. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv(x.55)), x.56, z.51)
+         certT = certT.37
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.64*inv((x.53*x.65)))
+         z     = cert_id(certT.37)
+         z.1   = x.52^(x.54*x.64*inv((x.55*x.65)))
+         z.2   = verify(cert_sig(certT.37),
+                        <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.56, <x.52^(x.53*x.54*inv(x.55)), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, cert_pk(certT.37))
+         z.5   = z.51
+    
+    344. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv(x.55)), x.56, z.51)
+         certT = cert(x.58, sign(<x.58, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = inv((x.54*x.65))
+         z     = z.45
+         z.1   = x.52^(x.53*inv((x.55*x.65)))
+         z.2   = true
+         z.3   = verify(x.56, <x.52^(x.53*x.54*inv(x.55)), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.58)
+         z.5   = z.51
+    
+    345. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv(x.55)), x.56, z.51)
+         certT = cert(x.58, sign(<x.58, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.55*x.65*inv(x.53))
+         z     = z.45
+         z.1   = x.52^(x.54*x.65)
+         z.2   = true
+         z.3   = verify(x.56, <x.52^(x.53*x.54*inv(x.55)), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.58)
+         z.5   = z.51
+    
+    346. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv(x.55)), x.56, z.51)
+         certT = cert(x.58, sign(<x.58, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.55*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.54*inv(x.65))
+         z.2   = true
+         z.3   = verify(x.56, <x.52^(x.53*x.54*inv(x.55)), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.58)
+         z.5   = z.51
+    
+    347. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv(x.55)),
+                      sign(<x.52^(x.53*x.54*inv(x.55)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = inv((x.54*x.65))
+         z     = z.45
+         z.1   = x.52^(x.53*inv((x.55*x.65)))
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    348. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv(x.55)),
+                      sign(<x.52^(x.53*x.54*inv(x.55)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.55*x.65*inv(x.53))
+         z     = z.45
+         z.1   = x.52^(x.54*x.65)
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    349. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv(x.55)),
+                      sign(<x.52^(x.53*x.54*inv(x.55)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.55*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.54*inv(x.65))
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    350. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv(x.55)),
+                      sign(<x.52^(x.53*x.54*inv(x.55)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.57, sign(<x.57, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.55*x.64*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.54*x.64*inv(x.65))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    351. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv(x.55)),
+                      sign(<x.52^(x.53*x.54*inv(x.55)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.57, sign(<x.57, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.64*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.54*x.64*inv((x.55*x.65)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    352. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv((x.55*x.56))), x.57, z.51)
+         certT = certT.37
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.55*x.65*inv(x.53))
+         z     = cert_id(certT.37)
+         z.1   = x.52^(x.54*x.65*inv(x.56))
+         z.2   = verify(cert_sig(certT.37),
+                        <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.52^(x.53*x.54*inv((x.55*x.56))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, cert_pk(certT.37))
+         z.5   = z.51
+    
+    353. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv((x.55*x.56))), x.57, z.51)
+         certT = certT.37
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.55*inv((x.53*x.65)))
+         z     = cert_id(certT.37)
+         z.1   = x.52^(x.54*inv((x.56*x.65)))
+         z.2   = verify(cert_sig(certT.37),
+                        <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.52^(x.53*x.54*inv((x.55*x.56))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, cert_pk(certT.37))
+         z.5   = z.51
+    
+    354. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv((x.55*x.56))),
+                      sign(<x.52^(x.53*x.54*inv((x.55*x.56))), z.51, 'chip'>, ca_sk), z.51)
+         certT = certT.37
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.55*x.64*inv((x.53*x.65)))
+         z     = cert_id(certT.37)
+         z.1   = x.52^(x.54*x.64*inv((x.56*x.65)))
+         z.2   = verify(cert_sig(certT.37),
+                        <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, cert_pk(certT.37))
+         z.5   = z.51
+    
+    355. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv((x.55*x.56))),
+                      sign(<x.52^(x.53*x.54*inv((x.55*x.56))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.58, sign(<x.58, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.55*x.65*inv(x.53))
+         z     = z.45
+         z.1   = x.52^(x.54*x.65*inv(x.56))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.58)
+         z.5   = z.51
+    
+    356. IDc   = IDc.34
+         certC = cert(x.52^(x.53*x.54*inv((x.55*x.56))),
+                      sign(<x.52^(x.53*x.54*inv((x.55*x.56))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.58, sign(<x.58, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.55*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.54*inv((x.56*x.65)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.58)
+         z.5   = z.51
+    
+    357. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv(x.54)), x.55, z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = inv(x.65)
+         z     = z.45
+         z.1   = x.52^(x.53*inv((x.54*x.65)))
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^(x.53*inv(x.54)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    358. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv(x.54)), x.55, z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = inv((x.53*x.65))
+         z     = z.45
+         z.1   = x.52^inv((x.54*x.65))
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^(x.53*inv(x.54)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    359. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv(x.54)), x.55, z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.65)
+         z     = z.45
+         z.1   = x.52^(x.53*x.65)
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^(x.53*inv(x.54)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    360. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv(x.54)), x.55, z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.65*inv(x.53))
+         z     = z.45
+         z.1   = x.52^x.65
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^(x.53*inv(x.54)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    361. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv(x.54)), x.55, z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^inv(x.65)
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.55, <x.52^(x.53*inv(x.54)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    362. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv(x.54)), x.55, z.51)
+         certT = cert(x.57, sign(<x.57, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.64*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.64*inv(x.65))
+         z.2   = true
+         z.3   = verify(x.55, <x.52^(x.53*inv(x.54)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    363. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv(x.54)), x.55, z.51)
+         certT = cert(x.57, sign(<x.57, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.64*inv(x.65))
+         z     = z.45
+         z.1   = x.52^(x.53*x.64*inv((x.54*x.65)))
+         z.2   = true
+         z.3   = verify(x.55, <x.52^(x.53*inv(x.54)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    364. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv(x.54)), x.55, z.51)
+         certT = cert(x.57, sign(<x.57, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.64*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.64*inv((x.54*x.65)))
+         z.2   = true
+         z.3   = verify(x.55, <x.52^(x.53*inv(x.54)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    365. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv(x.54)),
+                      sign(<x.52^(x.53*inv(x.54)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.56, x.57, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.64*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.64*inv(x.65))
+         z.2   = verify(x.57, <x.56, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.56)
+         z.5   = z.51
+    
+    366. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv(x.54)),
+                      sign(<x.52^(x.53*inv(x.54)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.56, x.57, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.64*inv(x.65))
+         z     = z.45
+         z.1   = x.52^(x.53*x.64*inv((x.54*x.65)))
+         z.2   = verify(x.57, <x.56, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.56)
+         z.5   = z.51
+    
+    367. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv(x.54)),
+                      sign(<x.52^(x.53*inv(x.54)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.56, x.57, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.64*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.64*inv((x.54*x.65)))
+         z.2   = verify(x.57, <x.56, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.56)
+         z.5   = z.51
+    
+    368. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))), x.56, z.51)
+         certT = certT.37
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.64*inv(x.65))
+         z     = cert_id(certT.37)
+         z.1   = x.52^(x.53*x.64*inv((x.55*x.65)))
+         z.2   = verify(cert_sig(certT.37),
+                        <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.56, <x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, cert_pk(certT.37))
+         z.5   = z.51
+    
+    369. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))), x.56, z.51)
+         certT = certT.37
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.64*inv((x.53*x.65)))
+         z     = cert_id(certT.37)
+         z.1   = x.52^(x.64*inv((x.55*x.65)))
+         z.2   = verify(cert_sig(certT.37),
+                        <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.56, <x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, cert_pk(certT.37))
+         z.5   = z.51
+    
+    370. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))), x.56, z.51)
+         certT = cert(x.58, sign(<x.58, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.65)
+         z     = z.45
+         z.1   = x.52^(x.53*x.65*inv(x.55))
+         z.2   = true
+         z.3   = verify(x.56, <x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.58)
+         z.5   = z.51
+    
+    371. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))), x.56, z.51)
+         certT = cert(x.58, sign(<x.58, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.65*inv(x.53))
+         z     = z.45
+         z.1   = x.52^(x.65*inv(x.55))
+         z.2   = true
+         z.3   = verify(x.56, <x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.58)
+         z.5   = z.51
+    
+    372. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))), x.56, z.51)
+         certT = cert(x.58, sign(<x.58, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*inv(x.65))
+         z     = z.45
+         z.1   = x.52^(x.53*inv((x.55*x.65)))
+         z.2   = true
+         z.3   = verify(x.56, <x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.58)
+         z.5   = z.51
+    
+    373. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))), x.56, z.51)
+         certT = cert(x.58, sign(<x.58, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^inv((x.55*x.65))
+         z.2   = true
+         z.3   = verify(x.56, <x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.58)
+         z.5   = z.51
+    
+    374. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))),
+                      sign(<x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.65)
+         z     = z.45
+         z.1   = x.52^(x.53*x.65*inv(x.55))
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    375. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))),
+                      sign(<x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.65*inv(x.53))
+         z     = z.45
+         z.1   = x.52^(x.65*inv(x.55))
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    376. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))),
+                      sign(<x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*inv(x.65))
+         z     = z.45
+         z.1   = x.52^(x.53*inv((x.55*x.65)))
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    377. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))),
+                      sign(<x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.57, x.58, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^inv((x.55*x.65))
+         z.2   = verify(x.58, <x.57, z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    378. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))),
+                      sign(<x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.57, sign(<x.57, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.64*inv(x.65))
+         z     = z.45
+         z.1   = x.52^(x.53*x.64*inv((x.55*x.65)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    379. IDc   = IDc.34
+         certC = cert(x.52^(x.53*inv((x.54*x.55))),
+                      sign(<x.52^(x.53*inv((x.54*x.55))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(x.57, sign(<x.57, z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = s1.42
+         skTe  = (x.54*x.64*inv((x.53*x.65)))
+         z     = z.45
+         z.1   = x.52^(x.64*inv((x.55*x.65)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.42, <IDc.34, r1.40, pkTe.38>, x.57)
+         z.5   = z.51
+    
+    380. IDc   = IDc.34
+         certC = cert(x.54^x.55, x.56, z.51)
+         certT = cert(pk(x.58), x.59, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.58)
+         skTe  = (x.65*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.65*inv(x.66))
+         z.2   = verify(x.59, <pk(x.58), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.56, <x.54^x.55, z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    381. IDc   = IDc.34
+         certC = cert(x.54^inv(x.55), x.56, z.51)
+         certT = cert(pk(x.58), x.59, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.58)
+         skTe  = (x.65*inv(x.66))
+         z     = z.45
+         z.1   = x.54^(x.65*inv((x.55*x.66)))
+         z.2   = verify(x.59, <pk(x.58), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.56, <x.54^inv(x.55), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    382. IDc   = IDc.34
+         certC = cert(x.54^inv((x.55*x.56)), x.57, z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.55*x.66)
+         z     = z.45
+         z.1   = x.54^(x.66*inv(x.56))
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.54^inv((x.55*x.56)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    383. IDc   = IDc.34
+         certC = cert(x.54^inv((x.55*x.56)), x.57, z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.55*inv(x.66))
+         z     = z.45
+         z.1   = x.54^inv((x.56*x.66))
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.54^inv((x.55*x.56)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    384. IDc   = IDc.34
+         certC = cert(x.54^inv((x.55*x.56)), x.57, z.51)
+         certT = cert(pk(x.59), sign(<pk(x.59), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.55*x.65*inv(x.66))
+         z     = z.45
+         z.1   = x.54^(x.65*inv((x.56*x.66)))
+         z.2   = true
+         z.3   = verify(x.57, <x.54^inv((x.55*x.56)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    385. IDc   = IDc.34
+         certC = cert(x.54^inv((x.55*x.56)),
+                      sign(<x.54^inv((x.55*x.56)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.58), x.59, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.58)
+         skTe  = (x.55*x.65*inv(x.66))
+         z     = z.45
+         z.1   = x.54^(x.65*inv((x.56*x.66)))
+         z.2   = verify(x.59, <pk(x.58), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    386. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56), x.57, z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = inv((x.55*x.66))
+         z     = z.45
+         z.1   = x.54^(x.56*inv(x.66))
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.54^(x.55*x.56), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    387. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56), x.57, z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.66*inv(x.55))
+         z     = z.45
+         z.1   = x.54^(x.56*x.66)
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.54^(x.55*x.56), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    388. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56), x.57, z.51)
+         certT = cert(pk(x.59), sign(<pk(x.59), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.65*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.56*x.65*inv(x.66))
+         z.2   = true
+         z.3   = verify(x.57, <x.54^(x.55*x.56), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    389. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56),
+                      sign(<x.54^(x.55*x.56), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.58), x.59, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.58)
+         skTe  = (x.65*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.56*x.65*inv(x.66))
+         z.2   = verify(x.59, <pk(x.58), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    390. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56*inv(x.57)), x.58, z.51)
+         certT = cert(pk(x.60), sign(<pk(x.60), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.60)
+         skTe  = inv((x.56*x.66))
+         z     = z.45
+         z.1   = x.54^(x.55*inv((x.57*x.66)))
+         z.2   = true
+         z.3   = verify(x.58, <x.54^(x.55*x.56*inv(x.57)), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    391. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56*inv(x.57)), x.58, z.51)
+         certT = cert(pk(x.60), sign(<pk(x.60), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.60)
+         skTe  = (x.57*x.66*inv(x.55))
+         z     = z.45
+         z.1   = x.54^(x.56*x.66)
+         z.2   = true
+         z.3   = verify(x.58, <x.54^(x.55*x.56*inv(x.57)), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    392. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56*inv(x.57)), x.58, z.51)
+         certT = cert(pk(x.60), sign(<pk(x.60), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.60)
+         skTe  = (x.57*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.56*inv(x.66))
+         z.2   = true
+         z.3   = verify(x.58, <x.54^(x.55*x.56*inv(x.57)), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    393. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56*inv(x.57)),
+                      sign(<x.54^(x.55*x.56*inv(x.57)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = inv((x.56*x.66))
+         z     = z.45
+         z.1   = x.54^(x.55*inv((x.57*x.66)))
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    394. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56*inv(x.57)),
+                      sign(<x.54^(x.55*x.56*inv(x.57)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.57*x.66*inv(x.55))
+         z     = z.45
+         z.1   = x.54^(x.56*x.66)
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    395. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56*inv(x.57)),
+                      sign(<x.54^(x.55*x.56*inv(x.57)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.57*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.56*inv(x.66))
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    396. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56*inv(x.57)),
+                      sign(<x.54^(x.55*x.56*inv(x.57)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.59), sign(<pk(x.59), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.57*x.65*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.56*x.65*inv(x.66))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    397. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56*inv(x.57)),
+                      sign(<x.54^(x.55*x.56*inv(x.57)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.59), sign(<pk(x.59), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.65*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.56*x.65*inv((x.57*x.66)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    398. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56*inv((x.57*x.58))), x.59, z.51)
+         certT = cert(pk(x.61), x.62, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.61)
+         skTe  = (x.58*inv(x.56))
+         z     = z.45
+         z.1   = x.54^(x.55*inv(x.57))
+         z.2   = verify(x.62, <pk(x.61), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.59, <x.54^(x.55*x.56*inv((x.57*x.58))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    399. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56*inv((x.57*x.58))),
+                      sign(<x.54^(x.55*x.56*inv((x.57*x.58))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.60), sign(<pk(x.60), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.60)
+         skTe  = (x.57*x.66*inv(x.55))
+         z     = z.45
+         z.1   = x.54^(x.56*x.66*inv(x.58))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    400. IDc   = IDc.34
+         certC = cert(x.54^(x.55*x.56*inv((x.57*x.58))),
+                      sign(<x.54^(x.55*x.56*inv((x.57*x.58))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.60), sign(<pk(x.60), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.60)
+         skTe  = (x.57*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.56*inv((x.58*x.66)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    401. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv(x.56)), x.57, z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = inv(x.66)
+         z     = z.45
+         z.1   = x.54^(x.55*inv((x.56*x.66)))
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.54^(x.55*inv(x.56)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    402. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv(x.56)), x.57, z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = inv((x.55*x.66))
+         z     = z.45
+         z.1   = x.54^inv((x.56*x.66))
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.54^(x.55*inv(x.56)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    403. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv(x.56)), x.57, z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.56*x.66)
+         z     = z.45
+         z.1   = x.54^(x.55*x.66)
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.54^(x.55*inv(x.56)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    404. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv(x.56)), x.57, z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.56*x.66*inv(x.55))
+         z     = z.45
+         z.1   = x.54^x.66
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.54^(x.55*inv(x.56)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    405. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv(x.56)), x.57, z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.56*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^inv(x.66)
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.54^(x.55*inv(x.56)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    406. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv(x.56)), x.57, z.51)
+         certT = cert(pk(x.59), sign(<pk(x.59), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.56*x.65*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.65*inv(x.66))
+         z.2   = true
+         z.3   = verify(x.57, <x.54^(x.55*inv(x.56)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    407. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv(x.56)), x.57, z.51)
+         certT = cert(pk(x.59), sign(<pk(x.59), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.65*inv(x.66))
+         z     = z.45
+         z.1   = x.54^(x.55*x.65*inv((x.56*x.66)))
+         z.2   = true
+         z.3   = verify(x.57, <x.54^(x.55*inv(x.56)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    408. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv(x.56)), x.57, z.51)
+         certT = cert(pk(x.59), sign(<pk(x.59), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.65*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.65*inv((x.56*x.66)))
+         z.2   = true
+         z.3   = verify(x.57, <x.54^(x.55*inv(x.56)), z.51, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    409. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv(x.56)),
+                      sign(<x.54^(x.55*inv(x.56)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.58), x.59, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.58)
+         skTe  = (x.56*x.65*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.65*inv(x.66))
+         z.2   = verify(x.59, <pk(x.58), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    410. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv(x.56)),
+                      sign(<x.54^(x.55*inv(x.56)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.58), x.59, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.58)
+         skTe  = (x.65*inv(x.66))
+         z     = z.45
+         z.1   = x.54^(x.55*x.65*inv((x.56*x.66)))
+         z.2   = verify(x.59, <pk(x.58), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    411. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv(x.56)),
+                      sign(<x.54^(x.55*inv(x.56)), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.58), x.59, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.58)
+         skTe  = (x.65*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.65*inv((x.56*x.66)))
+         z.2   = verify(x.59, <pk(x.58), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    412. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv((x.56*x.57))), x.58, z.51)
+         certT = cert(pk(x.60), sign(<pk(x.60), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.60)
+         skTe  = (x.56*x.66)
+         z     = z.45
+         z.1   = x.54^(x.55*x.66*inv(x.57))
+         z.2   = true
+         z.3   = verify(x.58, <x.54^(x.55*inv((x.56*x.57))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    413. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv((x.56*x.57))), x.58, z.51)
+         certT = cert(pk(x.60), sign(<pk(x.60), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.60)
+         skTe  = (x.56*x.66*inv(x.55))
+         z     = z.45
+         z.1   = x.54^(x.66*inv(x.57))
+         z.2   = true
+         z.3   = verify(x.58, <x.54^(x.55*inv((x.56*x.57))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    414. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv((x.56*x.57))), x.58, z.51)
+         certT = cert(pk(x.60), sign(<pk(x.60), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.60)
+         skTe  = (x.56*inv(x.66))
+         z     = z.45
+         z.1   = x.54^(x.55*inv((x.57*x.66)))
+         z.2   = true
+         z.3   = verify(x.58, <x.54^(x.55*inv((x.56*x.57))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    415. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv((x.56*x.57))), x.58, z.51)
+         certT = cert(pk(x.60), sign(<pk(x.60), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.60)
+         skTe  = (x.56*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^inv((x.57*x.66))
+         z.2   = true
+         z.3   = verify(x.58, <x.54^(x.55*inv((x.56*x.57))), z.51, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.51
+    
+    416. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv((x.56*x.57))),
+                      sign(<x.54^(x.55*inv((x.56*x.57))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.56*x.66)
+         z     = z.45
+         z.1   = x.54^(x.55*x.66*inv(x.57))
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    417. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv((x.56*x.57))),
+                      sign(<x.54^(x.55*inv((x.56*x.57))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.56*x.66*inv(x.55))
+         z     = z.45
+         z.1   = x.54^(x.66*inv(x.57))
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    418. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv((x.56*x.57))),
+                      sign(<x.54^(x.55*inv((x.56*x.57))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.56*inv(x.66))
+         z     = z.45
+         z.1   = x.54^(x.55*inv((x.57*x.66)))
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    419. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv((x.56*x.57))),
+                      sign(<x.54^(x.55*inv((x.56*x.57))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.59), x.60, z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.56*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^inv((x.57*x.66))
+         z.2   = verify(x.60, <pk(x.59), z.45, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    420. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv((x.56*x.57))),
+                      sign(<x.54^(x.55*inv((x.56*x.57))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.59), sign(<pk(x.59), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.56*x.65*inv(x.66))
+         z     = z.45
+         z.1   = x.54^(x.55*x.65*inv((x.57*x.66)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    421. IDc   = IDc.34
+         certC = cert(x.54^(x.55*inv((x.56*x.57))),
+                      sign(<x.54^(x.55*inv((x.56*x.57))), z.51, 'chip'>, ca_sk), z.51)
+         certT = cert(pk(x.59), sign(<pk(x.59), z.45, 'terminal'>, ca_sk), z.45)
+         pkTe  = pkTe.38
+         r1    = r1.40
+         s1    = sign(<IDc.34, r1.40, pkTe.38>, x.59)
+         skTe  = (x.56*x.65*inv((x.55*x.66)))
+         z     = z.45
+         z.1   = x.54^(x.65*inv((x.57*x.66)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.51
+    
+    422. IDc   = IDc.35
+         certC = cert(x.53^inv((x.54*x.55)), x.56, z.52)
+         certT = cert(x.58, x.59, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.54*x.66*inv(x.67))
+         z     = z.46
+         z.1   = x.53^(x.66*inv((x.55*x.67)))
+         z.2   = verify(x.59, <x.58, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.56, <x.53^inv((x.54*x.55)), z.52, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.58)
+         z.5   = z.52
+    
+    423. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55), x.56, z.52)
+         certT = cert(x.58, x.59, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.66*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.55*x.66*inv(x.67))
+         z.2   = verify(x.59, <x.58, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.56, <x.53^(x.54*x.55), z.52, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.58)
+         z.5   = z.52
+    
+    424. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv(x.56)), x.57, z.52)
+         certT = cert(x.59, x.60, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = inv((x.55*x.67))
+         z     = z.46
+         z.1   = x.53^(x.54*inv((x.56*x.67)))
+         z.2   = verify(x.60, <x.59, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.53^(x.54*x.55*inv(x.56)), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    425. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv(x.56)), x.57, z.52)
+         certT = cert(x.59, x.60, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.56*x.67*inv(x.54))
+         z     = z.46
+         z.1   = x.53^(x.55*x.67)
+         z.2   = verify(x.60, <x.59, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.53^(x.54*x.55*inv(x.56)), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    426. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv(x.56)), x.57, z.52)
+         certT = cert(x.59, x.60, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.56*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.55*inv(x.67))
+         z.2   = verify(x.60, <x.59, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.53^(x.54*x.55*inv(x.56)), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    427. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv(x.56)), x.57, z.52)
+         certT = cert(x.59, sign(<x.59, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.56*x.66*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.55*x.66*inv(x.67))
+         z.2   = true
+         z.3   = verify(x.57, <x.53^(x.54*x.55*inv(x.56)), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    428. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv(x.56)), x.57, z.52)
+         certT = cert(x.59, sign(<x.59, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.66*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.55*x.66*inv((x.56*x.67)))
+         z.2   = true
+         z.3   = verify(x.57, <x.53^(x.54*x.55*inv(x.56)), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    429. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv(x.56)),
+                      sign(<x.53^(x.54*x.55*inv(x.56)), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(x.58, x.59, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.56*x.66*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.55*x.66*inv(x.67))
+         z.2   = verify(x.59, <x.58, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.58)
+         z.5   = z.52
+    
+    430. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv(x.56)),
+                      sign(<x.53^(x.54*x.55*inv(x.56)), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(x.58, x.59, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.66*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.55*x.66*inv((x.56*x.67)))
+         z.2   = verify(x.59, <x.58, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.58)
+         z.5   = z.52
+    
+    431. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv((x.56*x.57))), x.58, z.52)
+         certT = certT.38
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.56*x.66*inv((x.54*x.67)))
+         z     = cert_id(certT.38)
+         z.1   = x.53^(x.55*x.66*inv((x.57*x.67)))
+         z.2   = verify(cert_sig(certT.38),
+                        <cert_pk(certT.38), cert_id(certT.38), 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.58, <x.53^(x.54*x.55*inv((x.56*x.57))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, cert_pk(certT.38))
+         z.5   = z.52
+    
+    432. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv((x.56*x.57))), x.58, z.52)
+         certT = cert(x.60, sign(<x.60, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.56*x.67*inv(x.54))
+         z     = z.46
+         z.1   = x.53^(x.55*x.67*inv(x.57))
+         z.2   = true
+         z.3   = verify(x.58, <x.53^(x.54*x.55*inv((x.56*x.57))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.60)
+         z.5   = z.52
+    
+    433. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv((x.56*x.57))), x.58, z.52)
+         certT = cert(x.60, sign(<x.60, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.56*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.55*inv((x.57*x.67)))
+         z.2   = true
+         z.3   = verify(x.58, <x.53^(x.54*x.55*inv((x.56*x.57))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.60)
+         z.5   = z.52
+    
+    434. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv((x.56*x.57))),
+                      sign(<x.53^(x.54*x.55*inv((x.56*x.57))), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(x.59, x.60, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.56*x.67*inv(x.54))
+         z     = z.46
+         z.1   = x.53^(x.55*x.67*inv(x.57))
+         z.2   = verify(x.60, <x.59, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    435. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv((x.56*x.57))),
+                      sign(<x.53^(x.54*x.55*inv((x.56*x.57))), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(x.59, x.60, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.56*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.55*inv((x.57*x.67)))
+         z.2   = verify(x.60, <x.59, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    436. IDc   = IDc.35
+         certC = cert(x.53^(x.54*x.55*inv((x.56*x.57))),
+                      sign(<x.53^(x.54*x.55*inv((x.56*x.57))), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(x.59, sign(<x.59, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.56*x.66*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.55*x.66*inv((x.57*x.67)))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    437. IDc   = IDc.35
+         certC = cert(x.53^(x.54*inv(x.55)), x.56, z.52)
+         certT = cert(x.58, x.59, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.55*x.66*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.66*inv(x.67))
+         z.2   = verify(x.59, <x.58, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.56, <x.53^(x.54*inv(x.55)), z.52, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.58)
+         z.5   = z.52
+    
+    438. IDc   = IDc.35
+         certC = cert(x.53^(x.54*inv(x.55)), x.56, z.52)
+         certT = cert(x.58, x.59, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.66*inv(x.67))
+         z     = z.46
+         z.1   = x.53^(x.54*x.66*inv((x.55*x.67)))
+         z.2   = verify(x.59, <x.58, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.56, <x.53^(x.54*inv(x.55)), z.52, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.58)
+         z.5   = z.52
+    
+    439. IDc   = IDc.35
+         certC = cert(x.53^(x.54*inv(x.55)), x.56, z.52)
+         certT = cert(x.58, x.59, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.66*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.66*inv((x.55*x.67)))
+         z.2   = verify(x.59, <x.58, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.56, <x.53^(x.54*inv(x.55)), z.52, 'chip'>, pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.58)
+         z.5   = z.52
+    
+    440. IDc   = IDc.35
+         certC = cert(x.53^(x.54*inv((x.55*x.56))), x.57, z.52)
+         certT = cert(x.59, x.60, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.55*x.67)
+         z     = z.46
+         z.1   = x.53^(x.54*x.67*inv(x.56))
+         z.2   = verify(x.60, <x.59, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.53^(x.54*inv((x.55*x.56))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    441. IDc   = IDc.35
+         certC = cert(x.53^(x.54*inv((x.55*x.56))), x.57, z.52)
+         certT = cert(x.59, x.60, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.55*x.67*inv(x.54))
+         z     = z.46
+         z.1   = x.53^(x.67*inv(x.56))
+         z.2   = verify(x.60, <x.59, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.53^(x.54*inv((x.55*x.56))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    442. IDc   = IDc.35
+         certC = cert(x.53^(x.54*inv((x.55*x.56))), x.57, z.52)
+         certT = cert(x.59, x.60, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.55*inv(x.67))
+         z     = z.46
+         z.1   = x.53^(x.54*inv((x.56*x.67)))
+         z.2   = verify(x.60, <x.59, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.53^(x.54*inv((x.55*x.56))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    443. IDc   = IDc.35
+         certC = cert(x.53^(x.54*inv((x.55*x.56))), x.57, z.52)
+         certT = cert(x.59, x.60, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.55*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^inv((x.56*x.67))
+         z.2   = verify(x.60, <x.59, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.57, <x.53^(x.54*inv((x.55*x.56))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    444. IDc   = IDc.35
+         certC = cert(x.53^(x.54*inv((x.55*x.56))), x.57, z.52)
+         certT = cert(x.59, sign(<x.59, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.55*x.66*inv(x.67))
+         z     = z.46
+         z.1   = x.53^(x.54*x.66*inv((x.56*x.67)))
+         z.2   = true
+         z.3   = verify(x.57, <x.53^(x.54*inv((x.55*x.56))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    445. IDc   = IDc.35
+         certC = cert(x.53^(x.54*inv((x.55*x.56))), x.57, z.52)
+         certT = cert(x.59, sign(<x.59, z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.55*x.66*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.66*inv((x.56*x.67)))
+         z.2   = true
+         z.3   = verify(x.57, <x.53^(x.54*inv((x.55*x.56))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.59)
+         z.5   = z.52
+    
+    446. IDc   = IDc.35
+         certC = cert(x.53^(x.54*inv((x.55*x.56))),
+                      sign(<x.53^(x.54*inv((x.55*x.56))), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(x.58, x.59, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.55*x.66*inv(x.67))
+         z     = z.46
+         z.1   = x.53^(x.54*x.66*inv((x.56*x.67)))
+         z.2   = verify(x.59, <x.58, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.58)
+         z.5   = z.52
+    
+    447. IDc   = IDc.35
+         certC = cert(x.53^(x.54*inv((x.55*x.56))),
+                      sign(<x.53^(x.54*inv((x.55*x.56))), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(x.58, x.59, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = s1.43
+         skTe  = (x.55*x.66*inv((x.54*x.67)))
+         z     = z.46
+         z.1   = x.53^(x.66*inv((x.56*x.67)))
+         z.2   = verify(x.59, <x.58, z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.43, <IDc.35, r1.41, pkTe.39>, x.58)
+         z.5   = z.52
+    
+    448. IDc   = IDc.35
+         certC = cert(x.55^inv((x.56*x.57)), x.58, z.52)
+         certT = cert(pk(x.60), x.61, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.60)
+         skTe  = (x.56*x.67*inv(x.68))
+         z     = z.46
+         z.1   = x.55^(x.67*inv((x.57*x.68)))
+         z.2   = verify(x.61, <pk(x.60), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.58, <x.55^inv((x.56*x.57)), z.52, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    449. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57), x.58, z.52)
+         certT = cert(pk(x.60), x.61, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.60)
+         skTe  = (x.67*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.57*x.67*inv(x.68))
+         z.2   = verify(x.61, <pk(x.60), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.58, <x.55^(x.56*x.57), z.52, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    450. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv(x.58)), x.59, z.52)
+         certT = cert(pk(x.61), x.62, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = inv((x.57*x.68))
+         z     = z.46
+         z.1   = x.55^(x.56*inv((x.58*x.68)))
+         z.2   = verify(x.62, <pk(x.61), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.59, <x.55^(x.56*x.57*inv(x.58)), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    451. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv(x.58)), x.59, z.52)
+         certT = cert(pk(x.61), x.62, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.58*x.68*inv(x.56))
+         z     = z.46
+         z.1   = x.55^(x.57*x.68)
+         z.2   = verify(x.62, <pk(x.61), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.59, <x.55^(x.56*x.57*inv(x.58)), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    452. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv(x.58)), x.59, z.52)
+         certT = cert(pk(x.61), x.62, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.58*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.57*inv(x.68))
+         z.2   = verify(x.62, <pk(x.61), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.59, <x.55^(x.56*x.57*inv(x.58)), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    453. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv(x.58)), x.59, z.52)
+         certT = cert(pk(x.61), sign(<pk(x.61), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.58*x.67*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.57*x.67*inv(x.68))
+         z.2   = true
+         z.3   = verify(x.59, <x.55^(x.56*x.57*inv(x.58)), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    454. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv(x.58)), x.59, z.52)
+         certT = cert(pk(x.61), sign(<pk(x.61), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.67*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.57*x.67*inv((x.58*x.68)))
+         z.2   = true
+         z.3   = verify(x.59, <x.55^(x.56*x.57*inv(x.58)), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    455. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv(x.58)),
+                      sign(<x.55^(x.56*x.57*inv(x.58)), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(pk(x.60), x.61, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.60)
+         skTe  = (x.58*x.67*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.57*x.67*inv(x.68))
+         z.2   = verify(x.61, <pk(x.60), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.52
+    
+    456. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv(x.58)),
+                      sign(<x.55^(x.56*x.57*inv(x.58)), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(pk(x.60), x.61, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.60)
+         skTe  = (x.67*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.57*x.67*inv((x.58*x.68)))
+         z.2   = verify(x.61, <pk(x.60), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.52
+    
+    457. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv((x.58*x.59))), x.60, z.52)
+         certT = cert(pk(x.62), sign(<pk(x.62), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.62)
+         skTe  = (x.58*x.68*inv(x.56))
+         z     = z.46
+         z.1   = x.55^(x.57*x.68*inv(x.59))
+         z.2   = true
+         z.3   = verify(x.60, <x.55^(x.56*x.57*inv((x.58*x.59))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    458. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv((x.58*x.59))), x.60, z.52)
+         certT = cert(pk(x.62), sign(<pk(x.62), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.62)
+         skTe  = (x.58*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.57*inv((x.59*x.68)))
+         z.2   = true
+         z.3   = verify(x.60, <x.55^(x.56*x.57*inv((x.58*x.59))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    459. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv((x.58*x.59))),
+                      sign(<x.55^(x.56*x.57*inv((x.58*x.59))), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(pk(x.61), x.62, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.58*x.68*inv(x.56))
+         z     = z.46
+         z.1   = x.55^(x.57*x.68*inv(x.59))
+         z.2   = verify(x.62, <pk(x.61), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.52
+    
+    460. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv((x.58*x.59))),
+                      sign(<x.55^(x.56*x.57*inv((x.58*x.59))), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(pk(x.61), x.62, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.58*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.57*inv((x.59*x.68)))
+         z.2   = verify(x.62, <pk(x.61), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.52
+    
+    461. IDc   = IDc.35
+         certC = cert(x.55^(x.56*x.57*inv((x.58*x.59))),
+                      sign(<x.55^(x.56*x.57*inv((x.58*x.59))), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(pk(x.61), sign(<pk(x.61), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.58*x.67*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.57*x.67*inv((x.59*x.68)))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.52
+    
+    462. IDc   = IDc.35
+         certC = cert(x.55^(x.56*inv(x.57)), x.58, z.52)
+         certT = cert(pk(x.60), x.61, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.60)
+         skTe  = (x.57*x.67*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.67*inv(x.68))
+         z.2   = verify(x.61, <pk(x.60), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.58, <x.55^(x.56*inv(x.57)), z.52, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    463. IDc   = IDc.35
+         certC = cert(x.55^(x.56*inv(x.57)), x.58, z.52)
+         certT = cert(pk(x.60), x.61, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.60)
+         skTe  = (x.67*inv(x.68))
+         z     = z.46
+         z.1   = x.55^(x.56*x.67*inv((x.57*x.68)))
+         z.2   = verify(x.61, <pk(x.60), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.58, <x.55^(x.56*inv(x.57)), z.52, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    464. IDc   = IDc.35
+         certC = cert(x.55^(x.56*inv(x.57)), x.58, z.52)
+         certT = cert(pk(x.60), x.61, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.60)
+         skTe  = (x.67*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.67*inv((x.57*x.68)))
+         z.2   = verify(x.61, <pk(x.60), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.58, <x.55^(x.56*inv(x.57)), z.52, 'chip'>, pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    465. IDc   = IDc.35
+         certC = cert(x.55^(x.56*inv((x.57*x.58))), x.59, z.52)
+         certT = cert(pk(x.61), x.62, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.57*x.68)
+         z     = z.46
+         z.1   = x.55^(x.56*x.68*inv(x.58))
+         z.2   = verify(x.62, <pk(x.61), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.59, <x.55^(x.56*inv((x.57*x.58))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    466. IDc   = IDc.35
+         certC = cert(x.55^(x.56*inv((x.57*x.58))), x.59, z.52)
+         certT = cert(pk(x.61), x.62, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.57*x.68*inv(x.56))
+         z     = z.46
+         z.1   = x.55^(x.68*inv(x.58))
+         z.2   = verify(x.62, <pk(x.61), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.59, <x.55^(x.56*inv((x.57*x.58))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    467. IDc   = IDc.35
+         certC = cert(x.55^(x.56*inv((x.57*x.58))), x.59, z.52)
+         certT = cert(pk(x.61), x.62, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.57*inv(x.68))
+         z     = z.46
+         z.1   = x.55^(x.56*inv((x.58*x.68)))
+         z.2   = verify(x.62, <pk(x.61), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.59, <x.55^(x.56*inv((x.57*x.58))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    468. IDc   = IDc.35
+         certC = cert(x.55^(x.56*inv((x.57*x.58))), x.59, z.52)
+         certT = cert(pk(x.61), x.62, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.57*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^inv((x.58*x.68))
+         z.2   = verify(x.62, <pk(x.61), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.59, <x.55^(x.56*inv((x.57*x.58))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    469. IDc   = IDc.35
+         certC = cert(x.55^(x.56*inv((x.57*x.58))), x.59, z.52)
+         certT = cert(pk(x.61), sign(<pk(x.61), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.57*x.67*inv(x.68))
+         z     = z.46
+         z.1   = x.55^(x.56*x.67*inv((x.58*x.68)))
+         z.2   = true
+         z.3   = verify(x.59, <x.55^(x.56*inv((x.57*x.58))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    470. IDc   = IDc.35
+         certC = cert(x.55^(x.56*inv((x.57*x.58))), x.59, z.52)
+         certT = cert(pk(x.61), sign(<pk(x.61), z.46, 'terminal'>, ca_sk), z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.61)
+         skTe  = (x.57*x.67*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.67*inv((x.58*x.68)))
+         z.2   = true
+         z.3   = verify(x.59, <x.55^(x.56*inv((x.57*x.58))), z.52, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.52
+    
+    471. IDc   = IDc.35
+         certC = cert(x.55^(x.56*inv((x.57*x.58))),
+                      sign(<x.55^(x.56*inv((x.57*x.58))), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(pk(x.60), x.61, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.60)
+         skTe  = (x.57*x.67*inv(x.68))
+         z     = z.46
+         z.1   = x.55^(x.56*x.67*inv((x.58*x.68)))
+         z.2   = verify(x.61, <pk(x.60), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.52
+    
+    472. IDc   = IDc.35
+         certC = cert(x.55^(x.56*inv((x.57*x.58))),
+                      sign(<x.55^(x.56*inv((x.57*x.58))), z.52, 'chip'>, ca_sk), z.52)
+         certT = cert(pk(x.60), x.61, z.46)
+         pkTe  = pkTe.39
+         r1    = r1.41
+         s1    = sign(<IDc.35, r1.41, pkTe.39>, x.60)
+         skTe  = (x.57*x.67*inv((x.56*x.68)))
+         z     = z.46
+         z.1   = x.55^(x.67*inv((x.58*x.68)))
+         z.2   = verify(x.61, <pk(x.60), z.46, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.52
+    
+    473. IDc   = IDc.36
+         certC = cert(x.54^(x.55*x.56*inv(x.57)), x.58, z.53)
+         certT = cert(x.60, x.61, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = s1.44
+         skTe  = (x.57*x.68*inv((x.55*x.69)))
+         z     = z.47
+         z.1   = x.54^(x.56*x.68*inv(x.69))
+         z.2   = verify(x.61, <x.60, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.58, <x.54^(x.55*x.56*inv(x.57)), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.44, <IDc.36, r1.42, pkTe.40>, x.60)
+         z.5   = z.53
+    
+    474. IDc   = IDc.36
+         certC = cert(x.54^(x.55*x.56*inv(x.57)), x.58, z.53)
+         certT = cert(x.60, x.61, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = s1.44
+         skTe  = (x.68*inv((x.55*x.69)))
+         z     = z.47
+         z.1   = x.54^(x.56*x.68*inv((x.57*x.69)))
+         z.2   = verify(x.61, <x.60, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.58, <x.54^(x.55*x.56*inv(x.57)), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.44, <IDc.36, r1.42, pkTe.40>, x.60)
+         z.5   = z.53
+    
+    475. IDc   = IDc.36
+         certC = cert(x.54^(x.55*x.56*inv((x.57*x.58))), x.59, z.53)
+         certT = cert(x.61, x.62, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = s1.44
+         skTe  = (x.57*x.69*inv(x.55))
+         z     = z.47
+         z.1   = x.54^(x.56*x.69*inv(x.58))
+         z.2   = verify(x.62, <x.61, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.59, <x.54^(x.55*x.56*inv((x.57*x.58))), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.44, <IDc.36, r1.42, pkTe.40>, x.61)
+         z.5   = z.53
+    
+    476. IDc   = IDc.36
+         certC = cert(x.54^(x.55*x.56*inv((x.57*x.58))), x.59, z.53)
+         certT = cert(x.61, x.62, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = s1.44
+         skTe  = (x.57*inv((x.55*x.69)))
+         z     = z.47
+         z.1   = x.54^(x.56*inv((x.58*x.69)))
+         z.2   = verify(x.62, <x.61, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.59, <x.54^(x.55*x.56*inv((x.57*x.58))), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.44, <IDc.36, r1.42, pkTe.40>, x.61)
+         z.5   = z.53
+    
+    477. IDc   = IDc.36
+         certC = cert(x.54^(x.55*x.56*inv((x.57*x.58))), x.59, z.53)
+         certT = cert(x.61, sign(<x.61, z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = s1.44
+         skTe  = (x.57*x.68*inv((x.55*x.69)))
+         z     = z.47
+         z.1   = x.54^(x.56*x.68*inv((x.58*x.69)))
+         z.2   = true
+         z.3   = verify(x.59, <x.54^(x.55*x.56*inv((x.57*x.58))), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.44, <IDc.36, r1.42, pkTe.40>, x.61)
+         z.5   = z.53
+    
+    478. IDc   = IDc.36
+         certC = cert(x.54^(x.55*x.56*inv((x.57*x.58))),
+                      sign(<x.54^(x.55*x.56*inv((x.57*x.58))), z.53, 'chip'>, ca_sk), z.53)
+         certT = cert(x.60, x.61, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = s1.44
+         skTe  = (x.57*x.68*inv((x.55*x.69)))
+         z     = z.47
+         z.1   = x.54^(x.56*x.68*inv((x.58*x.69)))
+         z.2   = verify(x.61, <x.60, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(s1.44, <IDc.36, r1.42, pkTe.40>, x.60)
+         z.5   = z.53
+    
+    479. IDc   = IDc.36
+         certC = cert(x.54^(x.55*inv((x.56*x.57))), x.58, z.53)
+         certT = cert(x.60, x.61, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = s1.44
+         skTe  = (x.56*x.68*inv(x.69))
+         z     = z.47
+         z.1   = x.54^(x.55*x.68*inv((x.57*x.69)))
+         z.2   = verify(x.61, <x.60, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.58, <x.54^(x.55*inv((x.56*x.57))), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.44, <IDc.36, r1.42, pkTe.40>, x.60)
+         z.5   = z.53
+    
+    480. IDc   = IDc.36
+         certC = cert(x.54^(x.55*inv((x.56*x.57))), x.58, z.53)
+         certT = cert(x.60, x.61, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = s1.44
+         skTe  = (x.56*x.68*inv((x.55*x.69)))
+         z     = z.47
+         z.1   = x.54^(x.68*inv((x.57*x.69)))
+         z.2   = verify(x.61, <x.60, z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.58, <x.54^(x.55*inv((x.56*x.57))), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.44, <IDc.36, r1.42, pkTe.40>, x.60)
+         z.5   = z.53
+    
+    481. IDc   = IDc.36
+         certC = cert(x.56^(x.57*x.58*inv(x.59)), x.60, z.53)
+         certT = cert(pk(x.62), x.63, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = sign(<IDc.36, r1.42, pkTe.40>, x.62)
+         skTe  = (x.59*x.69*inv((x.57*x.70)))
+         z     = z.47
+         z.1   = x.56^(x.58*x.69*inv(x.70))
+         z.2   = verify(x.63, <pk(x.62), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.60, <x.56^(x.57*x.58*inv(x.59)), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.53
+    
+    482. IDc   = IDc.36
+         certC = cert(x.56^(x.57*x.58*inv(x.59)), x.60, z.53)
+         certT = cert(pk(x.62), x.63, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = sign(<IDc.36, r1.42, pkTe.40>, x.62)
+         skTe  = (x.69*inv((x.57*x.70)))
+         z     = z.47
+         z.1   = x.56^(x.58*x.69*inv((x.59*x.70)))
+         z.2   = verify(x.63, <pk(x.62), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.60, <x.56^(x.57*x.58*inv(x.59)), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.53
+    
+    483. IDc   = IDc.36
+         certC = cert(x.56^(x.57*x.58*inv((x.59*x.60))), x.61, z.53)
+         certT = cert(pk(x.63), x.64, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = sign(<IDc.36, r1.42, pkTe.40>, x.63)
+         skTe  = (x.59*x.70*inv(x.57))
+         z     = z.47
+         z.1   = x.56^(x.58*x.70*inv(x.60))
+         z.2   = verify(x.64, <pk(x.63), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.61, <x.56^(x.57*x.58*inv((x.59*x.60))), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.53
+    
+    484. IDc   = IDc.36
+         certC = cert(x.56^(x.57*x.58*inv((x.59*x.60))), x.61, z.53)
+         certT = cert(pk(x.63), x.64, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = sign(<IDc.36, r1.42, pkTe.40>, x.63)
+         skTe  = (x.59*inv((x.57*x.70)))
+         z     = z.47
+         z.1   = x.56^(x.58*inv((x.60*x.70)))
+         z.2   = verify(x.64, <pk(x.63), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.61, <x.56^(x.57*x.58*inv((x.59*x.60))), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.53
+    
+    485. IDc   = IDc.36
+         certC = cert(x.56^(x.57*x.58*inv((x.59*x.60))), x.61, z.53)
+         certT = cert(pk(x.63), sign(<pk(x.63), z.47, 'terminal'>, ca_sk), z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = sign(<IDc.36, r1.42, pkTe.40>, x.63)
+         skTe  = (x.59*x.69*inv((x.57*x.70)))
+         z     = z.47
+         z.1   = x.56^(x.58*x.69*inv((x.60*x.70)))
+         z.2   = true
+         z.3   = verify(x.61, <x.56^(x.57*x.58*inv((x.59*x.60))), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.53
+    
+    486. IDc   = IDc.36
+         certC = cert(x.56^(x.57*x.58*inv((x.59*x.60))),
+                      sign(<x.56^(x.57*x.58*inv((x.59*x.60))), z.53, 'chip'>, ca_sk), z.53)
+         certT = cert(pk(x.62), x.63, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = sign(<IDc.36, r1.42, pkTe.40>, x.62)
+         skTe  = (x.59*x.69*inv((x.57*x.70)))
+         z     = z.47
+         z.1   = x.56^(x.58*x.69*inv((x.60*x.70)))
+         z.2   = verify(x.63, <pk(x.62), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.53
+    
+    487. IDc   = IDc.36
+         certC = cert(x.56^(x.57*inv((x.58*x.59))), x.60, z.53)
+         certT = cert(pk(x.62), x.63, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = sign(<IDc.36, r1.42, pkTe.40>, x.62)
+         skTe  = (x.58*x.69*inv(x.70))
+         z     = z.47
+         z.1   = x.56^(x.57*x.69*inv((x.59*x.70)))
+         z.2   = verify(x.63, <pk(x.62), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.60, <x.56^(x.57*inv((x.58*x.59))), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.53
+    
+    488. IDc   = IDc.36
+         certC = cert(x.56^(x.57*inv((x.58*x.59))), x.60, z.53)
+         certT = cert(pk(x.62), x.63, z.47)
+         pkTe  = pkTe.40
+         r1    = r1.42
+         s1    = sign(<IDc.36, r1.42, pkTe.40>, x.62)
+         skTe  = (x.58*x.69*inv((x.57*x.70)))
+         z     = z.47
+         z.1   = x.56^(x.69*inv((x.59*x.70)))
+         z.2   = verify(x.63, <pk(x.62), z.47, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.60, <x.56^(x.57*inv((x.58*x.59))), z.53, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.53
+    
+    489. IDc   = IDc.37
+         certC = cert(x.55^(x.56*x.57*inv((x.58*x.59))), x.60, z.54)
+         certT = cert(x.62, x.63, z.48)
+         pkTe  = pkTe.41
+         r1    = r1.43
+         s1    = s1.45
+         skTe  = (x.58*x.70*inv((x.56*x.71)))
+         z     = z.48
+         z.1   = x.55^(x.57*x.70*inv((x.59*x.71)))
+         z.2   = verify(x.63, <x.62, z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.60, <x.55^(x.56*x.57*inv((x.58*x.59))), z.54, 'chip'>,
+                        pk(ca_sk))
+         z.4   = verify(s1.45, <IDc.37, r1.43, pkTe.41>, x.62)
+         z.5   = z.54
+    
+    490. IDc   = IDc.37
+         certC = cert(x.57^(x.58*x.59*inv((x.60*x.61))), x.62, z.54)
+         certT = cert(pk(x.64), x.65, z.48)
+         pkTe  = pkTe.41
+         r1    = r1.43
+         s1    = sign(<IDc.37, r1.43, pkTe.41>, x.64)
+         skTe  = (x.60*x.71*inv((x.58*x.72)))
+         z     = z.48
+         z.1   = x.57^(x.59*x.71*inv((x.61*x.72)))
+         z.2   = verify(x.65, <pk(x.64), z.48, 'terminal'>, pk(ca_sk))
+         z.3   = verify(x.62, <x.57^(x.58*x.59*inv((x.60*x.61))), z.54, 'chip'>,
+                        pk(ca_sk))
+         z.4   = true
+         z.5   = z.54
+  */
+
+restriction Equality:
+  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
+  // safety formula
+
+lemma session_exist:
+  exists-trace
+  "∃ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+    (#i < #j)"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  #i < #j"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>,
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, 
+                           ~id_c, ~r2>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, skTe, ~id_c,
+                          cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.10 )
+                case TA_RESPONSE_T
+                solve( !KU( ~r2 ) @ #vk.15 )
+                  case CA_FINISH_C
+                  solve( !KU( ~id_c ) @ #vk.30 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~r1 ) @ #vk.31 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T)
+                             ) @ #vk.17 )
+                        case CA_Sign_ltk
+                        solve( !KU( mac('g'^~skTe, kdf_mac('g'^(~skTe*~ltk.1), ~r2)) ) @ #vk.21 )
+                          case CA_FINISH_C
+                          solve( !KU( cert('g'^~ltk.1, sign(<'g'^~ltk.1, $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.29 )
+                            case CA_INIT_C
+                            solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.35 )
+                              case TA_RESPONSE_T
+                              solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z)
+                                     ) @ #vk.38 )
+                                case CA_Sign_ltk
+                                solve( !KU( ~id_c.1 ) @ #vk.41 )
+                                  case TA_CHALLENGE_C
+                                  solve( !KU( ~r1.1 ) @ #vk.42 )
+                                    case TA_CHALLENGE_C
+                                    solve( !KU( 'g'^~skTe ) @ #vk.22 )
+                                      case TA_INIT_T
+                                      solve( !KU( 'g'^~skTe.1 ) @ #vk.42 )
+                                        case TA_INIT_T
+                                        SOLVED // trace found
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma two_session_exist:
+  exists-trace
+  "∃ C T k k2 sid sid2 #i #j #i2 #j2.
+    ((((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+         (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+        (#i < #j)) ∧
+       (Completed( k2, sid2, C, 'chip', T ) @ #i2)) ∧
+      (Completed( k2, sid2, T, 'terminal', C ) @ #j2)) ∧
+     (#i2 < #j2)) ∧
+    (¬(k = k2))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k k2 sid sid2 #i #j #i2 #j2.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j) ∧
+  (Completed( k2, sid2, C, 'chip', T ) @ #i2) ∧
+  (Completed( k2, sid2, T, 'terminal', C ) @ #j2)
+ ∧
+  (#i < #j) ∧ (#i2 < #j2) ∧ (¬(k = k2))"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>,
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, 
+                           ~id_c, ~r2>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, skTe, ~id_c,
+                          cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
+                case CA_FINISH_C
+                solve( CAInitC( <$C, iid.1>, cert(x, x.1, $T), pkTe, id_c.1, r1.1, r2.1
+                       ) ▶₁ #i2 )
+                  case CA_INIT_C
+                  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
+                    case Generate_chip_key_pair
+                    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
+                      case CA_Sign_ltk
+                      solve( Completed( <kdf_enc(z, ~r2.1), kdf_mac(z, ~r2.1)>,
+                                        <cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), 
+                                         cert('g'^~ltk.2, sign(<'g'^~ltk.2, $C, 'chip'>, ca_sk), $C), pkTe, 
+                                         'g'^~skC, ~id_c.1, ~r2.1>,
+                                        $T, 'terminal', $C
+                             ) @ #j2 )
+                        case CA_FINISH_T
+                        solve( CAInitT( <$T, iid.3>, skTe.1, ~id_c.1,
+                                        cert('g'^~skC, sign(<'g'^~skC, $C, 'chip'>, ca_sk), $C)
+                               ) ▶₁ #j2 )
+                          case CA_INIT_T
+                          solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                                        'terminal'
+                                 ) ▶₂ #j2 )
+                            case CA_Sign_ltk
+                            solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.14 )
+                              case TA_RESPONSE_T
+                              solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe.1>, ~ltk.2) ) @ #vk.44 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~r2 ) @ #vk.20 )
+                                  case CA_FINISH_C
+                                  solve( !KU( ~id_c ) @ #vk.41 )
+                                    case TA_CHALLENGE_C
+                                    solve( !KU( ~r2.1 ) @ #vk.46 )
+                                      case CA_FINISH_C
+                                      solve( !KU( ~id_c.1 ) @ #vk.50 )
+                                        case TA_CHALLENGE_C
+                                        solve( !KU( ~r1 ) @ #vk.44 )
+                                          case TA_CHALLENGE_C
+                                          solve( !KU( ~r1.1 ) @ #vk.51 )
+                                            case TA_CHALLENGE_C
+                                            solve( !KU( cert(pk(~ltk),
+                                                             sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T)
+                                                   ) @ #vk.28 )
+                                              case CA_Sign_ltk
+                                              solve( !KU( mac('g'^~skTe, kdf_mac('g'^(~skTe*~ltk.1), ~r2))
+                                                     ) @ #vk.32 )
+                                                case CA_FINISH_C
+                                                solve( !KU( cert('g'^~ltk.1,
+                                                                 sign(<'g'^~ltk.1, $C, 'chip'>, ca_sk), $C)
+                                                       ) @ #vk.43 )
+                                                  case CA_Sign_ltk
+                                                  solve( !KU( 'g'^~skTe ) @ #vk.22 )
+                                                    case TA_INIT_T
+                                                    solve( !KU( cert(pk(~skT),
+                                                                     sign(<pk(~skT), $T, 'terminal'>, ca_sk),
+                                                                     $T)
+                                                           ) @ #vk.48 )
+                                                      case CA_Sign_ltk
+                                                      solve( !KU( mac('g'^~skTe.1,
+                                                                      kdf_mac('g'^(~skC*~skTe.1), ~r2.1))
+                                                             ) @ #vk.49 )
+                                                        case CA_FINISH_C
+                                                        solve( !KU( cert('g'^~skC,
+                                                                         sign(<'g'^~skC, $C, 'chip'>, ca_sk),
+                                                                         $C)
+                                                               ) @ #vk.50 )
+                                                          case CA_Sign_ltk
+                                                          solve( !KU( 'g'^~skTe.1 ) @ #vk.50 )
+                                                            case TA_INIT_T
+                                                            SOLVED // trace found
+                                                          qed
+                                                        qed
+                                                      qed
+                                                    qed
+                                                  qed
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2
+                      >,
+                      C, 'chip', T.1
+           ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>,
+                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 'g'^~skTe,
+                      id_c, r1, r2
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert('g'^~skC, sign(<'g'^~skC, z, 'chip'>, ca_sk), z),
+                        'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2
+                      >,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, ~skTe, id_c,
+                      cert(z.1, sign(<z.1, C, 'chip'>, ca_sk), C)
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.3 )
+          case CA_FINISH_C
+          solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.29 )
+            case c_sign
+            solve( !KU( cert('g'^~skC, sign(<'g'^~skC, C, 'chip'>, ca_sk), C)
+                   ) @ #vk.14 )
+              case CA_Sign_ltk
+              solve( !KU( cert(pk(x), sign(<pk(x), z, 'terminal'>, ca_sk), z)
+                     ) @ #vk.33 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.35 )
+                  case Corrupt_ltk
+                  solve( !KU( ~r2 ) @ #vk.10 )
+                    case CA_FINISH_C
+                    solve( !KU( ~id_c.1 ) @ #vk.36 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~r1 ) @ #vk.37 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( 'g'^~skTe ) @ #vk.28 )
+                          case CA_INIT_T
+                          SOLVED // trace found
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2
+                      >,
+                      C, 'chip', T.1
+           ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>,
+                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 'g'^~skTe,
+                      id_c, r1, r2
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert('g'^~skC, sign(<'g'^~skC, z, 'chip'>, ca_sk), z),
+                        'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2
+                      >,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, ~skTe, id_c,
+                      cert(z.1, sign(<z.1, C, 'chip'>, ca_sk), C)
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.3 )
+          case CA_FINISH_C
+          solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.29 )
+            case TA_RESPONSE_T
+            solve( !KU( cert('g'^~skC, sign(<'g'^~skC, C, 'chip'>, ca_sk), C)
+                   ) @ #vk.14 )
+              case CA_Sign_ltk
+              solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z)
+                     ) @ #vk.31 )
+                case CA_Sign_ltk
+                solve( !KU( ~r2 ) @ #vk.8 )
+                  case CA_FINISH_C
+                  solve( !KU( ~id_c ) @ #vk.20 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~r1 ) @ #vk.21 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( 'g'^~skTe ) @ #vk.24 )
+                        case TA_INIT_T
+                        SOLVED // trace found
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2
+                      >,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_C
+      by contradiction /* from formulas */
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, ~skTe, id_c,
+                      cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B)
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.3 )
+          case CA_FINISH_C
+          solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.29 )
+            case TA_RESPONSE_T
+            solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
+                   ) @ #vk.14 )
+              case CA_INIT_C
+              by contradiction /* from formulas */
+            next
+              case CA_Sign_ltk
+              by contradiction /* from formulas */
+            next
+              case c_cert
+              solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.34 )
+                case CA_INIT_C
+                by contradiction /* from formulas */
+              next
+                case CA_Sign_ltk
+                by contradiction /* from formulas */
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.38 )
+              qed
+            qed
+          next
+            case c_sign
+            solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
+                   ) @ #vk.14 )
+              case CA_INIT_C
+              by contradiction /* from formulas */
+            next
+              case CA_Sign_ltk
+              by contradiction /* from formulas */
+            next
+              case c_cert
+              solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.39 )
+                case CA_INIT_C
+                by contradiction /* from formulas */
+              next
+                case CA_Sign_ltk
+                by contradiction /* from formulas */
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.43 )
+              qed
+            qed
+          qed
+        next
+          case c_mac
+          solve( !KU( cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B) ) @ #vk.13 )
+            case CA_INIT_C
+            solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.22 )
+              case TA_RESPONSE_T
+              solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.22 )
+                case Reveal_session
+                solve( splitEqs(2) )
+                  case split_case_1
+                  by contradiction /* cyclic */
+                next
+                  case split_case_2
+                  solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z)
+                         ) @ #vk.37 )
+                    case CA_Sign_ltk
+                    solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.42 )
+                      case c_mac
+                      by contradiction /* cyclic */
+                    qed
+                  next
+                    case TA_INIT_T
+                    solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.42 )
+                      case c_mac
+                      by contradiction /* cyclic */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(~skT), z, 'terminal'>, ca_sk) ) @ #vk.48 )
+                      case CA_Sign_ltk
+                      solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 )
+                        case c_mac
+                        by contradiction /* cyclic */
+                      qed
+                    next
+                      case TA_INIT_T
+                      solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 )
+                        case c_mac
+                        by contradiction /* cyclic */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.52 )
+                    qed
+                  qed
+                qed
+              next
+                case c_kdf_mac
+                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.36 )
+                  case CA_INIT_C
+                  by solve( !KU( ~skTe ) @ #vk.37 )
+                next
+                  case CA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.37 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case Generate_chip_key_pair
+                  by solve( !KU( ~skTe ) @ #vk.37 )
+                next
+                  case TA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.37 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_exp
+                  solve( !KU( ~ltk ) @ #vk.39 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              qed
+            next
+              case c_sign
+              solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.21 )
+                case Reveal_session
+                solve( splitEqs(2) )
+                  case split_case_1
+                  by contradiction /* cyclic */
+                next
+                  case split_case_2
+                  solve( !KU( cert(pk(x), sign(<pk(x), z, 'terminal'>, ca_sk), z)
+                         ) @ #vk.35 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.2 ) @ #vk.40 )
+                      case Corrupt_ltk
+                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 )
+                        case c_mac
+                        by contradiction /* cyclic */
+                      qed
+                    qed
+                  next
+                    case TA_INIT_T
+                    solve( !KU( ~ltk.2 ) @ #vk.40 )
+                      case Corrupt_ltk
+                      solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 )
+                        case c_mac
+                        by contradiction /* cyclic */
+                      qed
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(x), z, 'terminal'>, ca_sk) ) @ #vk.49 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.2 ) @ #vk.41 )
+                        case Corrupt_ltk
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.44 )
+                          case c_mac
+                          by contradiction /* cyclic */
+                        qed
+                      qed
+                    next
+                      case TA_INIT_T
+                      solve( !KU( ~ltk.2 ) @ #vk.41 )
+                        case Corrupt_ltk
+                        solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.44 )
+                          case c_mac
+                          by contradiction /* cyclic */
+                        qed
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.53 )
+                    qed
+                  qed
+                qed
+              next
+                case c_kdf_mac
+                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.37 )
+                  case CA_INIT_C
+                  by solve( !KU( ~skTe ) @ #vk.38 )
+                next
+                  case CA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.38 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case Generate_chip_key_pair
+                  by solve( !KU( ~skTe ) @ #vk.38 )
+                next
+                  case TA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.38 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_exp
+                  solve( !KU( ~ltk ) @ #vk.40 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              qed
+            qed
+          next
+            case CA_Sign_ltk
+            solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.20 )
+              case Reveal_session
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* cyclic */
+              next
+                case split_case_2
+                solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
+                  case c_mac
+                  by contradiction /* cyclic */
+                qed
+              qed
+            next
+              case c_kdf_mac
+              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.21 )
+                case CA_INIT_T
+                solve( !KU( ~ltk ) @ #vk.22 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case CA_Sign_ltk
+                by solve( !KU( ~skTe ) @ #vk.22 )
+              next
+                case Generate_chip_key_pair
+                by solve( !KU( ~skTe ) @ #vk.22 )
+              next
+                case TA_INIT_T
+                solve( !KU( ~ltk ) @ #vk.22 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_exp
+                solve( !KU( ~ltk ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              qed
+            qed
+          next
+            case c_cert
+            solve( !KU( sign(<z.1, B, 'chip'>, ca_sk) ) @ #vk.22 )
+              case CA_INIT_C
+              solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.25 )
+                case TA_RESPONSE_T
+                solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.23 )
+                  case Reveal_session
+                  solve( splitEqs(2) )
+                    case split_case_1
+                    by contradiction /* cyclic */
+                  next
+                    case split_case_2
+                    solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z)
+                           ) @ #vk.40 )
+                      case CA_Sign_ltk
+                      solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.45 )
+                        case c_mac
+                        by contradiction /* cyclic */
+                      qed
+                    next
+                      case TA_INIT_T
+                      solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.45 )
+                        case c_mac
+                        by contradiction /* cyclic */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(~skT), z, 'terminal'>, ca_sk) ) @ #vk.51 )
+                        case CA_Sign_ltk
+                        solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 )
+                          case c_mac
+                          by contradiction /* cyclic */
+                        qed
+                      next
+                        case TA_INIT_T
+                        solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 )
+                          case c_mac
+                          by contradiction /* cyclic */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.55 )
+                      qed
+                    qed
+                  qed
+                next
+                  case c_kdf_mac
+                  solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.39 )
+                    case CA_INIT_C
+                    by solve( !KU( ~skTe ) @ #vk.40 )
+                  next
+                    case CA_INIT_T
+                    solve( !KU( ~ltk ) @ #vk.40 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case Generate_chip_key_pair
+                    by solve( !KU( ~skTe ) @ #vk.40 )
+                  next
+                    case TA_INIT_T
+                    solve( !KU( ~ltk ) @ #vk.40 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_exp
+                    solve( !KU( ~ltk ) @ #vk.42 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.22 )
+                  case Reveal_session
+                  solve( splitEqs(2) )
+                    case split_case_1
+                    by contradiction /* cyclic */
+                  next
+                    case split_case_2
+                    solve( !KU( cert(pk(x), sign(<pk(x), z, 'terminal'>, ca_sk), z)
+                           ) @ #vk.38 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.3 ) @ #vk.43 )
+                        case Corrupt_ltk
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 )
+                          case c_mac
+                          by contradiction /* cyclic */
+                        qed
+                      qed
+                    next
+                      case TA_INIT_T
+                      solve( !KU( ~ltk.3 ) @ #vk.43 )
+                        case Corrupt_ltk
+                        solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 )
+                          case c_mac
+                          by contradiction /* cyclic */
+                        qed
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(x), z, 'terminal'>, ca_sk) ) @ #vk.52 )
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.3 ) @ #vk.44 )
+                          case Corrupt_ltk
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.47 )
+                            case c_mac
+                            by contradiction /* cyclic */
+                          qed
+                        qed
+                      next
+                        case TA_INIT_T
+                        solve( !KU( ~ltk.3 ) @ #vk.44 )
+                          case Corrupt_ltk
+                          solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.47 )
+                            case c_mac
+                            by contradiction /* cyclic */
+                          qed
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.56 )
+                      qed
+                    qed
+                  qed
+                next
+                  case c_kdf_mac
+                  solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.40 )
+                    case CA_INIT_C
+                    by solve( !KU( ~skTe ) @ #vk.41 )
+                  next
+                    case CA_INIT_T
+                    solve( !KU( ~ltk ) @ #vk.41 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case Generate_chip_key_pair
+                    by solve( !KU( ~skTe ) @ #vk.41 )
+                  next
+                    case TA_INIT_T
+                    solve( !KU( ~ltk ) @ #vk.41 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_exp
+                    solve( !KU( ~ltk ) @ #vk.43 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case CA_Sign_ltk
+              solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.21 )
+                case Reveal_session
+                solve( splitEqs(2) )
+                  case split_case_1
+                  by contradiction /* cyclic */
+                next
+                  case split_case_2
+                  solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 )
+                    case c_mac
+                    by contradiction /* cyclic */
+                  qed
+                qed
+              next
+                case c_kdf_mac
+                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.24 )
+                  case CA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.25 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case CA_Sign_ltk
+                  by solve( !KU( ~skTe ) @ #vk.25 )
+                next
+                  case Generate_chip_key_pair
+                  by solve( !KU( ~skTe ) @ #vk.25 )
+                next
+                  case TA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.25 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_exp
+                  solve( !KU( ~ltk ) @ #vk.27 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              qed
+            next
+              case c_sign
+              by solve( !KU( ca_sk ) @ #vk.26 )
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma session_uniqueness:
+  all-traces
+  "∀ A B k sid sid2 role #i #j.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧
+     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
+    ((#i = #j) ∧ (sid = sid2))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ A B k sid sid2 role #i #j.
+  (Completed( k, sid, A, role, B ) @ #i) ∧
+  (Completed( k, sid2, A, role, B ) @ #j)
+ ∧
+  ((¬(#i = #j)) ∨ (¬(sid = sid2)))"
+*/
+simplify
+solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
+  case case_1
+  solve( (#i < #j)  ∥ (#j < #i) )
+    case case_1
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B
+                   ) @ #j )
+              case CA_FINISH_C
+              solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
+                case CA_INIT_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal',
+                            B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j )
+              case CA_INIT_T
+              solve( !Cert( $T, certT, 'terminal' ) ▶₂ #j )
+                case CA_Sign_ltk
+                solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.4 )
+                  case CA_FINISH_C
+                  solve( splitEqs(1) )
+                    case split_case_1
+                    by contradiction /* cyclic */
+                  next
+                    case split_case_2
+                    solve( !KU( sign(<~id_c.2, ~r1.2, 'g'^~skTe>, x) ) @ #vk.40 )
+                      case TA_RESPONSE_T
+                      solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
+                             ) @ #vk.20 )
+                        case CA_INIT_C
+                        solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.46 )
+                          case TA_RESPONSE_T
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.32 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.57 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.61 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.30 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.58 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.62 )
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.28 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.47 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_cert
+                        solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.45 )
+                          case CA_INIT_C
+                          solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.49 )
+                            case TA_RESPONSE_T
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.33 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.60 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.63 )
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_sign
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.31 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.61 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.64 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.29 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.50 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.53 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          by solve( !KU( ca_sk ) @ #vk.49 )
+                        qed
+                      qed
+                    next
+                      case c_sign
+                      solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
+                             ) @ #vk.20 )
+                        case CA_INIT_C
+                        solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.51 )
+                          case TA_RESPONSE_T
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.32 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.62 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.66 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.30 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.63 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.67 )
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.28 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.52 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.56 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_cert
+                        solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.50 )
+                          case CA_INIT_C
+                          solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.54 )
+                            case TA_RESPONSE_T
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.33 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.65 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.68 )
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_sign
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.31 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.66 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.69 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.29 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.55 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.58 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          by solve( !KU( ca_sk ) @ #vk.54 )
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_mac
+                  solve( !KU( cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B) ) @ #vk.19 )
+                    case CA_INIT_C
+                    solve( splitEqs(1) )
+                      case split_case_1
+                      by contradiction /* cyclic */
+                    next
+                      case split_case_2
+                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 )
+                        case TA_RESPONSE_T
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.30 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.49 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.53 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_sign
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.28 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.50 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.54 )
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( splitEqs(1) )
+                      case split_case_1
+                      by contradiction /* cyclic */
+                    next
+                      case split_case_2
+                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.25 )
+                        case c_mac
+                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                               ) @ #vk.26 )
+                          case c_cert
+                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                 ) @ #vk.34 )
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.38 )
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<z.1, B, 'chip'>, ca_sk) ) @ #vk.33 )
+                      case CA_INIT_C
+                      solve( splitEqs(1) )
+                        case split_case_1
+                        by contradiction /* cyclic */
+                      next
+                        case split_case_2
+                        solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 )
+                          case TA_RESPONSE_T
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.28 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.31 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.52 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.55 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.29 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.53 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.56 )
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( splitEqs(1) )
+                        case split_case_1
+                        by contradiction /* cyclic */
+                      next
+                        case split_case_2
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                 ) @ #vk.27 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                   ) @ #vk.37 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.40 )
+                            qed
+                          qed
+                        qed
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.37 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  next
+    case case_2
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B
+                   ) @ #j )
+              case CA_FINISH_C
+              solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
+                case CA_INIT_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal',
+                            B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j )
+              case CA_INIT_T
+              solve( !Cert( $T, certT, 'terminal' ) ▶₂ #j )
+                case CA_Sign_ltk
+                solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.4 )
+                  case CA_FINISH_C
+                  solve( splitEqs(1) )
+                    case split_case_1
+                    by contradiction /* cyclic */
+                  next
+                    case split_case_2
+                    solve( !KU( sign(<~id_c.2, ~r1.2, 'g'^~skTe>, x) ) @ #vk.40 )
+                      case TA_RESPONSE_T
+                      solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
+                             ) @ #vk.20 )
+                        case CA_INIT_C
+                        solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.46 )
+                          case TA_RESPONSE_T
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.32 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.57 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.61 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.30 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.58 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.62 )
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.28 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.47 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_cert
+                        solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.45 )
+                          case CA_INIT_C
+                          solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.49 )
+                            case TA_RESPONSE_T
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.33 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.60 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.63 )
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_sign
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.31 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.61 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.64 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.29 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.50 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.53 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          by solve( !KU( ca_sk ) @ #vk.49 )
+                        qed
+                      qed
+                    next
+                      case c_sign
+                      solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
+                             ) @ #vk.20 )
+                        case CA_INIT_C
+                        solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.51 )
+                          case TA_RESPONSE_T
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.32 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.62 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.66 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.30 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.63 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.67 )
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.28 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.52 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.56 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_cert
+                        solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.50 )
+                          case CA_INIT_C
+                          solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.54 )
+                            case TA_RESPONSE_T
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.33 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.65 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.68 )
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_sign
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.31 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.66 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.69 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.29 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.55 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.58 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          by solve( !KU( ca_sk ) @ #vk.54 )
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_mac
+                  solve( !KU( cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B) ) @ #vk.19 )
+                    case CA_INIT_C
+                    solve( splitEqs(1) )
+                      case split_case_1
+                      by contradiction /* cyclic */
+                    next
+                      case split_case_2
+                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 )
+                        case TA_RESPONSE_T
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.30 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.49 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.53 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_sign
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.28 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.50 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.54 )
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( splitEqs(1) )
+                      case split_case_1
+                      by contradiction /* cyclic */
+                    next
+                      case split_case_2
+                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.25 )
+                        case c_mac
+                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                               ) @ #vk.26 )
+                          case c_cert
+                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                 ) @ #vk.34 )
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.38 )
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<z.1, B, 'chip'>, ca_sk) ) @ #vk.33 )
+                      case CA_INIT_C
+                      solve( splitEqs(1) )
+                        case split_case_1
+                        by contradiction /* cyclic */
+                      next
+                        case split_case_2
+                        solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 )
+                          case TA_RESPONSE_T
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.28 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.31 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.52 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.55 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.29 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.53 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.56 )
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( splitEqs(1) )
+                        case split_case_1
+                        by contradiction /* cyclic */
+                      next
+                        case split_case_2
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                 ) @ #vk.27 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                   ) @ #vk.37 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.40 )
+                            qed
+                          qed
+                        qed
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.37 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case case_2
+  solve( Completed( k, sid, A, role, B ) @ #i )
+    case CA_FINISH_C
+    solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+      case CA_INIT_C
+      solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+        case Generate_chip_key_pair
+        solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+          case CA_Sign_ltk
+          solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B
+                 ) @ #j )
+            case CA_FINISH_C
+            solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
+              case CA_INIT_C
+              by contradiction /* from formulas */
+            qed
+          qed
+        qed
+      qed
+    qed
+  next
+    case CA_FINISH_T
+    solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i )
+      case CA_INIT_T
+      solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+        case CA_Sign_ltk
+        solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal',
+                          B
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, certT, 'terminal' ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.4 )
+                case CA_FINISH_C
+                solve( splitEqs(1) )
+                  case split_case_1
+                  by contradiction /* from formulas */
+                next
+                  case split_case_2
+                  solve( !KU( sign(<~id_c.2, ~r1.2, 'g'^~skTe>, x) ) @ #vk.40 )
+                    case TA_RESPONSE_T
+                    solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
+                           ) @ #vk.20 )
+                      case CA_INIT_C
+                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.46 )
+                        case TA_RESPONSE_T
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.32 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.57 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.61 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_sign
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.30 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.58 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.62 )
+                            qed
+                          qed
+                        qed
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
+                        case c_mac
+                        solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                         sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                               ) @ #vk.28 )
+                          case c_cert
+                          solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                 ) @ #vk.47 )
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.51 )
+                          qed
+                        qed
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.45 )
+                        case CA_INIT_C
+                        solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.49 )
+                          case TA_RESPONSE_T
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.33 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.60 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.63 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.31 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.61 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.64 )
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.29 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.50 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.53 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.49 )
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
+                           ) @ #vk.20 )
+                      case CA_INIT_C
+                      solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.51 )
+                        case TA_RESPONSE_T
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.32 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.62 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.66 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_sign
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.30 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.63 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.67 )
+                            qed
+                          qed
+                        qed
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
+                        case c_mac
+                        solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                         sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                               ) @ #vk.28 )
+                          case c_cert
+                          solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                 ) @ #vk.52 )
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.56 )
+                          qed
+                        qed
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.50 )
+                        case CA_INIT_C
+                        solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.54 )
+                          case TA_RESPONSE_T
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.33 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.65 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.68 )
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_sign
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.31 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                     ) @ #vk.66 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.69 )
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.29 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.55 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.58 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.54 )
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case c_mac
+                solve( !KU( cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B) ) @ #vk.19 )
+                  case CA_INIT_C
+                  solve( splitEqs(1) )
+                    case split_case_1
+                    by contradiction /* from formulas */
+                  next
+                    case split_case_2
+                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 )
+                      case TA_RESPONSE_T
+                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
+                        case c_mac
+                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                               ) @ #vk.30 )
+                          case c_cert
+                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                 ) @ #vk.49 )
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.53 )
+                          qed
+                        qed
+                      qed
+                    next
+                      case c_sign
+                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
+                        case c_mac
+                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                               ) @ #vk.28 )
+                          case c_cert
+                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                 ) @ #vk.50 )
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.54 )
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case CA_Sign_ltk
+                  solve( splitEqs(1) )
+                    case split_case_1
+                    by contradiction /* from formulas */
+                  next
+                    case split_case_2
+                    solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.25 )
+                      case c_mac
+                      solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                       sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                             ) @ #vk.26 )
+                        case c_cert
+                        solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                               ) @ #vk.34 )
+                          case c_sign
+                          by solve( !KU( ca_sk ) @ #vk.38 )
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_cert
+                  solve( !KU( sign(<z.1, B, 'chip'>, ca_sk) ) @ #vk.33 )
+                    case CA_INIT_C
+                    solve( splitEqs(1) )
+                      case split_case_1
+                      by contradiction /* from formulas */
+                    next
+                      case split_case_2
+                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 )
+                        case TA_RESPONSE_T
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.28 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.31 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.52 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.55 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_sign
+                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
+                          case c_mac
+                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                 ) @ #vk.29 )
+                            case c_cert
+                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                   ) @ #vk.53 )
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.56 )
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( splitEqs(1) )
+                      case split_case_1
+                      by contradiction /* from formulas */
+                    next
+                      case split_case_2
+                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
+                        case c_mac
+                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                               ) @ #vk.27 )
+                          case c_cert
+                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                 ) @ #vk.37 )
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.40 )
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    by solve( !KU( ca_sk ) @ #vk.37 )
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma consistency:
+  all-traces
+  "∀ C T k k2 sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
+    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k k2 sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k2, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( k2,
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, 
+                           ~id_c, ~r2>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, skTe, ~id_c,
+                          cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma key_secrecy:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
+    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+     (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>,
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, 
+                           ~id_c, ~r2>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, skTe, ~id_c,
+                          cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.13 )
+                case TA_RESPONSE_T
+                solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.12 )
+                  case Reveal_session
+                  solve( splitEqs(2) )
+                    case split_case_1
+                    by contradiction /* from formulas */
+                  next
+                    case split_case_2
+                    solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skTe*~ltk.1), ~r2))
+                           ) @ #vk.42 )
+                      case c_mac
+                      solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.14 )
+                        case Reveal_session
+                        by contradiction /* cyclic */
+                      next
+                        case c_kdf_mac
+                        solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.48 )
+                          case CA_INIT_C
+                          by solve( !KU( ~skTe ) @ #vk.52 )
+                        next
+                          case CA_INIT_T
+                          by contradiction /* cyclic */
+                        next
+                          case CA_Sign_ltk
+                          by solve( !KU( ~skTe ) @ #vk.49 )
+                        next
+                          case Generate_chip_key_pair
+                          by solve( !KU( ~skTe ) @ #vk.49 )
+                        next
+                          case TA_INIT_T
+                          solve( !KU( ~ltk.1 ) @ #vk.49 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_exp
+                          by solve( !KU( ~skTe ) @ #vk.51 )
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_kdf_enc
+                  solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.36 )
+                    case CA_INIT_C
+                    by solve( !KU( ~skTe ) @ #vk.40 )
+                  next
+                    case CA_INIT_T
+                    by contradiction /* cyclic */
+                  next
+                    case CA_Sign_ltk
+                    by solve( !KU( ~skTe ) @ #vk.37 )
+                  next
+                    case Generate_chip_key_pair
+                    by solve( !KU( ~skTe ) @ #vk.37 )
+                  next
+                    case TA_INIT_T
+                    solve( !KU( ~ltk.1 ) @ #vk.37 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_exp
+                    by solve( !KU( ~skTe ) @ #vk.39 )
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk ) @ #vk.38 )
+                  case Corrupt_ltk
+                  solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.15 )
+                    case Reveal_session
+                    solve( splitEqs(2) )
+                      case split_case_1
+                      by contradiction /* from formulas */
+                    next
+                      case split_case_2
+                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skTe*~ltk.1), ~r2))
+                             ) @ #vk.46 )
+                        case c_mac
+                        solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.17 )
+                          case Reveal_session
+                          by contradiction /* cyclic */
+                        next
+                          case c_kdf_mac
+                          solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.52 )
+                            case CA_INIT_C
+                            by solve( !KU( ~skTe ) @ #vk.56 )
+                          next
+                            case CA_INIT_T
+                            by contradiction /* cyclic */
+                          next
+                            case CA_Sign_ltk
+                            by solve( !KU( ~skTe ) @ #vk.53 )
+                          next
+                            case Generate_chip_key_pair
+                            by solve( !KU( ~skTe ) @ #vk.53 )
+                          next
+                            case TA_INIT_T
+                            solve( !KU( ~ltk.1 ) @ #vk.53 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_exp
+                            by solve( !KU( ~skTe ) @ #vk.55 )
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_kdf_enc
+                    solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.40 )
+                      case CA_INIT_C
+                      by solve( !KU( ~skTe ) @ #vk.44 )
+                    next
+                      case CA_INIT_T
+                      by contradiction /* cyclic */
+                    next
+                      case CA_Sign_ltk
+                      by solve( !KU( ~skTe ) @ #vk.41 )
+                    next
+                      case Generate_chip_key_pair
+                      by solve( !KU( ~skTe ) @ #vk.41 )
+                    next
+                      case TA_INIT_T
+                      solve( !KU( ~ltk.1 ) @ #vk.41 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_exp
+                      by solve( !KU( ~skTe ) @ #vk.43 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma chip_hiding:
+  all-traces
+  "∀ C T iid #i.
+    (CompletedTA( C, iid, T ) @ #i) ⇒
+    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T iid #i.
+  (CompletedTA( C, iid, T ) @ #i)
+ ∧
+  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
+*/
+simplify
+solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), pkTe, id_c, r1
+       ) ▶₁ #i )
+  case TA_CHALLENGE_C
+  solve( !KU( ~iid ) @ #vk.6 )
+    case CA_INIT_C
+    by contradiction /* cyclic */
+  qed
+qed
+
+lemma nonRepudiation_terminal:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( C ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( T, 'chip' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( C, 'chip', T ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( C ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( T, 'chip' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( C, 'chip', T ) @ #i )
+  case Verify_Transcript_C
+  solve( !Ltk( C, skC, 'chip' ) ▶₁ #i )
+    case Generate_chip_key_pair
+    solve( !KU( cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T)
+           ) @ #vk.1 )
+      case CA_Sign_ltk
+      solve( !KU( sign(<IDc, r1, pkTe>, ~ltk) ) @ #vk.11 )
+        case c_sign
+        solve( !KU( ~ltk ) @ #vk.18 )
+          case Corrupt_ltk
+          solve( !KU( cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1) ) @ #vk.15 )
+            case CA_Sign_ltk
+            solve( splitEqs(0) )
+              case split_case_1
+              solve( !KU( mac(pkTe, kdf_mac(pkTe^~ltk.2, r2)) ) @ #vk.18 )
+                case c_mac
+                solve( !KU( kdf_mac(pkTe^~ltk.2, r2) ) @ #vk.19 )
+                  case c_kdf_mac
+                  solve( !KU( pkTe^~ltk.2 ) @ #vk.20 )
+                    case CA_Sign_ltk
+                    SOLVED // trace found
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_chip:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( T ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( C, 'terminal' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( T, 'terminal', C ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( T ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( C, 'terminal' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( T, 'terminal', C ) @ #i )
+  case Verify_Transcript_T
+  solve( !KU( cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T)
+         ) @ #vk.1 )
+    case CA_Sign_ltk
+    solve( !KU( sign(<IDc, r1, pkTe>, ~ltk) ) @ #vk.11 )
+      case TA_RESPONSE_T
+      by contradiction /* from formulas */
+    next
+      case c_sign
+      solve( !KU( ~ltk ) @ #vk.21 )
+        case Corrupt_ltk
+        by contradiction /* from formulas */
+      qed
+    qed
+  next
+    case TA_INIT_T
+    by contradiction /* from formulas */
+  next
+    case c_cert
+    solve( !KU( sign(<pk(x), T, 'terminal'>, ca_sk) ) @ #vk.20 )
+      case CA_Sign_ltk
+      solve( !KU( sign(<IDc, r1, pkTe>, ~ltk) ) @ #vk.12 )
+        case TA_RESPONSE_T
+        by contradiction /* from formulas */
+      next
+        case c_sign
+        solve( !KU( ~ltk ) @ #vk.23 )
+          case Corrupt_ltk
+          by contradiction /* from formulas */
+        qed
+      qed
+    next
+      case TA_INIT_T
+      by contradiction /* from formulas */
+    next
+      case c_sign
+      by solve( !KU( ca_sk ) @ #vk.23 )
+    qed
+  qed
+qed
+
+lemma pfs:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+       (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+      (¬(∃ #m. (Corrupted( C ) @ #m) ∧ (#m < #j)))) ∧
+     (¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j)))) ⇒
+    ((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>,
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, 
+                           ~id_c, ~r2>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, skTe, ~id_c,
+                          cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.13 )
+                case TA_RESPONSE_T
+                solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.12 )
+                  case c_kdf_enc
+                  solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.36 )
+                    case TA_INIT_T
+                    solve( !KU( ~ltk.1 ) @ #vk.37 )
+                      case Corrupt_ltk
+                      solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.15 )
+                        case c_kdf_mac
+                        solve( !KU( ~r2 ) @ #vk.20 )
+                          case CA_FINISH_C
+                          solve( !KU( ~id_c ) @ #vk.35 )
+                            case TA_CHALLENGE_C
+                            solve( !KU( ~r1 ) @ #vk.36 )
+                              case TA_CHALLENGE_C
+                              solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T)
+                                     ) @ #vk.22 )
+                                case CA_Sign_ltk
+                                solve( !KU( mac('g'^~skTe, kdf_mac('g'^(~skTe*~ltk.1), ~r2)) ) @ #vk.26 )
+                                  case CA_FINISH_C
+                                  solve( !KU( cert('g'^~ltk.1, sign(<'g'^~ltk.1, $C, 'chip'>, ca_sk), $C)
+                                         ) @ #vk.34 )
+                                    case CA_INIT_C
+                                    solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.40 )
+                                      case TA_RESPONSE_T
+                                      solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z)
+                                             ) @ #vk.43 )
+                                        case CA_Sign_ltk
+                                        solve( !KU( ~id_c.1 ) @ #vk.46 )
+                                          case TA_CHALLENGE_C
+                                          solve( !KU( ~r1.1 ) @ #vk.47 )
+                                            case TA_CHALLENGE_C
+                                            solve( !KU( 'g'^~skTe ) @ #vk.27 )
+                                              case TA_INIT_T
+                                              solve( !KU( 'g'^~skTe.1 ) @ #vk.47 )
+                                                case TA_INIT_T
+                                                SOLVED // trace found
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+/* All wellformedness checks were successful. */
+
+/*
+Generated from:
+Tamarin version 1.8.0
+Maude version 3.3.1
+Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
+Compiled at: 2024-01-16 15:38:46.116852601 UTC
+*/
+
+end
+
+==============================================================================
+summary of summaries:
+
+analyzed: tmp.spthy
+
+  processing time: 54.21s
+  
+  session_exist (exists-trace): verified (22 steps)
+  two_session_exist (exists-trace): verified (32 steps)
+  weak_agreement_C (all-traces): verified (8 steps)
+  weak_agreement_T (all-traces): falsified - found trace (15 steps)
+  agreement_C (all-traces): verified (8 steps)
+  agreement_T (all-traces): falsified - found trace (14 steps)
+  aliveness (all-traces): verified (155 steps)
+  session_uniqueness (all-traces): verified (336 steps)
+  consistency (all-traces): verified (8 steps)
+  key_secrecy (all-traces): verified (54 steps)
+  chip_hiding (all-traces): verified (4 steps)
+  nonRepudiation_terminal (exists-trace): verified (12 steps)
+  nonRepudiation_chip (exists-trace): falsified - no trace found (15 steps)
+  pfs (all-traces): falsified - found trace (26 steps)
+
+==============================================================================
diff --git a/results/45991168.err.PFS_ALL_SigPQEAC_TAMARIN b/results/45991168.err.PFS_ALL_SigPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..c4ac5bf2be983f5509bcf3935da4c0cdb3ce37fd
--- /dev/null
+++ b/results/45991168.err.PFS_ALL_SigPQEAC_TAMARIN
@@ -0,0 +1,38 @@
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Open Chains] Too many chain goals, stopping precomputation. Open Chains limits (can be changed with -c=): 10
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 3/5
+[Open Chains] Too many chain goals, stopping precomputation. Open Chains limits (can be changed with -c=): 10
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 3/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+WARNING: you should run this program as super-user.
+WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
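Review bot: The log records two `[Open Chains] Too many chain goals, stopping precomputation` stops at the limit of 10, but not the command line that produced the run or which theory each stop belongs to. That matters when reading the matching `.out` summary. As far as I know a stopped precomputation does not make a `verified` result unsound, but it can leave partial deconstructions that change step counts and termination, so the run is hard to reproduce without the exact options. I would have the job script echo the full `tamarin-prover` invocation (including any `-c=` value) to stderr before the run starts. The closing `WARNING: ... super-user` lines do not look like Tamarin output; presumably they come from a hardware-inventory command in the job script, and they would be better redirected to a separate file so the prover log stays clean.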
diff --git a/results/45991168.out.PFS_ALL_SigPQEAC_TAMARIN b/results/45991168.out.PFS_ALL_SigPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..244e4338ed9065bbf0246017bfde15a3f0f9871d
--- /dev/null
+++ b/results/45991168.out.PFS_ALL_SigPQEAC_TAMARIN
@@ -0,0 +1,5614 @@
+maude tool: 'maude'
+ checking version: 3.3.1. OK.
+ checking installation: OK.
+theory SigPQEAC begin
+
+// Function signature and definition of the equational theory E
+
+functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
+           cert_sig/1, decaps/2, encaps/2, fst/1, kdf/2, pair/2, pk/1, sign/2,
+           snd/1, true/0, verify/3
+equations:
+    cert_id(cert(pk, s, id)) = id,
+    cert_pk(cert(pk, s, id)) = pk,
+    cert_sig(cert(pk, s, id)) = s,
+    decaps(encaps(k, pk(sk)), sk) = k,
+    fst(<x.1, x.2>) = x.1,
+    snd(<x.1, x.2>) = x.2,
+    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
+
+
+
+
+
+
+
+macros:
+    verify_cert( cert,
+                 role ) = verify(cert_sig(cert),pair(cert_pk(cert),pair(cert_id(cert),role)),pk(ca_sk))
+
+rule (modulo E) Publish_ca_pk:
+   [ ] --> [ Out( pk(ca_sk) ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_chip_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [ !Pk( $A, pk(~ltk), 'chip' ), !Ltk( $A, ~ltk, 'chip' ), Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_terminal_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [
+   !Pk( $A, pk(~ltk), 'terminal' ), !Ltk( $A, ~ltk, 'terminal' ),
+   Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_Sign_ltk:
+   [ !Pk( A, pk, role ) ]
+  --[ RegisteredRole( A, role ) ]->
+   [
+   !Cert( A, cert(pk, sign(<pk, A, role>, ca_sk), A), role ),
+   Out( cert(pk, sign(<pk, A, role>, ca_sk), A) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Corrupt_ltk:
+   [ !Ltk( $A, ltk, role ) ] --[ Corrupted( $A ) ]-> [ Out( <ltk, role> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Reveal_session:
+   [ !SessionReveal( sid, k ) ] --[ Revealed( sid ) ]-> [ Out( k ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_INIT_T:
+   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+  --[ Started( ) ]->
+   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_CHALLENGE_C:
+   [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
+  --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
+   [
+   Out( <~id_c, ~r1, '2', 'c'> ),
+   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 )
+   ]
+
+  /*
+  rule (modulo AC) TA_CHALLENGE_C:
+     [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
+    --[ Eq( z, true ), Started( ) ]->
+     [
+     Out( <~id_c, ~r1, '2', 'c'> ),
+     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 )
+     ]
+    variants (modulo AC)
+    1. certT = certT.12
+       z     = verify(cert_sig(certT.12),
+                      <cert_pk(certT.12), cert_id(certT.12), 'terminal'>, pk(ca_sk))
+    
+    2. certT = cert(x.13, sign(<x.13, x.14, 'terminal'>, ca_sk), x.14)
+       z     = true
+    
+    3. certT = cert(x.14, x.15, x.16)
+       z     = verify(x.15, <x.14, x.16, 'terminal'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_RESPONSE_T:
+   [
+   In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid> ),
+   !Ltk( $T, ~skT, 'terminal' )
+   ]
+  -->
+   [
+   Out( <sign(<'TA', id_c, r1>, ~skT), '3', 't'> ),
+   TAResponseT( <$T, iid>, id_c )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_COMPLETE_C:
+   [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ]
+  --[
+  Eq( verify(s, <'TA', id_c, r1>, cert_pk(certT)), true ),
+  CompletedTA( $C, iid, cert_id(certT) )
+  ]->
+   [ TACompleteC( <$C, iid>, certT, id_c, r1 ) ]
+
+  /*
+  rule (modulo AC) TA_COMPLETE_C:
+     [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ]
+    --[ Eq( z, true ), CompletedTA( $C, iid, z.1 ) ]->
+     [ TACompleteC( <$C, iid>, certT, id_c, r1 ) ]
+    variants (modulo AC)
+    1. certT = certT.16
+       id_c  = id_c.17
+       r1    = r1.19
+       s     = s.20
+       z     = verify(s.20, <'TA', id_c.17, r1.19>, cert_pk(certT.16))
+       z.1   = cert_id(certT.16)
+    
+    2. certT = cert(x.37, x.38, z.28)
+       id_c  = id_c.21
+       r1    = r1.23
+       s     = s.24
+       z     = verify(s.24, <'TA', id_c.21, r1.23>, x.37)
+       z.1   = z.28
+    
+    3. certT = cert(pk(x.37), x.38, z.28)
+       id_c  = id_c.21
+       r1    = r1.23
+       s     = sign(<'TA', id_c.21, r1.23>, x.37)
+       z     = true
+       z.1   = z.28
+  */
+
+rule (modulo E) CA_INIT_C:
+   [
+   Fr( ~r2 ), Fr( ~skCe ), TACompleteC( <$C, iid>, certT, id_c, r1 ),
+   !Cert( $C, certC, 'chip' )
+   ]
+  -->
+   [
+   Out( <certC, ~r2, pk(~skCe), '4', 'c'> ), Out( iid ),
+   CAInitC( <$C, iid>, certT, id_c, r1, ~r2, ~skCe )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_INIT_T:
+   [
+   In( <certC, r2, pkCe, '4', 'c'> ), Fr( ~k ), Fr( ~ke ),
+   TAResponseT( <$T, iid>, id_c ), !Ltk( $T, ~skT, 'terminal' ),
+   !Cert( $T, certT, 'terminal' )
+   ]
+  --[ Eq( verify_cert(certC, 'chip'), true ) ]->
+   [
+   Out( <encaps(~k, cert_pk(certC)), 
+         sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC)), pkCe, 
+               encaps(~ke, pkCe)>,
+              ~skT), 
+         encaps(~ke, pkCe), '5', 't'>
+   ),
+   CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))>,
+            <~ke, encaps(~ke, pkCe)>, pkCe
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_INIT_T:
+     [
+     In( <certC, r2, pkCe, '4', 'c'> ), Fr( ~k ), Fr( ~ke ),
+     TAResponseT( <$T, iid>, id_c ), !Ltk( $T, ~skT, 'terminal' ),
+     !Cert( $T, certT, 'terminal' )
+     ]
+    --[ Eq( z.1, true ) ]->
+     [
+     Out( <encaps(~k, z), 
+           sign(<'CA', certT, certC, r2, encaps(~k, z), pkCe, encaps(~ke, pkCe)>,
+                ~skT), 
+           encaps(~ke, pkCe), '5', 't'>
+     ),
+     CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)>,
+              <~ke, encaps(~ke, pkCe)>, pkCe
+     )
+     ]
+    variants (modulo AC)
+    1. certC = certC.20
+       z     = cert_pk(certC.20)
+       z.1   = verify(cert_sig(certC.20),
+                      <cert_pk(certC.20), cert_id(certC.20), 'chip'>, pk(ca_sk))
+    
+    2. certC = cert(z.46, sign(<z.46, x.77, 'chip'>, ca_sk), x.77)
+       z     = z.46
+       z.1   = true
+    
+    3. certC = cert(z.47, x.78, x.79)
+       z     = z.47
+       z.1   = verify(x.78, <z.47, x.79, 'chip'>, pk(ca_sk))
+  */
+
+rule (modulo E) CA_FINISH_C:
+   [
+   In( <cip, s, cipe, '5', 't'> ),
+   CAInitC( <$C, iid>, certT, id_c, r1, r2, skCe ),
+   !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+   ]
+  --[
+  Eq( verify(s, <'CA', certT, certC, r2, cip, pk(skCe), cipe>,
+             cert_pk(certT)),
+      true
+  ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
+                 <decaps(cip, ~skC), decaps(cipe, skCe)>),
+             <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', cert_id(certT)
+  )
+  ]->
+   [
+   Out( <
+         kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>,
+             <decaps(cip, ~skC), decaps(cipe, skCe)>), 
+         '6', 'c'>
+   ),
+   CAFinishC( $C, cert_id(certT),
+              kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
+                  <decaps(cip, ~skC), decaps(cipe, skCe)>)
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_C:
+     [
+     In( <cip, s, cipe, '5', 't'> ),
+     CAInitC( <$C, iid>, certT, id_c, r1, r2, skCe ),
+     !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+     ]
+    --[
+    Eq( z.3, true ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>),
+               <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.2
+    )
+    ]->
+     [
+     Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), 
+           '6', 'c'>
+     ),
+     CAFinishC( $C, z.2,
+                kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>)
+     )
+     ]
+    variants (modulo AC)
+     1. ~skC  = ~skC.35
+        certC = certC.36
+        certT = certT.37
+        cip   = cip.38
+        cipe  = cipe.39
+        r2    = r2.43
+        s     = s.44
+        skCe  = skCe.45
+        z     = decaps(cip.38, ~skC.35)
+        z.1   = decaps(cipe.39, skCe.45)
+        z.2   = cert_id(certT.37)
+        z.3   = verify(s.44,
+                       <'CA', certT.37, certC.36, r2.43, cip.38, pk(skCe.45), cipe.39>,
+                       cert_pk(certT.37))
+    
+     2. ~skC  = ~skC.40
+        certC = certC.41
+        certT = certT.42
+        cip   = encaps(z.55, pk(~skC.40))
+        cipe  = cipe.44
+        r2    = r2.48
+        s     = s.49
+        skCe  = skCe.50
+        z     = z.55
+        z.1   = decaps(cipe.44, skCe.50)
+        z.2   = cert_id(certT.42)
+        z.3   = verify(s.49,
+                       <'CA', certT.42, certC.41, r2.48, encaps(z.55, pk(~skC.40)), 
+                        pk(skCe.50), cipe.44>,
+                       cert_pk(certT.42))
+    
+     3. ~skC  = ~skC.41
+        certC = certC.42
+        certT = certT.43
+        cip   = cip.44
+        cipe  = encaps(z.57, pk(skCe.51))
+        r2    = r2.49
+        s     = s.50
+        skCe  = skCe.51
+        z     = decaps(cip.44, ~skC.41)
+        z.1   = z.57
+        z.2   = cert_id(certT.43)
+        z.3   = verify(s.50,
+                       <'CA', certT.43, certC.42, r2.49, cip.44, pk(skCe.51), 
+                        encaps(z.57, pk(skCe.51))>,
+                       cert_pk(certT.43))
+    
+     4. ~skC  = ~skC.41
+        certC = certC.42
+        certT = certT.43
+        cip   = encaps(z.56, pk(~skC.41))
+        cipe  = encaps(z.57, pk(skCe.51))
+        r2    = r2.49
+        s     = s.50
+        skCe  = skCe.51
+        z     = z.56
+        z.1   = z.57
+        z.2   = cert_id(certT.43)
+        z.3   = verify(s.50,
+                       <'CA', certT.43, certC.42, r2.49, encaps(z.56, pk(~skC.41)), 
+                        pk(skCe.51), encaps(z.57, pk(skCe.51))>,
+                       cert_pk(certT.43))
+    
+     5. ~skC  = ~skC.158
+        certC = certC.159
+        certT = cert(x.312, x.313, z.177)
+        cip   = cip.161
+        cipe  = cipe.162
+        r2    = r2.166
+        s     = s.167
+        skCe  = skCe.168
+        z     = decaps(cip.161, ~skC.158)
+        z.1   = decaps(cipe.162, skCe.168)
+        z.2   = z.177
+        z.3   = verify(s.167,
+                       <'CA', cert(x.312, x.313, z.177), certC.159, r2.166, cip.161, 
+                        pk(skCe.168), cipe.162>,
+                       x.312)
+    
+     6. ~skC  = ~skC.158
+        certC = certC.159
+        certT = cert(x.312, x.313, z.177)
+        cip   = cip.161
+        cipe  = encaps(z.174, pk(skCe.168))
+        r2    = r2.166
+        s     = s.167
+        skCe  = skCe.168
+        z     = decaps(cip.161, ~skC.158)
+        z.1   = z.174
+        z.2   = z.177
+        z.3   = verify(s.167,
+                       <'CA', cert(x.312, x.313, z.177), certC.159, r2.166, cip.161, 
+                        pk(skCe.168), encaps(z.174, pk(skCe.168))>,
+                       x.312)
+    
+     7. ~skC  = ~skC.159
+        certC = certC.160
+        certT = cert(pk(x.314), x.315, z.178)
+        cip   = cip.162
+        cipe  = cipe.163
+        r2    = r2.167
+        s     = sign(<'CA', cert(pk(x.314), x.315, z.178), certC.160, r2.167, 
+                      cip.162, pk(skCe.169), cipe.163>,
+                     x.314)
+        skCe  = skCe.169
+        z     = decaps(cip.162, ~skC.159)
+        z.1   = decaps(cipe.163, skCe.169)
+        z.2   = z.178
+        z.3   = true
+    
+     8. ~skC  = ~skC.159
+        certC = certC.160
+        certT = cert(pk(x.314), x.315, z.178)
+        cip   = cip.162
+        cipe  = encaps(z.175, pk(skCe.169))
+        r2    = r2.167
+        s     = sign(<'CA', cert(pk(x.314), x.315, z.178), certC.160, r2.167, 
+                      cip.162, pk(skCe.169), encaps(z.175, pk(skCe.169))>,
+                     x.314)
+        skCe  = skCe.169
+        z     = decaps(cip.162, ~skC.159)
+        z.1   = z.175
+        z.2   = z.178
+        z.3   = true
+    
+     9. ~skC  = ~skC.160
+        certC = certC.161
+        certT = cert(x.316, x.317, z.179)
+        cip   = encaps(z.175, pk(~skC.160))
+        cipe  = cipe.164
+        r2    = r2.168
+        s     = s.169
+        skCe  = skCe.170
+        z     = z.175
+        z.1   = decaps(cipe.164, skCe.170)
+        z.2   = z.179
+        z.3   = verify(s.169,
+                       <'CA', cert(x.316, x.317, z.179), certC.161, r2.168, 
+                        encaps(z.175, pk(~skC.160)), pk(skCe.170), cipe.164>,
+                       x.316)
+    
+    10. ~skC  = ~skC.160
+        certC = certC.161
+        certT = cert(x.316, x.317, z.179)
+        cip   = encaps(z.175, pk(~skC.160))
+        cipe  = encaps(z.176, pk(skCe.170))
+        r2    = r2.168
+        s     = s.169
+        skCe  = skCe.170
+        z     = z.175
+        z.1   = z.176
+        z.2   = z.179
+        z.3   = verify(s.169,
+                       <'CA', cert(x.316, x.317, z.179), certC.161, r2.168, 
+                        encaps(z.175, pk(~skC.160)), pk(skCe.170), encaps(z.176, pk(skCe.170))>,
+                       x.316)
+    
+    11. ~skC  = ~skC.160
+        certC = certC.161
+        certT = cert(pk(x.316), x.317, z.179)
+        cip   = encaps(z.175, pk(~skC.160))
+        cipe  = cipe.164
+        r2    = r2.168
+        s     = sign(<'CA', cert(pk(x.316), x.317, z.179), certC.161, r2.168, 
+                      encaps(z.175, pk(~skC.160)), pk(skCe.170), cipe.164>,
+                     x.316)
+        skCe  = skCe.170
+        z     = z.175
+        z.1   = decaps(cipe.164, skCe.170)
+        z.2   = z.179
+        z.3   = true
+    
+    12. ~skC  = ~skC.160
+        certC = certC.161
+        certT = cert(pk(x.316), x.317, z.179)
+        cip   = encaps(z.175, pk(~skC.160))
+        cipe  = encaps(z.176, pk(skCe.170))
+        r2    = r2.168
+        s     = sign(<'CA', cert(pk(x.316), x.317, z.179), certC.161, r2.168, 
+                      encaps(z.175, pk(~skC.160)), pk(skCe.170), encaps(z.176, pk(skCe.170))>,
+                     x.316)
+        skCe  = skCe.170
+        z     = z.175
+        z.1   = z.176
+        z.2   = z.179
+        z.3   = true
+  */
+
+rule (modulo E) CA_FINISH_T:
+   [
+   In( <kCNF_C, '6', 'c'> ),
+   CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+   !Cert( $T, certT, 'terminal' )
+   ]
+  --[
+  Eq( kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>), kCNF_C ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>),
+             <certT, certC, r2, cip, pkCe, cipe>, $T, 'terminal', cert_id(certC)
+  ),
+  Finished( <certT, certC, r2, cip, pkCe, cipe> )
+  ]->
+   [
+   CAFinishT( cert_id(certC), $T,
+              kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+   ),
+   !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
+                   kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_T:
+     [
+     In( <kCNF_C, '6', 'c'> ),
+     CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+     !Cert( $T, certT, 'terminal' )
+     ]
+    --[
+    Eq( kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>), kCNF_C ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>),
+               <certT, certC, r2, cip, pkCe, cipe>, $T, 'terminal', z
+    ),
+    Finished( <certT, certC, r2, cip, pkCe, cipe> )
+    ]->
+     [
+     CAFinishT( z, $T,
+                kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+     ),
+     !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
+                     kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+     )
+     ]
+    variants (modulo AC)
+    1. certC = certC.18
+       z     = cert_id(certC.18)
+    
+    2. certC = cert(x.44, x.45, z.31)
+       z     = z.31
+  */
+
+rule (modulo E) Verify_Transcript_C:
+   [
+   In( <certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF> ),
+   In( skCe ), !Ltk( C, skC, 'chip' )
+   ]
+  --[
+  Eq( C, cert_id(certC) ), Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( verify_cert(certC, 'chip'), true ),
+  Eq( verify(sT, <'TA', IDc, r1>, cert_pk(certT)), true ),
+  Eq( verify(sC, <'CA', certT, certC, r2, cip, pkCe, cipe>,
+             cert_pk(certT)),
+      true
+  ),
+  Eq( kCNF,
+      kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>,
+          <decaps(cip, skC), decaps(cipe, skCe)>)
+  ),
+  ValidTrans( C, 'chip', cert_id(certT) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_C:
+     [
+     In( <certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF> ),
+     In( skCe ), !Ltk( C, skC, 'chip' )
+     ]
+    --[
+    Eq( C, z ), Eq( z.1, true ), Eq( z.2, true ), Eq( z.3, true ),
+    Eq( z.4, true ),
+    Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <z.5, z.6>) ),
+    ValidTrans( C, 'chip', z.7 )
+    ]->
+     [ ]
+    variants (modulo AC)
+      1. IDc   = IDc.38
+         certC = certC.39
+         certT = certT.40
+         cip   = cip.41
+         cipe  = cipe.42
+         pkCe  = pkCe.44
+         r1    = r1.45
+         r2    = r2.46
+         sC    = sC.47
+         sT    = sT.48
+         skC   = skC.49
+         skCe  = skCe.50
+         z     = cert_id(certC.39)
+         z.1   = verify(cert_sig(certT.40),
+                        <cert_pk(certT.40), cert_id(certT.40), 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.39),
+                        <cert_pk(certC.39), cert_id(certC.39), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.48, <'TA', IDc.38, r1.45>, cert_pk(certT.40))
+         z.4   = verify(sC.47,
+                        <'CA', certT.40, certC.39, r2.46, cip.41, pkCe.44, cipe.42>,
+                        cert_pk(certT.40))
+         z.5   = decaps(cip.41, skC.49)
+         z.6   = decaps(cipe.42, skCe.50)
+         z.7   = cert_id(certT.40)
+    
+      2. IDc   = IDc.46
+         certC = certC.47
+         certT = certT.48
+         cip   = encaps(z.66, pk(skC.57))
+         cipe  = cipe.50
+         pkCe  = pkCe.52
+         r1    = r1.53
+         r2    = r2.54
+         sC    = sC.55
+         sT    = sT.56
+         skC   = skC.57
+         skCe  = skCe.58
+         z     = cert_id(certC.47)
+         z.1   = verify(cert_sig(certT.48),
+                        <cert_pk(certT.48), cert_id(certT.48), 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.47),
+                        <cert_pk(certC.47), cert_id(certC.47), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.56, <'TA', IDc.46, r1.53>, cert_pk(certT.48))
+         z.4   = verify(sC.55,
+                        <'CA', certT.48, certC.47, r2.54, encaps(z.66, pk(skC.57)), pkCe.52, 
+                         cipe.50>,
+                        cert_pk(certT.48))
+         z.5   = z.66
+         z.6   = decaps(cipe.50, skCe.58)
+         z.7   = cert_id(certT.48)
+    
+      3. IDc   = IDc.47
+         certC = certC.48
+         certT = certT.49
+         cip   = cip.50
+         cipe  = encaps(z.68, pk(skCe.59))
+         pkCe  = pkCe.53
+         r1    = r1.54
+         r2    = r2.55
+         sC    = sC.56
+         sT    = sT.57
+         skC   = skC.58
+         skCe  = skCe.59
+         z     = cert_id(certC.48)
+         z.1   = verify(cert_sig(certT.49),
+                        <cert_pk(certT.49), cert_id(certT.49), 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.48),
+                        <cert_pk(certC.48), cert_id(certC.48), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.57, <'TA', IDc.47, r1.54>, cert_pk(certT.49))
+         z.4   = verify(sC.56,
+                        <'CA', certT.49, certC.48, r2.55, cip.50, pkCe.53, 
+                         encaps(z.68, pk(skCe.59))>,
+                        cert_pk(certT.49))
+         z.5   = decaps(cip.50, skC.58)
+         z.6   = z.68
+         z.7   = cert_id(certT.49)
+    
+      4. IDc   = IDc.47
+         certC = certC.48
+         certT = certT.49
+         cip   = encaps(z.67, pk(skC.58))
+         cipe  = encaps(z.68, pk(skCe.59))
+         pkCe  = pkCe.53
+         r1    = r1.54
+         r2    = r2.55
+         sC    = sC.56
+         sT    = sT.57
+         skC   = skC.58
+         skCe  = skCe.59
+         z     = cert_id(certC.48)
+         z.1   = verify(cert_sig(certT.49),
+                        <cert_pk(certT.49), cert_id(certT.49), 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.48),
+                        <cert_pk(certC.48), cert_id(certC.48), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.57, <'TA', IDc.47, r1.54>, cert_pk(certT.49))
+         z.4   = verify(sC.56,
+                        <'CA', certT.49, certC.48, r2.55, encaps(z.67, pk(skC.58)), pkCe.53, 
+                         encaps(z.68, pk(skCe.59))>,
+                        cert_pk(certT.49))
+         z.5   = z.67
+         z.6   = z.68
+         z.7   = cert_id(certT.49)
+    
+      5. IDc   = IDc.49
+         certC = certC.50
+         certT = cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71)
+         cip   = cip.52
+         cipe  = cipe.53
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = cert_id(certC.50)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.50),
+                        <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, x.95)
+         z.4   = verify(sC.58,
+                        <'CA', cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71), 
+                         certC.50, r2.57, cip.52, pkCe.55, cipe.53>,
+                        x.95)
+         z.5   = decaps(cip.52, skC.60)
+         z.6   = decaps(cipe.53, skCe.61)
+         z.7   = z.71
+    
+      6. IDc   = IDc.49
+         certC = certC.50
+         certT = cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71)
+         cip   = cip.52
+         cipe  = encaps(z.70, pk(skCe.61))
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = cert_id(certC.50)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.50),
+                        <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, x.95)
+         z.4   = verify(sC.58,
+                        <'CA', cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71), 
+                         certC.50, r2.57, cip.52, pkCe.55, encaps(z.70, pk(skCe.61))>,
+                        x.95)
+         z.5   = decaps(cip.52, skC.60)
+         z.6   = z.70
+         z.7   = z.71
+    
+      7. IDc   = IDc.49
+         certC = certC.50
+         certT = cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71)
+         cip   = encaps(z.69, pk(skC.60))
+         cipe  = cipe.53
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = cert_id(certC.50)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.50),
+                        <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, x.95)
+         z.4   = verify(sC.58,
+                        <'CA', cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71), 
+                         certC.50, r2.57, encaps(z.69, pk(skC.60)), pkCe.55, cipe.53>,
+                        x.95)
+         z.5   = z.69
+         z.6   = decaps(cipe.53, skCe.61)
+         z.7   = z.71
+    
+      8. IDc   = IDc.49
+         certC = certC.50
+         certT = cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71)
+         cip   = encaps(z.69, pk(skC.60))
+         cipe  = encaps(z.70, pk(skCe.61))
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = cert_id(certC.50)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.50),
+                        <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, x.95)
+         z.4   = verify(sC.58,
+                        <'CA', cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71), 
+                         certC.50, r2.57, encaps(z.69, pk(skC.60)), pkCe.55, 
+                         encaps(z.70, pk(skCe.61))>,
+                        x.95)
+         z.5   = z.69
+         z.6   = z.70
+         z.7   = z.71
+    
+      9. IDc   = IDc.49
+         certC = cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63)
+         certT = certT.51
+         cip   = cip.52
+         cipe  = cipe.53
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = z.63
+         z.1   = verify(cert_sig(certT.51),
+                        <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, cert_pk(certT.51))
+         z.4   = verify(sC.58,
+                        <'CA', certT.51, cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63), 
+                         r2.57, cip.52, pkCe.55, cipe.53>,
+                        cert_pk(certT.51))
+         z.5   = decaps(cip.52, skC.60)
+         z.6   = decaps(cipe.53, skCe.61)
+         z.7   = cert_id(certT.51)
+    
+     10. IDc   = IDc.49
+         certC = cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63)
+         certT = certT.51
+         cip   = cip.52
+         cipe  = encaps(z.70, pk(skCe.61))
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = z.63
+         z.1   = verify(cert_sig(certT.51),
+                        <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, cert_pk(certT.51))
+         z.4   = verify(sC.58,
+                        <'CA', certT.51, cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63), 
+                         r2.57, cip.52, pkCe.55, encaps(z.70, pk(skCe.61))>,
+                        cert_pk(certT.51))
+         z.5   = decaps(cip.52, skC.60)
+         z.6   = z.70
+         z.7   = cert_id(certT.51)
+    
+     11. IDc   = IDc.49
+         certC = cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63)
+         certT = certT.51
+         cip   = encaps(z.69, pk(skC.60))
+         cipe  = cipe.53
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = z.63
+         z.1   = verify(cert_sig(certT.51),
+                        <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, cert_pk(certT.51))
+         z.4   = verify(sC.58,
+                        <'CA', certT.51, cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63), 
+                         r2.57, encaps(z.69, pk(skC.60)), pkCe.55, cipe.53>,
+                        cert_pk(certT.51))
+         z.5   = z.69
+         z.6   = decaps(cipe.53, skCe.61)
+         z.7   = cert_id(certT.51)
+    
+     12. IDc   = IDc.49
+         certC = cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63)
+         certT = certT.51
+         cip   = encaps(z.69, pk(skC.60))
+         cipe  = encaps(z.70, pk(skCe.61))
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = z.63
+         z.1   = verify(cert_sig(certT.51),
+                        <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, cert_pk(certT.51))
+         z.4   = verify(sC.58,
+                        <'CA', certT.51, cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63), 
+                         r2.57, encaps(z.69, pk(skC.60)), pkCe.55, encaps(z.70, pk(skCe.61))>,
+                        cert_pk(certT.51))
+         z.5   = z.69
+         z.6   = z.70
+         z.7   = cert_id(certT.51)
+    
+     13. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(x.96, x.97, z.72)
+         cip   = cip.53
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = verify(x.97, <x.96, z.72, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, x.96)
+         z.4   = verify(sC.59,
+                        <'CA', cert(x.96, x.97, z.72), certC.51, r2.58, cip.53, pkCe.56, cipe.54
+                        >,
+                        x.96)
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = z.72
+    
+     14. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(x.96, x.97, z.72)
+         cip   = cip.53
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = verify(x.97, <x.96, z.72, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, x.96)
+         z.4   = verify(sC.59,
+                        <'CA', cert(x.96, x.97, z.72), certC.51, r2.58, cip.53, pkCe.56, 
+                         encaps(z.71, pk(skCe.62))>,
+                        x.96)
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = z.71
+         z.7   = z.72
+    
+     15. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(x.96, x.97, z.72)
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = verify(x.97, <x.96, z.72, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, x.96)
+         z.4   = verify(sC.59,
+                        <'CA', cert(x.96, x.97, z.72), certC.51, r2.58, 
+                         encaps(z.70, pk(skC.61)), pkCe.56, cipe.54>,
+                        x.96)
+         z.5   = z.70
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = z.72
+    
+     16. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(x.96, x.97, z.72)
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = verify(x.97, <x.96, z.72, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, x.96)
+         z.4   = verify(sC.59,
+                        <'CA', cert(x.96, x.97, z.72), certC.51, r2.58, 
+                         encaps(z.70, pk(skC.61)), pkCe.56, encaps(z.71, pk(skCe.62))>,
+                        x.96)
+         z.5   = z.70
+         z.6   = z.71
+         z.7   = z.72
+    
+     17. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72)
+         cip   = cip.53
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sign(<'CA', 
+                       cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72), 
+                       certC.51, r2.58, cip.53, pkCe.56, cipe.54>,
+                      x.97)
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, pk(x.97))
+         z.4   = true
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = z.72
+    
+     18. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72)
+         cip   = cip.53
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sign(<'CA', 
+                       cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72), 
+                       certC.51, r2.58, cip.53, pkCe.56, encaps(z.71, pk(skCe.62))>,
+                      x.97)
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, pk(x.97))
+         z.4   = true
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = z.71
+         z.7   = z.72
+    
+     19. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72)
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sign(<'CA', 
+                       cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72), 
+                       certC.51, r2.58, encaps(z.70, pk(skC.61)), pkCe.56, cipe.54>,
+                      x.97)
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, pk(x.97))
+         z.4   = true
+         z.5   = z.70
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = z.72
+    
+     20. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72)
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sign(<'CA', 
+                       cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72), 
+                       certC.51, r2.58, encaps(z.70, pk(skC.61)), pkCe.56, 
+                       encaps(z.71, pk(skCe.62))>,
+                      x.97)
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, pk(x.97))
+         z.4   = true
+         z.5   = z.70
+         z.6   = z.71
+         z.7   = z.72
+    
+     21. IDc   = IDc.50
+         certC = cert(x.96, x.97, z.64)
+         certT = certT.52
+         cip   = cip.53
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = z.64
+         z.1   = verify(cert_sig(certT.52),
+                        <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.97, <x.96, z.64, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, cert_pk(certT.52))
+         z.4   = verify(sC.59,
+                        <'CA', certT.52, cert(x.96, x.97, z.64), r2.58, cip.53, pkCe.56, cipe.54
+                        >,
+                        cert_pk(certT.52))
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = cert_id(certT.52)
+    
+     22. IDc   = IDc.50
+         certC = cert(x.96, x.97, z.64)
+         certT = certT.52
+         cip   = cip.53
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = z.64
+         z.1   = verify(cert_sig(certT.52),
+                        <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.97, <x.96, z.64, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, cert_pk(certT.52))
+         z.4   = verify(sC.59,
+                        <'CA', certT.52, cert(x.96, x.97, z.64), r2.58, cip.53, pkCe.56, 
+                         encaps(z.71, pk(skCe.62))>,
+                        cert_pk(certT.52))
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = z.71
+         z.7   = cert_id(certT.52)
+    
+     23. IDc   = IDc.50
+         certC = cert(x.96, x.97, z.64)
+         certT = certT.52
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = z.64
+         z.1   = verify(cert_sig(certT.52),
+                        <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.97, <x.96, z.64, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, cert_pk(certT.52))
+         z.4   = verify(sC.59,
+                        <'CA', certT.52, cert(x.96, x.97, z.64), r2.58, 
+                         encaps(z.70, pk(skC.61)), pkCe.56, cipe.54>,
+                        cert_pk(certT.52))
+         z.5   = z.70
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = cert_id(certT.52)
+    
+     24. IDc   = IDc.50
+         certC = cert(x.96, x.97, z.64)
+         certT = certT.52
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = z.64
+         z.1   = verify(cert_sig(certT.52),
+                        <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.97, <x.96, z.64, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, cert_pk(certT.52))
+         z.4   = verify(sC.59,
+                        <'CA', certT.52, cert(x.96, x.97, z.64), r2.58, 
+                         encaps(z.70, pk(skC.61)), pkCe.56, encaps(z.71, pk(skCe.62))>,
+                        cert_pk(certT.52))
+         z.5   = z.70
+         z.6   = z.71
+         z.7   = cert_id(certT.52)
+    
+     25. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.98), x.99, z.73)
+         cip   = cip.54
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', cert(pk(x.98), x.99, z.73), certC.52, r2.59, cip.54, 
+                       pkCe.57, cipe.55>,
+                      x.98)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = verify(x.99, <pk(x.98), z.73, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.98))
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     26. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.98), x.99, z.73)
+         cip   = cip.54
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', cert(pk(x.98), x.99, z.73), certC.52, r2.59, cip.54, 
+                       pkCe.57, encaps(z.72, pk(skCe.63))>,
+                      x.98)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = verify(x.99, <pk(x.98), z.73, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.98))
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = z.72
+         z.7   = z.73
+    
+     27. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.98), x.99, z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', cert(pk(x.98), x.99, z.73), certC.52, r2.59, 
+                       encaps(z.71, pk(skC.62)), pkCe.57, cipe.55>,
+                      x.98)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = verify(x.99, <pk(x.98), z.73, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.98))
+         z.4   = true
+         z.5   = z.71
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     28. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.98), x.99, z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', cert(pk(x.98), x.99, z.73), certC.52, r2.59, 
+                       encaps(z.71, pk(skC.62)), pkCe.57, encaps(z.72, pk(skCe.63))>,
+                      x.98)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = verify(x.99, <pk(x.98), z.73, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.98))
+         z.4   = true
+         z.5   = z.71
+         z.6   = z.72
+         z.7   = z.73
+    
+     29. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.60,
+                        <'CA', cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                         certC.52, r2.59, cip.54, pkCe.57, cipe.55>,
+                        pk(x.99))
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     30. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       certC.52, r2.59, cip.54, pkCe.57, cipe.55>,
+                      x.99)
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     31. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.60,
+                        <'CA', cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                         certC.52, r2.59, cip.54, pkCe.57, encaps(z.72, pk(skCe.63))>,
+                        pk(x.99))
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = z.72
+         z.7   = z.73
+    
+     32. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       certC.52, r2.59, cip.54, pkCe.57, encaps(z.72, pk(skCe.63))>,
+                      x.99)
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = z.72
+         z.7   = z.73
+    
+     33. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.60,
+                        <'CA', cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                         certC.52, r2.59, encaps(z.71, pk(skC.62)), pkCe.57, cipe.55>,
+                        pk(x.99))
+         z.5   = z.71
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     34. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       certC.52, r2.59, encaps(z.71, pk(skC.62)), pkCe.57, cipe.55>,
+                      x.99)
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.71
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     35. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.60,
+                        <'CA', cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                         certC.52, r2.59, encaps(z.71, pk(skC.62)), pkCe.57, 
+                         encaps(z.72, pk(skCe.63))>,
+                        pk(x.99))
+         z.5   = z.71
+         z.6   = z.72
+         z.7   = z.73
+    
+     36. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       certC.52, r2.59, encaps(z.71, pk(skC.62)), pkCe.57, 
+                       encaps(z.72, pk(skCe.63))>,
+                      x.99)
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.71
+         z.6   = z.72
+         z.7   = z.73
+    
+     37. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, x.99)
+         z.4   = verify(sC.60,
+                        <'CA', cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73), 
+                         cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, cip.54, 
+                         pkCe.57, cipe.55>,
+                        x.99)
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     38. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, x.99)
+         z.4   = verify(sC.60,
+                        <'CA', cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73), 
+                         cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, cip.54, 
+                         pkCe.57, encaps(z.72, pk(skCe.63))>,
+                        x.99)
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = z.72
+         z.7   = z.73
+    
+     39. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, x.99)
+         z.4   = verify(sC.60,
+                        <'CA', cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73), 
+                         cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, 
+                         encaps(z.71, pk(skC.62)), pkCe.57, cipe.55>,
+                        x.99)
+         z.5   = z.71
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     40. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, x.99)
+         z.4   = verify(sC.60,
+                        <'CA', cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73), 
+                         cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, 
+                         encaps(z.71, pk(skC.62)), pkCe.57, encaps(z.72, pk(skCe.63))>,
+                        x.99)
+         z.5   = z.71
+         z.6   = z.72
+         z.7   = z.73
+    
+     41. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, cip.54, 
+                       pkCe.57, cipe.55>,
+                      x.99)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.99))
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     42. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, cip.54, 
+                       pkCe.57, encaps(z.72, pk(skCe.63))>,
+                      x.99)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.99))
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = z.72
+         z.7   = z.73
+    
+     43. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, 
+                       encaps(z.71, pk(skC.62)), pkCe.57, cipe.55>,
+                      x.99)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.99))
+         z.4   = true
+         z.5   = z.71
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     44. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, 
+                       encaps(z.71, pk(skC.62)), pkCe.57, encaps(z.72, pk(skCe.63))>,
+                      x.99)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.99))
+         z.4   = true
+         z.5   = z.71
+         z.6   = z.72
+         z.7   = z.73
+    
+     45. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, cip.55, pkCe.58, 
+                         cipe.56>,
+                        pk(x.100))
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     46. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                       cip.55, pkCe.58, cipe.56>,
+                      x.100)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     47. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, cip.55, pkCe.58, 
+                         encaps(z.73, pk(skCe.64))>,
+                        pk(x.100))
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     48. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                       cip.55, pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.100)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     49. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                        pk(x.100))
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     50. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                      x.100)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     51. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                        pk(x.100))
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     52. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.100)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     53. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.101)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.98, x.99, z.66), r2.60, cip.55, pkCe.58, cipe.56>,
+                        x.101)
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     54. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.101)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.98, x.99, z.66), r2.60, cip.55, pkCe.58, encaps(z.73, pk(skCe.64))
+                        >,
+                        x.101)
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     55. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.101)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.98, x.99, z.66), r2.60, encaps(z.72, pk(skC.63)), pkCe.58, cipe.56
+                        >,
+                        x.101)
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     56. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.101)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.98, x.99, z.66), r2.60, encaps(z.72, pk(skC.63)), pkCe.58, 
+                         encaps(z.73, pk(skCe.64))>,
+                        x.101)
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     57. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.98, x.99, z.66), r2.60, cip.55, pkCe.58, cipe.56>,
+                      x.101)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.101))
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     58. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.98, x.99, z.66), r2.60, cip.55, pkCe.58, encaps(z.73, pk(skCe.64))
+                      >,
+                      x.101)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.101))
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     59. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.98, x.99, z.66), r2.60, encaps(z.72, pk(skC.63)), pkCe.58, cipe.56
+                      >,
+                      x.101)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.101))
+         z.4   = true
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     60. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.98, x.99, z.66), r2.60, encaps(z.72, pk(skC.63)), pkCe.58, 
+                       encaps(z.73, pk(skCe.64))>,
+                      x.101)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.101))
+         z.4   = true
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     61. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(x.100, x.101, z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <x.100, z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.100)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.100, x.101, z.74), 
+                         cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                         pkCe.58, cipe.56>,
+                        x.100)
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     62. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(x.100, x.101, z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <x.100, z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.100)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.100, x.101, z.74), 
+                         cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                         pkCe.58, encaps(z.73, pk(skCe.64))>,
+                        x.100)
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     63. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(x.100, x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <x.100, z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.100)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.100, x.101, z.74), 
+                         cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                        x.100)
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     64. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(x.100, x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <x.100, z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.100)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.100, x.101, z.74), 
+                         cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                        x.100)
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     65. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), 
+                       cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                       pkCe.58, cipe.56>,
+                      x.100)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.100))
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     66. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), 
+                       cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                       pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.100)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.100))
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     67. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), 
+                       cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                      x.100)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.100))
+         z.4   = true
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     68. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), 
+                       cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.100)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.100))
+         z.4   = true
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     69. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', 
+                         cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                         pkCe.58, cipe.56>,
+                        pk(x.101))
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     70. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                       pkCe.58, cipe.56>,
+                      x.101)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     71. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', 
+                         cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                         pkCe.58, encaps(z.73, pk(skCe.64))>,
+                        pk(x.101))
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     72. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                       pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.101)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     73. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', 
+                         cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                        pk(x.101))
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     74. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                      x.101)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     75. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', 
+                         cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                        pk(x.101))
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     76. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.101)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     77. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(x.102, x.103, z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <x.102, z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, x.102)
+         z.4   = verify(sC.62,
+                        <'CA', cert(x.102, x.103, z.75), cert(x.99, x.100, z.67), r2.61, cip.56, 
+                         pkCe.59, cipe.57>,
+                        x.102)
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     78. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(x.102, x.103, z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <x.102, z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, x.102)
+         z.4   = verify(sC.62,
+                        <'CA', cert(x.102, x.103, z.75), cert(x.99, x.100, z.67), r2.61, cip.56, 
+                         pkCe.59, encaps(z.74, pk(skCe.65))>,
+                        x.102)
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     79. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(x.102, x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <x.102, z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, x.102)
+         z.4   = verify(sC.62,
+                        <'CA', cert(x.102, x.103, z.75), cert(x.99, x.100, z.67), r2.61, 
+                         encaps(z.73, pk(skC.64)), pkCe.59, cipe.57>,
+                        x.102)
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     80. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(x.102, x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <x.102, z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, x.102)
+         z.4   = verify(sC.62,
+                        <'CA', cert(x.102, x.103, z.75), cert(x.99, x.100, z.67), r2.61, 
+                         encaps(z.73, pk(skC.64)), pkCe.59, encaps(z.74, pk(skCe.65))>,
+                        x.102)
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+     81. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.99, x.100, z.67), r2.61, cip.56, pkCe.59, cipe.57>,
+                      x.102)
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, pk(x.102))
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     82. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.99, x.100, z.67), r2.61, cip.56, pkCe.59, 
+                       encaps(z.74, pk(skCe.65))>,
+                      x.102)
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, pk(x.102))
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     83. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.99, x.100, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                       cipe.57>,
+                      x.102)
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, pk(x.102))
+         z.4   = true
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     84. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.99, x.100, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                       encaps(z.74, pk(skCe.65))>,
+                      x.102)
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, pk(x.102))
+         z.4   = true
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+     85. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', 
+                         cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                         cert(x.100, x.101, z.67), r2.61, cip.56, pkCe.59, cipe.57>,
+                        pk(x.103))
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     86. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', 
+                       cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                       cert(x.100, x.101, z.67), r2.61, cip.56, pkCe.59, cipe.57>,
+                      x.103)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     87. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', 
+                         cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                         cert(x.100, x.101, z.67), r2.61, cip.56, pkCe.59, 
+                         encaps(z.74, pk(skCe.65))>,
+                        pk(x.103))
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     88. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', 
+                       cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                       cert(x.100, x.101, z.67), r2.61, cip.56, pkCe.59, 
+                       encaps(z.74, pk(skCe.65))>,
+                      x.103)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     89. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', 
+                         cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                         cert(x.100, x.101, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                         cipe.57>,
+                        pk(x.103))
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     90. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', 
+                       cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                       cert(x.100, x.101, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                       cipe.57>,
+                      x.103)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     91. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', 
+                         cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                         cert(x.100, x.101, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                         encaps(z.74, pk(skCe.65))>,
+                        pk(x.103))
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+     92. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', 
+                       cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                       cert(x.100, x.101, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                       encaps(z.74, pk(skCe.65))>,
+                      x.103)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+     93. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', cert(pk(x.102), x.103, z.75), 
+                         cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, cip.56, 
+                         pkCe.59, cipe.57>,
+                        pk(x.102))
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     94. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, cip.56, 
+                       pkCe.59, cipe.57>,
+                      x.102)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     95. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', cert(pk(x.102), x.103, z.75), 
+                         cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, cip.56, 
+                         pkCe.59, encaps(z.74, pk(skCe.65))>,
+                        pk(x.102))
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     96. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, cip.56, 
+                       pkCe.59, encaps(z.74, pk(skCe.65))>,
+                      x.102)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     97. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', cert(pk(x.102), x.103, z.75), 
+                         cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, 
+                         encaps(z.73, pk(skC.64)), pkCe.59, cipe.57>,
+                        pk(x.102))
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     98. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, 
+                       encaps(z.73, pk(skC.64)), pkCe.59, cipe.57>,
+                      x.102)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     99. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', cert(pk(x.102), x.103, z.75), 
+                         cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, 
+                         encaps(z.73, pk(skC.64)), pkCe.59, encaps(z.74, pk(skCe.65))>,
+                        pk(x.102))
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+    100. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, 
+                       encaps(z.73, pk(skC.64)), pkCe.59, encaps(z.74, pk(skCe.65))>,
+                      x.102)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+    101. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = cip.57
+         cipe  = cipe.58
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sC.63
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.63,
+                        <'CA', cert(pk(x.104), x.105, z.76), cert(x.101, x.102, z.68), r2.62, 
+                         cip.57, pkCe.60, cipe.58>,
+                        pk(x.104))
+         z.5   = decaps(cip.57, skC.65)
+         z.6   = decaps(cipe.58, skCe.66)
+         z.7   = z.76
+    
+    102. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = cip.57
+         cipe  = cipe.58
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sign(<'CA', cert(pk(x.104), x.105, z.76), 
+                       cert(x.101, x.102, z.68), r2.62, cip.57, pkCe.60, cipe.58>,
+                      x.104)
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.57, skC.65)
+         z.6   = decaps(cipe.58, skCe.66)
+         z.7   = z.76
+    
+    103. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = cip.57
+         cipe  = encaps(z.75, pk(skCe.66))
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sC.63
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.63,
+                        <'CA', cert(pk(x.104), x.105, z.76), cert(x.101, x.102, z.68), r2.62, 
+                         cip.57, pkCe.60, encaps(z.75, pk(skCe.66))>,
+                        pk(x.104))
+         z.5   = decaps(cip.57, skC.65)
+         z.6   = z.75
+         z.7   = z.76
+    
+    104. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = cip.57
+         cipe  = encaps(z.75, pk(skCe.66))
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sign(<'CA', cert(pk(x.104), x.105, z.76), 
+                       cert(x.101, x.102, z.68), r2.62, cip.57, pkCe.60, 
+                       encaps(z.75, pk(skCe.66))>,
+                      x.104)
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.57, skC.65)
+         z.6   = z.75
+         z.7   = z.76
+    
+    105. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = encaps(z.74, pk(skC.65))
+         cipe  = cipe.58
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sC.63
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.63,
+                        <'CA', cert(pk(x.104), x.105, z.76), cert(x.101, x.102, z.68), r2.62, 
+                         encaps(z.74, pk(skC.65)), pkCe.60, cipe.58>,
+                        pk(x.104))
+         z.5   = z.74
+         z.6   = decaps(cipe.58, skCe.66)
+         z.7   = z.76
+    
+    106. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = encaps(z.74, pk(skC.65))
+         cipe  = cipe.58
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sign(<'CA', cert(pk(x.104), x.105, z.76), 
+                       cert(x.101, x.102, z.68), r2.62, encaps(z.74, pk(skC.65)), pkCe.60, 
+                       cipe.58>,
+                      x.104)
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.74
+         z.6   = decaps(cipe.58, skCe.66)
+         z.7   = z.76
+    
+    107. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = encaps(z.74, pk(skC.65))
+         cipe  = encaps(z.75, pk(skCe.66))
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sC.63
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.63,
+                        <'CA', cert(pk(x.104), x.105, z.76), cert(x.101, x.102, z.68), r2.62, 
+                         encaps(z.74, pk(skC.65)), pkCe.60, encaps(z.75, pk(skCe.66))>,
+                        pk(x.104))
+         z.5   = z.74
+         z.6   = z.75
+         z.7   = z.76
+    
+    108. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = encaps(z.74, pk(skC.65))
+         cipe  = encaps(z.75, pk(skCe.66))
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sign(<'CA', cert(pk(x.104), x.105, z.76), 
+                       cert(x.101, x.102, z.68), r2.62, encaps(z.74, pk(skC.65)), pkCe.60, 
+                       encaps(z.75, pk(skCe.66))>,
+                      x.104)
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.74
+         z.6   = z.75
+         z.7   = z.76
+  */
+
+rule (modulo E) Verify_Transcript_T:
+   [
+   In( <certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF> ),
+   In( <k, ke> ), !Pk( T, pkT, 'terminal' )
+   ]
+  --[
+  Eq( T, cert_id(certT) ), Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( verify_cert(certC, 'chip'), true ),
+  Eq( verify(sT, <'TA', IDc, r1>, pkT), true ),
+  Eq( verify(sC, <'CA', certT, certC, r2, cip, pkCe, cipe>, pkT), true ),
+  Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ),
+  ValidTrans( T, 'terminal', cert_id(certC) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_T:
+     [
+     In( <certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF> ),
+     In( <k, ke> ), !Pk( T, pkT, 'terminal' )
+     ]
+    --[
+    Eq( T, z ), Eq( z.1, true ), Eq( z.2, true ), Eq( z.3, true ),
+    Eq( z.4, true ),
+    Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ),
+    ValidTrans( T, 'terminal', z.5 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. IDc   = IDc.39
+        certC = certC.41
+        certT = certT.42
+        cip   = cip.43
+        cipe  = cipe.44
+        pkCe  = pkCe.48
+        pkT   = pkT.49
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sT.53
+        z     = cert_id(certT.42)
+        z.1   = verify(cert_sig(certT.42),
+                       <cert_pk(certT.42), cert_id(certT.42), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.41),
+                       <cert_pk(certC.41), cert_id(certC.41), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.39, r1.50>, pkT.49)
+        z.4   = verify(sC.52,
+                       <'CA', certT.42, certC.41, r2.51, cip.43, pkCe.48, cipe.44>, pkT.49)
+        z.5   = cert_id(certC.41)
+    
+     2. IDc   = IDc.48
+        certC = certC.50
+        certT = cert(x.94, sign(<x.94, z.64, 'terminal'>, ca_sk), z.64)
+        cip   = cip.52
+        cipe  = cipe.53
+        pkCe  = pkCe.57
+        pkT   = pkT.58
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sC.61
+        sT    = sT.62
+        z     = z.64
+        z.1   = true
+        z.2   = verify(cert_sig(certC.50),
+                       <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.62, <'TA', IDc.48, r1.59>, pkT.58)
+        z.4   = verify(sC.61,
+                       <'CA', cert(x.94, sign(<x.94, z.64, 'terminal'>, ca_sk), z.64), 
+                        certC.50, r2.60, cip.52, pkCe.57, cipe.53>,
+                       pkT.58)
+        z.5   = cert_id(certC.50)
+    
+     3. IDc   = IDc.48
+        certC = cert(x.94, sign(<x.94, z.70, 'chip'>, ca_sk), z.70)
+        certT = certT.51
+        cip   = cip.52
+        cipe  = cipe.53
+        pkCe  = pkCe.57
+        pkT   = pkT.58
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sC.61
+        sT    = sT.62
+        z     = cert_id(certT.51)
+        z.1   = verify(cert_sig(certT.51),
+                       <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.62, <'TA', IDc.48, r1.59>, pkT.58)
+        z.4   = verify(sC.61,
+                       <'CA', certT.51, cert(x.94, sign(<x.94, z.70, 'chip'>, ca_sk), z.70), 
+                        r2.60, cip.52, pkCe.57, cipe.53>,
+                       pkT.58)
+        z.5   = z.70
+    
+     4. IDc   = IDc.49
+        certC = certC.51
+        certT = cert(x.95, x.96, z.65)
+        cip   = cip.53
+        cipe  = cipe.54
+        pkCe  = pkCe.58
+        pkT   = pkT.59
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sC.62
+        sT    = sT.63
+        z     = z.65
+        z.1   = verify(x.96, <x.95, z.65, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.51),
+                       <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.63, <'TA', IDc.49, r1.60>, pkT.59)
+        z.4   = verify(sC.62,
+                       <'CA', cert(x.95, x.96, z.65), certC.51, r2.61, cip.53, pkCe.58, cipe.54
+                       >,
+                       pkT.59)
+        z.5   = cert_id(certC.51)
+    
+     5. IDc   = IDc.49
+        certC = cert(x.95, x.96, z.71)
+        certT = certT.52
+        cip   = cip.53
+        cipe  = cipe.54
+        pkCe  = pkCe.58
+        pkT   = pkT.59
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sC.62
+        sT    = sT.63
+        z     = cert_id(certT.52)
+        z.1   = verify(cert_sig(certT.52),
+                       <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.96, <x.95, z.71, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.63, <'TA', IDc.49, r1.60>, pkT.59)
+        z.4   = verify(sC.62,
+                       <'CA', certT.52, cert(x.95, x.96, z.71), r2.61, cip.53, pkCe.58, cipe.54
+                       >,
+                       pkT.59)
+        z.5   = z.71
+    
+     6. IDc   = IDc.50
+        certC = cert(x.96, sign(<x.96, z.72, 'chip'>, ca_sk), z.72)
+        certT = cert(x.98, sign(<x.98, z.66, 'terminal'>, ca_sk), z.66)
+        cip   = cip.54
+        cipe  = cipe.55
+        pkCe  = pkCe.59
+        pkT   = pkT.60
+        r1    = r1.61
+        r2    = r2.62
+        sC    = sC.63
+        sT    = sT.64
+        z     = z.66
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.64, <'TA', IDc.50, r1.61>, pkT.60)
+        z.4   = verify(sC.63,
+                       <'CA', cert(x.98, sign(<x.98, z.66, 'terminal'>, ca_sk), z.66), 
+                        cert(x.96, sign(<x.96, z.72, 'chip'>, ca_sk), z.72), r2.62, cip.54, 
+                        pkCe.59, cipe.55>,
+                       pkT.60)
+        z.5   = z.72
+    
+     7. IDc   = IDc.51
+        certC = cert(x.97, x.98, z.73)
+        certT = cert(x.100, sign(<x.100, z.67, 'terminal'>, ca_sk), z.67)
+        cip   = cip.55
+        cipe  = cipe.56
+        pkCe  = pkCe.60
+        pkT   = pkT.61
+        r1    = r1.62
+        r2    = r2.63
+        sC    = sC.64
+        sT    = sT.65
+        z     = z.67
+        z.1   = true
+        z.2   = verify(x.98, <x.97, z.73, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.65, <'TA', IDc.51, r1.62>, pkT.61)
+        z.4   = verify(sC.64,
+                       <'CA', cert(x.100, sign(<x.100, z.67, 'terminal'>, ca_sk), z.67), 
+                        cert(x.97, x.98, z.73), r2.63, cip.55, pkCe.60, cipe.56>,
+                       pkT.61)
+        z.5   = z.73
+    
+     8. IDc   = IDc.51
+        certC = cert(x.97, sign(<x.97, z.73, 'chip'>, ca_sk), z.73)
+        certT = cert(x.99, x.100, z.67)
+        cip   = cip.55
+        cipe  = cipe.56
+        pkCe  = pkCe.60
+        pkT   = pkT.61
+        r1    = r1.62
+        r2    = r2.63
+        sC    = sC.64
+        sT    = sT.65
+        z     = z.67
+        z.1   = verify(x.100, <x.99, z.67, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.65, <'TA', IDc.51, r1.62>, pkT.61)
+        z.4   = verify(sC.64,
+                       <'CA', cert(x.99, x.100, z.67), 
+                        cert(x.97, sign(<x.97, z.73, 'chip'>, ca_sk), z.73), r2.63, cip.55, 
+                        pkCe.60, cipe.56>,
+                       pkT.61)
+        z.5   = z.73
+    
+     9. IDc   = IDc.52
+        certC = cert(x.98, x.99, z.74)
+        certT = cert(x.101, x.102, z.68)
+        cip   = cip.56
+        cipe  = cipe.57
+        pkCe  = pkCe.61
+        pkT   = pkT.62
+        r1    = r1.63
+        r2    = r2.64
+        sC    = sC.65
+        sT    = sT.66
+        z     = z.68
+        z.1   = verify(x.102, <x.101, z.68, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.99, <x.98, z.74, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.66, <'TA', IDc.52, r1.63>, pkT.62)
+        z.4   = verify(sC.65,
+                       <'CA', cert(x.101, x.102, z.68), cert(x.98, x.99, z.74), r2.64, cip.56, 
+                        pkCe.61, cipe.57>,
+                       pkT.62)
+        z.5   = z.74
+    
+    10. IDc   = IDc.56
+        certC = certC.58
+        certT = certT.59
+        cip   = cip.60
+        cipe  = cipe.61
+        pkCe  = pkCe.65
+        pkT   = pk(x.110)
+        r1    = r1.67
+        r2    = r2.68
+        sC    = sign(<'CA', certT.59, certC.58, r2.68, cip.60, pkCe.65, cipe.61>,
+                     x.110)
+        sT    = sT.70
+        z     = cert_id(certT.59)
+        z.1   = verify(cert_sig(certT.59),
+                       <cert_pk(certT.59), cert_id(certT.59), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.58),
+                       <cert_pk(certC.58), cert_id(certC.58), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.70, <'TA', IDc.56, r1.67>, pk(x.110))
+        z.4   = true
+        z.5   = cert_id(certC.58)
+    
+    11. IDc   = IDc.57
+        certC = certC.59
+        certT = cert(x.104, sign(<x.104, z.73, 'terminal'>, ca_sk), z.73)
+        cip   = cip.61
+        cipe  = cipe.62
+        pkCe  = pkCe.66
+        pkT   = pk(x.112)
+        r1    = r1.68
+        r2    = r2.69
+        sC    = sign(<'CA', 
+                      cert(x.104, sign(<x.104, z.73, 'terminal'>, ca_sk), z.73), certC.59, 
+                      r2.69, cip.61, pkCe.66, cipe.62>,
+                     x.112)
+        sT    = sT.71
+        z     = z.73
+        z.1   = true
+        z.2   = verify(cert_sig(certC.59),
+                       <cert_pk(certC.59), cert_id(certC.59), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.71, <'TA', IDc.57, r1.68>, pk(x.112))
+        z.4   = true
+        z.5   = cert_id(certC.59)
+    
+    12. IDc   = IDc.57
+        certC = cert(x.103, sign(<x.103, z.79, 'chip'>, ca_sk), z.79)
+        certT = certT.60
+        cip   = cip.61
+        cipe  = cipe.62
+        pkCe  = pkCe.66
+        pkT   = pk(x.112)
+        r1    = r1.68
+        r2    = r2.69
+        sC    = sign(<'CA', certT.60, 
+                      cert(x.103, sign(<x.103, z.79, 'chip'>, ca_sk), z.79), r2.69, cip.61, 
+                      pkCe.66, cipe.62>,
+                     x.112)
+        sT    = sT.71
+        z     = cert_id(certT.60)
+        z.1   = verify(cert_sig(certT.60),
+                       <cert_pk(certT.60), cert_id(certT.60), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.71, <'TA', IDc.57, r1.68>, pk(x.112))
+        z.4   = true
+        z.5   = z.79
+    
+    13. IDc   = IDc.58
+        certC = certC.60
+        certT = certT.61
+        cip   = cip.62
+        cipe  = cipe.63
+        pkCe  = pkCe.67
+        pkT   = pk(x.114)
+        r1    = r1.69
+        r2    = r2.70
+        sC    = sC.71
+        sT    = sign(<'TA', IDc.58, r1.69>, x.114)
+        z     = cert_id(certT.61)
+        z.1   = verify(cert_sig(certT.61),
+                       <cert_pk(certT.61), cert_id(certT.61), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.60),
+                       <cert_pk(certC.60), cert_id(certC.60), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.71,
+                       <'CA', certT.61, certC.60, r2.70, cip.62, pkCe.67, cipe.63>, pk(x.114))
+        z.5   = cert_id(certC.60)
+    
+    14. IDc   = IDc.58
+        certC = certC.60
+        certT = certT.61
+        cip   = cip.62
+        cipe  = cipe.63
+        pkCe  = pkCe.67
+        pkT   = pk(x.114)
+        r1    = r1.69
+        r2    = r2.70
+        sC    = sign(<'CA', certT.61, certC.60, r2.70, cip.62, pkCe.67, cipe.63>,
+                     x.114)
+        sT    = sign(<'TA', IDc.58, r1.69>, x.114)
+        z     = cert_id(certT.61)
+        z.1   = verify(cert_sig(certT.61),
+                       <cert_pk(certT.61), cert_id(certT.61), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.60),
+                       <cert_pk(certC.60), cert_id(certC.60), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.60)
+    
+    15. IDc   = IDc.58
+        certC = certC.60
+        certT = cert(x.105, x.106, z.74)
+        cip   = cip.62
+        cipe  = cipe.63
+        pkCe  = pkCe.67
+        pkT   = pk(x.114)
+        r1    = r1.69
+        r2    = r2.70
+        sC    = sign(<'CA', cert(x.105, x.106, z.74), certC.60, r2.70, cip.62, 
+                      pkCe.67, cipe.63>,
+                     x.114)
+        sT    = sT.72
+        z     = z.74
+        z.1   = verify(x.106, <x.105, z.74, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.60),
+                       <cert_pk(certC.60), cert_id(certC.60), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.72, <'TA', IDc.58, r1.69>, pk(x.114))
+        z.4   = true
+        z.5   = cert_id(certC.60)
+    
+    16. IDc   = IDc.58
+        certC = cert(x.104, x.105, z.80)
+        certT = certT.61
+        cip   = cip.62
+        cipe  = cipe.63
+        pkCe  = pkCe.67
+        pkT   = pk(x.114)
+        r1    = r1.69
+        r2    = r2.70
+        sC    = sign(<'CA', certT.61, cert(x.104, x.105, z.80), r2.70, cip.62, 
+                      pkCe.67, cipe.63>,
+                     x.114)
+        sT    = sT.72
+        z     = cert_id(certT.61)
+        z.1   = verify(cert_sig(certT.61),
+                       <cert_pk(certT.61), cert_id(certT.61), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.105, <x.104, z.80, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.72, <'TA', IDc.58, r1.69>, pk(x.114))
+        z.4   = true
+        z.5   = z.80
+    
+    17. IDc   = IDc.58
+        certC = cert(x.104, sign(<x.104, z.80, 'chip'>, ca_sk), z.80)
+        certT = cert(x.106, sign(<x.106, z.74, 'terminal'>, ca_sk), z.74)
+        cip   = cip.62
+        cipe  = cipe.63
+        pkCe  = pkCe.67
+        pkT   = pk(x.114)
+        r1    = r1.69
+        r2    = r2.70
+        sC    = sign(<'CA', 
+                      cert(x.106, sign(<x.106, z.74, 'terminal'>, ca_sk), z.74), 
+                      cert(x.104, sign(<x.104, z.80, 'chip'>, ca_sk), z.80), r2.70, cip.62, 
+                      pkCe.67, cipe.63>,
+                     x.114)
+        sT    = sT.72
+        z     = z.74
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.72, <'TA', IDc.58, r1.69>, pk(x.114))
+        z.4   = true
+        z.5   = z.80
+    
+    18. IDc   = IDc.59
+        certC = certC.61
+        certT = cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75)
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sC.72
+        sT    = sign(<'TA', IDc.59, r1.70>, x.116)
+        z     = z.75
+        z.1   = true
+        z.2   = verify(cert_sig(certC.61),
+                       <cert_pk(certC.61), cert_id(certC.61), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.72,
+                       <'CA', cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75), 
+                        certC.61, r2.71, cip.63, pkCe.68, cipe.64>,
+                       pk(x.116))
+        z.5   = cert_id(certC.61)
+    
+    19. IDc   = IDc.59
+        certC = certC.61
+        certT = cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75)
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sign(<'CA', 
+                      cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75), certC.61, 
+                      r2.71, cip.63, pkCe.68, cipe.64>,
+                     x.116)
+        sT    = sign(<'TA', IDc.59, r1.70>, x.116)
+        z     = z.75
+        z.1   = true
+        z.2   = verify(cert_sig(certC.61),
+                       <cert_pk(certC.61), cert_id(certC.61), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.61)
+    
+    20. IDc   = IDc.59
+        certC = cert(x.105, x.106, z.81)
+        certT = cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75)
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sign(<'CA', 
+                      cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75), 
+                      cert(x.105, x.106, z.81), r2.71, cip.63, pkCe.68, cipe.64>,
+                     x.116)
+        sT    = sT.73
+        z     = z.75
+        z.1   = true
+        z.2   = verify(x.106, <x.105, z.81, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.73, <'TA', IDc.59, r1.70>, pk(x.116))
+        z.4   = true
+        z.5   = z.81
+    
+    21. IDc   = IDc.59
+        certC = cert(x.105, sign(<x.105, z.81, 'chip'>, ca_sk), z.81)
+        certT = cert(x.107, x.108, z.75)
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sign(<'CA', cert(x.107, x.108, z.75), 
+                      cert(x.105, sign(<x.105, z.81, 'chip'>, ca_sk), z.81), r2.71, cip.63, 
+                      pkCe.68, cipe.64>,
+                     x.116)
+        sT    = sT.73
+        z     = z.75
+        z.1   = verify(x.108, <x.107, z.75, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.73, <'TA', IDc.59, r1.70>, pk(x.116))
+        z.4   = true
+        z.5   = z.81
+    
+    22. IDc   = IDc.59
+        certC = cert(x.107, sign(<x.107, z.81, 'chip'>, ca_sk), z.81)
+        certT = certT.62
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sC.72
+        sT    = sign(<'TA', IDc.59, r1.70>, x.116)
+        z     = cert_id(certT.62)
+        z.1   = verify(cert_sig(certT.62),
+                       <cert_pk(certT.62), cert_id(certT.62), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.72,
+                       <'CA', certT.62, cert(x.107, sign(<x.107, z.81, 'chip'>, ca_sk), z.81), 
+                        r2.71, cip.63, pkCe.68, cipe.64>,
+                       pk(x.116))
+        z.5   = z.81
+    
+    23. IDc   = IDc.59
+        certC = cert(x.107, sign(<x.107, z.81, 'chip'>, ca_sk), z.81)
+        certT = certT.62
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sign(<'CA', certT.62, 
+                      cert(x.107, sign(<x.107, z.81, 'chip'>, ca_sk), z.81), r2.71, cip.63, 
+                      pkCe.68, cipe.64>,
+                     x.116)
+        sT    = sign(<'TA', IDc.59, r1.70>, x.116)
+        z     = cert_id(certT.62)
+        z.1   = verify(cert_sig(certT.62),
+                       <cert_pk(certT.62), cert_id(certT.62), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.81
+    
+    24. IDc   = IDc.60
+        certC = certC.62
+        certT = cert(x.109, x.110, z.76)
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sC.73
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = z.76
+        z.1   = verify(x.110, <x.109, z.76, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.62),
+                       <cert_pk(certC.62), cert_id(certC.62), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.73,
+                       <'CA', cert(x.109, x.110, z.76), certC.62, r2.72, cip.64, pkCe.69, 
+                        cipe.65>,
+                       pk(x.118))
+        z.5   = cert_id(certC.62)
+    
+    25. IDc   = IDc.60
+        certC = certC.62
+        certT = cert(x.109, x.110, z.76)
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sign(<'CA', cert(x.109, x.110, z.76), certC.62, r2.72, cip.64, 
+                      pkCe.69, cipe.65>,
+                     x.118)
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = z.76
+        z.1   = verify(x.110, <x.109, z.76, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.62),
+                       <cert_pk(certC.62), cert_id(certC.62), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.62)
+    
+    26. IDc   = IDc.60
+        certC = cert(x.106, x.107, z.82)
+        certT = cert(x.109, x.110, z.76)
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sign(<'CA', cert(x.109, x.110, z.76), cert(x.106, x.107, z.82), 
+                      r2.72, cip.64, pkCe.69, cipe.65>,
+                     x.118)
+        sT    = sT.74
+        z     = z.76
+        z.1   = verify(x.110, <x.109, z.76, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.107, <x.106, z.82, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.74, <'TA', IDc.60, r1.71>, pk(x.118))
+        z.4   = true
+        z.5   = z.82
+    
+    27. IDc   = IDc.60
+        certC = cert(x.108, x.109, z.82)
+        certT = certT.63
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sC.73
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = cert_id(certT.63)
+        z.1   = verify(cert_sig(certT.63),
+                       <cert_pk(certT.63), cert_id(certT.63), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.109, <x.108, z.82, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.73,
+                       <'CA', certT.63, cert(x.108, x.109, z.82), r2.72, cip.64, pkCe.69, 
+                        cipe.65>,
+                       pk(x.118))
+        z.5   = z.82
+    
+    28. IDc   = IDc.60
+        certC = cert(x.108, x.109, z.82)
+        certT = certT.63
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sign(<'CA', certT.63, cert(x.108, x.109, z.82), r2.72, cip.64, 
+                      pkCe.69, cipe.65>,
+                     x.118)
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = cert_id(certT.63)
+        z.1   = verify(cert_sig(certT.63),
+                       <cert_pk(certT.63), cert_id(certT.63), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.109, <x.108, z.82, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.82
+    
+    29. IDc   = IDc.60
+        certC = cert(x.108, sign(<x.108, z.82, 'chip'>, ca_sk), z.82)
+        certT = cert(x.110, sign(<x.110, z.76, 'terminal'>, ca_sk), z.76)
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sC.73
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = z.76
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.73,
+                       <'CA', cert(x.110, sign(<x.110, z.76, 'terminal'>, ca_sk), z.76), 
+                        cert(x.108, sign(<x.108, z.82, 'chip'>, ca_sk), z.82), r2.72, cip.64, 
+                        pkCe.69, cipe.65>,
+                       pk(x.118))
+        z.5   = z.82
+    
+    30. IDc   = IDc.60
+        certC = cert(x.108, sign(<x.108, z.82, 'chip'>, ca_sk), z.82)
+        certT = cert(x.110, sign(<x.110, z.76, 'terminal'>, ca_sk), z.76)
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sign(<'CA', 
+                      cert(x.110, sign(<x.110, z.76, 'terminal'>, ca_sk), z.76), 
+                      cert(x.108, sign(<x.108, z.82, 'chip'>, ca_sk), z.82), r2.72, cip.64, 
+                      pkCe.69, cipe.65>,
+                     x.118)
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = z.76
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.82
+    
+    31. IDc   = IDc.61
+        certC = cert(x.109, x.110, z.83)
+        certT = cert(x.112, sign(<x.112, z.77, 'terminal'>, ca_sk), z.77)
+        cip   = cip.65
+        cipe  = cipe.66
+        pkCe  = pkCe.70
+        pkT   = pk(x.120)
+        r1    = r1.72
+        r2    = r2.73
+        sC    = sC.74
+        sT    = sign(<'TA', IDc.61, r1.72>, x.120)
+        z     = z.77
+        z.1   = true
+        z.2   = verify(x.110, <x.109, z.83, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.74,
+                       <'CA', cert(x.112, sign(<x.112, z.77, 'terminal'>, ca_sk), z.77), 
+                        cert(x.109, x.110, z.83), r2.73, cip.65, pkCe.70, cipe.66>,
+                       pk(x.120))
+        z.5   = z.83
+    
+    32. IDc   = IDc.61
+        certC = cert(x.109, x.110, z.83)
+        certT = cert(x.112, sign(<x.112, z.77, 'terminal'>, ca_sk), z.77)
+        cip   = cip.65
+        cipe  = cipe.66
+        pkCe  = pkCe.70
+        pkT   = pk(x.120)
+        r1    = r1.72
+        r2    = r2.73
+        sC    = sign(<'CA', 
+                      cert(x.112, sign(<x.112, z.77, 'terminal'>, ca_sk), z.77), 
+                      cert(x.109, x.110, z.83), r2.73, cip.65, pkCe.70, cipe.66>,
+                     x.120)
+        sT    = sign(<'TA', IDc.61, r1.72>, x.120)
+        z     = z.77
+        z.1   = true
+        z.2   = verify(x.110, <x.109, z.83, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.83
+    
+    33. IDc   = IDc.61
+        certC = cert(x.109, sign(<x.109, z.83, 'chip'>, ca_sk), z.83)
+        certT = cert(x.111, x.112, z.77)
+        cip   = cip.65
+        cipe  = cipe.66
+        pkCe  = pkCe.70
+        pkT   = pk(x.120)
+        r1    = r1.72
+        r2    = r2.73
+        sC    = sC.74
+        sT    = sign(<'TA', IDc.61, r1.72>, x.120)
+        z     = z.77
+        z.1   = verify(x.112, <x.111, z.77, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.74,
+                       <'CA', cert(x.111, x.112, z.77), 
+                        cert(x.109, sign(<x.109, z.83, 'chip'>, ca_sk), z.83), r2.73, cip.65, 
+                        pkCe.70, cipe.66>,
+                       pk(x.120))
+        z.5   = z.83
+    
+    34. IDc   = IDc.61
+        certC = cert(x.109, sign(<x.109, z.83, 'chip'>, ca_sk), z.83)
+        certT = cert(x.111, x.112, z.77)
+        cip   = cip.65
+        cipe  = cipe.66
+        pkCe  = pkCe.70
+        pkT   = pk(x.120)
+        r1    = r1.72
+        r2    = r2.73
+        sC    = sign(<'CA', cert(x.111, x.112, z.77), 
+                      cert(x.109, sign(<x.109, z.83, 'chip'>, ca_sk), z.83), r2.73, cip.65, 
+                      pkCe.70, cipe.66>,
+                     x.120)
+        sT    = sign(<'TA', IDc.61, r1.72>, x.120)
+        z     = z.77
+        z.1   = verify(x.112, <x.111, z.77, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.83
+    
+    35. IDc   = IDc.62
+        certC = cert(x.110, x.111, z.84)
+        certT = cert(x.113, x.114, z.78)
+        cip   = cip.66
+        cipe  = cipe.67
+        pkCe  = pkCe.71
+        pkT   = pk(x.122)
+        r1    = r1.73
+        r2    = r2.74
+        sC    = sC.75
+        sT    = sign(<'TA', IDc.62, r1.73>, x.122)
+        z     = z.78
+        z.1   = verify(x.114, <x.113, z.78, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.111, <x.110, z.84, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.75,
+                       <'CA', cert(x.113, x.114, z.78), cert(x.110, x.111, z.84), r2.74, 
+                        cip.66, pkCe.71, cipe.67>,
+                       pk(x.122))
+        z.5   = z.84
+    
+    36. IDc   = IDc.62
+        certC = cert(x.110, x.111, z.84)
+        certT = cert(x.113, x.114, z.78)
+        cip   = cip.66
+        cipe  = cipe.67
+        pkCe  = pkCe.71
+        pkT   = pk(x.122)
+        r1    = r1.73
+        r2    = r2.74
+        sC    = sign(<'CA', cert(x.113, x.114, z.78), cert(x.110, x.111, z.84), 
+                      r2.74, cip.66, pkCe.71, cipe.67>,
+                     x.122)
+        sT    = sign(<'TA', IDc.62, r1.73>, x.122)
+        z     = z.78
+        z.1   = verify(x.114, <x.113, z.78, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.111, <x.110, z.84, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.84
+  */
+
+restriction Equality:
+  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
+  // safety formula
+
+lemma session_exist:
+  exists-trace
+  "∃ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+    (#i < #j)"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  #i < #j"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'CA', 
+                                cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                               ~ltk.1)
+                     ) @ #vk.3 )
+                case CA_INIT_T
+                solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.13 )
+                  case TA_RESPONSE_T
+                  solve( !KU( ~r2 ) @ #vk.31 )
+                    case CA_INIT_C
+                    solve( !KU( ~id_c ) @ #vk.38 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~r1 ) @ #vk.39 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                               ) @ #vk.21 )
+                          case CA_Sign_ltk
+                          solve( !KU( kdf(<'CNF', 
+                                           cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                           encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                          <~k, ~ke>)
+                                 ) @ #vk.25 )
+                            case CA_FINISH_C
+                            solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                                   ) @ #vk.34 )
+                              case CA_INIT_C
+                              solve( !KU( sign(<'TA', ~id_c.2, ~r1.2>, x) ) @ #vk.42 )
+                                case TA_RESPONSE_T
+                                solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), z, 'terminal'>, ca_sk), z)
+                                       ) @ #vk.44 )
+                                  case CA_Sign_ltk
+                                  solve( !KU( ~id_c.2 ) @ #vk.46 )
+                                    case TA_CHALLENGE_C
+                                    solve( !KU( ~r1.1 ) @ #vk.47 )
+                                      case TA_CHALLENGE_C
+                                      solve( !KU( pk(~skCe) ) @ #vk.43 )
+                                        case CA_INIT_C
+                                        solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.26 )
+                                          case CA_INIT_T
+                                          solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.29 )
+                                            case CA_INIT_T
+                                            SOLVED // trace found
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma two_session_exist:
+  exists-trace
+  "∃ C T k k2 sid sid2 #i #j #i2 #j2.
+    ((((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+         (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+        (#i < #j)) ∧
+       (Completed( k2, sid2, C, 'chip', T ) @ #i2)) ∧
+      (Completed( k2, sid2, T, 'terminal', C ) @ #j2)) ∧
+     (#i2 < #j2)) ∧
+    (¬(k = k2))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k k2 sid sid2 #i #j #i2 #j2.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j) ∧
+  (Completed( k2, sid2, C, 'chip', T ) @ #i2) ∧
+  (Completed( k2, sid2, T, 'terminal', C ) @ #j2)
+ ∧
+  (#i < #j) ∧ (#i2 < #j2) ∧ (¬(k = k2))"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
+                case CA_FINISH_C
+                solve( CAInitC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1,
+                                skCe.1
+                       ) ▶₁ #i2 )
+                  case CA_INIT_C
+                  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
+                    case Generate_chip_key_pair
+                    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
+                      case CA_Sign_ltk
+                      solve( Completed( kdf(<'KEY', 
+                                             cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), 
+                                             ~r2.1, cip, pk(~skCe.1), cipe>,
+                                            <z, z.1>),
+                                        <cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, 
+                                         cip, pk(~skCe.1), cipe>,
+                                        $T, 'terminal', $C
+                             ) @ #j2 )
+                        case CA_FINISH_T
+                        solve( CAInitT( <$T, iid.3>, id_c.3,
+                                        cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
+                                        <z, cip>, <z.1, cipe>, pk(~skCe.1)
+                               ) ▶₁ #j2 )
+                          case CA_INIT_T
+                          solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                                        'terminal'
+                                 ) ▶₂ #j2 )
+                            case CA_Sign_ltk
+                            solve( !KU( sign(<'CA', 
+                                              cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
+                                                   $T), 
+                                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                              encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                             ~ltk.1)
+                                   ) @ #vk.3 )
+                              case CA_INIT_T
+                              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.18 )
+                                case TA_RESPONSE_T
+                                solve( !KU( sign(<'CA', 
+                                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
+                                                       $T), 
+                                                  cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), 
+                                                  ~r2.1, encaps(~k.1, pk(~skC)), pk(~skCe.1), 
+                                                  encaps(~ke.1, pk(~skCe.1))>,
+                                                 ~ltk.1)
+                                       ) @ #vk.49 )
+                                  case CA_INIT_T
+                                  solve( !KU( sign(<'TA', ~id_c.1, ~r1.1>, ~ltk.1) ) @ #vk.52 )
+                                    case TA_RESPONSE_T
+                                    solve( !KU( ~r2 ) @ #vk.46 )
+                                      case CA_INIT_C
+                                      solve( !KU( ~r2.1 ) @ #vk.58 )
+                                        case CA_INIT_C
+                                        solve( !KU( ~id_c ) @ #vk.62 )
+                                          case TA_CHALLENGE_C
+                                          solve( !KU( ~r1 ) @ #vk.63 )
+                                            case TA_CHALLENGE_C
+                                            solve( !KU( ~id_c.1 ) @ #vk.64 )
+                                              case TA_CHALLENGE_C
+                                              solve( !KU( ~r1.1 ) @ #vk.65 )
+                                                case TA_CHALLENGE_C
+                                                solve( !KU( cert(pk(~skT),
+                                                                 sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                                                       ) @ #vk.35 )
+                                                  case CA_Sign_ltk
+                                                  solve( !KU( kdf(<'CNF', 
+                                                                   cert(pk(~skT),
+                                                                        sign(<pk(~skT), $T, 'terminal'>,
+                                                                             ca_sk),
+                                                                        $T), 
+                                                                   cert(pk(~ltk),
+                                                                        sign(<pk(~ltk), $C, 'chip'>, ca_sk),
+                                                                        $C), 
+                                                                   ~r2, encaps(~k, pk(~ltk)), pk(~skCe), 
+                                                                   encaps(~ke, pk(~skCe))>,
+                                                                  <~k, ~ke>)
+                                                         ) @ #vk.39 )
+                                                    case CA_FINISH_C
+                                                    solve( !KU( cert(pk(~ltk),
+                                                                     sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                                                           ) @ #vk.52 )
+                                                      case CA_INIT_C
+                                                      solve( !KU( sign(<'TA', ~id_c.4, ~r1.4>, x) ) @ #vk.68 )
+                                                        case TA_RESPONSE_T
+                                                        solve( !KU( cert(pk(~skT.3),
+                                                                         sign(<pk(~skT.3), z, 'terminal'>,
+                                                                              ca_sk),
+                                                                         z)
+                                                               ) @ #vk.70 )
+                                                          case CA_Sign_ltk
+                                                          solve( !KU( ~id_c.4 ) @ #vk.72 )
+                                                            case TA_CHALLENGE_C
+                                                            solve( !KU( ~r1.3 ) @ #vk.73 )
+                                                              case TA_CHALLENGE_C
+                                                              solve( !KU( pk(~skCe) ) @ #vk.61 )
+                                                                case CA_INIT_C
+                                                                solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.38 )
+                                                                  case CA_INIT_T
+                                                                  solve( !KU( encaps(~ke, pk(~skCe))
+                                                                         ) @ #vk.41 )
+                                                                    case CA_INIT_T
+                                                                    solve( !KU( cert(pk(~ltk.1),
+                                                                                     sign(<pk(~ltk.1), $T, 
+                                                                                           'terminal'>,
+                                                                                          ca_sk),
+                                                                                     $T)
+                                                                           ) @ #vk.68 )
+                                                                      case CA_Sign_ltk
+                                                                      solve( !KU( kdf(<'CNF', 
+                                                                                       cert(pk(~ltk.1),
+                                                                                            sign(<pk(~ltk.1), 
+                                                                                                  $T, 
+                                                                                                  'terminal'>,
+                                                                                                 ca_sk),
+                                                                                            $T), 
+                                                                                       cert(pk(~skC),
+                                                                                            sign(<pk(~skC), 
+                                                                                                  $C, 'chip'>,
+                                                                                                 ca_sk),
+                                                                                            $C), 
+                                                                                       ~r2.1, 
+                                                                                       encaps(~k.1,
+                                                                                              pk(~skC)), 
+                                                                                       pk(~skCe.1), 
+                                                                                       encaps(~ke.1,
+                                                                                              pk(~skCe.1))
+                                                                                      >,
+                                                                                      <~k.1, ~ke.1>)
+                                                                             ) @ #vk.69 )
+                                                                        case CA_FINISH_C
+                                                                        solve( !KU( cert(pk(~skC),
+                                                                                         sign(<pk(~skC), $C, 
+                                                                                               'chip'>,
+                                                                                              ca_sk),
+                                                                                         $C)
+                                                                               ) @ #vk.70 )
+                                                                          case CA_INIT_C
+                                                                          solve( !KU( sign(<'TA', ~id_c.5, 
+                                                                                            ~r1.5>,
+                                                                                           x)
+                                                                                 ) @ #vk.76 )
+                                                                            case TA_RESPONSE_T
+                                                                            solve( !KU( cert(pk(~skT.4),
+                                                                                             sign(<
+                                                                                                   pk(~skT.4), 
+                                                                                                   z, 
+                                                                                                   'terminal'
+                                                                                                  >,
+                                                                                                  ca_sk),
+                                                                                             z)
+                                                                                   ) @ #vk.78 )
+                                                                              case CA_Sign_ltk
+                                                                              solve( !KU( ~id_c.5 ) @ #vk.80 )
+                                                                                case TA_CHALLENGE_C
+                                                                                solve( !KU( ~r1.4 ) @ #vk.81 )
+                                                                                  case TA_CHALLENGE_C
+                                                                                  solve( !KU( pk(~skCe.1)
+                                                                                         ) @ #vk.79 )
+                                                                                    case CA_INIT_C
+                                                                                    solve( !KU( encaps(~k.1,
+                                                                                                       pk(~skC))
+                                                                                           ) @ #vk.78 )
+                                                                                      case CA_INIT_T
+                                                                                      solve( !KU( encaps(~ke.1,
+                                                                                                         pk(~skCe.1))
+                                                                                             ) @ #vk.79 )
+                                                                                        case CA_INIT_T
+                                                                                        SOLVED // trace found
+                                                                                      qed
+                                                                                    qed
+                                                                                  qed
+                                                                                qed
+                                                                              qed
+                                                                            qed
+                                                                          qed
+                                                                        qed
+                                                                      qed
+                                                                    qed
+                                                                  qed
+                                                                qed
+                                                              qed
+                                                            qed
+                                                          qed
+                                                        qed
+                                                      qed
+                                                    qed
+                                                  qed
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>,
+                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                      r2, skCe
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
+                      <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case CA_FINISH_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.30 )
+            case CA_INIT_T
+            solve( !KU( ~ke ) @ #vk.31 )
+              case CA_INIT_T
+              solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                     ) @ #vk.16 )
+                case CA_INIT_C
+                solve( !KU( ~ltk.1 ) @ #vk.32 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.32 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_cert
+                solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.35 )
+                  case CA_INIT_C
+                  solve( !KU( ~ltk.1 ) @ #vk.33 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.33 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_sign
+                  by solve( !KU( ca_sk ) @ #vk.39 )
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>,
+                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                      r2, skCe
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              by contradiction /* from formulas */
+            next
+              case split_case_2
+              solve( !KU( sign(<'CA', 
+                                cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                               ~ltk.1)
+                     ) @ #vk.22 )
+                case CA_INIT_T
+                solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.32 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'CNF', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  <~k, ~ke>)
+                         ) @ #vk.5 )
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.48 )
+                      case CA_INIT_T
+                      solve( !KU( ~ke ) @ #vk.49 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.50 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~skT ) @ #vk.37 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk.1 ) @ #vk.42 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
+                      <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case CA_FINISH_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.30 )
+            case CA_INIT_T
+            solve( !KU( ~ke ) @ #vk.31 )
+              case CA_INIT_T
+              solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                     ) @ #vk.16 )
+                case CA_INIT_C
+                solve( !KU( ~ltk.1 ) @ #vk.32 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.32 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_cert
+                solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.35 )
+                  case CA_INIT_C
+                  solve( !KU( ~ltk.1 ) @ #vk.33 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.33 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_sign
+                  by solve( !KU( ca_sk ) @ #vk.39 )
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_C
+      by contradiction /* from formulas */
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>,
+                      <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case CA_FINISH_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.30 )
+            case CA_INIT_T
+            solve( !KU( ~ke ) @ #vk.31 )
+              case CA_INIT_T
+              solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                     ) @ #vk.16 )
+                case CA_INIT_C
+                solve( !KU( ~ltk.1 ) @ #vk.32 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.32 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_cert
+                solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.35 )
+                  case CA_INIT_C
+                  solve( !KU( ~ltk.1 ) @ #vk.33 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.33 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_sign
+                  by solve( !KU( ca_sk ) @ #vk.39 )
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma session_uniqueness:
+  all-traces
+  "∀ A B k sid sid2 role #i #j.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧
+     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
+    ((#i = #j) ∧ (sid = sid2))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ A B k sid sid2 role #i #j.
+  (Completed( k, sid, A, role, B ) @ #i) ∧
+  (Completed( k, sid2, A, role, B ) @ #j)
+ ∧
+  ((¬(#i = #j)) ∨ (¬(sid = sid2)))"
+*/
+simplify
+solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
+  case case_1
+  solve( (#i < #j)  ∥ (#j < #i) )
+    case case_1
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2, skCe
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                   pk(~skCe), cipe>,
+                                  <z, z.1>),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case CA_FINISH_C
+              solve( CAInitC( <$C, iid.1>,
+                              cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2,
+                              ~skCe
+                     ) ▶₁ #j )
+                case CA_INIT_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                                 encaps(~ke, pkCe)>,
+                                <~k, ~ke>),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
+                            <~ke, encaps(~ke, pkCe)>, pkCe
+                   ) ▶₁ #j )
+              case CA_INIT_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    qed
+  next
+    case case_2
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2, skCe
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                   pk(~skCe), cipe>,
+                                  <z, z.1>),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case CA_FINISH_C
+              solve( CAInitC( <$C, iid.1>,
+                              cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2,
+                              ~skCe
+                     ) ▶₁ #j )
+                case CA_INIT_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                                 encaps(~ke, pkCe)>,
+                                <~k, ~ke>),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
+                            <~ke, encaps(~ke, pkCe)>, pkCe
+                   ) ▶₁ #j )
+              case CA_INIT_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case case_2
+  solve( Completed( k, sid, A, role, B ) @ #i )
+    case CA_FINISH_C
+    solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2, skCe
+           ) ▶₁ #i )
+      case CA_INIT_C
+      solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+        case Generate_chip_key_pair
+        solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                 pk(~skCe), cipe>,
+                                <z, z.1>),
+                            sid2, $C, 'chip', B
+                 ) @ #j )
+            case CA_FINISH_C
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  next
+    case CA_FINISH_T
+    solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+           ) ▶₁ #i )
+      case CA_INIT_T
+      solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                               cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                               encaps(~ke, pkCe)>,
+                              <~k, ~ke>),
+                          sid2, $T, 'terminal', B
+               ) @ #j )
+          case CA_FINISH_T
+          by contradiction /* from formulas */
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma consistency:
+  all-traces
+  "∀ C T k k2 sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
+    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k k2 sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k2, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( k2,
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>,
+                          <ke, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                 ~ltk.1)
+                       ) @ #vk.3 )
+                  case CA_INIT_T
+                  solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.13 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.18 )
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.48 )
+                        case CA_INIT_T
+                        solve( !KU( ~ke ) @ #vk.49 )
+                          case CA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.50 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    solve( !KU( ~skT ) @ #vk.37 )
+                      case Corrupt_ltk
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                      <~k, ~ke>)
+                             ) @ #vk.19 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.50 )
+                          case CA_INIT_T
+                          solve( !KU( ~ke ) @ #vk.51 )
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.52 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~ltk.1 ) @ #vk.42 )
+                    case Corrupt_ltk
+                    solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.17 )
+                      case TA_RESPONSE_T
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                      <~k, ~ke>)
+                             ) @ #vk.25 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.51 )
+                          case CA_INIT_T
+                          solve( !KU( ~ke ) @ #vk.52 )
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.53 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      qed
+                    next
+                      case c_sign
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                      <~k, ~ke>)
+                             ) @ #vk.25 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.52 )
+                          case CA_INIT_T
+                          solve( !KU( ~ke ) @ #vk.53 )
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.54 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma key_secrecy:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
+    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+     (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'CA', 
+                                cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                               ~ltk.1)
+                     ) @ #vk.4 )
+                case CA_INIT_T
+                solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.14 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'KEY', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  <~k, ~ke>)
+                         ) @ #vk.4 )
+                    case Reveal_session
+                    by contradiction /* from formulas */
+                  next
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.49 )
+                      case CA_INIT_T
+                      solve( !KU( ~ke ) @ #vk.50 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.51 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~skT ) @ #vk.38 )
+                    case Corrupt_ltk
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.6 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.51 )
+                        case CA_INIT_T
+                        solve( !KU( ~ke ) @ #vk.52 )
+                          case CA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.53 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk.1 ) @ #vk.43 )
+                  case Corrupt_ltk
+                  solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.18 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.5 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.52 )
+                        case CA_INIT_T
+                        solve( !KU( ~ke ) @ #vk.53 )
+                          case CA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.54 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.5 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.53 )
+                        case CA_INIT_T
+                        solve( !KU( ~ke ) @ #vk.54 )
+                          case CA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.55 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma chip_hiding:
+  all-traces
+  "∀ C T iid #i.
+    (CompletedTA( C, iid, T ) @ #i) ⇒
+    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T iid #i.
+  (CompletedTA( C, iid, T ) @ #i)
+ ∧
+  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
+*/
+simplify
+solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1 ) ▶₁ #i )
+  case TA_CHALLENGE_C
+  solve( !KU( ~iid ) @ #vk.6 )
+    case CA_INIT_C
+    by contradiction /* cyclic */
+  qed
+qed
+
+lemma nonRepudiation_terminal:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( C ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( T, 'chip' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( C, 'chip', T ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( C ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( T, 'chip' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( C, 'chip', T ) @ #i )
+  case Verify_Transcript_C
+  solve( !Ltk( C, skC, 'chip' ) ▶₂ #i )
+    case Generate_chip_key_pair
+    solve( !KU( sign(<'CA', 
+                      cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                      cert(x.1, sign(<x.1, $A, 'chip'>, ca_sk), $A), r2, cip, pkCe, cipe>,
+                     x)
+           ) @ #vk.17 )
+      case c_sign
+      solve( !KU( cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T)
+             ) @ #vk.2 )
+        case CA_Sign_ltk
+        solve( !KU( ~ltk ) @ #vk.28 )
+          case Corrupt_ltk
+          solve( !KU( sign(<'TA', IDc, r1>, ~ltk) ) @ #vk.13 )
+            case c_sign
+            solve( !KU( cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1) ) @ #vk.17 )
+              case CA_Sign_ltk
+              solve( !KU( kdf(<'CNF', 
+                               cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                               cert(pk(~ltk.1), sign(<pk(~ltk.1), $A.1, 'chip'>, ca_sk), $A.1), r2, 
+                               cip, pkCe, cipe>,
+                              <z, z.1>)
+                     ) @ #vk.29 )
+                case c_kdf
+                solve( splitEqs(0) )
+                  case split_case_3
+                  solve( !KU( encaps(z, pk(~ltk.2)) ) @ #vk.29 )
+                    case c_encaps
+                    solve( !KU( decaps(cipe, skCe) ) @ #vk.37 )
+                      case c_decaps
+                      solve( !KU( pk(~ltk.2) ) @ #vk.38 )
+                        case CA_Sign_ltk
+                        SOLVED // trace found
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_chip:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( T ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( C, 'terminal' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( T, 'terminal', C ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( T ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( C, 'terminal' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( T, 'terminal', C ) @ #i )
+  case Verify_Transcript_T
+  solve( !Pk( T, pk(x.1), 'terminal' ) ▶₂ #i )
+    case Generate_terminal_key_pair
+    solve( !KU( sign(<'TA', IDc, r1>, ~ltk) ) @ #vk.7 )
+      case TA_RESPONSE_T
+      by contradiction /* from formulas */
+    next
+      case c_sign
+      solve( !KU( ~ltk ) @ #vk.26 )
+        case Corrupt_ltk
+        by contradiction /* from formulas */
+      qed
+    qed
+  qed
+qed
+
+lemma pfs:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+       (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+      (¬(∃ #m. (Corrupted( C ) @ #m) ∧ (#m < #j)))) ∧
+     (¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j)))) ⇒
+    ((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'CA', 
+                                cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                               ~ltk.1)
+                     ) @ #vk.4 )
+                case CA_INIT_T
+                solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.14 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'KEY', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  <~k, ~ke>)
+                         ) @ #vk.4 )
+                    case Reveal_session
+                    by contradiction /* from formulas */
+                  next
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.49 )
+                      case CA_INIT_T
+                      solve( !KU( ~ke ) @ #vk.50 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.51 )
+                          case Corrupt_ltk
+                          by solve( !KU( ~skCe ) @ #vk.52 )
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~skT ) @ #vk.38 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk.1 ) @ #vk.43 )
+                  case Corrupt_ltk
+                  solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.18 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.5 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.52 )
+                        case CA_INIT_T
+                        solve( !KU( ~ke ) @ #vk.53 )
+                          case CA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.54 )
+                            case Corrupt_ltk
+                            by solve( !KU( ~skCe ) @ #vk.55 )
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    by contradiction /* cyclic */
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+/* All wellformedness checks were successful. */
+
+/*
+Generated from:
+Tamarin version 1.8.0
+Maude version 3.3.1
+Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
+Compiled at: 2024-01-16 15:38:46.116852601 UTC
+*/
+
+end
+
+==============================================================================
+summary of summaries:
+
+analyzed: tmp.spthy
+
+  processing time: 138.92s
+  
+  session_exist (exists-trace): verified (24 steps)
+  two_session_exist (exists-trace): verified (46 steps)
+  weak_agreement_C (all-traces): verified (8 steps)
+  weak_agreement_T (all-traces): verified (20 steps)
+  agreement_C (all-traces): verified (20 steps)
+  agreement_T (all-traces): verified (20 steps)
+  aliveness (all-traces): verified (21 steps)
+  session_uniqueness (all-traces): verified (37 steps)
+  consistency (all-traces): verified (35 steps)
+  key_secrecy (all-traces): verified (37 steps)
+  chip_hiding (all-traces): verified (4 steps)
+  nonRepudiation_terminal (exists-trace): verified (14 steps)
+  nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps)
+  pfs (all-traces): verified (27 steps)
+
+==============================================================================
diff --git a/results/Basic/two_session_exist.err.45214997 b/results/45991549.err.PFS_ALL_KemPQEAC_TAMARIN
similarity index 86%
rename from results/Basic/two_session_exist.err.45214997
rename to results/45991549.err.PFS_ALL_KemPQEAC_TAMARIN
index 1f61aae55c21ecd2bc906c49f8eb899cc6d49e2d..35cf59a4de87742e8526e575ef29d8946ab1831a 100644
--- a/results/Basic/two_session_exist.err.45214997
+++ b/results/45991549.err.PFS_ALL_KemPQEAC_TAMARIN
@@ -30,3 +30,5 @@
 [Saturating Sources] Step 2/5
 [Saturating Sources] Step 1/5
 [Saturating Sources] Step 2/5
+WARNING: you should run this program as super-user.
+WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
diff --git a/results/45991549.out.PFS_ALL_KemPQEAC_TAMARIN b/results/45991549.out.PFS_ALL_KemPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..222184394757fd79a12a23c2ead8c50c00eb01cb
--- /dev/null
+++ b/results/45991549.out.PFS_ALL_KemPQEAC_TAMARIN
@@ -0,0 +1,5341 @@
+maude tool: 'maude'
+ checking version: 3.3.1. OK.
+ checking installation: OK.
+theory KemPQEAC begin
+
+// Function signature and definition of the equational theory E
+
+functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
+           cert_sig/1, decaps/2, encaps/2, fst/1, kdf/2, mac/2, pair/2, pk/1,
+           sdec/2, senc/2, sign/2, snd/1, true/0, verify/3
+equations:
+    cert_id(cert(pk, s, id)) = id,
+    cert_pk(cert(pk, s, id)) = pk,
+    cert_sig(cert(pk, s, id)) = s,
+    decaps(encaps(k, pk(sk)), sk) = k,
+    fst(<x.1, x.2>) = x.1,
+    sdec(senc(x.1, x.2), x.2) = x.1,
+    snd(<x.1, x.2>) = x.2,
+    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
+
+
+
+
+
+
+
+
+
+macros:
+    verify_cert( cert,
+                 role ) = verify(cert_sig(cert),pair(cert_pk(cert),pair(cert_id(cert),role)),pk(ca_sk))
+
+rule (modulo E) Publish_ca_pk:
+   [ ] --> [ Out( pk(ca_sk) ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_chip_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [ !Pk( $A, pk(~ltk), 'chip' ), !Ltk( $A, ~ltk, 'chip' ), Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_terminal_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [
+   !Pk( $A, pk(~ltk), 'terminal' ), !Ltk( $A, ~ltk, 'terminal' ),
+   Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_Sign_ltk:
+   [ !Pk( A, pk, role ) ]
+  --[ RegisteredRole( A, role ) ]->
+   [
+   !Cert( A, cert(pk, sign(<pk, A, role>, ca_sk), A), role ),
+   Out( cert(pk, sign(<pk, A, role>, ca_sk), A) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Corrupt_ltk:
+   [ !Ltk( $A, ltk, role ) ] --[ Corrupted( $A ) ]-> [ Out( <ltk, role> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Reveal_session:
+   [ !SessionReveal( sid, k ) ] --[ Revealed( sid ) ]-> [ Out( k ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_INIT_T:
+   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+  --[ Started( ) ]->
+   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_CHALLENGE_C:
+   [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid )
+   ]
+  --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
+   [
+   Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), '2', 'c'> ),
+   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1,
+                 <~kTA, encaps(~kTA, cert_pk(certT))>
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_CHALLENGE_C:
+     [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid )
+     ]
+    --[ Eq( z.1, true ), Started( ) ]->
+     [
+     Out( <~id_c, ~r1, encaps(~kTA, z), '2', 'c'> ),
+     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, z)> )
+     ]
+    variants (modulo AC)
+    1. certT = certT.14
+       z     = cert_pk(certT.14)
+       z.1   = verify(cert_sig(certT.14),
+                      <cert_pk(certT.14), cert_id(certT.14), 'terminal'>, pk(ca_sk))
+    
+    2. certT = cert(z.27, sign(<z.27, x.44, 'terminal'>, ca_sk), x.44)
+       z     = z.27
+       z.1   = true
+    
+    3. certT = cert(z.28, x.45, x.46)
+       z     = z.28
+       z.1   = verify(x.45, <z.28, x.46, 'terminal'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_RESPONSE_T:
+   [
+   In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ),
+   !Ltk( $T, ~skT, 'terminal' )
+   ]
+  -->
+   [
+   Out( <kdf(<'TCNF', r1>, decaps(cTA, ~skT)), '3', 't'> ),
+   TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, decaps(cTA, ~skT)),
+                kdf(<'TENC', r1>, decaps(cTA, ~skT))
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_RESPONSE_T:
+     [
+     In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ),
+     !Ltk( $T, ~skT, 'terminal' )
+     ]
+    -->
+     [
+     Out( <kdf(<'TCNF', r1>, z), '3', 't'> ),
+     TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, z), kdf(<'TENC', r1>, z)
+     )
+     ]
+    variants (modulo AC)
+    1. ~skT  = ~skT.14
+       cTA   = cTA.15
+       z     = decaps(cTA.15, ~skT.14)
+    
+    2. ~skT  = ~skT.22
+       cTA   = encaps(z.31, pk(~skT.22))
+       z     = z.31
+  */
+
+rule (modulo E) TA_COMPLETE_C:
+   [
+   In( <kTCNF_T, '3', 't'> ),
+   TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> )
+   ]
+  --[
+  Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ),
+  CompletedTA( $C, iid, cert_id(certT) )
+  ]->
+   [
+   TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>,
+                kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA)
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_COMPLETE_C:
+     [
+     In( <kTCNF_T, '3', 't'> ),
+     TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> )
+     ]
+    --[ Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ), CompletedTA( $C, iid, z ) ]->
+     [
+     TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>,
+                  kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA)
+     )
+     ]
+    variants (modulo AC)
+    1. certT = certT.16
+       z     = cert_id(certT.16)
+    
+    2. certT = cert(x.26, x.27, z.21)
+       z     = z.21
+  */
+
+rule (modulo E) CA_INIT_C:
+   [
+   !Cert( $C, certC, 'chip' ), Fr( ~r2 ), Fr( ~skCe ),
+   TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC )
+   ]
+  -->
+   [
+   Out( <senc(<certC, ~r2, pk(~skCe)>, kTENC), '4', 'c'> ),
+   Out( senc(iid, kTENC) ),
+   CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2, ~skCe
+   )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_INIT_T:
+   [
+   In( <cCA, '4', 'c'> ), TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ),
+   !Cert( $T, certT, 'terminal' ), Fr( ~k ), Fr( ~ke )
+   ]
+  --[ Eq( verify_cert(fst(sdec(cCA, kTENC)), 'chip'), true ) ]->
+   [
+   Out( <encaps(~k, cert_pk(fst(sdec(cCA, kTENC)))), 
+         mac(<'CA', certT, fst(sdec(cCA, kTENC)), fst(snd(sdec(cCA, kTENC))), 
+              encaps(~k, cert_pk(fst(sdec(cCA, kTENC)))), snd(snd(sdec(cCA, kTENC))), 
+              encaps(~ke, snd(snd(sdec(cCA, kTENC))))>,
+             kTMAC), 
+         encaps(~ke, snd(snd(sdec(cCA, kTENC)))), '5', 't'>
+   ),
+   CAInitT( <$T, iid>, id_c, kTMAC, kTENC, fst(sdec(cCA, kTENC)),
+            fst(snd(sdec(cCA, kTENC))),
+            <~k, encaps(~k, cert_pk(fst(sdec(cCA, kTENC))))>,
+            <~ke, encaps(~ke, snd(snd(sdec(cCA, kTENC))))>,
+            snd(snd(sdec(cCA, kTENC)))
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_INIT_T:
+     [
+     In( <cCA, '4', 'c'> ), TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ),
+     !Cert( $T, certT, 'terminal' ), Fr( ~k ), Fr( ~ke )
+     ]
+    --[ Eq( z.4, true ) ]->
+     [
+     Out( <encaps(~k, z), 
+           mac(<'CA', certT, z.1, z.2, encaps(~k, z), z.3, encaps(~ke, z.3)>,
+               kTMAC), 
+           encaps(~ke, z.3), '5', 't'>
+     ),
+     CAInitT( <$T, iid>, id_c, kTMAC, kTENC, z.1, z.2, <~k, encaps(~k, z)>,
+              <~ke, encaps(~ke, z.3)>, z.3
+     )
+     ]
+    variants (modulo AC)
+    1. cCA   = cCA.26
+       kTENC = kTENC.30
+       z     = cert_pk(fst(sdec(cCA.26, kTENC.30)))
+       z.1   = fst(sdec(cCA.26, kTENC.30))
+       z.2   = fst(snd(sdec(cCA.26, kTENC.30)))
+       z.3   = snd(snd(sdec(cCA.26, kTENC.30)))
+       z.4   = verify(cert_sig(fst(sdec(cCA.26, kTENC.30))),
+                      <cert_pk(fst(sdec(cCA.26, kTENC.30))), 
+                       cert_id(fst(sdec(cCA.26, kTENC.30))), 'chip'>,
+                      pk(ca_sk))
+    
+    2. cCA   = senc(x.165, kTENC.87)
+       kTENC = kTENC.87
+       z     = cert_pk(fst(x.165))
+       z.1   = fst(x.165)
+       z.2   = fst(snd(x.165))
+       z.3   = snd(snd(x.165))
+       z.4   = verify(cert_sig(fst(x.165)),
+                      <cert_pk(fst(x.165)), cert_id(fst(x.165)), 'chip'>, pk(ca_sk))
+    
+    3. cCA   = senc(<z.38, z.39, z.40>, kTENC.31)
+       kTENC = kTENC.31
+       z     = cert_pk(z.38)
+       z.1   = z.38
+       z.2   = z.39
+       z.3   = z.40
+       z.4   = verify(cert_sig(z.38), <cert_pk(z.38), cert_id(z.38), 'chip'>,
+                      pk(ca_sk))
+    
+    4. cCA   = senc(<z.95, x.167>, kTENC.88)
+       kTENC = kTENC.88
+       z     = cert_pk(z.95)
+       z.1   = z.95
+       z.2   = fst(x.167)
+       z.3   = snd(x.167)
+       z.4   = verify(cert_sig(z.95), <cert_pk(z.95), cert_id(z.95), 'chip'>,
+                      pk(ca_sk))
+    
+    5. cCA   = senc(<cert(z.93, sign(<z.93, x.167, 'chip'>, ca_sk), x.167), 
+                     z.96, z.97>,
+                    kTENC.88)
+       kTENC = kTENC.88
+       z     = z.93
+       z.1   = cert(z.93, sign(<z.93, x.167, 'chip'>, ca_sk), x.167)
+       z.2   = z.96
+       z.3   = z.97
+       z.4   = true
+    
+    6. cCA   = senc(<cert(z.94, x.168, x.169), z.97, z.98>, kTENC.89)
+       kTENC = kTENC.89
+       z     = z.94
+       z.1   = cert(z.94, x.168, x.169)
+       z.2   = z.97
+       z.3   = z.98
+       z.4   = verify(x.168, <z.94, x.169, 'chip'>, pk(ca_sk))
+    
+    7. cCA   = senc(<cert(z.94, sign(<z.94, x.168, 'chip'>, ca_sk), x.168), 
+                     x.169>,
+                    kTENC.89)
+       kTENC = kTENC.89
+       z     = z.94
+       z.1   = cert(z.94, sign(<z.94, x.168, 'chip'>, ca_sk), x.168)
+       z.2   = fst(x.169)
+       z.3   = snd(x.169)
+       z.4   = true
+    
+    8. cCA   = senc(<cert(z.95, x.169, x.170), x.171>, kTENC.90)
+       kTENC = kTENC.90
+       z     = z.95
+       z.1   = cert(z.95, x.169, x.170)
+       z.2   = fst(x.171)
+       z.3   = snd(x.171)
+       z.4   = verify(x.169, <z.95, x.170, 'chip'>, pk(ca_sk))
+  */
+
+rule (modulo E) CA_FINISH_C:
+   [
+   In( <cip, s, cipe, '5', 't'> ),
+   CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
+   ),
+   !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+   ]
+  --[
+  Eq( s, mac(<'CA', certT, certC, r2, cip, pk(skCe), cipe>, kTMAC) ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
+                 <decaps(cip, ~skC), decaps(cipe, skCe)>),
+             <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', cert_id(certT)
+  )
+  ]->
+   [
+   Out( <
+         kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>,
+             <decaps(cip, ~skC), decaps(cipe, skCe)>), 
+         '6', 'c'>
+   ),
+   CAFinishC( $C, cert_id(certT),
+              kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
+                  <decaps(cip, ~skC), decaps(cipe, skCe)>)
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_C:
+     [
+     In( <cip, s, cipe, '5', 't'> ),
+     CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
+     ),
+     !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+     ]
+    --[
+    Eq( s, mac(<'CA', certT, certC, r2, cip, pk(skCe), cipe>, kTMAC) ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>),
+               <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.2
+    )
+    ]->
+     [
+     Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), 
+           '6', 'c'>
+     ),
+     CAFinishC( $C, z.2,
+                kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>)
+     )
+     ]
+    variants (modulo AC)
+    1. ~skC  = ~skC.41
+       certT = certT.44
+       cip   = cip.45
+       cipe  = cipe.46
+       skCe  = skCe.55
+       z     = decaps(cip.45, ~skC.41)
+       z.1   = decaps(cipe.46, skCe.55)
+       z.2   = cert_id(certT.44)
+    
+    2. ~skC  = ~skC.46
+       certT = certT.49
+       cip   = encaps(z.65, pk(~skC.46))
+       cipe  = cipe.51
+       skCe  = skCe.60
+       z     = z.65
+       z.1   = decaps(cipe.51, skCe.60)
+       z.2   = cert_id(certT.49)
+    
+    3. ~skC  = ~skC.47
+       certT = certT.50
+       cip   = cip.51
+       cipe  = encaps(z.67, pk(skCe.61))
+       skCe  = skCe.61
+       z     = decaps(cip.51, ~skC.47)
+       z.1   = z.67
+       z.2   = cert_id(certT.50)
+    
+    4. ~skC  = ~skC.47
+       certT = certT.50
+       cip   = encaps(z.66, pk(~skC.47))
+       cipe  = encaps(z.67, pk(skCe.61))
+       skCe  = skCe.61
+       z     = z.66
+       z.1   = z.67
+       z.2   = cert_id(certT.50)
+    
+    5. ~skC  = ~skC.210
+       certT = cert(x.416, x.417, z.233)
+       cip   = cip.214
+       cipe  = cipe.215
+       skCe  = skCe.224
+       z     = decaps(cip.214, ~skC.210)
+       z.1   = decaps(cipe.215, skCe.224)
+       z.2   = z.233
+    
+    6. ~skC  = ~skC.210
+       certT = cert(x.416, x.417, z.233)
+       cip   = cip.214
+       cipe  = encaps(z.230, pk(skCe.224))
+       skCe  = skCe.224
+       z     = decaps(cip.214, ~skC.210)
+       z.1   = z.230
+       z.2   = z.233
+    
+    7. ~skC  = ~skC.213
+       certT = cert(x.422, x.423, z.236)
+       cip   = encaps(z.232, pk(~skC.213))
+       cipe  = cipe.218
+       skCe  = skCe.227
+       z     = z.232
+       z.1   = decaps(cipe.218, skCe.227)
+       z.2   = z.236
+    
+    8. ~skC  = ~skC.213
+       certT = cert(x.422, x.423, z.236)
+       cip   = encaps(z.232, pk(~skC.213))
+       cipe  = encaps(z.233, pk(skCe.227))
+       skCe  = skCe.227
+       z     = z.232
+       z.1   = z.233
+       z.2   = z.236
+  */
+
+rule (modulo E) CA_FINISH_T:
+   [
+   In( <kCNF_c, '6', 'c'> ),
+   CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
+            pkCe
+   ),
+   !Cert( $T, certT, 'terminal' )
+   ]
+  --[
+  Eq( kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>), kCNF_c ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>),
+             <certT, certC, r2, cip, pkCe, cipe>, $T, 'terminal', cert_id(certC)
+  ),
+  Finished( <certT, certC, r2, cip, pkCe, cipe> )
+  ]->
+   [
+   CAFinishT( cert_id(certC), $T,
+              kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+   ),
+   !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
+                   kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_T:
+     [
+     In( <kCNF_c, '6', 'c'> ),
+     CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
+              pkCe
+     ),
+     !Cert( $T, certT, 'terminal' )
+     ]
+    --[
+    Eq( kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>), kCNF_c ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>),
+               <certT, certC, r2, cip, pkCe, cipe>, $T, 'terminal', z
+    ),
+    Finished( <certT, certC, r2, cip, pkCe, cipe> )
+    ]->
+     [
+     CAFinishT( z, $T,
+                kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+     ),
+     !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
+                     kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+     )
+     ]
+    variants (modulo AC)
+    1. certC = certC.20
+       z     = cert_id(certC.20)
+    
+    2. certC = cert(x.46, x.47, z.33)
+       z     = z.33
+  */
+
+rule (modulo E) Verify_Transcript_C:
+   [
+   In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF> ),
+   In( <kTA, skCe> ), !Ltk( C, skC, 'chip' )
+   ]
+  --[
+  Eq( C, cert_id(fst(sdec(cCA, kdf(<'TENC', r1>, kTA)))) ),
+  Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 'chip'), true ),
+  Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( kTCNF, kdf(<'TCNF', r1>, kTA) ),
+  Eq( s,
+      mac(<'CA', certT, fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, kTA))), cip, pk(skCe), cipe>,
+          kdf(<'TMAC', r1>, kTA))
+  ),
+  Eq( kCNF,
+      kdf(<'CNF', certT, fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, kTA))), cip, pk(skCe), cipe>,
+          <decaps(cip, skC), decaps(cipe, skCe)>)
+  ),
+  ValidTrans( C, 'chip', cert_id(certT) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_C:
+     [
+     In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF> ),
+     In( <kTA, skCe> ), !Ltk( C, skC, 'chip' )
+     ]
+    --[
+    Eq( C, z ), Eq( z.1, true ), Eq( z.2, true ),
+    Eq( kTCNF, kdf(<'TCNF', r1>, kTA) ),
+    Eq( s,
+        mac(<'CA', certT, z.3, z.4, cip, pk(skCe), cipe>, kdf(<'TMAC', r1>, kTA))
+    ),
+    Eq( kCNF, kdf(<'CNF', certT, z.3, z.4, cip, pk(skCe), cipe>, <z.5, z.6>)
+    ),
+    ValidTrans( C, 'chip', z.7 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. cCA   = cCA.40
+        certT = certT.42
+        cip   = cip.43
+        cipe  = cipe.44
+        kTA   = kTA.46
+        r1    = r1.48
+        skC   = skC.50
+        skCe  = skCe.51
+        z     = cert_id(fst(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46)))),
+                       <cert_pk(fst(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46)))), 
+                        cert_id(fst(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.42),
+                       <cert_pk(certT.42), cert_id(certT.42), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46)))
+        z.4   = snd(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46)))
+        z.5   = decaps(cip.43, skC.50)
+        z.6   = decaps(cipe.44, skCe.51)
+        z.7   = cert_id(certT.42)
+    
+     2. cCA   = cCA.51
+        certT = certT.53
+        cip   = encaps(z.73, pk(skC.61))
+        cipe  = cipe.55
+        kTA   = kTA.57
+        r1    = r1.59
+        skC   = skC.61
+        skCe  = skCe.62
+        z     = cert_id(fst(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57)))),
+                       <cert_pk(fst(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57)))), 
+                        cert_id(fst(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.53),
+                       <cert_pk(certT.53), cert_id(certT.53), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57)))
+        z.4   = snd(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57)))
+        z.5   = z.73
+        z.6   = decaps(cipe.55, skCe.62)
+        z.7   = cert_id(certT.53)
+    
+     3. cCA   = cCA.52
+        certT = certT.54
+        cip   = cip.55
+        cipe  = encaps(z.75, pk(skCe.63))
+        kTA   = kTA.58
+        r1    = r1.60
+        skC   = skC.62
+        skCe  = skCe.63
+        z     = cert_id(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))),
+                       <cert_pk(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))), 
+                        cert_id(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.54),
+                       <cert_pk(certT.54), cert_id(certT.54), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))
+        z.4   = snd(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))
+        z.5   = decaps(cip.55, skC.62)
+        z.6   = z.75
+        z.7   = cert_id(certT.54)
+    
+     4. cCA   = cCA.52
+        certT = certT.54
+        cip   = encaps(z.74, pk(skC.62))
+        cipe  = encaps(z.75, pk(skCe.63))
+        kTA   = kTA.58
+        r1    = r1.60
+        skC   = skC.62
+        skCe  = skCe.63
+        z     = cert_id(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))),
+                       <cert_pk(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))), 
+                        cert_id(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.54),
+                       <cert_pk(certT.54), cert_id(certT.54), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))
+        z.4   = snd(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))
+        z.5   = z.74
+        z.6   = z.75
+        z.7   = cert_id(certT.54)
+    
+     5. cCA   = cCA.129
+        certT = cert(x.254, sign(<x.254, z.153, 'terminal'>, ca_sk), z.153)
+        cip   = cip.132
+        cipe  = cipe.133
+        kTA   = kTA.135
+        r1    = r1.137
+        skC   = skC.139
+        skCe  = skCe.140
+        z     = cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.137>, kTA.135)))),
+                       <cert_pk(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 
+                        cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.4   = snd(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.5   = decaps(cip.132, skC.139)
+        z.6   = decaps(cipe.133, skCe.140)
+        z.7   = z.153
+    
+     6. cCA   = cCA.129
+        certT = cert(x.254, sign(<x.254, z.153, 'terminal'>, ca_sk), z.153)
+        cip   = cip.132
+        cipe  = encaps(z.152, pk(skCe.140))
+        kTA   = kTA.135
+        r1    = r1.137
+        skC   = skC.139
+        skCe  = skCe.140
+        z     = cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.137>, kTA.135)))),
+                       <cert_pk(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 
+                        cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.4   = snd(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.5   = decaps(cip.132, skC.139)
+        z.6   = z.152
+        z.7   = z.153
+    
+     7. cCA   = cCA.129
+        certT = cert(x.254, sign(<x.254, z.153, 'terminal'>, ca_sk), z.153)
+        cip   = encaps(z.151, pk(skC.139))
+        cipe  = cipe.133
+        kTA   = kTA.135
+        r1    = r1.137
+        skC   = skC.139
+        skCe  = skCe.140
+        z     = cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.137>, kTA.135)))),
+                       <cert_pk(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 
+                        cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.4   = snd(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.5   = z.151
+        z.6   = decaps(cipe.133, skCe.140)
+        z.7   = z.153
+    
+     8. cCA   = cCA.129
+        certT = cert(x.254, sign(<x.254, z.153, 'terminal'>, ca_sk), z.153)
+        cip   = encaps(z.151, pk(skC.139))
+        cipe  = encaps(z.152, pk(skCe.140))
+        kTA   = kTA.135
+        r1    = r1.137
+        skC   = skC.139
+        skCe  = skCe.140
+        z     = cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.137>, kTA.135)))),
+                       <cert_pk(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 
+                        cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.4   = snd(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.5   = z.151
+        z.6   = z.152
+        z.7   = z.153
+    
+     9. cCA   = cCA.130
+        certT = cert(x.255, x.256, z.154)
+        cip   = cip.133
+        cipe  = cipe.134
+        kTA   = kTA.136
+        r1    = r1.138
+        skC   = skC.140
+        skCe  = skCe.141
+        z     = cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.138>, kTA.136)))),
+                       <cert_pk(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 
+                        cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.256, <x.255, z.154, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.4   = snd(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.5   = decaps(cip.133, skC.140)
+        z.6   = decaps(cipe.134, skCe.141)
+        z.7   = z.154
+    
+    10. cCA   = cCA.130
+        certT = cert(x.255, x.256, z.154)
+        cip   = cip.133
+        cipe  = encaps(z.153, pk(skCe.141))
+        kTA   = kTA.136
+        r1    = r1.138
+        skC   = skC.140
+        skCe  = skCe.141
+        z     = cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.138>, kTA.136)))),
+                       <cert_pk(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 
+                        cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.256, <x.255, z.154, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.4   = snd(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.5   = decaps(cip.133, skC.140)
+        z.6   = z.153
+        z.7   = z.154
+    
+    11. cCA   = cCA.130
+        certT = cert(x.255, x.256, z.154)
+        cip   = encaps(z.152, pk(skC.140))
+        cipe  = cipe.134
+        kTA   = kTA.136
+        r1    = r1.138
+        skC   = skC.140
+        skCe  = skCe.141
+        z     = cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.138>, kTA.136)))),
+                       <cert_pk(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 
+                        cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.256, <x.255, z.154, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.4   = snd(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.5   = z.152
+        z.6   = decaps(cipe.134, skCe.141)
+        z.7   = z.154
+    
+    12. cCA   = cCA.130
+        certT = cert(x.255, x.256, z.154)
+        cip   = encaps(z.152, pk(skC.140))
+        cipe  = encaps(z.153, pk(skCe.141))
+        kTA   = kTA.136
+        r1    = r1.138
+        skC   = skC.140
+        skCe  = skCe.141
+        z     = cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.138>, kTA.136)))),
+                       <cert_pk(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 
+                        cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.256, <x.255, z.154, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.4   = snd(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.5   = z.152
+        z.6   = z.153
+        z.7   = z.154
+    
+    13. cCA   = senc(x.204, kdf(<'TENC', r1.111>, kTA.109))
+        certT = cert(x.208, sign(<x.208, z.127, 'terminal'>, ca_sk), z.127)
+        cip   = encaps(z.125, pk(skC.113))
+        cipe  = encaps(z.126, pk(skCe.114))
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        skCe  = skCe.114
+        z     = cert_id(fst(x.204))
+        z.1   = verify(cert_sig(fst(x.204)),
+                       <cert_pk(fst(x.204)), cert_id(fst(x.204)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.204)
+        z.4   = snd(x.204)
+        z.5   = z.125
+        z.6   = z.126
+        z.7   = z.127
+    
+    14. cCA   = senc(x.205, kdf(<'TENC', r1.112>, kTA.110))
+        certT = cert(x.209, x.210, z.128)
+        cip   = encaps(z.126, pk(skC.114))
+        cipe  = encaps(z.127, pk(skCe.115))
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        skCe  = skCe.115
+        z     = cert_id(fst(x.205))
+        z.1   = verify(cert_sig(fst(x.205)),
+                       <cert_pk(fst(x.205)), cert_id(fst(x.205)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.210, <x.209, z.128, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.205)
+        z.4   = snd(x.205)
+        z.5   = z.126
+        z.6   = z.127
+        z.7   = z.128
+    
+    15. cCA   = senc(x.222, kdf(<'TENC', r1.121>, kTA.119))
+        certT = cert(x.226, sign(<x.226, z.137, 'terminal'>, ca_sk), z.137)
+        cip   = encaps(z.135, pk(skC.123))
+        cipe  = cipe.117
+        kTA   = kTA.119
+        r1    = r1.121
+        skC   = skC.123
+        skCe  = skCe.124
+        z     = cert_id(fst(x.222))
+        z.1   = verify(cert_sig(fst(x.222)),
+                       <cert_pk(fst(x.222)), cert_id(fst(x.222)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.222)
+        z.4   = snd(x.222)
+        z.5   = z.135
+        z.6   = decaps(cipe.117, skCe.124)
+        z.7   = z.137
+    
+    16. cCA   = senc(x.223, kdf(<'TENC', r1.122>, kTA.120))
+        certT = cert(x.227, x.228, z.138)
+        cip   = encaps(z.136, pk(skC.124))
+        cipe  = cipe.118
+        kTA   = kTA.120
+        r1    = r1.122
+        skC   = skC.124
+        skCe  = skCe.125
+        z     = cert_id(fst(x.223))
+        z.1   = verify(cert_sig(fst(x.223)),
+                       <cert_pk(fst(x.223)), cert_id(fst(x.223)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.228, <x.227, z.138, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.223)
+        z.4   = snd(x.223)
+        z.5   = z.136
+        z.6   = decaps(cipe.118, skCe.125)
+        z.7   = z.138
+    
+    17. cCA   = senc(x.231, kdf(<'TENC', r1.126>, kTA.124))
+        certT = cert(x.235, sign(<x.235, z.142, 'terminal'>, ca_sk), z.142)
+        cip   = cip.121
+        cipe  = cipe.122
+        kTA   = kTA.124
+        r1    = r1.126
+        skC   = skC.128
+        skCe  = skCe.129
+        z     = cert_id(fst(x.231))
+        z.1   = verify(cert_sig(fst(x.231)),
+                       <cert_pk(fst(x.231)), cert_id(fst(x.231)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.231)
+        z.4   = snd(x.231)
+        z.5   = decaps(cip.121, skC.128)
+        z.6   = decaps(cipe.122, skCe.129)
+        z.7   = z.142
+    
+    18. cCA   = senc(x.231, kdf(<'TENC', r1.126>, kTA.124))
+        certT = cert(x.235, sign(<x.235, z.142, 'terminal'>, ca_sk), z.142)
+        cip   = cip.121
+        cipe  = encaps(z.141, pk(skCe.129))
+        kTA   = kTA.124
+        r1    = r1.126
+        skC   = skC.128
+        skCe  = skCe.129
+        z     = cert_id(fst(x.231))
+        z.1   = verify(cert_sig(fst(x.231)),
+                       <cert_pk(fst(x.231)), cert_id(fst(x.231)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.231)
+        z.4   = snd(x.231)
+        z.5   = decaps(cip.121, skC.128)
+        z.6   = z.141
+        z.7   = z.142
+    
+    19. cCA   = senc(x.232, kdf(<'TENC', r1.127>, kTA.125))
+        certT = cert(x.236, x.237, z.143)
+        cip   = cip.122
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.232))
+        z.1   = verify(cert_sig(fst(x.232)),
+                       <cert_pk(fst(x.232)), cert_id(fst(x.232)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.237, <x.236, z.143, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.232)
+        z.4   = snd(x.232)
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = z.143
+    
+    20. cCA   = senc(x.232, kdf(<'TENC', r1.127>, kTA.125))
+        certT = cert(x.236, x.237, z.143)
+        cip   = cip.122
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.232))
+        z.1   = verify(cert_sig(fst(x.232)),
+                       <cert_pk(fst(x.232)), cert_id(fst(x.232)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.237, <x.236, z.143, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.232)
+        z.4   = snd(x.232)
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = z.142
+        z.7   = z.143
+    
+    21. cCA   = senc(x.236, kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = cip.122
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.236))
+        z.1   = verify(cert_sig(fst(x.236)),
+                       <cert_pk(fst(x.236)), cert_id(fst(x.236)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.236)
+        z.4   = snd(x.236)
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = cert_id(certT.121)
+    
+    22. cCA   = senc(x.236, kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = cip.122
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.236))
+        z.1   = verify(cert_sig(fst(x.236)),
+                       <cert_pk(fst(x.236)), cert_id(fst(x.236)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.236)
+        z.4   = snd(x.236)
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = z.142
+        z.7   = cert_id(certT.121)
+    
+    23. cCA   = senc(x.236, kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = encaps(z.141, pk(skC.129))
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.236))
+        z.1   = verify(cert_sig(fst(x.236)),
+                       <cert_pk(fst(x.236)), cert_id(fst(x.236)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.236)
+        z.4   = snd(x.236)
+        z.5   = z.141
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = cert_id(certT.121)
+    
+    24. cCA   = senc(x.236, kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = encaps(z.141, pk(skC.129))
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.236))
+        z.1   = verify(cert_sig(fst(x.236)),
+                       <cert_pk(fst(x.236)), cert_id(fst(x.236)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.236)
+        z.4   = snd(x.236)
+        z.5   = z.141
+        z.6   = z.142
+        z.7   = cert_id(certT.121)
+    
+    25. cCA   = senc(<z.62, z.63>, kdf(<'TENC', r1.52>, kTA.50))
+        certT = certT.46
+        cip   = cip.47
+        cipe  = cipe.48
+        kTA   = kTA.50
+        r1    = r1.52
+        skC   = skC.54
+        skCe  = skCe.55
+        z     = cert_id(z.62)
+        z.1   = verify(cert_sig(z.62), <cert_pk(z.62), cert_id(z.62), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.46),
+                       <cert_pk(certT.46), cert_id(certT.46), 'terminal'>, pk(ca_sk))
+        z.3   = z.62
+        z.4   = z.63
+        z.5   = decaps(cip.47, skC.54)
+        z.6   = decaps(cipe.48, skCe.55)
+        z.7   = cert_id(certT.46)
+    
+    26. cCA   = senc(<z.65, z.66>, kdf(<'TENC', r1.55>, kTA.53))
+        certT = certT.49
+        cip   = encaps(z.69, pk(skC.57))
+        cipe  = cipe.51
+        kTA   = kTA.53
+        r1    = r1.55
+        skC   = skC.57
+        skCe  = skCe.58
+        z     = cert_id(z.65)
+        z.1   = verify(cert_sig(z.65), <cert_pk(z.65), cert_id(z.65), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.49),
+                       <cert_pk(certT.49), cert_id(certT.49), 'terminal'>, pk(ca_sk))
+        z.3   = z.65
+        z.4   = z.66
+        z.5   = z.69
+        z.6   = decaps(cipe.51, skCe.58)
+        z.7   = cert_id(certT.49)
+    
+    27. cCA   = senc(<z.66, z.67>, kdf(<'TENC', r1.56>, kTA.54))
+        certT = certT.50
+        cip   = cip.51
+        cipe  = encaps(z.71, pk(skCe.59))
+        kTA   = kTA.54
+        r1    = r1.56
+        skC   = skC.58
+        skCe  = skCe.59
+        z     = cert_id(z.66)
+        z.1   = verify(cert_sig(z.66), <cert_pk(z.66), cert_id(z.66), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.50),
+                       <cert_pk(certT.50), cert_id(certT.50), 'terminal'>, pk(ca_sk))
+        z.3   = z.66
+        z.4   = z.67
+        z.5   = decaps(cip.51, skC.58)
+        z.6   = z.71
+        z.7   = cert_id(certT.50)
+    
+    28. cCA   = senc(<z.66, z.67>, kdf(<'TENC', r1.56>, kTA.54))
+        certT = certT.50
+        cip   = encaps(z.70, pk(skC.58))
+        cipe  = encaps(z.71, pk(skCe.59))
+        kTA   = kTA.54
+        r1    = r1.56
+        skC   = skC.58
+        skCe  = skCe.59
+        z     = cert_id(z.66)
+        z.1   = verify(cert_sig(z.66), <cert_pk(z.66), cert_id(z.66), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.50),
+                       <cert_pk(certT.50), cert_id(certT.50), 'terminal'>, pk(ca_sk))
+        z.3   = z.66
+        z.4   = z.67
+        z.5   = z.70
+        z.6   = z.71
+        z.7   = cert_id(certT.50)
+    
+    29. cCA   = senc(<z.122, z.123>, kdf(<'TENC', r1.112>, kTA.110))
+        certT = cert(x.210, sign(<x.210, z.128, 'terminal'>, ca_sk), z.128)
+        cip   = encaps(z.126, pk(skC.114))
+        cipe  = encaps(z.127, pk(skCe.115))
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        skCe  = skCe.115
+        z     = cert_id(z.122)
+        z.1   = verify(cert_sig(z.122), <cert_pk(z.122), cert_id(z.122), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.122
+        z.4   = z.123
+        z.5   = z.126
+        z.6   = z.127
+        z.7   = z.128
+    
+    30. cCA   = senc(<z.123, z.124>, kdf(<'TENC', r1.113>, kTA.111))
+        certT = cert(x.211, x.212, z.129)
+        cip   = encaps(z.127, pk(skC.115))
+        cipe  = encaps(z.128, pk(skCe.116))
+        kTA   = kTA.111
+        r1    = r1.113
+        skC   = skC.115
+        skCe  = skCe.116
+        z     = cert_id(z.123)
+        z.1   = verify(cert_sig(z.123), <cert_pk(z.123), cert_id(z.123), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.212, <x.211, z.129, 'terminal'>, pk(ca_sk))
+        z.3   = z.123
+        z.4   = z.124
+        z.5   = z.127
+        z.6   = z.128
+        z.7   = z.129
+    
+    31. cCA   = senc(<z.132, z.133>, kdf(<'TENC', r1.122>, kTA.120))
+        certT = cert(x.228, sign(<x.228, z.138, 'terminal'>, ca_sk), z.138)
+        cip   = encaps(z.136, pk(skC.124))
+        cipe  = cipe.118
+        kTA   = kTA.120
+        r1    = r1.122
+        skC   = skC.124
+        skCe  = skCe.125
+        z     = cert_id(z.132)
+        z.1   = verify(cert_sig(z.132), <cert_pk(z.132), cert_id(z.132), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.132
+        z.4   = z.133
+        z.5   = z.136
+        z.6   = decaps(cipe.118, skCe.125)
+        z.7   = z.138
+    
+    32. cCA   = senc(<z.133, z.134>, kdf(<'TENC', r1.123>, kTA.121))
+        certT = cert(x.229, x.230, z.139)
+        cip   = encaps(z.137, pk(skC.125))
+        cipe  = cipe.119
+        kTA   = kTA.121
+        r1    = r1.123
+        skC   = skC.125
+        skCe  = skCe.126
+        z     = cert_id(z.133)
+        z.1   = verify(cert_sig(z.133), <cert_pk(z.133), cert_id(z.133), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.230, <x.229, z.139, 'terminal'>, pk(ca_sk))
+        z.3   = z.133
+        z.4   = z.134
+        z.5   = z.137
+        z.6   = decaps(cipe.119, skCe.126)
+        z.7   = z.139
+    
+    33. cCA   = senc(<z.137, z.138>, kdf(<'TENC', r1.127>, kTA.125))
+        certT = cert(x.237, sign(<x.237, z.143, 'terminal'>, ca_sk), z.143)
+        cip   = cip.122
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(z.137)
+        z.1   = verify(cert_sig(z.137), <cert_pk(z.137), cert_id(z.137), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.137
+        z.4   = z.138
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = z.143
+    
+    34. cCA   = senc(<z.137, z.138>, kdf(<'TENC', r1.127>, kTA.125))
+        certT = cert(x.237, sign(<x.237, z.143, 'terminal'>, ca_sk), z.143)
+        cip   = cip.122
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(z.137)
+        z.1   = verify(cert_sig(z.137), <cert_pk(z.137), cert_id(z.137), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.137
+        z.4   = z.138
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = z.142
+        z.7   = z.143
+    
+    35. cCA   = senc(<z.138, z.139>, kdf(<'TENC', r1.128>, kTA.126))
+        certT = cert(x.238, x.239, z.144)
+        cip   = cip.123
+        cipe  = cipe.124
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = cert_id(z.138)
+        z.1   = verify(cert_sig(z.138), <cert_pk(z.138), cert_id(z.138), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.239, <x.238, z.144, 'terminal'>, pk(ca_sk))
+        z.3   = z.138
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = decaps(cipe.124, skCe.131)
+        z.7   = z.144
+    
+    36. cCA   = senc(<z.138, z.139>, kdf(<'TENC', r1.128>, kTA.126))
+        certT = cert(x.238, x.239, z.144)
+        cip   = cip.123
+        cipe  = encaps(z.143, pk(skCe.131))
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = cert_id(z.138)
+        z.1   = verify(cert_sig(z.138), <cert_pk(z.138), cert_id(z.138), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.239, <x.238, z.144, 'terminal'>, pk(ca_sk))
+        z.3   = z.138
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = z.143
+        z.7   = z.144
+    
+    37. cCA   = senc(<
+                      cert(x.206, sign(<x.206, z.118, 'chip'>, ca_sk), z.118), z.124>,
+                     kdf(<'TENC', r1.113>, kTA.111))
+        certT = cert(x.212, sign(<x.212, z.129, 'terminal'>, ca_sk), z.129)
+        cip   = encaps(z.127, pk(skC.115))
+        cipe  = encaps(z.128, pk(skCe.116))
+        kTA   = kTA.111
+        r1    = r1.113
+        skC   = skC.115
+        skCe  = skCe.116
+        z     = z.118
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.206, sign(<x.206, z.118, 'chip'>, ca_sk), z.118)
+        z.4   = z.124
+        z.5   = z.127
+        z.6   = z.128
+        z.7   = z.129
+    
+    38. cCA   = senc(<cert(x.207, x.208, z.119), z.125>,
+                     kdf(<'TENC', r1.114>, kTA.112))
+        certT = cert(x.214, sign(<x.214, z.130, 'terminal'>, ca_sk), z.130)
+        cip   = encaps(z.128, pk(skC.116))
+        cipe  = encaps(z.129, pk(skCe.117))
+        kTA   = kTA.112
+        r1    = r1.114
+        skC   = skC.116
+        skCe  = skCe.117
+        z     = z.119
+        z.1   = verify(x.208, <x.207, z.119, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.207, x.208, z.119)
+        z.4   = z.125
+        z.5   = z.128
+        z.6   = z.129
+        z.7   = z.130
+    
+    39. cCA   = senc(<
+                      cert(x.207, sign(<x.207, z.119, 'chip'>, ca_sk), z.119), z.125>,
+                     kdf(<'TENC', r1.114>, kTA.112))
+        certT = cert(x.213, x.214, z.130)
+        cip   = encaps(z.128, pk(skC.116))
+        cipe  = encaps(z.129, pk(skCe.117))
+        kTA   = kTA.112
+        r1    = r1.114
+        skC   = skC.116
+        skCe  = skCe.117
+        z     = z.119
+        z.1   = true
+        z.2   = verify(x.214, <x.213, z.130, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.207, sign(<x.207, z.119, 'chip'>, ca_sk), z.119)
+        z.4   = z.125
+        z.5   = z.128
+        z.6   = z.129
+        z.7   = z.130
+    
+    40. cCA   = senc(<cert(x.208, x.209, z.120), z.126>,
+                     kdf(<'TENC', r1.115>, kTA.113))
+        certT = cert(x.215, x.216, z.131)
+        cip   = encaps(z.129, pk(skC.117))
+        cipe  = encaps(z.130, pk(skCe.118))
+        kTA   = kTA.113
+        r1    = r1.115
+        skC   = skC.117
+        skCe  = skCe.118
+        z     = z.120
+        z.1   = verify(x.209, <x.208, z.120, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.216, <x.215, z.131, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.208, x.209, z.120)
+        z.4   = z.126
+        z.5   = z.129
+        z.6   = z.130
+        z.7   = z.131
+    
+    41. cCA   = senc(<
+                      cert(x.224, sign(<x.224, z.128, 'chip'>, ca_sk), z.128), z.134>,
+                     kdf(<'TENC', r1.123>, kTA.121))
+        certT = cert(x.230, sign(<x.230, z.139, 'terminal'>, ca_sk), z.139)
+        cip   = encaps(z.137, pk(skC.125))
+        cipe  = cipe.119
+        kTA   = kTA.121
+        r1    = r1.123
+        skC   = skC.125
+        skCe  = skCe.126
+        z     = z.128
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.224, sign(<x.224, z.128, 'chip'>, ca_sk), z.128)
+        z.4   = z.134
+        z.5   = z.137
+        z.6   = decaps(cipe.119, skCe.126)
+        z.7   = z.139
+    
+    42. cCA   = senc(<cert(x.225, x.226, z.129), z.135>,
+                     kdf(<'TENC', r1.124>, kTA.122))
+        certT = cert(x.232, sign(<x.232, z.140, 'terminal'>, ca_sk), z.140)
+        cip   = encaps(z.138, pk(skC.126))
+        cipe  = cipe.120
+        kTA   = kTA.122
+        r1    = r1.124
+        skC   = skC.126
+        skCe  = skCe.127
+        z     = z.129
+        z.1   = verify(x.226, <x.225, z.129, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.225, x.226, z.129)
+        z.4   = z.135
+        z.5   = z.138
+        z.6   = decaps(cipe.120, skCe.127)
+        z.7   = z.140
+    
+    43. cCA   = senc(<
+                      cert(x.225, sign(<x.225, z.129, 'chip'>, ca_sk), z.129), z.135>,
+                     kdf(<'TENC', r1.124>, kTA.122))
+        certT = cert(x.231, x.232, z.140)
+        cip   = encaps(z.138, pk(skC.126))
+        cipe  = cipe.120
+        kTA   = kTA.122
+        r1    = r1.124
+        skC   = skC.126
+        skCe  = skCe.127
+        z     = z.129
+        z.1   = true
+        z.2   = verify(x.232, <x.231, z.140, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.225, sign(<x.225, z.129, 'chip'>, ca_sk), z.129)
+        z.4   = z.135
+        z.5   = z.138
+        z.6   = decaps(cipe.120, skCe.127)
+        z.7   = z.140
+    
+    44. cCA   = senc(<cert(x.226, x.227, z.130), z.136>,
+                     kdf(<'TENC', r1.125>, kTA.123))
+        certT = cert(x.233, x.234, z.141)
+        cip   = encaps(z.139, pk(skC.127))
+        cipe  = cipe.121
+        kTA   = kTA.123
+        r1    = r1.125
+        skC   = skC.127
+        skCe  = skCe.128
+        z     = z.130
+        z.1   = verify(x.227, <x.226, z.130, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.234, <x.233, z.141, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.226, x.227, z.130)
+        z.4   = z.136
+        z.5   = z.139
+        z.6   = decaps(cipe.121, skCe.128)
+        z.7   = z.141
+    
+    45. cCA   = senc(<
+                      cert(x.233, sign(<x.233, z.133, 'chip'>, ca_sk), z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = cert(x.239, sign(<x.239, z.144, 'terminal'>, ca_sk), z.144)
+        cip   = cip.123
+        cipe  = cipe.124
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.233, sign(<x.233, z.133, 'chip'>, ca_sk), z.133)
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = decaps(cipe.124, skCe.131)
+        z.7   = z.144
+    
+    46. cCA   = senc(<
+                      cert(x.233, sign(<x.233, z.133, 'chip'>, ca_sk), z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = cert(x.239, sign(<x.239, z.144, 'terminal'>, ca_sk), z.144)
+        cip   = cip.123
+        cipe  = encaps(z.143, pk(skCe.131))
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.233, sign(<x.233, z.133, 'chip'>, ca_sk), z.133)
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = z.143
+        z.7   = z.144
+    
+    47. cCA   = senc(<cert(x.234, x.235, z.134), z.140>,
+                     kdf(<'TENC', r1.129>, kTA.127))
+        certT = cert(x.241, sign(<x.241, z.145, 'terminal'>, ca_sk), z.145)
+        cip   = cip.124
+        cipe  = cipe.125
+        kTA   = kTA.127
+        r1    = r1.129
+        skC   = skC.131
+        skCe  = skCe.132
+        z     = z.134
+        z.1   = verify(x.235, <x.234, z.134, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.234, x.235, z.134)
+        z.4   = z.140
+        z.5   = decaps(cip.124, skC.131)
+        z.6   = decaps(cipe.125, skCe.132)
+        z.7   = z.145
+    
+    48. cCA   = senc(<cert(x.234, x.235, z.134), z.140>,
+                     kdf(<'TENC', r1.129>, kTA.127))
+        certT = cert(x.241, sign(<x.241, z.145, 'terminal'>, ca_sk), z.145)
+        cip   = cip.124
+        cipe  = encaps(z.144, pk(skCe.132))
+        kTA   = kTA.127
+        r1    = r1.129
+        skC   = skC.131
+        skCe  = skCe.132
+        z     = z.134
+        z.1   = verify(x.235, <x.234, z.134, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.234, x.235, z.134)
+        z.4   = z.140
+        z.5   = decaps(cip.124, skC.131)
+        z.6   = z.144
+        z.7   = z.145
+    
+    49. cCA   = senc(<
+                      cert(x.234, sign(<x.234, z.134, 'chip'>, ca_sk), z.134), z.140>,
+                     kdf(<'TENC', r1.129>, kTA.127))
+        certT = cert(x.240, x.241, z.145)
+        cip   = cip.124
+        cipe  = cipe.125
+        kTA   = kTA.127
+        r1    = r1.129
+        skC   = skC.131
+        skCe  = skCe.132
+        z     = z.134
+        z.1   = true
+        z.2   = verify(x.241, <x.240, z.145, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.234, sign(<x.234, z.134, 'chip'>, ca_sk), z.134)
+        z.4   = z.140
+        z.5   = decaps(cip.124, skC.131)
+        z.6   = decaps(cipe.125, skCe.132)
+        z.7   = z.145
+    
+    50. cCA   = senc(<
+                      cert(x.234, sign(<x.234, z.134, 'chip'>, ca_sk), z.134), z.140>,
+                     kdf(<'TENC', r1.129>, kTA.127))
+        certT = cert(x.240, x.241, z.145)
+        cip   = cip.124
+        cipe  = encaps(z.144, pk(skCe.132))
+        kTA   = kTA.127
+        r1    = r1.129
+        skC   = skC.131
+        skCe  = skCe.132
+        z     = z.134
+        z.1   = true
+        z.2   = verify(x.241, <x.240, z.145, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.234, sign(<x.234, z.134, 'chip'>, ca_sk), z.134)
+        z.4   = z.140
+        z.5   = decaps(cip.124, skC.131)
+        z.6   = z.144
+        z.7   = z.145
+    
+    51. cCA   = senc(<cert(x.235, x.236, z.135), z.141>,
+                     kdf(<'TENC', r1.130>, kTA.128))
+        certT = cert(x.242, x.243, z.146)
+        cip   = cip.125
+        cipe  = cipe.126
+        kTA   = kTA.128
+        r1    = r1.130
+        skC   = skC.132
+        skCe  = skCe.133
+        z     = z.135
+        z.1   = verify(x.236, <x.235, z.135, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.243, <x.242, z.146, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.235, x.236, z.135)
+        z.4   = z.141
+        z.5   = decaps(cip.125, skC.132)
+        z.6   = decaps(cipe.126, skCe.133)
+        z.7   = z.146
+    
+    52. cCA   = senc(<cert(x.235, x.236, z.135), z.141>,
+                     kdf(<'TENC', r1.130>, kTA.128))
+        certT = cert(x.242, x.243, z.146)
+        cip   = cip.125
+        cipe  = encaps(z.145, pk(skCe.133))
+        kTA   = kTA.128
+        r1    = r1.130
+        skC   = skC.132
+        skCe  = skCe.133
+        z     = z.135
+        z.1   = verify(x.236, <x.235, z.135, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.243, <x.242, z.146, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.235, x.236, z.135)
+        z.4   = z.141
+        z.5   = decaps(cip.125, skC.132)
+        z.6   = z.145
+        z.7   = z.146
+    
+    53. cCA   = senc(<
+                      cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132), z.138>,
+                     kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = cip.122
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = z.132
+        z.1   = true
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132)
+        z.4   = z.138
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = cert_id(certT.121)
+    
+    54. cCA   = senc(<
+                      cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132), z.138>,
+                     kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = cip.122
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = z.132
+        z.1   = true
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132)
+        z.4   = z.138
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = z.142
+        z.7   = cert_id(certT.121)
+    
+    55. cCA   = senc(<
+                      cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132), z.138>,
+                     kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = encaps(z.141, pk(skC.129))
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = z.132
+        z.1   = true
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132)
+        z.4   = z.138
+        z.5   = z.141
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = cert_id(certT.121)
+    
+    56. cCA   = senc(<
+                      cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132), z.138>,
+                     kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = encaps(z.141, pk(skC.129))
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = z.132
+        z.1   = true
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132)
+        z.4   = z.138
+        z.5   = z.141
+        z.6   = z.142
+        z.7   = cert_id(certT.121)
+    
+    57. cCA   = senc(<cert(x.237, x.238, z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = certT.122
+        cip   = cip.123
+        cipe  = cipe.124
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = verify(x.238, <x.237, z.133, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.237, x.238, z.133)
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = decaps(cipe.124, skCe.131)
+        z.7   = cert_id(certT.122)
+    
+    58. cCA   = senc(<cert(x.237, x.238, z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = certT.122
+        cip   = cip.123
+        cipe  = encaps(z.143, pk(skCe.131))
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = verify(x.238, <x.237, z.133, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.237, x.238, z.133)
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = z.143
+        z.7   = cert_id(certT.122)
+    
+    59. cCA   = senc(<cert(x.237, x.238, z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = certT.122
+        cip   = encaps(z.142, pk(skC.130))
+        cipe  = cipe.124
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = verify(x.238, <x.237, z.133, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.237, x.238, z.133)
+        z.4   = z.139
+        z.5   = z.142
+        z.6   = decaps(cipe.124, skCe.131)
+        z.7   = cert_id(certT.122)
+    
+    60. cCA   = senc(<cert(x.237, x.238, z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = certT.122
+        cip   = encaps(z.142, pk(skC.130))
+        cipe  = encaps(z.143, pk(skCe.131))
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = verify(x.238, <x.237, z.133, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.237, x.238, z.133)
+        z.4   = z.139
+        z.5   = z.142
+        z.6   = z.143
+        z.7   = cert_id(certT.122)
+  */
+
+rule (modulo E) Verify_Transcript_T:
+   [
+   In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF> ),
+   In( <k, ke> ), !Ltk( T, skT, 'terminal' )
+   ]
+  --[
+  Eq( T, cert_id(certT) ),
+  Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))),
+                  'chip'),
+      true
+  ),
+  Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( kTCNF, kdf(<'TCNF', r1>, decaps(cTA, skT)) ),
+  Eq( s,
+      mac(<'CA', certT, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), 
+           fst(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT))))), cip, 
+           snd(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT))))), cipe>,
+          kdf(<'TMAC', r1>, decaps(cTA, skT)))
+  ),
+  Eq( kCNF,
+      kdf(<'CNF', certT, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), 
+           fst(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT))))), cip, 
+           snd(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT))))), cipe>,
+          <k, ke>)
+  ),
+  ValidTrans( T, 'terminal',
+              cert_id(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))))
+  )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_T:
+     [
+     In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF> ),
+     In( <k, ke> ), !Ltk( T, skT, 'terminal' )
+     ]
+    --[
+    Eq( T, z ), Eq( z.1, true ), Eq( z.2, true ),
+    Eq( kTCNF, kdf(<'TCNF', r1>, z.3) ),
+    Eq( s,
+        mac(<'CA', certT, z.4, z.5, cip, z.6, cipe>, kdf(<'TMAC', r1>, z.3))
+    ),
+    Eq( kCNF, kdf(<'CNF', certT, z.4, z.5, cip, z.6, cipe>, <k, ke>) ),
+    ValidTrans( T, 'terminal', z.7 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. cCA   = cCA.40
+        cTA   = cTA.41
+        certT = certT.42
+        r1    = r1.49
+        skT   = skT.51
+        z     = cert_id(certT.42)
+        z.1   = verify(cert_sig(fst(sdec(cCA.40,
+                                         kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51))))),
+                       <
+                        cert_pk(fst(sdec(cCA.40,
+                                         kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51))))), 
+                        cert_id(fst(sdec(cCA.40,
+                                         kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.42),
+                       <cert_pk(certT.42), cert_id(certT.42), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.41, skT.51)
+        z.4   = fst(sdec(cCA.40, kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51))))
+        z.5   = fst(snd(sdec(cCA.40,
+                             kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51)))))
+        z.6   = snd(snd(sdec(cCA.40,
+                             kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51)))))
+        z.7   = cert_id(fst(sdec(cCA.40,
+                                 kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51)))))
+    
+     2. cCA   = cCA.46
+        cTA   = encaps(z.63, pk(skT.57))
+        certT = certT.48
+        r1    = r1.55
+        skT   = skT.57
+        z     = cert_id(certT.48)
+        z.1   = verify(cert_sig(fst(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63)))),
+                       <cert_pk(fst(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63)))), 
+                        cert_id(fst(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.48),
+                       <cert_pk(certT.48), cert_id(certT.48), 'terminal'>, pk(ca_sk))
+        z.3   = z.63
+        z.4   = fst(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63)))
+        z.5   = fst(snd(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63))))
+        z.6   = snd(snd(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63))))
+        z.7   = cert_id(fst(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63))))
+    
+     3. cCA   = cCA.129
+        cTA   = cTA.130
+        certT = cert(x.254, sign(<x.254, z.142, 'terminal'>, ca_sk), z.142)
+        r1    = r1.138
+        skT   = skT.140
+        z     = z.142
+        z.1   = verify(cert_sig(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140))))),
+                       <
+                        cert_pk(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140))))), 
+                        cert_id(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.130, skT.140)
+        z.4   = fst(sdec(cCA.129,
+                         kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140))))
+        z.5   = fst(snd(sdec(cCA.129,
+                             kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140)))))
+        z.6   = snd(snd(sdec(cCA.129,
+                             kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140)))))
+        z.7   = cert_id(fst(sdec(cCA.129,
+                                 kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140)))))
+    
+     4. cCA   = cCA.130
+        cTA   = cTA.131
+        certT = cert(x.255, x.256, z.143)
+        r1    = r1.139
+        skT   = skT.141
+        z     = z.143
+        z.1   = verify(cert_sig(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141))))),
+                       <
+                        cert_pk(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141))))), 
+                        cert_id(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.256, <x.255, z.143, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.131, skT.141)
+        z.4   = fst(sdec(cCA.130,
+                         kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141))))
+        z.5   = fst(snd(sdec(cCA.130,
+                             kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))))
+        z.6   = snd(snd(sdec(cCA.130,
+                             kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))))
+        z.7   = cert_id(fst(sdec(cCA.130,
+                                 kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))))
+    
+     5. cCA   = cCA.131
+        cTA   = encaps(z.148, pk(skT.142))
+        certT = cert(x.258, sign(<x.258, z.144, 'terminal'>, ca_sk), z.144)
+        r1    = r1.140
+        skT   = skT.142
+        z     = z.144
+        z.1   = verify(cert_sig(fst(sdec(cCA.131,
+                                         kdf(<'TENC', r1.140>, z.148)))),
+                       <cert_pk(fst(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148)))), 
+                        cert_id(fst(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.148
+        z.4   = fst(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148)))
+        z.5   = fst(snd(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148))))
+        z.6   = snd(snd(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148))))
+        z.7   = cert_id(fst(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148))))
+    
+     6. cCA   = cCA.132
+        cTA   = encaps(z.149, pk(skT.143))
+        certT = cert(x.259, x.260, z.145)
+        r1    = r1.141
+        skT   = skT.143
+        z     = z.145
+        z.1   = verify(cert_sig(fst(sdec(cCA.132,
+                                         kdf(<'TENC', r1.141>, z.149)))),
+                       <cert_pk(fst(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149)))), 
+                        cert_id(fst(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.260, <x.259, z.145, 'terminal'>, pk(ca_sk))
+        z.3   = z.149
+        z.4   = fst(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149)))
+        z.5   = fst(snd(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149))))
+        z.6   = snd(snd(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149))))
+        z.7   = cert_id(fst(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149))))
+    
+     7. cCA   = senc(x.177, kdf(<'TENC', r1.97>, z.105))
+        cTA   = encaps(z.105, pk(skT.99))
+        certT = cert(x.181, sign(<x.181, z.101, 'terminal'>, ca_sk), z.101)
+        r1    = r1.97
+        skT   = skT.99
+        z     = z.101
+        z.1   = verify(cert_sig(fst(x.177)),
+                       <cert_pk(fst(x.177)), cert_id(fst(x.177)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = z.105
+        z.4   = fst(x.177)
+        z.5   = fst(snd(x.177))
+        z.6   = snd(snd(x.177))
+        z.7   = cert_id(fst(x.177))
+    
+     8. cCA   = senc(x.178, kdf(<'TENC', r1.98>, z.106))
+        cTA   = encaps(z.106, pk(skT.100))
+        certT = cert(x.182, x.183, z.102)
+        r1    = r1.98
+        skT   = skT.100
+        z     = z.102
+        z.1   = verify(cert_sig(fst(x.178)),
+                       <cert_pk(fst(x.178)), cert_id(fst(x.178)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.183, <x.182, z.102, 'terminal'>, pk(ca_sk))
+        z.3   = z.106
+        z.4   = fst(x.178)
+        z.5   = fst(snd(x.178))
+        z.6   = snd(snd(x.178))
+        z.7   = cert_id(fst(x.178))
+    
+     9. cCA   = senc(x.236, kdf(<'TENC', r1.128>, z.136))
+        cTA   = encaps(z.136, pk(skT.130))
+        certT = certT.121
+        r1    = r1.128
+        skT   = skT.130
+        z     = cert_id(certT.121)
+        z.1   = verify(cert_sig(fst(x.236)),
+                       <cert_pk(fst(x.236)), cert_id(fst(x.236)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = z.136
+        z.4   = fst(x.236)
+        z.5   = fst(snd(x.236))
+        z.6   = snd(snd(x.236))
+        z.7   = cert_id(fst(x.236))
+    
+    10. cCA   = senc(x.245, kdf(<'TENC', r1.133>, decaps(cTA.125, skT.135)))
+        cTA   = cTA.125
+        certT = certT.126
+        r1    = r1.133
+        skT   = skT.135
+        z     = cert_id(certT.126)
+        z.1   = verify(cert_sig(fst(x.245)),
+                       <cert_pk(fst(x.245)), cert_id(fst(x.245)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.126),
+                       <cert_pk(certT.126), cert_id(certT.126), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.125, skT.135)
+        z.4   = fst(x.245)
+        z.5   = fst(snd(x.245))
+        z.6   = snd(snd(x.245))
+        z.7   = cert_id(fst(x.245))
+    
+    11. cCA   = senc(x.249, kdf(<'TENC', r1.137>, decaps(cTA.129, skT.139)))
+        cTA   = cTA.129
+        certT = cert(x.253, sign(<x.253, z.141, 'terminal'>, ca_sk), z.141)
+        r1    = r1.137
+        skT   = skT.139
+        z     = z.141
+        z.1   = verify(cert_sig(fst(x.249)),
+                       <cert_pk(fst(x.249)), cert_id(fst(x.249)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.129, skT.139)
+        z.4   = fst(x.249)
+        z.5   = fst(snd(x.249))
+        z.6   = snd(snd(x.249))
+        z.7   = cert_id(fst(x.249))
+    
+    12. cCA   = senc(x.250, kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140)))
+        cTA   = cTA.130
+        certT = cert(x.254, x.255, z.142)
+        r1    = r1.138
+        skT   = skT.140
+        z     = z.142
+        z.1   = verify(cert_sig(fst(x.250)),
+                       <cert_pk(fst(x.250)), cert_id(fst(x.250)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.255, <x.254, z.142, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.130, skT.140)
+        z.4   = fst(x.250)
+        z.5   = fst(snd(x.250))
+        z.6   = snd(snd(x.250))
+        z.7   = cert_id(fst(x.250))
+    
+    13. cCA   = senc(<z.65, z.66, z.67>, kdf(<'TENC', r1.55>, z.63))
+        cTA   = encaps(z.63, pk(skT.57))
+        certT = certT.48
+        r1    = r1.55
+        skT   = skT.57
+        z     = cert_id(certT.48)
+        z.1   = verify(cert_sig(z.65), <cert_pk(z.65), cert_id(z.65), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.48),
+                       <cert_pk(certT.48), cert_id(certT.48), 'terminal'>, pk(ca_sk))
+        z.3   = z.63
+        z.4   = z.65
+        z.5   = z.66
+        z.6   = z.67
+        z.7   = cert_id(z.65)
+    
+    14. cCA   = senc(<z.67, z.68, z.69>,
+                     kdf(<'TENC', r1.57>, decaps(cTA.49, skT.59)))
+        cTA   = cTA.49
+        certT = certT.50
+        r1    = r1.57
+        skT   = skT.59
+        z     = cert_id(certT.50)
+        z.1   = verify(cert_sig(z.67), <cert_pk(z.67), cert_id(z.67), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.50),
+                       <cert_pk(certT.50), cert_id(certT.50), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.49, skT.59)
+        z.4   = z.67
+        z.5   = z.68
+        z.6   = z.69
+        z.7   = cert_id(z.67)
+    
+    15. cCA   = senc(<z.108, x.179>, kdf(<'TENC', r1.98>, z.106))
+        cTA   = encaps(z.106, pk(skT.100))
+        certT = cert(x.183, sign(<x.183, z.102, 'terminal'>, ca_sk), z.102)
+        r1    = r1.98
+        skT   = skT.100
+        z     = z.102
+        z.1   = verify(cert_sig(z.108), <cert_pk(z.108), cert_id(z.108), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.106
+        z.4   = z.108
+        z.5   = fst(x.179)
+        z.6   = snd(x.179)
+        z.7   = cert_id(z.108)
+    
+    16. cCA   = senc(<z.109, x.180>, kdf(<'TENC', r1.99>, z.107))
+        cTA   = encaps(z.107, pk(skT.101))
+        certT = cert(x.184, x.185, z.103)
+        r1    = r1.99
+        skT   = skT.101
+        z     = z.103
+        z.1   = verify(cert_sig(z.109), <cert_pk(z.109), cert_id(z.109), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.185, <x.184, z.103, 'terminal'>, pk(ca_sk))
+        z.3   = z.107
+        z.4   = z.109
+        z.5   = fst(x.180)
+        z.6   = snd(x.180)
+        z.7   = cert_id(z.109)
+    
+    17. cCA   = senc(<z.109, z.110, z.111>, kdf(<'TENC', r1.99>, z.107))
+        cTA   = encaps(z.107, pk(skT.101))
+        certT = cert(x.185, sign(<x.185, z.103, 'terminal'>, ca_sk), z.103)
+        r1    = r1.99
+        skT   = skT.101
+        z     = z.103
+        z.1   = verify(cert_sig(z.109), <cert_pk(z.109), cert_id(z.109), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.107
+        z.4   = z.109
+        z.5   = z.110
+        z.6   = z.111
+        z.7   = cert_id(z.109)
+    
+    18. cCA   = senc(<z.110, z.111, z.112>, kdf(<'TENC', r1.100>, z.108))
+        cTA   = encaps(z.108, pk(skT.102))
+        certT = cert(x.186, x.187, z.104)
+        r1    = r1.100
+        skT   = skT.102
+        z     = z.104
+        z.1   = verify(cert_sig(z.110), <cert_pk(z.110), cert_id(z.110), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.187, <x.186, z.104, 'terminal'>, pk(ca_sk))
+        z.3   = z.108
+        z.4   = z.110
+        z.5   = z.111
+        z.6   = z.112
+        z.7   = cert_id(z.110)
+    
+    19. cCA   = senc(<z.139, x.238>, kdf(<'TENC', r1.129>, z.137))
+        cTA   = encaps(z.137, pk(skT.131))
+        certT = certT.122
+        r1    = r1.129
+        skT   = skT.131
+        z     = cert_id(certT.122)
+        z.1   = verify(cert_sig(z.139), <cert_pk(z.139), cert_id(z.139), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = z.137
+        z.4   = z.139
+        z.5   = fst(x.238)
+        z.6   = snd(x.238)
+        z.7   = cert_id(z.139)
+    
+    20. cCA   = senc(<z.144, x.247>,
+                     kdf(<'TENC', r1.134>, decaps(cTA.126, skT.136)))
+        cTA   = cTA.126
+        certT = certT.127
+        r1    = r1.134
+        skT   = skT.136
+        z     = cert_id(certT.127)
+        z.1   = verify(cert_sig(z.144), <cert_pk(z.144), cert_id(z.144), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.127),
+                       <cert_pk(certT.127), cert_id(certT.127), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.126, skT.136)
+        z.4   = z.144
+        z.5   = fst(x.247)
+        z.6   = snd(x.247)
+        z.7   = cert_id(z.144)
+    
+    21. cCA   = senc(<z.148, x.251>,
+                     kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140)))
+        cTA   = cTA.130
+        certT = cert(x.255, sign(<x.255, z.142, 'terminal'>, ca_sk), z.142)
+        r1    = r1.138
+        skT   = skT.140
+        z     = z.142
+        z.1   = verify(cert_sig(z.148), <cert_pk(z.148), cert_id(z.148), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.130, skT.140)
+        z.4   = z.148
+        z.5   = fst(x.251)
+        z.6   = snd(x.251)
+        z.7   = cert_id(z.148)
+    
+    22. cCA   = senc(<z.149, x.252>,
+                     kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))
+        cTA   = cTA.131
+        certT = cert(x.256, x.257, z.143)
+        r1    = r1.139
+        skT   = skT.141
+        z     = z.143
+        z.1   = verify(cert_sig(z.149), <cert_pk(z.149), cert_id(z.149), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.257, <x.256, z.143, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.131, skT.141)
+        z.4   = z.149
+        z.5   = fst(x.252)
+        z.6   = snd(x.252)
+        z.7   = cert_id(z.149)
+    
+    23. cCA   = senc(<z.149, z.150, z.151>,
+                     kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))
+        cTA   = cTA.131
+        certT = cert(x.257, sign(<x.257, z.143, 'terminal'>, ca_sk), z.143)
+        r1    = r1.139
+        skT   = skT.141
+        z     = z.143
+        z.1   = verify(cert_sig(z.149), <cert_pk(z.149), cert_id(z.149), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.131, skT.141)
+        z.4   = z.149
+        z.5   = z.150
+        z.6   = z.151
+        z.7   = cert_id(z.149)
+    
+    24. cCA   = senc(<z.150, z.151, z.152>,
+                     kdf(<'TENC', r1.140>, decaps(cTA.132, skT.142)))
+        cTA   = cTA.132
+        certT = cert(x.258, x.259, z.144)
+        r1    = r1.140
+        skT   = skT.142
+        z     = z.144
+        z.1   = verify(cert_sig(z.150), <cert_pk(z.150), cert_id(z.150), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.259, <x.258, z.144, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.132, skT.142)
+        z.4   = z.150
+        z.5   = z.151
+        z.6   = z.152
+        z.7   = cert_id(z.150)
+    
+    25. cCA   = senc(<
+                      cert(x.179, sign(<x.179, z.114, 'chip'>, ca_sk), z.114), x.181>,
+                     kdf(<'TENC', r1.99>, z.107))
+        cTA   = encaps(z.107, pk(skT.101))
+        certT = cert(x.185, sign(<x.185, z.103, 'terminal'>, ca_sk), z.103)
+        r1    = r1.99
+        skT   = skT.101
+        z     = z.103
+        z.1   = true
+        z.2   = true
+        z.3   = z.107
+        z.4   = cert(x.179, sign(<x.179, z.114, 'chip'>, ca_sk), z.114)
+        z.5   = fst(x.181)
+        z.6   = snd(x.181)
+        z.7   = z.114
+    
+    26. cCA   = senc(<cert(x.180, x.181, z.115), x.183>,
+                     kdf(<'TENC', r1.100>, z.108))
+        cTA   = encaps(z.108, pk(skT.102))
+        certT = cert(x.187, sign(<x.187, z.104, 'terminal'>, ca_sk), z.104)
+        r1    = r1.100
+        skT   = skT.102
+        z     = z.104
+        z.1   = verify(x.181, <x.180, z.115, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = z.108
+        z.4   = cert(x.180, x.181, z.115)
+        z.5   = fst(x.183)
+        z.6   = snd(x.183)
+        z.7   = z.115
+    
+    27. cCA   = senc(<
+                      cert(x.180, sign(<x.180, z.115, 'chip'>, ca_sk), z.115), x.182>,
+                     kdf(<'TENC', r1.100>, z.108))
+        cTA   = encaps(z.108, pk(skT.102))
+        certT = cert(x.186, x.187, z.104)
+        r1    = r1.100
+        skT   = skT.102
+        z     = z.104
+        z.1   = true
+        z.2   = verify(x.187, <x.186, z.104, 'terminal'>, pk(ca_sk))
+        z.3   = z.108
+        z.4   = cert(x.180, sign(<x.180, z.115, 'chip'>, ca_sk), z.115)
+        z.5   = fst(x.182)
+        z.6   = snd(x.182)
+        z.7   = z.115
+    
+    28. cCA   = senc(<
+                      cert(x.180, sign(<x.180, z.115, 'chip'>, ca_sk), z.115), z.111, z.112>,
+                     kdf(<'TENC', r1.100>, z.108))
+        cTA   = encaps(z.108, pk(skT.102))
+        certT = cert(x.187, sign(<x.187, z.104, 'terminal'>, ca_sk), z.104)
+        r1    = r1.100
+        skT   = skT.102
+        z     = z.104
+        z.1   = true
+        z.2   = true
+        z.3   = z.108
+        z.4   = cert(x.180, sign(<x.180, z.115, 'chip'>, ca_sk), z.115)
+        z.5   = z.111
+        z.6   = z.112
+        z.7   = z.115
+    
+    29. cCA   = senc(<cert(x.181, x.182, z.116), x.184>,
+                     kdf(<'TENC', r1.101>, z.109))
+        cTA   = encaps(z.109, pk(skT.103))
+        certT = cert(x.188, x.189, z.105)
+        r1    = r1.101
+        skT   = skT.103
+        z     = z.105
+        z.1   = verify(x.182, <x.181, z.116, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.189, <x.188, z.105, 'terminal'>, pk(ca_sk))
+        z.3   = z.109
+        z.4   = cert(x.181, x.182, z.116)
+        z.5   = fst(x.184)
+        z.6   = snd(x.184)
+        z.7   = z.116
+    
+    30. cCA   = senc(<cert(x.181, x.182, z.116), z.112, z.113>,
+                     kdf(<'TENC', r1.101>, z.109))
+        cTA   = encaps(z.109, pk(skT.103))
+        certT = cert(x.189, sign(<x.189, z.105, 'terminal'>, ca_sk), z.105)
+        r1    = r1.101
+        skT   = skT.103
+        z     = z.105
+        z.1   = verify(x.182, <x.181, z.116, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = z.109
+        z.4   = cert(x.181, x.182, z.116)
+        z.5   = z.112
+        z.6   = z.113
+        z.7   = z.116
+    
+    31. cCA   = senc(<
+                      cert(x.181, sign(<x.181, z.116, 'chip'>, ca_sk), z.116), z.112, z.113>,
+                     kdf(<'TENC', r1.101>, z.109))
+        cTA   = encaps(z.109, pk(skT.103))
+        certT = cert(x.188, x.189, z.105)
+        r1    = r1.101
+        skT   = skT.103
+        z     = z.105
+        z.1   = true
+        z.2   = verify(x.189, <x.188, z.105, 'terminal'>, pk(ca_sk))
+        z.3   = z.109
+        z.4   = cert(x.181, sign(<x.181, z.116, 'chip'>, ca_sk), z.116)
+        z.5   = z.112
+        z.6   = z.113
+        z.7   = z.116
+    
+    32. cCA   = senc(<cert(x.182, x.183, z.117), z.113, z.114>,
+                     kdf(<'TENC', r1.102>, z.110))
+        cTA   = encaps(z.110, pk(skT.104))
+        certT = cert(x.190, x.191, z.106)
+        r1    = r1.102
+        skT   = skT.104
+        z     = z.106
+        z.1   = verify(x.183, <x.182, z.117, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.191, <x.190, z.106, 'terminal'>, pk(ca_sk))
+        z.3   = z.110
+        z.4   = cert(x.182, x.183, z.117)
+        z.5   = z.113
+        z.6   = z.114
+        z.7   = z.117
+    
+    33. cCA   = senc(<
+                      cert(x.236, sign(<x.236, z.143, 'chip'>, ca_sk), z.143), z.139, z.140>,
+                     kdf(<'TENC', r1.128>, z.136))
+        cTA   = encaps(z.136, pk(skT.130))
+        certT = certT.121
+        r1    = r1.128
+        skT   = skT.130
+        z     = cert_id(certT.121)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = z.136
+        z.4   = cert(x.236, sign(<x.236, z.143, 'chip'>, ca_sk), z.143)
+        z.5   = z.139
+        z.6   = z.140
+        z.7   = z.143
+    
+    34. cCA   = senc(<cert(x.237, x.238, z.144), z.140, z.141>,
+                     kdf(<'TENC', r1.129>, z.137))
+        cTA   = encaps(z.137, pk(skT.131))
+        certT = certT.122
+        r1    = r1.129
+        skT   = skT.131
+        z     = cert_id(certT.122)
+        z.1   = verify(x.238, <x.237, z.144, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = z.137
+        z.4   = cert(x.237, x.238, z.144)
+        z.5   = z.140
+        z.6   = z.141
+        z.7   = z.144
+    
+    35. cCA   = senc(<
+                      cert(x.238, sign(<x.238, z.145, 'chip'>, ca_sk), z.145), x.240>,
+                     kdf(<'TENC', r1.130>, z.138))
+        cTA   = encaps(z.138, pk(skT.132))
+        certT = certT.123
+        r1    = r1.130
+        skT   = skT.132
+        z     = cert_id(certT.123)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.123),
+                       <cert_pk(certT.123), cert_id(certT.123), 'terminal'>, pk(ca_sk))
+        z.3   = z.138
+        z.4   = cert(x.238, sign(<x.238, z.145, 'chip'>, ca_sk), z.145)
+        z.5   = fst(x.240)
+        z.6   = snd(x.240)
+        z.7   = z.145
+    
+    36. cCA   = senc(<cert(x.239, x.240, z.146), x.242>,
+                     kdf(<'TENC', r1.131>, z.139))
+        cTA   = encaps(z.139, pk(skT.133))
+        certT = certT.124
+        r1    = r1.131
+        skT   = skT.133
+        z     = cert_id(certT.124)
+        z.1   = verify(x.240, <x.239, z.146, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.124),
+                       <cert_pk(certT.124), cert_id(certT.124), 'terminal'>, pk(ca_sk))
+        z.3   = z.139
+        z.4   = cert(x.239, x.240, z.146)
+        z.5   = fst(x.242)
+        z.6   = snd(x.242)
+        z.7   = z.146
+    
+    37. cCA   = senc(<
+                      cert(x.245, sign(<x.245, z.148, 'chip'>, ca_sk), z.148), z.144, z.145>,
+                     kdf(<'TENC', r1.133>, decaps(cTA.125, skT.135)))
+        cTA   = cTA.125
+        certT = certT.126
+        r1    = r1.133
+        skT   = skT.135
+        z     = cert_id(certT.126)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.126),
+                       <cert_pk(certT.126), cert_id(certT.126), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.125, skT.135)
+        z.4   = cert(x.245, sign(<x.245, z.148, 'chip'>, ca_sk), z.148)
+        z.5   = z.144
+        z.6   = z.145
+        z.7   = z.148
+    
+    38. cCA   = senc(<cert(x.246, x.247, z.149), z.145, z.146>,
+                     kdf(<'TENC', r1.134>, decaps(cTA.126, skT.136)))
+        cTA   = cTA.126
+        certT = certT.127
+        r1    = r1.134
+        skT   = skT.136
+        z     = cert_id(certT.127)
+        z.1   = verify(x.247, <x.246, z.149, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.127),
+                       <cert_pk(certT.127), cert_id(certT.127), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.126, skT.136)
+        z.4   = cert(x.246, x.247, z.149)
+        z.5   = z.145
+        z.6   = z.146
+        z.7   = z.149
+    
+    39. cCA   = senc(<
+                      cert(x.247, sign(<x.247, z.150, 'chip'>, ca_sk), z.150), x.249>,
+                     kdf(<'TENC', r1.135>, decaps(cTA.127, skT.137)))
+        cTA   = cTA.127
+        certT = certT.128
+        r1    = r1.135
+        skT   = skT.137
+        z     = cert_id(certT.128)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.128),
+                       <cert_pk(certT.128), cert_id(certT.128), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.127, skT.137)
+        z.4   = cert(x.247, sign(<x.247, z.150, 'chip'>, ca_sk), z.150)
+        z.5   = fst(x.249)
+        z.6   = snd(x.249)
+        z.7   = z.150
+    
+    40. cCA   = senc(<cert(x.248, x.249, z.151), x.251>,
+                     kdf(<'TENC', r1.136>, decaps(cTA.128, skT.138)))
+        cTA   = cTA.128
+        certT = certT.129
+        r1    = r1.136
+        skT   = skT.138
+        z     = cert_id(certT.129)
+        z.1   = verify(x.249, <x.248, z.151, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.129),
+                       <cert_pk(certT.129), cert_id(certT.129), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.128, skT.138)
+        z.4   = cert(x.248, x.249, z.151)
+        z.5   = fst(x.251)
+        z.6   = snd(x.251)
+        z.7   = z.151
+    
+    41. cCA   = senc(<
+                      cert(x.251, sign(<x.251, z.154, 'chip'>, ca_sk), z.154), x.253>,
+                     kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))
+        cTA   = cTA.131
+        certT = cert(x.257, sign(<x.257, z.143, 'terminal'>, ca_sk), z.143)
+        r1    = r1.139
+        skT   = skT.141
+        z     = z.143
+        z.1   = true
+        z.2   = true
+        z.3   = decaps(cTA.131, skT.141)
+        z.4   = cert(x.251, sign(<x.251, z.154, 'chip'>, ca_sk), z.154)
+        z.5   = fst(x.253)
+        z.6   = snd(x.253)
+        z.7   = z.154
+    
+    42. cCA   = senc(<cert(x.252, x.253, z.155), x.255>,
+                     kdf(<'TENC', r1.140>, decaps(cTA.132, skT.142)))
+        cTA   = cTA.132
+        certT = cert(x.259, sign(<x.259, z.144, 'terminal'>, ca_sk), z.144)
+        r1    = r1.140
+        skT   = skT.142
+        z     = z.144
+        z.1   = verify(x.253, <x.252, z.155, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.132, skT.142)
+        z.4   = cert(x.252, x.253, z.155)
+        z.5   = fst(x.255)
+        z.6   = snd(x.255)
+        z.7   = z.155
+    
+    43. cCA   = senc(<
+                      cert(x.252, sign(<x.252, z.155, 'chip'>, ca_sk), z.155), x.254>,
+                     kdf(<'TENC', r1.140>, decaps(cTA.132, skT.142)))
+        cTA   = cTA.132
+        certT = cert(x.258, x.259, z.144)
+        r1    = r1.140
+        skT   = skT.142
+        z     = z.144
+        z.1   = true
+        z.2   = verify(x.259, <x.258, z.144, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.132, skT.142)
+        z.4   = cert(x.252, sign(<x.252, z.155, 'chip'>, ca_sk), z.155)
+        z.5   = fst(x.254)
+        z.6   = snd(x.254)
+        z.7   = z.155
+    
+    44. cCA   = senc(<
+                      cert(x.252, sign(<x.252, z.155, 'chip'>, ca_sk), z.155), z.151, z.152>,
+                     kdf(<'TENC', r1.140>, decaps(cTA.132, skT.142)))
+        cTA   = cTA.132
+        certT = cert(x.259, sign(<x.259, z.144, 'terminal'>, ca_sk), z.144)
+        r1    = r1.140
+        skT   = skT.142
+        z     = z.144
+        z.1   = true
+        z.2   = true
+        z.3   = decaps(cTA.132, skT.142)
+        z.4   = cert(x.252, sign(<x.252, z.155, 'chip'>, ca_sk), z.155)
+        z.5   = z.151
+        z.6   = z.152
+        z.7   = z.155
+    
+    45. cCA   = senc(<cert(x.253, x.254, z.156), x.256>,
+                     kdf(<'TENC', r1.141>, decaps(cTA.133, skT.143)))
+        cTA   = cTA.133
+        certT = cert(x.260, x.261, z.145)
+        r1    = r1.141
+        skT   = skT.143
+        z     = z.145
+        z.1   = verify(x.254, <x.253, z.156, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.261, <x.260, z.145, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.133, skT.143)
+        z.4   = cert(x.253, x.254, z.156)
+        z.5   = fst(x.256)
+        z.6   = snd(x.256)
+        z.7   = z.156
+    
+    46. cCA   = senc(<cert(x.253, x.254, z.156), z.152, z.153>,
+                     kdf(<'TENC', r1.141>, decaps(cTA.133, skT.143)))
+        cTA   = cTA.133
+        certT = cert(x.261, sign(<x.261, z.145, 'terminal'>, ca_sk), z.145)
+        r1    = r1.141
+        skT   = skT.143
+        z     = z.145
+        z.1   = verify(x.254, <x.253, z.156, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.133, skT.143)
+        z.4   = cert(x.253, x.254, z.156)
+        z.5   = z.152
+        z.6   = z.153
+        z.7   = z.156
+    
+    47. cCA   = senc(<
+                      cert(x.253, sign(<x.253, z.156, 'chip'>, ca_sk), z.156), z.152, z.153>,
+                     kdf(<'TENC', r1.141>, decaps(cTA.133, skT.143)))
+        cTA   = cTA.133
+        certT = cert(x.260, x.261, z.145)
+        r1    = r1.141
+        skT   = skT.143
+        z     = z.145
+        z.1   = true
+        z.2   = verify(x.261, <x.260, z.145, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.133, skT.143)
+        z.4   = cert(x.253, sign(<x.253, z.156, 'chip'>, ca_sk), z.156)
+        z.5   = z.152
+        z.6   = z.153
+        z.7   = z.156
+    
+    48. cCA   = senc(<cert(x.254, x.255, z.157), z.153, z.154>,
+                     kdf(<'TENC', r1.142>, decaps(cTA.134, skT.144)))
+        cTA   = cTA.134
+        certT = cert(x.262, x.263, z.146)
+        r1    = r1.142
+        skT   = skT.144
+        z     = z.146
+        z.1   = verify(x.255, <x.254, z.157, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.263, <x.262, z.146, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.134, skT.144)
+        z.4   = cert(x.254, x.255, z.157)
+        z.5   = z.153
+        z.6   = z.154
+        z.7   = z.157
+  */
+
+restriction Equality:
+  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
+  // safety formula
+
+lemma session_exist:
+  exists-trace
+  "∃ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+    (#i < #j)"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  #i < #j"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
+                  skCe
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z.1, z.2>),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
+                          <z.2, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( mac(<'CA', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                kdf(<'TMAC', ~r1>, ~kTA))
+                       ) @ #vk.3 )
+                  case c_mac
+                  solve( !KU( ~r2 ) @ #vk.43 )
+                    case CA_INIT_C
+                    solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 )
+                      case TA_RESPONSE_T
+                      solve( !KU( senc(<
+                                        cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                        pk(~skCe)>,
+                                       kdf(<'TENC', r1.1>, decaps(cTA, ~skT)))
+                             ) @ #vk.36 )
+                        case c_senc
+                        solve( !KU( kdf(<'TMAC', ~r1>, ~kTA) ) @ #vk.44 )
+                          case c_kdf
+                          solve( !KU( ~kTA ) @ #vk.56 )
+                            case TA_CHALLENGE_C
+                            solve( !KU( ~ltk.1 ) @ #vk.58 )
+                              case Corrupt_ltk
+                              solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.52 )
+                                case c_kdf
+                                solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.57 )
+                                  case TA_CHALLENGE_C
+                                  solve( !KU( kdf(<'TENC', r1.1>, decaps(cTA, ~skT)) ) @ #vk.58 )
+                                    case c_kdf
+                                    solve( !KU( decaps(cTA, ~skT) ) @ #vk.62 )
+                                      case c_decaps
+                                      solve( !KU( ~skT ) @ #vk.63 )
+                                        case Corrupt_ltk
+                                        solve( !KU( ~r1 ) @ #vk.59 )
+                                          case TA_CHALLENGE_C
+                                          solve( !KU( cert(pk(~ltk.1),
+                                                           sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T)
+                                                 ) @ #vk.38 )
+                                            case CA_Sign_ltk
+                                            solve( !KU( kdf(<'CNF', 
+                                                             cert(pk(~ltk.1),
+                                                                  sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
+                                                                  $T), 
+                                                             cert(pk(~ltk),
+                                                                  sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                             ~r2, encaps(~k, pk(~ltk)), pk(~skCe), 
+                                                             encaps(~ke, pk(~skCe))>,
+                                                            <~k, ~ke>)
+                                                   ) @ #vk.43 )
+                                              case CA_FINISH_C
+                                              solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.31 )
+                                                case CA_INIT_T
+                                                solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.35 )
+                                                  case CA_INIT_T
+                                                  solve( !KU( cert(pk(~ltk),
+                                                                   sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                                                         ) @ #vk.59 )
+                                                    case CA_Sign_ltk
+                                                    solve( !KU( pk(~skCe) ) @ #vk.60 )
+                                                      case CA_INIT_C
+                                                      SOLVED // trace found
+                                                    qed
+                                                  qed
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma two_session_exist:
+  exists-trace
+  "∃ C T k k2 sid sid2 #i #j #i2 #j2.
+    ((((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+         (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+        (#i < #j)) ∧
+       (Completed( k2, sid2, C, 'chip', T ) @ #i2)) ∧
+      (Completed( k2, sid2, T, 'terminal', C ) @ #j2)) ∧
+     (#i2 < #j2)) ∧
+    (¬(k = k2))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k k2 sid sid2 #i #j #i2 #j2.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j) ∧
+  (Completed( k2, sid2, C, 'chip', T ) @ #i2) ∧
+  (Completed( k2, sid2, T, 'terminal', C ) @ #j2)
+ ∧
+  (#i < #j) ∧ (#i2 < #j2) ∧ (¬(k = k2))"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
+                  skCe
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z.1, z.2>),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
+                          <z.2, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
+                case CA_FINISH_C
+                solve( CAInitC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1,
+                                <kTA.1, cTA>, kTMAC, kTENC, r2.1, skCe.1
+                       ) ▶₁ #i2 )
+                  case CA_INIT_C
+                  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
+                    case Generate_chip_key_pair
+                    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
+                      case CA_Sign_ltk
+                      solve( Completed( kdf(<'KEY', 
+                                             cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), 
+                                             ~r2.1, cip, pk(~skCe.1), cipe>,
+                                            <z, z.1>),
+                                        <cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, 
+                                         cip, pk(~skCe.1), cipe>,
+                                        $T, 'terminal', $C
+                             ) @ #j2 )
+                        case CA_FINISH_T
+                        solve( CAInitT( <$T, iid.3>, id_c.3, kTMAC, kTENC,
+                                        cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
+                                        <z, cip>, <z.1, cipe>, pk(~skCe.1)
+                               ) ▶₁ #j2 )
+                          case CA_INIT_T
+                          solve( !Cert( $T, cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T),
+                                        'terminal'
+                                 ) ▶₂ #j2 )
+                            case CA_Sign_ltk
+                            solve( splitEqs(2) )
+                              case split_case_1
+                              solve( splitEqs(5) )
+                                case split_case_1
+                                solve( !KU( mac(<'CA', 
+                                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
+                                                      $T), 
+                                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                 ~r2, encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))
+                                                >,
+                                                kdf(<'TMAC', ~r1>, ~kTA))
+                                       ) @ #vk.3 )
+                                  case c_mac
+                                  solve( !KU( ~r2 ) @ #vk.63 )
+                                    case CA_INIT_C
+                                    solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.22 )
+                                      case TA_RESPONSE_T
+                                      solve( !KU( senc(<
+                                                        cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk),
+                                                             $C), 
+                                                        ~r2, pk(~skCe)>,
+                                                       kdf(<'TENC', r1.2>, decaps(cTA, ~skT)))
+                                             ) @ #vk.46 )
+                                        case c_senc
+                                        solve( !KU( mac(<'CA', 
+                                                         cert(pk(~ltk.2),
+                                                              sign(<pk(~ltk.2), $T, 'terminal'>, ca_sk), $T), 
+                                                         cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk),
+                                                              $C), 
+                                                         ~r2.1, encaps(~k.1, pk(~skC)), pk(~skCe.1), 
+                                                         encaps(~ke.1, pk(~skCe.1))>,
+                                                        kdf(<'TMAC', ~r1.1>, ~kTA.1))
+                                               ) @ #vk.55 )
+                                          case CA_INIT_T
+                                          solve( !KU( senc(<
+                                                            cert(pk(~skC),
+                                                                 sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), 
+                                                            ~r2.1, pk(~skCe.1)>,
+                                                           kdf(<'TENC', ~r1.1>, ~kTA.1))
+                                                 ) @ #vk.62 )
+                                            case CA_INIT_C
+                                            solve( !KU( encaps(~kTA.1, pk(~skT.1)) ) @ #vk.65 )
+                                              case TA_CHALLENGE_C
+                                              solve( !KU( kdf(<'TMAC', ~r1>, ~kTA) ) @ #vk.66 )
+                                                case c_kdf
+                                                solve( !KU( ~kTA ) @ #vk.76 )
+                                                  case TA_CHALLENGE_C
+                                                  solve( !KU( ~ltk.1 ) @ #vk.78 )
+                                                    case Corrupt_ltk
+                                                    solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.72 )
+                                                      case c_kdf
+                                                      solve( !KU( encaps(~kTA, pk(~skT.2)) ) @ #vk.77 )
+                                                        case TA_CHALLENGE_C
+                                                        solve( !KU( kdf(<'TENC', r1.2>, decaps(cTA, ~skT.1))
+                                                               ) @ #vk.78 )
+                                                          case c_kdf
+                                                          solve( !KU( decaps(cTA, ~skT.1) ) @ #vk.82 )
+                                                            case c_decaps
+                                                            solve( !KU( ~skT.1 ) @ #vk.83 )
+                                                              case Corrupt_ltk
+                                                              solve( !KU( ~r1 ) @ #vk.79 )
+                                                                case TA_CHALLENGE_C
+                                                                solve( !KU( ~r1.1 ) @ #vk.75 )
+                                                                  case TA_CHALLENGE_C
+                                                                  solve( !KU( cert(pk(~ltk.1),
+                                                                                   sign(<pk(~ltk.1), $T, 
+                                                                                         'terminal'>,
+                                                                                        ca_sk),
+                                                                                   $T)
+                                                                         ) @ #vk.53 )
+                                                                    case CA_Sign_ltk
+                                                                    solve( !KU( kdf(<'CNF', 
+                                                                                     cert(pk(~ltk.1),
+                                                                                          sign(<pk(~ltk.1), 
+                                                                                                $T, 'terminal'
+                                                                                               >,
+                                                                                               ca_sk),
+                                                                                          $T), 
+                                                                                     cert(pk(~ltk),
+                                                                                          sign(<pk(~ltk), $C, 
+                                                                                                'chip'>,
+                                                                                               ca_sk),
+                                                                                          $C), 
+                                                                                     ~r2, 
+                                                                                     encaps(~k, pk(~ltk)), 
+                                                                                     pk(~skCe), 
+                                                                                     encaps(~ke, pk(~skCe))>,
+                                                                                    <~k, ~ke>)
+                                                                           ) @ #vk.56 )
+                                                                      case CA_FINISH_C
+                                                                      solve( !KU( encaps(~k, pk(~ltk))
+                                                                             ) @ #vk.41 )
+                                                                        case CA_INIT_T
+                                                                        solve( !KU( encaps(~ke, pk(~skCe))
+                                                                               ) @ #vk.45 )
+                                                                          case CA_INIT_T
+                                                                          solve( !KU( kdf(<'TCNF', ~r1.1>,
+                                                                                          ~kTA.1)
+                                                                                 ) @ #vk.74 )
+                                                                            case TA_RESPONSE_T
+                                                                            solve( !KU( encaps(~kTA.1,
+                                                                                               pk(~skT.2))
+                                                                                   ) @ #vk.88 )
+                                                                              case TA_CHALLENGE_C
+                                                                              solve( !KU( cert(pk(~skT),
+                                                                                               sign(<
+                                                                                                     pk(~skT), 
+                                                                                                     $T, 
+                                                                                                     'terminal'
+                                                                                                    >,
+                                                                                                    ca_sk),
+                                                                                               $T)
+                                                                                     ) @ #vk.76 )
+                                                                                case CA_Sign_ltk
+                                                                                solve( !KU( kdf(<'CNF', 
+                                                                                                 cert(pk(~skT),
+                                                                                                      sign(<
+                                                                                                            pk(~skT), 
+                                                                                                            $T, 
+                                                                                                            'terminal'
+                                                                                                           >,
+                                                                                                           ca_sk),
+                                                                                                      $T), 
+                                                                                                 cert(pk(~skC),
+                                                                                                      sign(<
+                                                                                                            pk(~skC), 
+                                                                                                            $C, 
+                                                                                                            'chip'
+                                                                                                           >,
+                                                                                                           ca_sk),
+                                                                                                      $C), 
+                                                                                                 ~r2.1, 
+                                                                                                 encaps(~k.1,
+                                                                                                        pk(~skC)), 
+                                                                                                 pk(~skCe.1), 
+                                                                                                 encaps(~ke.1,
+                                                                                                        pk(~skCe.1))
+                                                                                                >,
+                                                                                                <~k.1, ~ke.1>)
+                                                                                       ) @ #vk.77 )
+                                                                                  case CA_FINISH_C
+                                                                                  solve( !KU( encaps(~k.1,
+                                                                                                     pk(~skC))
+                                                                                         ) @ #vk.76 )
+                                                                                    case CA_INIT_T
+                                                                                    solve( !KU( encaps(~ke.1,
+                                                                                                       pk(~skCe.1))
+                                                                                           ) @ #vk.77 )
+                                                                                      case CA_INIT_T
+                                                                                      solve( !KU( cert(pk(~ltk),
+                                                                                                       sign(<
+                                                                                                             pk(~ltk), 
+                                                                                                             $C, 
+                                                                                                             'chip'
+                                                                                                            >,
+                                                                                                            ca_sk),
+                                                                                                       $C)
+                                                                                             ) @ #vk.80 )
+                                                                                        case CA_INIT_C
+                                                                                        solve( !KU( kdf(<
+                                                                                                         'TENC', 
+                                                                                                         ~r1.3
+                                                                                                        >,
+                                                                                                        ~kTA.2)
+                                                                                               ) @ #vk.88 )
+                                                                                          case c_kdf
+                                                                                          solve( !KU( ~kTA.2
+                                                                                                 ) @ #vk.92 )
+                                                                                            case TA_CHALLENGE_C
+                                                                                            solve( !KU( kdf(<
+                                                                                                             'TCNF', 
+                                                                                                             ~r1.3
+                                                                                                            >,
+                                                                                                            ~kTA.2)
+                                                                                                   ) @ #vk.91 )
+                                                                                              case TA_RESPONSE_T
+                                                                                              solve( !KU( cert(pk(sk),
+                                                                                                               sign(<
+                                                                                                                     pk(sk), 
+                                                                                                                     z, 
+                                                                                                                     'terminal'
+                                                                                                                    >,
+                                                                                                                    ca_sk),
+                                                                                                               z)
+                                                                                                     ) @ #vk.93 )
+                                                                                                case CA_Sign_ltk
+                                                                                                solve( !KU( ~ltk.5
+                                                                                                       ) @ #vk.97 )
+                                                                                                  case Corrupt_ltk
+                                                                                                  solve( !KU( encaps(~kTA.2,
+                                                                                                                     pk(~skT.2))
+                                                                                                         ) @ #vk.99 )
+                                                                                                    case TA_CHALLENGE_C
+                                                                                                    solve( !KU( ~r1.3
+                                                                                                           ) @ #vk.98 )
+                                                                                                      case TA_CHALLENGE_C
+                                                                                                      solve( !KU( pk(~skCe)
+                                                                                                             ) @ #vk.93 )
+                                                                                                        case CA_INIT_C
+                                                                                                        SOLVED // trace found
+                                                                                                      qed
+                                                                                                    qed
+                                                                                                  qed
+                                                                                                qed
+                                                                                              qed
+                                                                                            qed
+                                                                                          qed
+                                                                                        qed
+                                                                                      qed
+                                                                                    qed
+                                                                                  qed
+                                                                                qed
+                                                                              qed
+                                                                            qed
+                                                                          qed
+                                                                        qed
+                                                                      qed
+                                                                    qed
+                                                                  qed
+                                                                qed
+                                                              qed
+                                                            qed
+                                                          qed
+                                                        qed
+                                                      qed
+                                                    qed
+                                                  qed
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
+                <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>,
+                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                      <kTA, cTA>, kTMAC, kTENC, r2, skCe
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
+                <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
+                      <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( splitEqs(1) )
+          case split_case_1
+          solve( splitEqs(2) )
+            case split_case_1
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                             encaps(~ke, pkCe)>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case CA_FINISH_C
+              by contradiction /* from formulas */
+            next
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                solve( !KU( ~ke ) @ #vk.32 )
+                  case CA_INIT_T
+                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
+                                    pk(sk.1)>,
+                                   kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                         ) @ #vk.15 )
+                    case c_senc
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                           ) @ #vk.28 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.35 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.35 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.39 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.36 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.36 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.43 )
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          next
+            case split_case_2
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), 
+                             encaps(~ke, snd(x))>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                by solve( !KU( ~ke ) @ #vk.32 )
+              qed
+            qed
+          qed
+        next
+          case split_case_2
+          solve( splitEqs(2) )
+            case split_case_1
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                             encaps(~ke, pkCe)>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case CA_FINISH_C
+              by contradiction /* from formulas */
+            next
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                solve( !KU( ~ke ) @ #vk.32 )
+                  case CA_INIT_T
+                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
+                                    pk(sk.1)>,
+                                   kdf(<'TENC', r1>, z))
+                         ) @ #vk.15 )
+                    case CA_INIT_C
+                    solve( !KU( ~r2 ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.33 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  next
+                    case c_senc
+                    solve( !KU( encaps(z, pk(~skT)) ) @ #vk.21 )
+                      case CA_INIT_T_case_1
+                      solve( splitEqs(11) )
+                        case split_case_1
+                        solve( splitEqs(12) )
+                          case split_case_1
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        next
+                          case split_case_2
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case split_case_2
+                        solve( splitEqs(12) )
+                          case split_case_1
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        next
+                          case split_case_2
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        qed
+                      qed
+                    next
+                      case CA_INIT_T_case_2
+                      solve( splitEqs(11) )
+                        case split_case_1
+                        solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                               ) @ #vk.33 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_cert
+                          solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.51 )
+                          qed
+                        qed
+                      next
+                        case split_case_2
+                        solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                               ) @ #vk.33 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_cert
+                          solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.51 )
+                          qed
+                        qed
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                             ) @ #vk.30 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_cert
+                        solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.44 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_sign
+                          by solve( !KU( ca_sk ) @ #vk.48 )
+                        qed
+                      qed
+                    next
+                      case c_encaps
+                      solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                             ) @ #vk.30 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_cert
+                        solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_sign
+                          by solve( !KU( ca_sk ) @ #vk.45 )
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          next
+            case split_case_2
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), 
+                             encaps(~ke, snd(x))>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                by solve( !KU( ~ke ) @ #vk.32 )
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
+                <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>,
+                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                      <kTA, cTA>, kTMAC, kTENC, r2, skCe
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              solve( splitEqs(3) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.43 )
+                    case CA_INIT_C
+                    solve( !KU( ~k ) @ #vk.45 )
+                      case CA_INIT_T
+                      solve( !KU( ~ke ) @ #vk.46 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.48 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case split_case_2
+              solve( splitEqs(3) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.43 )
+                    case CA_INIT_C
+                    solve( !KU( ~k ) @ #vk.45 )
+                      case CA_INIT_T
+                      solve( !KU( ~ke ) @ #vk.46 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.48 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
+                <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
+                      <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( splitEqs(1) )
+          case split_case_1
+          solve( splitEqs(2) )
+            case split_case_1
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                             encaps(~ke, pkCe)>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case CA_FINISH_C
+              by contradiction /* from formulas */
+            next
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                solve( !KU( ~ke ) @ #vk.32 )
+                  case CA_INIT_T
+                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
+                                    pk(sk.1)>,
+                                   kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                         ) @ #vk.15 )
+                    case c_senc
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                           ) @ #vk.28 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.35 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.35 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.39 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.36 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.36 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.43 )
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          next
+            case split_case_2
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), 
+                             encaps(~ke, snd(x))>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                by solve( !KU( ~ke ) @ #vk.32 )
+              qed
+            qed
+          qed
+        next
+          case split_case_2
+          solve( splitEqs(2) )
+            case split_case_1
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                             encaps(~ke, pkCe)>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case CA_FINISH_C
+              by contradiction /* from formulas */
+            next
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                solve( !KU( ~ke ) @ #vk.32 )
+                  case CA_INIT_T
+                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
+                                    pk(sk.1)>,
+                                   kdf(<'TENC', r1>, z))
+                         ) @ #vk.15 )
+                    case CA_INIT_C
+                    solve( !KU( ~r2 ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.33 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  next
+                    case c_senc
+                    solve( !KU( encaps(z, pk(~skT)) ) @ #vk.21 )
+                      case CA_INIT_T_case_1
+                      solve( splitEqs(11) )
+                        case split_case_1
+                        solve( splitEqs(12) )
+                          case split_case_1
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        next
+                          case split_case_2
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case split_case_2
+                        solve( splitEqs(12) )
+                          case split_case_1
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        next
+                          case split_case_2
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        qed
+                      qed
+                    next
+                      case CA_INIT_T_case_2
+                      solve( splitEqs(11) )
+                        case split_case_1
+                        solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                               ) @ #vk.33 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_cert
+                          solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.51 )
+                          qed
+                        qed
+                      next
+                        case split_case_2
+                        solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                               ) @ #vk.33 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_cert
+                          solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.51 )
+                          qed
+                        qed
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                             ) @ #vk.30 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_cert
+                        solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.44 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_sign
+                          by solve( !KU( ca_sk ) @ #vk.48 )
+                        qed
+                      qed
+                    next
+                      case c_encaps
+                      solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                             ) @ #vk.30 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_cert
+                        solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_sign
+                          by solve( !KU( ca_sk ) @ #vk.45 )
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          next
+            case split_case_2
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), 
+                             encaps(~ke, snd(x))>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                by solve( !KU( ~ke ) @ #vk.32 )
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
+                <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_C
+      by contradiction /* from formulas */
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
+                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>,
+                      <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( splitEqs(1) )
+          case split_case_1
+          solve( splitEqs(2) )
+            case split_case_1
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                             encaps(~ke, pkCe)>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case CA_FINISH_C
+              by contradiction /* from formulas */
+            next
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                solve( !KU( ~ke ) @ #vk.32 )
+                  case CA_INIT_T
+                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
+                                    pk(sk.1)>,
+                                   kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                         ) @ #vk.15 )
+                    case c_senc
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                           ) @ #vk.28 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.35 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.35 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.39 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.36 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.36 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.43 )
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          next
+            case split_case_2
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), fst(x), encaps(~k, z), snd(x), 
+                             encaps(~ke, snd(x))>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                by solve( !KU( ~ke ) @ #vk.32 )
+              qed
+            qed
+          qed
+        next
+          case split_case_2
+          solve( splitEqs(2) )
+            case split_case_1
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                             encaps(~ke, pkCe)>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case CA_FINISH_C
+              by contradiction /* from formulas */
+            next
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                solve( !KU( ~ke ) @ #vk.32 )
+                  case CA_INIT_T
+                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
+                                    pk(sk.1)>,
+                                   kdf(<'TENC', r1>, z))
+                         ) @ #vk.15 )
+                    case CA_INIT_C
+                    solve( !KU( ~r2 ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.33 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  next
+                    case c_senc
+                    solve( !KU( encaps(z, pk(~skT)) ) @ #vk.21 )
+                      case CA_INIT_T_case_1
+                      solve( splitEqs(11) )
+                        case split_case_1
+                        solve( splitEqs(12) )
+                          case split_case_1
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        next
+                          case split_case_2
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        qed
+                      next
+                        case split_case_2
+                        solve( splitEqs(12) )
+                          case split_case_1
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        next
+                          case split_case_2
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                                 ) @ #vk.34 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.39 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_cert
+                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                              case CA_INIT_C
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              solve( !KU( ~ltk.1 ) @ #vk.40 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            next
+                              case c_sign
+                              by solve( !KU( ca_sk ) @ #vk.51 )
+                            qed
+                          qed
+                        qed
+                      qed
+                    next
+                      case CA_INIT_T_case_2
+                      solve( splitEqs(11) )
+                        case split_case_1
+                        solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                               ) @ #vk.33 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_cert
+                          solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.51 )
+                          qed
+                        qed
+                      next
+                        case split_case_2
+                        solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                               ) @ #vk.33 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.39 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_cert
+                          solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                            case CA_INIT_C
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            solve( !KU( ~ltk.1 ) @ #vk.40 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          next
+                            case c_sign
+                            by solve( !KU( ca_sk ) @ #vk.51 )
+                          qed
+                        qed
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                             ) @ #vk.30 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_cert
+                        solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.44 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_sign
+                          by solve( !KU( ca_sk ) @ #vk.48 )
+                        qed
+                      qed
+                    next
+                      case c_encaps
+                      solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                             ) @ #vk.30 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_cert
+                        solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          solve( !KU( ~ltk.1 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_sign
+                          by solve( !KU( ca_sk ) @ #vk.45 )
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          next
+            case split_case_2
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), fst(x), encaps(~k, z), snd(x), 
+                             encaps(~ke, snd(x))>,
+                            <~k, ~ke>)
+                   ) @ #vk.1 )
+              case c_kdf
+              solve( !KU( ~k ) @ #vk.31 )
+                case CA_INIT_T
+                by solve( !KU( ~ke ) @ #vk.32 )
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma session_uniqueness:
+  all-traces
+  "∀ A B k sid sid2 role #i #j.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧
+     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
+    ((#i = #j) ∧ (sid = sid2))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ A B k sid sid2 role #i #j.
+  (Completed( k, sid, A, role, B ) @ #i) ∧
+  (Completed( k, sid2, A, role, B ) @ #j)
+ ∧
+  ((¬(#i = #j)) ∨ (¬(sid = sid2)))"
+*/
+simplify
+solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
+  case case_1
+  solve( (#i < #j)  ∥ (#j < #i) )
+    case case_1
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
+                      skCe
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                   pk(~skCe), cipe>,
+                                  <z.1, z.2>),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case CA_FINISH_C
+              solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                              id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2, ~skCe
+                     ) ▶₁ #j )
+                case CA_INIT_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
+                      <ke, cipe>, pkCe
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                                 encaps(~ke, pkCe)>,
+                                <~k, ~ke>),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
+                            <~ke, encaps(~ke, pkCe)>, pkCe
+                   ) ▶₁ #j )
+              case CA_INIT_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    qed
+  next
+    case case_2
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
+                      skCe
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                   pk(~skCe), cipe>,
+                                  <z.1, z.2>),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case CA_FINISH_C
+              solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                              id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2, ~skCe
+                     ) ▶₁ #j )
+                case CA_INIT_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
+                      <ke, cipe>, pkCe
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                                 encaps(~ke, pkCe)>,
+                                <~k, ~ke>),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
+                            <~ke, encaps(~ke, pkCe)>, pkCe
+                   ) ▶₁ #j )
+              case CA_INIT_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case case_2
+  solve( Completed( k, sid, A, role, B ) @ #i )
+    case CA_FINISH_C
+    solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
+                    skCe
+           ) ▶₁ #i )
+      case CA_INIT_C
+      solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+        case Generate_chip_key_pair
+        solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                 pk(~skCe), cipe>,
+                                <z.1, z.2>),
+                            sid2, $C, 'chip', B
+                 ) @ #j )
+            case CA_FINISH_C
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  next
+    case CA_FINISH_T
+    solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
+                    <ke, cipe>, pkCe
+           ) ▶₁ #i )
+      case CA_INIT_T
+      solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                               cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                               encaps(~ke, pkCe)>,
+                              <~k, ~ke>),
+                          sid2, $T, 'terminal', B
+               ) @ #j )
+          case CA_FINISH_T
+          by contradiction /* from formulas */
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma consistency:
+  all-traces
+  "∀ C T k k2 sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
+    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k k2 sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k2, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
+                  skCe
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( k2,
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>,
+                          <ke, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( splitEqs(2) )
+                  case split_case_1
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.3 )
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.43 )
+                      case CA_INIT_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 )
+                        case TA_RESPONSE_T
+                        solve( !KU( kdf(<'CNF', 
+                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                         encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                        <~k, ~ke>)
+                               ) @ #vk.25 )
+                          case c_kdf
+                          solve( !KU( ~k ) @ #vk.55 )
+                            case CA_INIT_T
+                            solve( !KU( ~ke ) @ #vk.56 )
+                              case CA_INIT_T
+                              solve( !KU( ~ltk ) @ #vk.57 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.47 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.50 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                            <~k, ~ke>)
+                                   ) @ #vk.27 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.54 )
+                                case CA_INIT_T
+                                solve( !KU( ~ke ) @ #vk.55 )
+                                  case CA_INIT_T
+                                  solve( !KU( ~ltk ) @ #vk.56 )
+                                    case Corrupt_ltk
+                                    by contradiction /* from formulas */
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case split_case_2
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.3 )
+                    case CA_INIT_T
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.18 )
+                      case c_kdf
+                      solve( !KU( ~r2 ) @ #vk.43 )
+                        case CA_INIT_C
+                        solve( !KU( ~k ) @ #vk.45 )
+                          case CA_INIT_T
+                          solve( !KU( ~ke ) @ #vk.46 )
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.48 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.43 )
+                      case CA_INIT_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 )
+                        case TA_RESPONSE_T
+                        solve( !KU( kdf(<'CNF', 
+                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                         encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                        <~k, ~ke>)
+                               ) @ #vk.25 )
+                          case c_kdf
+                          solve( !KU( ~k ) @ #vk.55 )
+                            case CA_INIT_T
+                            solve( !KU( ~ke ) @ #vk.56 )
+                              case CA_INIT_T
+                              solve( !KU( ~ltk ) @ #vk.57 )
+                                case Corrupt_ltk
+                                by contradiction /* from formulas */
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.47 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.50 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                            <~k, ~ke>)
+                                   ) @ #vk.27 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.54 )
+                                case CA_INIT_T
+                                solve( !KU( ~ke ) @ #vk.55 )
+                                  case CA_INIT_T
+                                  solve( !KU( ~ltk ) @ #vk.56 )
+                                    case Corrupt_ltk
+                                    by contradiction /* from formulas */
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma key_secrecy:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
+    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+     (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
+                  skCe
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z.1, z.2>),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
+                          <z.2, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.44 )
+                    case CA_INIT_C
+                    solve( !KU( ~k ) @ #vk.46 )
+                      case CA_INIT_T
+                      solve( !KU( ~ke ) @ #vk.47 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.49 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.44 )
+                    case CA_INIT_C
+                    solve( !KU( ~k ) @ #vk.46 )
+                      case CA_INIT_T
+                      solve( !KU( ~ke ) @ #vk.47 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.49 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma chip_hiding:
+  all-traces
+  "∀ C T iid #i.
+    (CompletedTA( C, iid, T ) @ #i) ⇒
+    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T iid #i.
+  (CompletedTA( C, iid, T ) @ #i)
+ ∧
+  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
+*/
+simplify
+solve( TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> ) ▶₁ #i )
+  case TA_CHALLENGE_C
+  solve( !KU( ~iid ) @ #vk.6 )
+    case CA_INIT_C
+    by contradiction /* cyclic */
+  qed
+qed
+
+lemma nonRepudiation_terminal:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( C ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( T, 'chip' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( C, 'chip', T ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( C ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( T, 'chip' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( C, 'chip', T ) @ #i )
+  case Verify_Transcript_C
+  solve( !Ltk( C, skC, 'chip' ) ▶₂ #i )
+    case Generate_chip_key_pair
+    solve( !KU( cert(x, sign(<x, T, 'terminal'>, ca_sk), T) ) @ #vk.1 )
+      case CA_Sign_ltk
+      solve( !KU( senc(<cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z>,
+                       kdf(<'TENC', r1>, kTA))
+             ) @ #vk.11 )
+        case c_senc
+        solve( !KU( mac(<'CA', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                         cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, cip, pk(skCe), cipe>,
+                        kdf(<'TMAC', r1>, kTA))
+               ) @ #vk.15 )
+          case c_mac
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                           cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, cip, pk(skCe), cipe>,
+                          <z.1, z.2>)
+                 ) @ #vk.21 )
+            case c_kdf
+            solve( !KU( cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1) ) @ #vk.30 )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_3
+                solve( !KU( encaps(z.1, pk(~ltk.2)) ) @ #vk.23 )
+                  case c_encaps
+                  solve( !KU( decaps(cipe, skCe) ) @ #vk.39 )
+                    case c_decaps
+                    solve( !KU( kdf(<'TCNF', r1>, kTA) ) @ #vk.25 )
+                      case c_kdf
+                      solve( !KU( kdf(<'TENC', r1>, kTA) ) @ #vk.34 )
+                        case c_kdf
+                        solve( !KU( kdf(<'TMAC', r1>, kTA) ) @ #vk.37 )
+                          case c_kdf
+                          solve( !KU( pk(skCe) ) @ #vk.40 )
+                            case CA_Sign_ltk_case_1
+                            solve( !KU( ~ltk.3 ) @ #vk.38 )
+                              case Corrupt_ltk
+                              solve( !KU( pk(~ltk.2) ) @ #vk.43 )
+                                case CA_Sign_ltk
+                                SOLVED // trace found
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_chip:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( T ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( C, 'terminal' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( T, 'terminal', C ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( T ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( C, 'terminal' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( T, 'terminal', C ) @ #i )
+  case Verify_Transcript_T
+  solve( !Ltk( T, skT, 'terminal' ) ▶₂ #i )
+    case Generate_terminal_key_pair
+    solve( !KU( cert(x, sign(<x, $A, 'terminal'>, ca_sk), $A) ) @ #vk.1 )
+      case CA_Sign_ltk
+      solve( !KU( senc(<cert(x, sign(<x, C, 'chip'>, ca_sk), C), x.1>,
+                       kdf(<'TENC', r1>, z))
+             ) @ #vk.11 )
+        case c_senc
+        solve( !KU( mac(<'CA', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                         cert(x, sign(<x, C, 'chip'>, ca_sk), C), z.1, cip, z.2, cipe>,
+                        kdf(<'TMAC', r1>, z))
+               ) @ #vk.15 )
+          case c_mac
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                           cert(x, sign(<x, C, 'chip'>, ca_sk), C), z.1, cip, z.2, cipe>,
+                          <k, ke>)
+                 ) @ #vk.21 )
+            case c_kdf
+            solve( !KU( cert(x, sign(<x, C, 'chip'>, ca_sk), C) ) @ #vk.30 )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_4
+                solve( !KU( encaps(z, pk(~ltk.1)) ) @ #vk.21 )
+                  case c_encaps
+                  solve( !KU( kdf(<'TCNF', r1>, z) ) @ #vk.22 )
+                    case c_kdf
+                    solve( !KU( kdf(<'TENC', r1>, z) ) @ #vk.32 )
+                      case c_kdf
+                      solve( !KU( kdf(<'TMAC', r1>, z) ) @ #vk.35 )
+                        case c_kdf
+                        solve( !KU( pk(~ltk.1) ) @ #vk.42 )
+                          case CA_Sign_ltk
+                          SOLVED // trace found
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma pfs:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+       (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+      (¬(∃ #m. (Corrupted( C ) @ #m) ∧ (#m < #j)))) ∧
+     (¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j)))) ⇒
+    ((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
+                  skCe
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z.1, z.2>),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
+                          <z.2, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.44 )
+                    case CA_INIT_C
+                    solve( !KU( ~k ) @ #vk.46 )
+                      case CA_INIT_T
+                      solve( !KU( ~ke ) @ #vk.47 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.49 )
+                          case Corrupt_ltk
+                          by solve( !KU( ~skCe ) @ #vk.50 )
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.44 )
+                    case CA_INIT_C
+                    solve( !KU( ~k ) @ #vk.46 )
+                      case CA_INIT_T
+                      solve( !KU( ~ke ) @ #vk.47 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.49 )
+                          case Corrupt_ltk
+                          by solve( !KU( ~skCe ) @ #vk.50 )
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+/* All wellformedness checks were successful. */
+
+/*
+Generated from:
+Tamarin version 1.8.0
+Maude version 3.3.1
+Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
+Compiled at: 2024-01-16 15:38:46.116852601 UTC
+*/
+
+end
+
+==============================================================================
+summary of summaries:
+
+analyzed: tmp.spthy
+
+  processing time: 327.25s
+  
+  session_exist (exists-trace): verified (29 steps)
+  two_session_exist (exists-trace): verified (54 steps)
+  weak_agreement_C (all-traces): verified (8 steps)
+  weak_agreement_T (all-traces): verified (131 steps)
+  agreement_C (all-traces): verified (24 steps)
+  agreement_T (all-traces): verified (131 steps)
+  aliveness (all-traces): verified (132 steps)
+  session_uniqueness (all-traces): verified (37 steps)
+  consistency (all-traces): verified (47 steps)
+  key_secrecy (all-traces): verified (23 steps)
+  chip_hiding (all-traces): verified (4 steps)
+  nonRepudiation_terminal (exists-trace): verified (18 steps)
+  nonRepudiation_chip (exists-trace): verified (15 steps)
+  pfs (all-traces): verified (23 steps)
+
+==============================================================================
diff --git a/results/45991550.err.PFS_ALL_FastKemPQEAC_TAMARIN b/results/45991550.err.PFS_ALL_FastKemPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..e8b69d9cbe3f08bce37f20bdff07736861fc19fc
--- /dev/null
+++ b/results/45991550.err.PFS_ALL_FastKemPQEAC_TAMARIN
@@ -0,0 +1,28 @@
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+WARNING: you should run this program as super-user.
+WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
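Review bot: The two trailing `WARNING: ... you should run this program as super-user.` lines are not Tamarin diagnostics. They look like what `lshw` prints when run unprivileged, so presumably the job script calls a hardware-inventory tool and shares this error stream with the prover. If so, the hardware details recorded for this run may be partial, and a genuine Tamarin warning in the `.err` file is easier to miss among unrelated output. I would not run the batch job as root to silence this; instead send that tool's stderr to its own file and add a line to the results such as `# hardware inventory collected without root; fields may be missing`. The same two lines were appended to `results/45991167.err.ALL_CLASSIC_EAC_TAMARIN` earlier in this commit.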
diff --git a/results/45991550.out.PFS_ALL_FastKemPQEAC_TAMARIN b/results/45991550.out.PFS_ALL_FastKemPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..77c0026374582d086bfa81a516a69a14d56b97ef
--- /dev/null
+++ b/results/45991550.out.PFS_ALL_FastKemPQEAC_TAMARIN
@@ -0,0 +1,5238 @@
+maude tool: 'maude'
+ checking version: 3.3.1. OK.
+ checking installation: OK.
+theory FastKemPQEAC begin
+
+// Function signature and definition of the equational theory E
+
+functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
+           cert_sig/1, decaps/2, encaps/2, fst/1, kdf/2, mac/2, pair/2, pk/1,
+           sdec/2, senc/2, sign/2, snd/1, true/0, verify/3
+equations:
+    cert_id(cert(pk, s, id)) = id,
+    cert_pk(cert(pk, s, id)) = pk,
+    cert_sig(cert(pk, s, id)) = s,
+    decaps(encaps(k, pk(sk)), sk) = k,
+    fst(<x.1, x.2>) = x.1,
+    sdec(senc(x.1, x.2), x.2) = x.1,
+    snd(<x.1, x.2>) = x.2,
+    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
+
+
+
+
+
+
+
+
+
+macros:
+    verify_cert( cert,
+                 role ) = verify(cert_sig(cert),pair(cert_pk(cert),pair(cert_id(cert),role)),pk(ca_sk))
+
+rule (modulo E) Publish_ca_pk:
+   [ ] --> [ Out( pk(ca_sk) ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_chip_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [ !Pk( $A, pk(~ltk), 'chip' ), !Ltk( $A, ~ltk, 'chip' ), Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_terminal_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [
+   !Pk( $A, pk(~ltk), 'terminal' ), !Ltk( $A, ~ltk, 'terminal' ),
+   Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_Sign_ltk:
+   [ !Pk( A, pk, role ) ]
+  --[ RegisteredRole( A, role ) ]->
+   [
+   !Cert( A, cert(pk, sign(<pk, A, role>, ca_sk), A), role ),
+   Out( cert(pk, sign(<pk, A, role>, ca_sk), A) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Corrupt_ltk:
+   [ !Ltk( $A, ltk, role ) ] --[ Corrupted( $A ) ]-> [ Out( <ltk, role> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Reveal_session:
+   [ !SessionReveal( sid, k ) ] --[ Revealed( sid ) ]-> [ Out( k ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_INIT_T:
+   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+  --[ Started( ) ]->
+   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_CHALLENGE_C:
+   [
+   In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ),
+   Fr( ~skCe ), Fr( ~iid ), !Cert( $C, certC, 'chip' )
+   ]
+  --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
+   [
+   Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), 
+         senc(<certC, ~r2, pk(~skCe)>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'>
+   ),
+   Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ),
+   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2, ~skCe,
+                 kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA)
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_CHALLENGE_C:
+     [
+     In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ),
+     Fr( ~skCe ), Fr( ~iid ), !Cert( $C, certC, 'chip' )
+     ]
+    --[ Eq( z.1, true ), Started( ) ]->
+     [
+     Out( <~id_c, ~r1, encaps(~kTA, z), 
+           senc(<certC, ~r2, pk(~skCe)>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'>
+     ),
+     Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ),
+     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2, ~skCe,
+                   kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA)
+     )
+     ]
+    variants (modulo AC)
+    1. certT = certT.21
+       z     = cert_pk(certT.21)
+       z.1   = verify(cert_sig(certT.21),
+                      <cert_pk(certT.21), cert_id(certT.21), 'terminal'>, pk(ca_sk))
+    
+    2. certT = cert(z.71, sign(<z.71, x.128, 'terminal'>, ca_sk), x.128)
+       z     = z.71
+       z.1   = true
+    
+    3. certT = cert(z.72, x.129, x.130)
+       z     = z.72
+       z.1   = verify(x.129, <z.72, x.130, 'terminal'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_RESPONSE_T:
+   [
+   In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), Fr( ~ke ),
+   TAInitT( <$T, iid> ), !Ltk( $T, ~skT, 'terminal' ),
+   !Cert( $T, certT, 'terminal' )
+   ]
+  --[
+  Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))),
+                  'chip'),
+      true
+  )
+  ]->
+   [
+   Out( <kdf(<'TCNF', r1>, decaps(cTA, ~skT)), 
+         encaps(~k,
+                cert_pk(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))))), 
+         mac(<'CA', certT, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))), 
+              fst(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT))))), 
+              encaps(~k,
+                     cert_pk(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))))), 
+              snd(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT))))), 
+              encaps(~ke, snd(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT))))))>,
+             kdf(<'TMAC', r1>, decaps(cTA, ~skT))), 
+         encaps(~ke, snd(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))))), 
+         '3', 't'>
+   ),
+   TAResponseT( <$T, iid>, id_c,
+                fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))),
+                fst(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT))))),
+                <~k, 
+                 encaps(~k, cert_pk(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT))))))
+                >,
+                <~ke, 
+                 encaps(~ke, snd(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT))))))>,
+                snd(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))))
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_RESPONSE_T:
+     [
+     In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), Fr( ~ke ),
+     TAInitT( <$T, iid> ), !Ltk( $T, ~skT, 'terminal' ),
+     !Cert( $T, certT, 'terminal' )
+     ]
+    --[ Eq( z.5, true ) ]->
+     [
+     Out( <kdf(<'TCNF', r1>, z), encaps(~k, z.1), 
+           mac(<'CA', certT, z.2, z.3, encaps(~k, z.1), z.4, encaps(~ke, z.4)>,
+               kdf(<'TMAC', r1>, z)), 
+           encaps(~ke, z.4), '3', 't'>
+     ),
+     TAResponseT( <$T, iid>, id_c, z.2, z.3, <~k, encaps(~k, z.1)>,
+                  <~ke, encaps(~ke, z.4)>, z.4
+     )
+     ]
+    variants (modulo AC)
+     1. ~skT  = ~skT.32
+        cCA   = cCA.33
+        cTA   = cTA.34
+        r1    = r1.38
+        z     = decaps(cTA.34, ~skT.32)
+        z.1   = cert_pk(fst(sdec(cCA.33,
+                                 kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32)))))
+        z.2   = fst(sdec(cCA.33, kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))
+        z.3   = fst(snd(sdec(cCA.33,
+                             kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32)))))
+        z.4   = snd(snd(sdec(cCA.33,
+                             kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32)))))
+        z.5   = verify(cert_sig(fst(sdec(cCA.33,
+                                         kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))),
+                       <
+                        cert_pk(fst(sdec(cCA.33,
+                                         kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))), 
+                        cert_id(fst(sdec(cCA.33,
+                                         kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))), 
+                        'chip'>,
+                       pk(ca_sk))
+    
+     2. ~skT  = ~skT.37
+        cCA   = cCA.38
+        cTA   = encaps(z.48, pk(~skT.37))
+        r1    = r1.43
+        z     = z.48
+        z.1   = cert_pk(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48))))
+        z.2   = fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))
+        z.3   = fst(snd(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48))))
+        z.4   = snd(snd(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48))))
+        z.5   = verify(cert_sig(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))),
+                       <cert_pk(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))), 
+                        cert_id(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))), 'chip'>,
+                       pk(ca_sk))
+    
+     3. ~skT  = ~skT.42
+        cCA   = senc(<z.56, z.57, z.58>, kdf(<'TENC', r1.48>, z.53))
+        cTA   = encaps(z.53, pk(~skT.42))
+        r1    = r1.48
+        z     = z.53
+        z.1   = cert_pk(z.56)
+        z.2   = z.56
+        z.3   = z.57
+        z.4   = z.58
+        z.5   = verify(cert_sig(z.56), <cert_pk(z.56), cert_id(z.56), 'chip'>,
+                       pk(ca_sk))
+    
+     4. ~skT  = ~skT.42
+        cCA   = senc(<z.56, z.57, z.58>,
+                     kdf(<'TENC', r1.48>, decaps(cTA.44, ~skT.42)))
+        cTA   = cTA.44
+        r1    = r1.48
+        z     = decaps(cTA.44, ~skT.42)
+        z.1   = cert_pk(z.56)
+        z.2   = z.56
+        z.3   = z.57
+        z.4   = z.58
+        z.5   = verify(cert_sig(z.56), <cert_pk(z.56), cert_id(z.56), 'chip'>,
+                       pk(ca_sk))
+    
+     5. ~skT  = ~skT.174
+        cCA   = senc(x.343, kdf(<'TENC', r1.180>, z.185))
+        cTA   = encaps(z.185, pk(~skT.174))
+        r1    = r1.180
+        z     = z.185
+        z.1   = cert_pk(fst(x.343))
+        z.2   = fst(x.343)
+        z.3   = fst(snd(x.343))
+        z.4   = snd(snd(x.343))
+        z.5   = verify(cert_sig(fst(x.343)),
+                       <cert_pk(fst(x.343)), cert_id(fst(x.343)), 'chip'>, pk(ca_sk))
+    
+     6. ~skT  = ~skT.174
+        cCA   = senc(x.343, kdf(<'TENC', r1.180>, decaps(cTA.176, ~skT.174)))
+        cTA   = cTA.176
+        r1    = r1.180
+        z     = decaps(cTA.176, ~skT.174)
+        z.1   = cert_pk(fst(x.343))
+        z.2   = fst(x.343)
+        z.3   = fst(snd(x.343))
+        z.4   = snd(snd(x.343))
+        z.5   = verify(cert_sig(fst(x.343)),
+                       <cert_pk(fst(x.343)), cert_id(fst(x.343)), 'chip'>, pk(ca_sk))
+    
+     7. ~skT  = ~skT.175
+        cCA   = senc(<z.189, x.345>, kdf(<'TENC', r1.181>, z.186))
+        cTA   = encaps(z.186, pk(~skT.175))
+        r1    = r1.181
+        z     = z.186
+        z.1   = cert_pk(z.189)
+        z.2   = z.189
+        z.3   = fst(x.345)
+        z.4   = snd(x.345)
+        z.5   = verify(cert_sig(z.189), <cert_pk(z.189), cert_id(z.189), 'chip'>,
+                       pk(ca_sk))
+    
+     8. ~skT  = ~skT.175
+        cCA   = senc(<z.189, x.345>,
+                     kdf(<'TENC', r1.181>, decaps(cTA.177, ~skT.175)))
+        cTA   = cTA.177
+        r1    = r1.181
+        z     = decaps(cTA.177, ~skT.175)
+        z.1   = cert_pk(z.189)
+        z.2   = z.189
+        z.3   = fst(x.345)
+        z.4   = snd(x.345)
+        z.5   = verify(cert_sig(z.189), <cert_pk(z.189), cert_id(z.189), 'chip'>,
+                       pk(ca_sk))
+    
+     9. ~skT  = ~skT.175
+        cCA   = senc(<cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345), 
+                      z.190, z.191>,
+                     kdf(<'TENC', r1.181>, z.186))
+        cTA   = encaps(z.186, pk(~skT.175))
+        r1    = r1.181
+        z     = z.186
+        z.1   = z.187
+        z.2   = cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345)
+        z.3   = z.190
+        z.4   = z.191
+        z.5   = true
+    
+    10. ~skT  = ~skT.175
+        cCA   = senc(<cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345), 
+                      z.190, z.191>,
+                     kdf(<'TENC', r1.181>, decaps(cTA.177, ~skT.175)))
+        cTA   = cTA.177
+        r1    = r1.181
+        z     = decaps(cTA.177, ~skT.175)
+        z.1   = z.187
+        z.2   = cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345)
+        z.3   = z.190
+        z.4   = z.191
+        z.5   = true
+    
+    11. ~skT  = ~skT.176
+        cCA   = senc(<cert(z.188, x.346, x.347), z.191, z.192>,
+                     kdf(<'TENC', r1.182>, z.187))
+        cTA   = encaps(z.187, pk(~skT.176))
+        r1    = r1.182
+        z     = z.187
+        z.1   = z.188
+        z.2   = cert(z.188, x.346, x.347)
+        z.3   = z.191
+        z.4   = z.192
+        z.5   = verify(x.346, <z.188, x.347, 'chip'>, pk(ca_sk))
+    
+    12. ~skT  = ~skT.176
+        cCA   = senc(<cert(z.188, x.346, x.347), z.191, z.192>,
+                     kdf(<'TENC', r1.182>, decaps(cTA.178, ~skT.176)))
+        cTA   = cTA.178
+        r1    = r1.182
+        z     = decaps(cTA.178, ~skT.176)
+        z.1   = z.188
+        z.2   = cert(z.188, x.346, x.347)
+        z.3   = z.191
+        z.4   = z.192
+        z.5   = verify(x.346, <z.188, x.347, 'chip'>, pk(ca_sk))
+    
+    13. ~skT  = ~skT.176
+        cCA   = senc(<cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346), 
+                      x.347>,
+                     kdf(<'TENC', r1.182>, z.187))
+        cTA   = encaps(z.187, pk(~skT.176))
+        r1    = r1.182
+        z     = z.187
+        z.1   = z.188
+        z.2   = cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346)
+        z.3   = fst(x.347)
+        z.4   = snd(x.347)
+        z.5   = true
+    
+    14. ~skT  = ~skT.176
+        cCA   = senc(<cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346), 
+                      x.347>,
+                     kdf(<'TENC', r1.182>, decaps(cTA.178, ~skT.176)))
+        cTA   = cTA.178
+        r1    = r1.182
+        z     = decaps(cTA.178, ~skT.176)
+        z.1   = z.188
+        z.2   = cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346)
+        z.3   = fst(x.347)
+        z.4   = snd(x.347)
+        z.5   = true
+    
+    15. ~skT  = ~skT.177
+        cCA   = senc(<cert(z.189, x.347, x.348), x.349>,
+                     kdf(<'TENC', r1.183>, z.188))
+        cTA   = encaps(z.188, pk(~skT.177))
+        r1    = r1.183
+        z     = z.188
+        z.1   = z.189
+        z.2   = cert(z.189, x.347, x.348)
+        z.3   = fst(x.349)
+        z.4   = snd(x.349)
+        z.5   = verify(x.347, <z.189, x.348, 'chip'>, pk(ca_sk))
+    
+    16. ~skT  = ~skT.177
+        cCA   = senc(<cert(z.189, x.347, x.348), x.349>,
+                     kdf(<'TENC', r1.183>, decaps(cTA.179, ~skT.177)))
+        cTA   = cTA.179
+        r1    = r1.183
+        z     = decaps(cTA.179, ~skT.177)
+        z.1   = z.189
+        z.2   = cert(z.189, x.347, x.348)
+        z.3   = fst(x.349)
+        z.4   = snd(x.349)
+        z.5   = verify(x.347, <z.189, x.348, 'chip'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_COMPLETE_C:
+   [
+   In( <kTCNF_T, cip, s, cipe, '3', 't'> ),
+   TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ),
+   !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+   ]
+  --[
+  Eq( kTCNF_T, kTCNF ),
+  Eq( s, mac(<'CA', certT, certC, r2, cip, pk(skCe), cipe>, kTMAC) ),
+  CompletedTA( $C, iid, cert_id(certT) ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
+                 <decaps(cip, ~skC), decaps(cipe, skCe)>),
+             <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', cert_id(certT)
+  ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
+                 <decaps(cip, ~skC), decaps(cipe, skCe)>),
+             <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', cert_id(certT)
+  )
+  ]->
+   [
+   Out( <
+         kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>,
+             <decaps(cip, ~skC), decaps(cipe, skCe)>), 
+         '4', 'c'>
+   ),
+   TACompleteC( <$C, iid>,
+                kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
+                    <decaps(cip, ~skC), decaps(cipe, skCe)>)
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_COMPLETE_C:
+     [
+     In( <kTCNF_T, cip, s, cipe, '3', 't'> ),
+     TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ),
+     !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+     ]
+    --[
+    Eq( kTCNF_T, kTCNF ),
+    Eq( s, mac(<'CA', certT, certC, r2, cip, pk(skCe), cipe>, kTMAC) ),
+    CompletedTA( $C, iid, z.2 ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>),
+               <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.2
+    ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>),
+               <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.2
+    )
+    ]->
+     [
+     Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), 
+           '4', 'c'>
+     ),
+     TACompleteC( <$C, iid>,
+                  kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>)
+     )
+     ]
+    variants (modulo AC)
+    1. ~skC  = ~skC.41
+       certT = certT.43
+       cip   = cip.44
+       cipe  = cipe.45
+       skCe  = skCe.54
+       z     = decaps(cip.44, ~skC.41)
+       z.1   = decaps(cipe.45, skCe.54)
+       z.2   = cert_id(certT.43)
+    
+    2. ~skC  = ~skC.46
+       certT = certT.48
+       cip   = encaps(z.64, pk(~skC.46))
+       cipe  = cipe.50
+       skCe  = skCe.59
+       z     = z.64
+       z.1   = decaps(cipe.50, skCe.59)
+       z.2   = cert_id(certT.48)
+    
+    3. ~skC  = ~skC.47
+       certT = certT.49
+       cip   = cip.50
+       cipe  = encaps(z.66, pk(skCe.60))
+       skCe  = skCe.60
+       z     = decaps(cip.50, ~skC.47)
+       z.1   = z.66
+       z.2   = cert_id(certT.49)
+    
+    4. ~skC  = ~skC.47
+       certT = certT.49
+       cip   = encaps(z.65, pk(~skC.47))
+       cipe  = encaps(z.66, pk(skCe.60))
+       skCe  = skCe.60
+       z     = z.65
+       z.1   = z.66
+       z.2   = cert_id(certT.49)
+    
+    5. ~skC  = ~skC.204
+       certT = cert(x.404, x.405, z.228)
+       cip   = cip.207
+       cipe  = cipe.208
+       skCe  = skCe.217
+       z     = decaps(cip.207, ~skC.204)
+       z.1   = decaps(cipe.208, skCe.217)
+       z.2   = z.228
+    
+    6. ~skC  = ~skC.204
+       certT = cert(x.404, x.405, z.228)
+       cip   = cip.207
+       cipe  = encaps(z.223, pk(skCe.217))
+       skCe  = skCe.217
+       z     = decaps(cip.207, ~skC.204)
+       z.1   = z.223
+       z.2   = z.228
+    
+    7. ~skC  = ~skC.206
+       certT = cert(x.408, x.409, z.230)
+       cip   = encaps(z.224, pk(~skC.206))
+       cipe  = cipe.210
+       skCe  = skCe.219
+       z     = z.224
+       z.1   = decaps(cipe.210, skCe.219)
+       z.2   = z.230
+    
+    8. ~skC  = ~skC.206
+       certT = cert(x.408, x.409, z.230)
+       cip   = encaps(z.224, pk(~skC.206))
+       cipe  = encaps(z.225, pk(skCe.219))
+       skCe  = skCe.219
+       z     = z.224
+       z.1   = z.225
+       z.2   = z.230
+  */
+
+rule (modulo E) CA_FINISH_T:
+   [
+   In( <kCNF_C, '4', 'c'> ),
+   TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+   !Cert( $T, certT, 'terminal' )
+   ]
+  --[
+  Eq( kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>), kCNF_C ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>),
+             <certT, certC, r2, cip, pkCe, cipe>, $T, 'terminal', cert_id(certC)
+  ),
+  Finished( <certT, certC, r2, cip, pkCe, cipe> )
+  ]->
+   [
+   CAFinishT( cert_id(certC), $T,
+              kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+   ),
+   !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
+                   kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_T:
+     [
+     In( <kCNF_C, '4', 'c'> ),
+     TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+     !Cert( $T, certT, 'terminal' )
+     ]
+    --[
+    Eq( kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>), kCNF_C ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>),
+               <certT, certC, r2, cip, pkCe, cipe>, $T, 'terminal', z
+    ),
+    Finished( <certT, certC, r2, cip, pkCe, cipe> )
+    ]->
+     [
+     CAFinishT( z, $T,
+                kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+     ),
+     !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
+                     kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+     )
+     ]
+    variants (modulo AC)
+    1. certC = certC.18
+       z     = cert_id(certC.18)
+    
+    2. certC = cert(x.44, x.45, z.31)
+       z     = z.31
+  */
+
+rule (modulo E) Verify_Transcript_C:
+   [
+   In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF> ),
+   In( <kTA, skCe> ), !Ltk( C, skC, 'chip' )
+   ]
+  --[
+  Eq( C, cert_id(fst(sdec(cCA, kdf(<'TENC', r1>, kTA)))) ),
+  Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 'chip'), true ),
+  Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( kTCNF, kdf(<'TCNF', r1>, kTA) ),
+  Eq( s,
+      mac(<'CA', certT, fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, kTA))), cip, pk(skCe), cipe>,
+          kdf(<'TMAC', r1>, kTA))
+  ),
+  Eq( kCNF,
+      kdf(<'CNF', certT, fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, kTA))), cip, pk(skCe), cipe>,
+          <decaps(cip, skC), decaps(cipe, skCe)>)
+  ),
+  ValidTrans( C, 'chip', cert_id(certT) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_C:
+     [
+     In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF> ),
+     In( <kTA, skCe> ), !Ltk( C, skC, 'chip' )
+     ]
+    --[
+    Eq( C, z ), Eq( z.1, true ), Eq( z.2, true ),
+    Eq( kTCNF, kdf(<'TCNF', r1>, kTA) ),
+    Eq( s,
+        mac(<'CA', certT, z.3, z.4, cip, pk(skCe), cipe>, kdf(<'TMAC', r1>, kTA))
+    ),
+    Eq( kCNF, kdf(<'CNF', certT, z.3, z.4, cip, pk(skCe), cipe>, <z.5, z.6>)
+    ),
+    ValidTrans( C, 'chip', z.7 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. cCA   = cCA.40
+        certT = certT.42
+        cip   = cip.43
+        cipe  = cipe.44
+        kTA   = kTA.46
+        r1    = r1.48
+        skC   = skC.50
+        skCe  = skCe.51
+        z     = cert_id(fst(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46)))),
+                       <cert_pk(fst(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46)))), 
+                        cert_id(fst(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.42),
+                       <cert_pk(certT.42), cert_id(certT.42), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46)))
+        z.4   = snd(sdec(cCA.40, kdf(<'TENC', r1.48>, kTA.46)))
+        z.5   = decaps(cip.43, skC.50)
+        z.6   = decaps(cipe.44, skCe.51)
+        z.7   = cert_id(certT.42)
+    
+     2. cCA   = cCA.51
+        certT = certT.53
+        cip   = encaps(z.73, pk(skC.61))
+        cipe  = cipe.55
+        kTA   = kTA.57
+        r1    = r1.59
+        skC   = skC.61
+        skCe  = skCe.62
+        z     = cert_id(fst(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57)))),
+                       <cert_pk(fst(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57)))), 
+                        cert_id(fst(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.53),
+                       <cert_pk(certT.53), cert_id(certT.53), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57)))
+        z.4   = snd(sdec(cCA.51, kdf(<'TENC', r1.59>, kTA.57)))
+        z.5   = z.73
+        z.6   = decaps(cipe.55, skCe.62)
+        z.7   = cert_id(certT.53)
+    
+     3. cCA   = cCA.52
+        certT = certT.54
+        cip   = cip.55
+        cipe  = encaps(z.75, pk(skCe.63))
+        kTA   = kTA.58
+        r1    = r1.60
+        skC   = skC.62
+        skCe  = skCe.63
+        z     = cert_id(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))),
+                       <cert_pk(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))), 
+                        cert_id(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.54),
+                       <cert_pk(certT.54), cert_id(certT.54), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))
+        z.4   = snd(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))
+        z.5   = decaps(cip.55, skC.62)
+        z.6   = z.75
+        z.7   = cert_id(certT.54)
+    
+     4. cCA   = cCA.52
+        certT = certT.54
+        cip   = encaps(z.74, pk(skC.62))
+        cipe  = encaps(z.75, pk(skCe.63))
+        kTA   = kTA.58
+        r1    = r1.60
+        skC   = skC.62
+        skCe  = skCe.63
+        z     = cert_id(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))),
+                       <cert_pk(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))), 
+                        cert_id(fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.54),
+                       <cert_pk(certT.54), cert_id(certT.54), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))
+        z.4   = snd(sdec(cCA.52, kdf(<'TENC', r1.60>, kTA.58)))
+        z.5   = z.74
+        z.6   = z.75
+        z.7   = cert_id(certT.54)
+    
+     5. cCA   = cCA.129
+        certT = cert(x.254, sign(<x.254, z.153, 'terminal'>, ca_sk), z.153)
+        cip   = cip.132
+        cipe  = cipe.133
+        kTA   = kTA.135
+        r1    = r1.137
+        skC   = skC.139
+        skCe  = skCe.140
+        z     = cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.137>, kTA.135)))),
+                       <cert_pk(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 
+                        cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.4   = snd(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.5   = decaps(cip.132, skC.139)
+        z.6   = decaps(cipe.133, skCe.140)
+        z.7   = z.153
+    
+     6. cCA   = cCA.129
+        certT = cert(x.254, sign(<x.254, z.153, 'terminal'>, ca_sk), z.153)
+        cip   = cip.132
+        cipe  = encaps(z.152, pk(skCe.140))
+        kTA   = kTA.135
+        r1    = r1.137
+        skC   = skC.139
+        skCe  = skCe.140
+        z     = cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.137>, kTA.135)))),
+                       <cert_pk(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 
+                        cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.4   = snd(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.5   = decaps(cip.132, skC.139)
+        z.6   = z.152
+        z.7   = z.153
+    
+     7. cCA   = cCA.129
+        certT = cert(x.254, sign(<x.254, z.153, 'terminal'>, ca_sk), z.153)
+        cip   = encaps(z.151, pk(skC.139))
+        cipe  = cipe.133
+        kTA   = kTA.135
+        r1    = r1.137
+        skC   = skC.139
+        skCe  = skCe.140
+        z     = cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.137>, kTA.135)))),
+                       <cert_pk(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 
+                        cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.4   = snd(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.5   = z.151
+        z.6   = decaps(cipe.133, skCe.140)
+        z.7   = z.153
+    
+     8. cCA   = cCA.129
+        certT = cert(x.254, sign(<x.254, z.153, 'terminal'>, ca_sk), z.153)
+        cip   = encaps(z.151, pk(skC.139))
+        cipe  = encaps(z.152, pk(skCe.140))
+        kTA   = kTA.135
+        r1    = r1.137
+        skC   = skC.139
+        skCe  = skCe.140
+        z     = cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.137>, kTA.135)))),
+                       <cert_pk(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 
+                        cert_id(fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.4   = snd(sdec(cCA.129, kdf(<'TENC', r1.137>, kTA.135)))
+        z.5   = z.151
+        z.6   = z.152
+        z.7   = z.153
+    
+     9. cCA   = cCA.130
+        certT = cert(x.255, x.256, z.154)
+        cip   = cip.133
+        cipe  = cipe.134
+        kTA   = kTA.136
+        r1    = r1.138
+        skC   = skC.140
+        skCe  = skCe.141
+        z     = cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.138>, kTA.136)))),
+                       <cert_pk(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 
+                        cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.256, <x.255, z.154, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.4   = snd(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.5   = decaps(cip.133, skC.140)
+        z.6   = decaps(cipe.134, skCe.141)
+        z.7   = z.154
+    
+    10. cCA   = cCA.130
+        certT = cert(x.255, x.256, z.154)
+        cip   = cip.133
+        cipe  = encaps(z.153, pk(skCe.141))
+        kTA   = kTA.136
+        r1    = r1.138
+        skC   = skC.140
+        skCe  = skCe.141
+        z     = cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.138>, kTA.136)))),
+                       <cert_pk(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 
+                        cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.256, <x.255, z.154, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.4   = snd(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.5   = decaps(cip.133, skC.140)
+        z.6   = z.153
+        z.7   = z.154
+    
+    11. cCA   = cCA.130
+        certT = cert(x.255, x.256, z.154)
+        cip   = encaps(z.152, pk(skC.140))
+        cipe  = cipe.134
+        kTA   = kTA.136
+        r1    = r1.138
+        skC   = skC.140
+        skCe  = skCe.141
+        z     = cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.138>, kTA.136)))),
+                       <cert_pk(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 
+                        cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.256, <x.255, z.154, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.4   = snd(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.5   = z.152
+        z.6   = decaps(cipe.134, skCe.141)
+        z.7   = z.154
+    
+    12. cCA   = cCA.130
+        certT = cert(x.255, x.256, z.154)
+        cip   = encaps(z.152, pk(skC.140))
+        cipe  = encaps(z.153, pk(skCe.141))
+        kTA   = kTA.136
+        r1    = r1.138
+        skC   = skC.140
+        skCe  = skCe.141
+        z     = cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.138>, kTA.136)))),
+                       <cert_pk(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 
+                        cert_id(fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.256, <x.255, z.154, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.4   = snd(sdec(cCA.130, kdf(<'TENC', r1.138>, kTA.136)))
+        z.5   = z.152
+        z.6   = z.153
+        z.7   = z.154
+    
+    13. cCA   = senc(x.204, kdf(<'TENC', r1.111>, kTA.109))
+        certT = cert(x.208, sign(<x.208, z.127, 'terminal'>, ca_sk), z.127)
+        cip   = encaps(z.125, pk(skC.113))
+        cipe  = encaps(z.126, pk(skCe.114))
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        skCe  = skCe.114
+        z     = cert_id(fst(x.204))
+        z.1   = verify(cert_sig(fst(x.204)),
+                       <cert_pk(fst(x.204)), cert_id(fst(x.204)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.204)
+        z.4   = snd(x.204)
+        z.5   = z.125
+        z.6   = z.126
+        z.7   = z.127
+    
+    14. cCA   = senc(x.205, kdf(<'TENC', r1.112>, kTA.110))
+        certT = cert(x.209, x.210, z.128)
+        cip   = encaps(z.126, pk(skC.114))
+        cipe  = encaps(z.127, pk(skCe.115))
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        skCe  = skCe.115
+        z     = cert_id(fst(x.205))
+        z.1   = verify(cert_sig(fst(x.205)),
+                       <cert_pk(fst(x.205)), cert_id(fst(x.205)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.210, <x.209, z.128, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.205)
+        z.4   = snd(x.205)
+        z.5   = z.126
+        z.6   = z.127
+        z.7   = z.128
+    
+    15. cCA   = senc(x.222, kdf(<'TENC', r1.121>, kTA.119))
+        certT = cert(x.226, sign(<x.226, z.137, 'terminal'>, ca_sk), z.137)
+        cip   = encaps(z.135, pk(skC.123))
+        cipe  = cipe.117
+        kTA   = kTA.119
+        r1    = r1.121
+        skC   = skC.123
+        skCe  = skCe.124
+        z     = cert_id(fst(x.222))
+        z.1   = verify(cert_sig(fst(x.222)),
+                       <cert_pk(fst(x.222)), cert_id(fst(x.222)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.222)
+        z.4   = snd(x.222)
+        z.5   = z.135
+        z.6   = decaps(cipe.117, skCe.124)
+        z.7   = z.137
+    
+    16. cCA   = senc(x.223, kdf(<'TENC', r1.122>, kTA.120))
+        certT = cert(x.227, x.228, z.138)
+        cip   = encaps(z.136, pk(skC.124))
+        cipe  = cipe.118
+        kTA   = kTA.120
+        r1    = r1.122
+        skC   = skC.124
+        skCe  = skCe.125
+        z     = cert_id(fst(x.223))
+        z.1   = verify(cert_sig(fst(x.223)),
+                       <cert_pk(fst(x.223)), cert_id(fst(x.223)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.228, <x.227, z.138, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.223)
+        z.4   = snd(x.223)
+        z.5   = z.136
+        z.6   = decaps(cipe.118, skCe.125)
+        z.7   = z.138
+    
+    17. cCA   = senc(x.231, kdf(<'TENC', r1.126>, kTA.124))
+        certT = cert(x.235, sign(<x.235, z.142, 'terminal'>, ca_sk), z.142)
+        cip   = cip.121
+        cipe  = cipe.122
+        kTA   = kTA.124
+        r1    = r1.126
+        skC   = skC.128
+        skCe  = skCe.129
+        z     = cert_id(fst(x.231))
+        z.1   = verify(cert_sig(fst(x.231)),
+                       <cert_pk(fst(x.231)), cert_id(fst(x.231)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.231)
+        z.4   = snd(x.231)
+        z.5   = decaps(cip.121, skC.128)
+        z.6   = decaps(cipe.122, skCe.129)
+        z.7   = z.142
+    
+    18. cCA   = senc(x.231, kdf(<'TENC', r1.126>, kTA.124))
+        certT = cert(x.235, sign(<x.235, z.142, 'terminal'>, ca_sk), z.142)
+        cip   = cip.121
+        cipe  = encaps(z.141, pk(skCe.129))
+        kTA   = kTA.124
+        r1    = r1.126
+        skC   = skC.128
+        skCe  = skCe.129
+        z     = cert_id(fst(x.231))
+        z.1   = verify(cert_sig(fst(x.231)),
+                       <cert_pk(fst(x.231)), cert_id(fst(x.231)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.231)
+        z.4   = snd(x.231)
+        z.5   = decaps(cip.121, skC.128)
+        z.6   = z.141
+        z.7   = z.142
+    
+    19. cCA   = senc(x.232, kdf(<'TENC', r1.127>, kTA.125))
+        certT = cert(x.236, x.237, z.143)
+        cip   = cip.122
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.232))
+        z.1   = verify(cert_sig(fst(x.232)),
+                       <cert_pk(fst(x.232)), cert_id(fst(x.232)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.237, <x.236, z.143, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.232)
+        z.4   = snd(x.232)
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = z.143
+    
+    20. cCA   = senc(x.232, kdf(<'TENC', r1.127>, kTA.125))
+        certT = cert(x.236, x.237, z.143)
+        cip   = cip.122
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.232))
+        z.1   = verify(cert_sig(fst(x.232)),
+                       <cert_pk(fst(x.232)), cert_id(fst(x.232)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.237, <x.236, z.143, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.232)
+        z.4   = snd(x.232)
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = z.142
+        z.7   = z.143
+    
+    21. cCA   = senc(x.236, kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = cip.122
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.236))
+        z.1   = verify(cert_sig(fst(x.236)),
+                       <cert_pk(fst(x.236)), cert_id(fst(x.236)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.236)
+        z.4   = snd(x.236)
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = cert_id(certT.121)
+    
+    22. cCA   = senc(x.236, kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = cip.122
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.236))
+        z.1   = verify(cert_sig(fst(x.236)),
+                       <cert_pk(fst(x.236)), cert_id(fst(x.236)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.236)
+        z.4   = snd(x.236)
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = z.142
+        z.7   = cert_id(certT.121)
+    
+    23. cCA   = senc(x.236, kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = encaps(z.141, pk(skC.129))
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.236))
+        z.1   = verify(cert_sig(fst(x.236)),
+                       <cert_pk(fst(x.236)), cert_id(fst(x.236)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.236)
+        z.4   = snd(x.236)
+        z.5   = z.141
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = cert_id(certT.121)
+    
+    24. cCA   = senc(x.236, kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = encaps(z.141, pk(skC.129))
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(fst(x.236))
+        z.1   = verify(cert_sig(fst(x.236)),
+                       <cert_pk(fst(x.236)), cert_id(fst(x.236)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.236)
+        z.4   = snd(x.236)
+        z.5   = z.141
+        z.6   = z.142
+        z.7   = cert_id(certT.121)
+    
+    25. cCA   = senc(<z.62, z.63>, kdf(<'TENC', r1.52>, kTA.50))
+        certT = certT.46
+        cip   = cip.47
+        cipe  = cipe.48
+        kTA   = kTA.50
+        r1    = r1.52
+        skC   = skC.54
+        skCe  = skCe.55
+        z     = cert_id(z.62)
+        z.1   = verify(cert_sig(z.62), <cert_pk(z.62), cert_id(z.62), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.46),
+                       <cert_pk(certT.46), cert_id(certT.46), 'terminal'>, pk(ca_sk))
+        z.3   = z.62
+        z.4   = z.63
+        z.5   = decaps(cip.47, skC.54)
+        z.6   = decaps(cipe.48, skCe.55)
+        z.7   = cert_id(certT.46)
+    
+    26. cCA   = senc(<z.65, z.66>, kdf(<'TENC', r1.55>, kTA.53))
+        certT = certT.49
+        cip   = encaps(z.69, pk(skC.57))
+        cipe  = cipe.51
+        kTA   = kTA.53
+        r1    = r1.55
+        skC   = skC.57
+        skCe  = skCe.58
+        z     = cert_id(z.65)
+        z.1   = verify(cert_sig(z.65), <cert_pk(z.65), cert_id(z.65), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.49),
+                       <cert_pk(certT.49), cert_id(certT.49), 'terminal'>, pk(ca_sk))
+        z.3   = z.65
+        z.4   = z.66
+        z.5   = z.69
+        z.6   = decaps(cipe.51, skCe.58)
+        z.7   = cert_id(certT.49)
+    
+    27. cCA   = senc(<z.66, z.67>, kdf(<'TENC', r1.56>, kTA.54))
+        certT = certT.50
+        cip   = cip.51
+        cipe  = encaps(z.71, pk(skCe.59))
+        kTA   = kTA.54
+        r1    = r1.56
+        skC   = skC.58
+        skCe  = skCe.59
+        z     = cert_id(z.66)
+        z.1   = verify(cert_sig(z.66), <cert_pk(z.66), cert_id(z.66), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.50),
+                       <cert_pk(certT.50), cert_id(certT.50), 'terminal'>, pk(ca_sk))
+        z.3   = z.66
+        z.4   = z.67
+        z.5   = decaps(cip.51, skC.58)
+        z.6   = z.71
+        z.7   = cert_id(certT.50)
+    
+    28. cCA   = senc(<z.66, z.67>, kdf(<'TENC', r1.56>, kTA.54))
+        certT = certT.50
+        cip   = encaps(z.70, pk(skC.58))
+        cipe  = encaps(z.71, pk(skCe.59))
+        kTA   = kTA.54
+        r1    = r1.56
+        skC   = skC.58
+        skCe  = skCe.59
+        z     = cert_id(z.66)
+        z.1   = verify(cert_sig(z.66), <cert_pk(z.66), cert_id(z.66), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.50),
+                       <cert_pk(certT.50), cert_id(certT.50), 'terminal'>, pk(ca_sk))
+        z.3   = z.66
+        z.4   = z.67
+        z.5   = z.70
+        z.6   = z.71
+        z.7   = cert_id(certT.50)
+    
+    29. cCA   = senc(<z.122, z.123>, kdf(<'TENC', r1.112>, kTA.110))
+        certT = cert(x.210, sign(<x.210, z.128, 'terminal'>, ca_sk), z.128)
+        cip   = encaps(z.126, pk(skC.114))
+        cipe  = encaps(z.127, pk(skCe.115))
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        skCe  = skCe.115
+        z     = cert_id(z.122)
+        z.1   = verify(cert_sig(z.122), <cert_pk(z.122), cert_id(z.122), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.122
+        z.4   = z.123
+        z.5   = z.126
+        z.6   = z.127
+        z.7   = z.128
+    
+    30. cCA   = senc(<z.123, z.124>, kdf(<'TENC', r1.113>, kTA.111))
+        certT = cert(x.211, x.212, z.129)
+        cip   = encaps(z.127, pk(skC.115))
+        cipe  = encaps(z.128, pk(skCe.116))
+        kTA   = kTA.111
+        r1    = r1.113
+        skC   = skC.115
+        skCe  = skCe.116
+        z     = cert_id(z.123)
+        z.1   = verify(cert_sig(z.123), <cert_pk(z.123), cert_id(z.123), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.212, <x.211, z.129, 'terminal'>, pk(ca_sk))
+        z.3   = z.123
+        z.4   = z.124
+        z.5   = z.127
+        z.6   = z.128
+        z.7   = z.129
+    
+    31. cCA   = senc(<z.132, z.133>, kdf(<'TENC', r1.122>, kTA.120))
+        certT = cert(x.228, sign(<x.228, z.138, 'terminal'>, ca_sk), z.138)
+        cip   = encaps(z.136, pk(skC.124))
+        cipe  = cipe.118
+        kTA   = kTA.120
+        r1    = r1.122
+        skC   = skC.124
+        skCe  = skCe.125
+        z     = cert_id(z.132)
+        z.1   = verify(cert_sig(z.132), <cert_pk(z.132), cert_id(z.132), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.132
+        z.4   = z.133
+        z.5   = z.136
+        z.6   = decaps(cipe.118, skCe.125)
+        z.7   = z.138
+    
+    32. cCA   = senc(<z.133, z.134>, kdf(<'TENC', r1.123>, kTA.121))
+        certT = cert(x.229, x.230, z.139)
+        cip   = encaps(z.137, pk(skC.125))
+        cipe  = cipe.119
+        kTA   = kTA.121
+        r1    = r1.123
+        skC   = skC.125
+        skCe  = skCe.126
+        z     = cert_id(z.133)
+        z.1   = verify(cert_sig(z.133), <cert_pk(z.133), cert_id(z.133), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.230, <x.229, z.139, 'terminal'>, pk(ca_sk))
+        z.3   = z.133
+        z.4   = z.134
+        z.5   = z.137
+        z.6   = decaps(cipe.119, skCe.126)
+        z.7   = z.139
+    
+    33. cCA   = senc(<z.137, z.138>, kdf(<'TENC', r1.127>, kTA.125))
+        certT = cert(x.237, sign(<x.237, z.143, 'terminal'>, ca_sk), z.143)
+        cip   = cip.122
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(z.137)
+        z.1   = verify(cert_sig(z.137), <cert_pk(z.137), cert_id(z.137), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.137
+        z.4   = z.138
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = z.143
+    
+    34. cCA   = senc(<z.137, z.138>, kdf(<'TENC', r1.127>, kTA.125))
+        certT = cert(x.237, sign(<x.237, z.143, 'terminal'>, ca_sk), z.143)
+        cip   = cip.122
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = cert_id(z.137)
+        z.1   = verify(cert_sig(z.137), <cert_pk(z.137), cert_id(z.137), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.137
+        z.4   = z.138
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = z.142
+        z.7   = z.143
+    
+    35. cCA   = senc(<z.138, z.139>, kdf(<'TENC', r1.128>, kTA.126))
+        certT = cert(x.238, x.239, z.144)
+        cip   = cip.123
+        cipe  = cipe.124
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = cert_id(z.138)
+        z.1   = verify(cert_sig(z.138), <cert_pk(z.138), cert_id(z.138), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.239, <x.238, z.144, 'terminal'>, pk(ca_sk))
+        z.3   = z.138
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = decaps(cipe.124, skCe.131)
+        z.7   = z.144
+    
+    36. cCA   = senc(<z.138, z.139>, kdf(<'TENC', r1.128>, kTA.126))
+        certT = cert(x.238, x.239, z.144)
+        cip   = cip.123
+        cipe  = encaps(z.143, pk(skCe.131))
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = cert_id(z.138)
+        z.1   = verify(cert_sig(z.138), <cert_pk(z.138), cert_id(z.138), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.239, <x.238, z.144, 'terminal'>, pk(ca_sk))
+        z.3   = z.138
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = z.143
+        z.7   = z.144
+    
+    37. cCA   = senc(<
+                      cert(x.206, sign(<x.206, z.118, 'chip'>, ca_sk), z.118), z.124>,
+                     kdf(<'TENC', r1.113>, kTA.111))
+        certT = cert(x.212, sign(<x.212, z.129, 'terminal'>, ca_sk), z.129)
+        cip   = encaps(z.127, pk(skC.115))
+        cipe  = encaps(z.128, pk(skCe.116))
+        kTA   = kTA.111
+        r1    = r1.113
+        skC   = skC.115
+        skCe  = skCe.116
+        z     = z.118
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.206, sign(<x.206, z.118, 'chip'>, ca_sk), z.118)
+        z.4   = z.124
+        z.5   = z.127
+        z.6   = z.128
+        z.7   = z.129
+    
+    38. cCA   = senc(<cert(x.207, x.208, z.119), z.125>,
+                     kdf(<'TENC', r1.114>, kTA.112))
+        certT = cert(x.214, sign(<x.214, z.130, 'terminal'>, ca_sk), z.130)
+        cip   = encaps(z.128, pk(skC.116))
+        cipe  = encaps(z.129, pk(skCe.117))
+        kTA   = kTA.112
+        r1    = r1.114
+        skC   = skC.116
+        skCe  = skCe.117
+        z     = z.119
+        z.1   = verify(x.208, <x.207, z.119, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.207, x.208, z.119)
+        z.4   = z.125
+        z.5   = z.128
+        z.6   = z.129
+        z.7   = z.130
+    
+    39. cCA   = senc(<
+                      cert(x.207, sign(<x.207, z.119, 'chip'>, ca_sk), z.119), z.125>,
+                     kdf(<'TENC', r1.114>, kTA.112))
+        certT = cert(x.213, x.214, z.130)
+        cip   = encaps(z.128, pk(skC.116))
+        cipe  = encaps(z.129, pk(skCe.117))
+        kTA   = kTA.112
+        r1    = r1.114
+        skC   = skC.116
+        skCe  = skCe.117
+        z     = z.119
+        z.1   = true
+        z.2   = verify(x.214, <x.213, z.130, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.207, sign(<x.207, z.119, 'chip'>, ca_sk), z.119)
+        z.4   = z.125
+        z.5   = z.128
+        z.6   = z.129
+        z.7   = z.130
+    
+    40. cCA   = senc(<cert(x.208, x.209, z.120), z.126>,
+                     kdf(<'TENC', r1.115>, kTA.113))
+        certT = cert(x.215, x.216, z.131)
+        cip   = encaps(z.129, pk(skC.117))
+        cipe  = encaps(z.130, pk(skCe.118))
+        kTA   = kTA.113
+        r1    = r1.115
+        skC   = skC.117
+        skCe  = skCe.118
+        z     = z.120
+        z.1   = verify(x.209, <x.208, z.120, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.216, <x.215, z.131, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.208, x.209, z.120)
+        z.4   = z.126
+        z.5   = z.129
+        z.6   = z.130
+        z.7   = z.131
+    
+    41. cCA   = senc(<
+                      cert(x.224, sign(<x.224, z.128, 'chip'>, ca_sk), z.128), z.134>,
+                     kdf(<'TENC', r1.123>, kTA.121))
+        certT = cert(x.230, sign(<x.230, z.139, 'terminal'>, ca_sk), z.139)
+        cip   = encaps(z.137, pk(skC.125))
+        cipe  = cipe.119
+        kTA   = kTA.121
+        r1    = r1.123
+        skC   = skC.125
+        skCe  = skCe.126
+        z     = z.128
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.224, sign(<x.224, z.128, 'chip'>, ca_sk), z.128)
+        z.4   = z.134
+        z.5   = z.137
+        z.6   = decaps(cipe.119, skCe.126)
+        z.7   = z.139
+    
+    42. cCA   = senc(<cert(x.225, x.226, z.129), z.135>,
+                     kdf(<'TENC', r1.124>, kTA.122))
+        certT = cert(x.232, sign(<x.232, z.140, 'terminal'>, ca_sk), z.140)
+        cip   = encaps(z.138, pk(skC.126))
+        cipe  = cipe.120
+        kTA   = kTA.122
+        r1    = r1.124
+        skC   = skC.126
+        skCe  = skCe.127
+        z     = z.129
+        z.1   = verify(x.226, <x.225, z.129, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.225, x.226, z.129)
+        z.4   = z.135
+        z.5   = z.138
+        z.6   = decaps(cipe.120, skCe.127)
+        z.7   = z.140
+    
+    43. cCA   = senc(<
+                      cert(x.225, sign(<x.225, z.129, 'chip'>, ca_sk), z.129), z.135>,
+                     kdf(<'TENC', r1.124>, kTA.122))
+        certT = cert(x.231, x.232, z.140)
+        cip   = encaps(z.138, pk(skC.126))
+        cipe  = cipe.120
+        kTA   = kTA.122
+        r1    = r1.124
+        skC   = skC.126
+        skCe  = skCe.127
+        z     = z.129
+        z.1   = true
+        z.2   = verify(x.232, <x.231, z.140, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.225, sign(<x.225, z.129, 'chip'>, ca_sk), z.129)
+        z.4   = z.135
+        z.5   = z.138
+        z.6   = decaps(cipe.120, skCe.127)
+        z.7   = z.140
+    
+    44. cCA   = senc(<cert(x.226, x.227, z.130), z.136>,
+                     kdf(<'TENC', r1.125>, kTA.123))
+        certT = cert(x.233, x.234, z.141)
+        cip   = encaps(z.139, pk(skC.127))
+        cipe  = cipe.121
+        kTA   = kTA.123
+        r1    = r1.125
+        skC   = skC.127
+        skCe  = skCe.128
+        z     = z.130
+        z.1   = verify(x.227, <x.226, z.130, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.234, <x.233, z.141, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.226, x.227, z.130)
+        z.4   = z.136
+        z.5   = z.139
+        z.6   = decaps(cipe.121, skCe.128)
+        z.7   = z.141
+    
+    45. cCA   = senc(<
+                      cert(x.233, sign(<x.233, z.133, 'chip'>, ca_sk), z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = cert(x.239, sign(<x.239, z.144, 'terminal'>, ca_sk), z.144)
+        cip   = cip.123
+        cipe  = cipe.124
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.233, sign(<x.233, z.133, 'chip'>, ca_sk), z.133)
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = decaps(cipe.124, skCe.131)
+        z.7   = z.144
+    
+    46. cCA   = senc(<
+                      cert(x.233, sign(<x.233, z.133, 'chip'>, ca_sk), z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = cert(x.239, sign(<x.239, z.144, 'terminal'>, ca_sk), z.144)
+        cip   = cip.123
+        cipe  = encaps(z.143, pk(skCe.131))
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.233, sign(<x.233, z.133, 'chip'>, ca_sk), z.133)
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = z.143
+        z.7   = z.144
+    
+    47. cCA   = senc(<cert(x.234, x.235, z.134), z.140>,
+                     kdf(<'TENC', r1.129>, kTA.127))
+        certT = cert(x.241, sign(<x.241, z.145, 'terminal'>, ca_sk), z.145)
+        cip   = cip.124
+        cipe  = cipe.125
+        kTA   = kTA.127
+        r1    = r1.129
+        skC   = skC.131
+        skCe  = skCe.132
+        z     = z.134
+        z.1   = verify(x.235, <x.234, z.134, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.234, x.235, z.134)
+        z.4   = z.140
+        z.5   = decaps(cip.124, skC.131)
+        z.6   = decaps(cipe.125, skCe.132)
+        z.7   = z.145
+    
+    48. cCA   = senc(<cert(x.234, x.235, z.134), z.140>,
+                     kdf(<'TENC', r1.129>, kTA.127))
+        certT = cert(x.241, sign(<x.241, z.145, 'terminal'>, ca_sk), z.145)
+        cip   = cip.124
+        cipe  = encaps(z.144, pk(skCe.132))
+        kTA   = kTA.127
+        r1    = r1.129
+        skC   = skC.131
+        skCe  = skCe.132
+        z     = z.134
+        z.1   = verify(x.235, <x.234, z.134, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.234, x.235, z.134)
+        z.4   = z.140
+        z.5   = decaps(cip.124, skC.131)
+        z.6   = z.144
+        z.7   = z.145
+    
+    49. cCA   = senc(<
+                      cert(x.234, sign(<x.234, z.134, 'chip'>, ca_sk), z.134), z.140>,
+                     kdf(<'TENC', r1.129>, kTA.127))
+        certT = cert(x.240, x.241, z.145)
+        cip   = cip.124
+        cipe  = cipe.125
+        kTA   = kTA.127
+        r1    = r1.129
+        skC   = skC.131
+        skCe  = skCe.132
+        z     = z.134
+        z.1   = true
+        z.2   = verify(x.241, <x.240, z.145, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.234, sign(<x.234, z.134, 'chip'>, ca_sk), z.134)
+        z.4   = z.140
+        z.5   = decaps(cip.124, skC.131)
+        z.6   = decaps(cipe.125, skCe.132)
+        z.7   = z.145
+    
+    50. cCA   = senc(<
+                      cert(x.234, sign(<x.234, z.134, 'chip'>, ca_sk), z.134), z.140>,
+                     kdf(<'TENC', r1.129>, kTA.127))
+        certT = cert(x.240, x.241, z.145)
+        cip   = cip.124
+        cipe  = encaps(z.144, pk(skCe.132))
+        kTA   = kTA.127
+        r1    = r1.129
+        skC   = skC.131
+        skCe  = skCe.132
+        z     = z.134
+        z.1   = true
+        z.2   = verify(x.241, <x.240, z.145, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.234, sign(<x.234, z.134, 'chip'>, ca_sk), z.134)
+        z.4   = z.140
+        z.5   = decaps(cip.124, skC.131)
+        z.6   = z.144
+        z.7   = z.145
+    
+    51. cCA   = senc(<cert(x.235, x.236, z.135), z.141>,
+                     kdf(<'TENC', r1.130>, kTA.128))
+        certT = cert(x.242, x.243, z.146)
+        cip   = cip.125
+        cipe  = cipe.126
+        kTA   = kTA.128
+        r1    = r1.130
+        skC   = skC.132
+        skCe  = skCe.133
+        z     = z.135
+        z.1   = verify(x.236, <x.235, z.135, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.243, <x.242, z.146, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.235, x.236, z.135)
+        z.4   = z.141
+        z.5   = decaps(cip.125, skC.132)
+        z.6   = decaps(cipe.126, skCe.133)
+        z.7   = z.146
+    
+    52. cCA   = senc(<cert(x.235, x.236, z.135), z.141>,
+                     kdf(<'TENC', r1.130>, kTA.128))
+        certT = cert(x.242, x.243, z.146)
+        cip   = cip.125
+        cipe  = encaps(z.145, pk(skCe.133))
+        kTA   = kTA.128
+        r1    = r1.130
+        skC   = skC.132
+        skCe  = skCe.133
+        z     = z.135
+        z.1   = verify(x.236, <x.235, z.135, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.243, <x.242, z.146, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.235, x.236, z.135)
+        z.4   = z.141
+        z.5   = decaps(cip.125, skC.132)
+        z.6   = z.145
+        z.7   = z.146
+    
+    53. cCA   = senc(<
+                      cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132), z.138>,
+                     kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = cip.122
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = z.132
+        z.1   = true
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132)
+        z.4   = z.138
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = cert_id(certT.121)
+    
+    54. cCA   = senc(<
+                      cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132), z.138>,
+                     kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = cip.122
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = z.132
+        z.1   = true
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132)
+        z.4   = z.138
+        z.5   = decaps(cip.122, skC.129)
+        z.6   = z.142
+        z.7   = cert_id(certT.121)
+    
+    55. cCA   = senc(<
+                      cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132), z.138>,
+                     kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = encaps(z.141, pk(skC.129))
+        cipe  = cipe.123
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = z.132
+        z.1   = true
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132)
+        z.4   = z.138
+        z.5   = z.141
+        z.6   = decaps(cipe.123, skCe.130)
+        z.7   = cert_id(certT.121)
+    
+    56. cCA   = senc(<
+                      cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132), z.138>,
+                     kdf(<'TENC', r1.127>, kTA.125))
+        certT = certT.121
+        cip   = encaps(z.141, pk(skC.129))
+        cipe  = encaps(z.142, pk(skCe.130))
+        kTA   = kTA.125
+        r1    = r1.127
+        skC   = skC.129
+        skCe  = skCe.130
+        z     = z.132
+        z.1   = true
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.236, sign(<x.236, z.132, 'chip'>, ca_sk), z.132)
+        z.4   = z.138
+        z.5   = z.141
+        z.6   = z.142
+        z.7   = cert_id(certT.121)
+    
+    57. cCA   = senc(<cert(x.237, x.238, z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = certT.122
+        cip   = cip.123
+        cipe  = cipe.124
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = verify(x.238, <x.237, z.133, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.237, x.238, z.133)
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = decaps(cipe.124, skCe.131)
+        z.7   = cert_id(certT.122)
+    
+    58. cCA   = senc(<cert(x.237, x.238, z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = certT.122
+        cip   = cip.123
+        cipe  = encaps(z.143, pk(skCe.131))
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = verify(x.238, <x.237, z.133, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.237, x.238, z.133)
+        z.4   = z.139
+        z.5   = decaps(cip.123, skC.130)
+        z.6   = z.143
+        z.7   = cert_id(certT.122)
+    
+    59. cCA   = senc(<cert(x.237, x.238, z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = certT.122
+        cip   = encaps(z.142, pk(skC.130))
+        cipe  = cipe.124
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = verify(x.238, <x.237, z.133, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.237, x.238, z.133)
+        z.4   = z.139
+        z.5   = z.142
+        z.6   = decaps(cipe.124, skCe.131)
+        z.7   = cert_id(certT.122)
+    
+    60. cCA   = senc(<cert(x.237, x.238, z.133), z.139>,
+                     kdf(<'TENC', r1.128>, kTA.126))
+        certT = certT.122
+        cip   = encaps(z.142, pk(skC.130))
+        cipe  = encaps(z.143, pk(skCe.131))
+        kTA   = kTA.126
+        r1    = r1.128
+        skC   = skC.130
+        skCe  = skCe.131
+        z     = z.133
+        z.1   = verify(x.238, <x.237, z.133, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.237, x.238, z.133)
+        z.4   = z.139
+        z.5   = z.142
+        z.6   = z.143
+        z.7   = cert_id(certT.122)
+  */
+
+rule (modulo E) Verify_Transcript_T:
+   [
+   In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF> ),
+   In( <k, ke> ), !Ltk( T, skT, 'terminal' )
+   ]
+  --[
+  Eq( T, cert_id(certT) ),
+  Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))),
+                  'chip'),
+      true
+  ),
+  Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( kTCNF, kdf(<'TCNF', r1>, decaps(cTA, skT)) ),
+  Eq( s,
+      mac(<'CA', certT, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), 
+           fst(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT))))), cip, 
+           snd(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT))))), cipe>,
+          kdf(<'TMAC', r1>, decaps(cTA, skT)))
+  ),
+  Eq( kCNF,
+      kdf(<'CNF', certT, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), 
+           fst(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT))))), cip, 
+           snd(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT))))), cipe>,
+          <k, ke>)
+  ),
+  ValidTrans( T, 'terminal',
+              cert_id(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))))
+  )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_T:
+     [
+     In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF> ),
+     In( <k, ke> ), !Ltk( T, skT, 'terminal' )
+     ]
+    --[
+    Eq( T, z ), Eq( z.1, true ), Eq( z.2, true ),
+    Eq( kTCNF, kdf(<'TCNF', r1>, z.3) ),
+    Eq( s,
+        mac(<'CA', certT, z.4, z.5, cip, z.6, cipe>, kdf(<'TMAC', r1>, z.3))
+    ),
+    Eq( kCNF, kdf(<'CNF', certT, z.4, z.5, cip, z.6, cipe>, <k, ke>) ),
+    ValidTrans( T, 'terminal', z.7 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. cCA   = cCA.40
+        cTA   = cTA.41
+        certT = certT.42
+        r1    = r1.49
+        skT   = skT.51
+        z     = cert_id(certT.42)
+        z.1   = verify(cert_sig(fst(sdec(cCA.40,
+                                         kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51))))),
+                       <
+                        cert_pk(fst(sdec(cCA.40,
+                                         kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51))))), 
+                        cert_id(fst(sdec(cCA.40,
+                                         kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.42),
+                       <cert_pk(certT.42), cert_id(certT.42), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.41, skT.51)
+        z.4   = fst(sdec(cCA.40, kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51))))
+        z.5   = fst(snd(sdec(cCA.40,
+                             kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51)))))
+        z.6   = snd(snd(sdec(cCA.40,
+                             kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51)))))
+        z.7   = cert_id(fst(sdec(cCA.40,
+                                 kdf(<'TENC', r1.49>, decaps(cTA.41, skT.51)))))
+    
+     2. cCA   = cCA.46
+        cTA   = encaps(z.63, pk(skT.57))
+        certT = certT.48
+        r1    = r1.55
+        skT   = skT.57
+        z     = cert_id(certT.48)
+        z.1   = verify(cert_sig(fst(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63)))),
+                       <cert_pk(fst(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63)))), 
+                        cert_id(fst(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.48),
+                       <cert_pk(certT.48), cert_id(certT.48), 'terminal'>, pk(ca_sk))
+        z.3   = z.63
+        z.4   = fst(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63)))
+        z.5   = fst(snd(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63))))
+        z.6   = snd(snd(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63))))
+        z.7   = cert_id(fst(sdec(cCA.46, kdf(<'TENC', r1.55>, z.63))))
+    
+     3. cCA   = cCA.129
+        cTA   = cTA.130
+        certT = cert(x.254, sign(<x.254, z.142, 'terminal'>, ca_sk), z.142)
+        r1    = r1.138
+        skT   = skT.140
+        z     = z.142
+        z.1   = verify(cert_sig(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140))))),
+                       <
+                        cert_pk(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140))))), 
+                        cert_id(fst(sdec(cCA.129,
+                                         kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.130, skT.140)
+        z.4   = fst(sdec(cCA.129,
+                         kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140))))
+        z.5   = fst(snd(sdec(cCA.129,
+                             kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140)))))
+        z.6   = snd(snd(sdec(cCA.129,
+                             kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140)))))
+        z.7   = cert_id(fst(sdec(cCA.129,
+                                 kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140)))))
+    
+     4. cCA   = cCA.130
+        cTA   = cTA.131
+        certT = cert(x.255, x.256, z.143)
+        r1    = r1.139
+        skT   = skT.141
+        z     = z.143
+        z.1   = verify(cert_sig(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141))))),
+                       <
+                        cert_pk(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141))))), 
+                        cert_id(fst(sdec(cCA.130,
+                                         kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.256, <x.255, z.143, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.131, skT.141)
+        z.4   = fst(sdec(cCA.130,
+                         kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141))))
+        z.5   = fst(snd(sdec(cCA.130,
+                             kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))))
+        z.6   = snd(snd(sdec(cCA.130,
+                             kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))))
+        z.7   = cert_id(fst(sdec(cCA.130,
+                                 kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))))
+    
+     5. cCA   = cCA.131
+        cTA   = encaps(z.148, pk(skT.142))
+        certT = cert(x.258, sign(<x.258, z.144, 'terminal'>, ca_sk), z.144)
+        r1    = r1.140
+        skT   = skT.142
+        z     = z.144
+        z.1   = verify(cert_sig(fst(sdec(cCA.131,
+                                         kdf(<'TENC', r1.140>, z.148)))),
+                       <cert_pk(fst(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148)))), 
+                        cert_id(fst(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.148
+        z.4   = fst(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148)))
+        z.5   = fst(snd(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148))))
+        z.6   = snd(snd(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148))))
+        z.7   = cert_id(fst(sdec(cCA.131, kdf(<'TENC', r1.140>, z.148))))
+    
+     6. cCA   = cCA.132
+        cTA   = encaps(z.149, pk(skT.143))
+        certT = cert(x.259, x.260, z.145)
+        r1    = r1.141
+        skT   = skT.143
+        z     = z.145
+        z.1   = verify(cert_sig(fst(sdec(cCA.132,
+                                         kdf(<'TENC', r1.141>, z.149)))),
+                       <cert_pk(fst(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149)))), 
+                        cert_id(fst(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.260, <x.259, z.145, 'terminal'>, pk(ca_sk))
+        z.3   = z.149
+        z.4   = fst(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149)))
+        z.5   = fst(snd(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149))))
+        z.6   = snd(snd(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149))))
+        z.7   = cert_id(fst(sdec(cCA.132, kdf(<'TENC', r1.141>, z.149))))
+    
+     7. cCA   = senc(x.177, kdf(<'TENC', r1.97>, z.105))
+        cTA   = encaps(z.105, pk(skT.99))
+        certT = cert(x.181, sign(<x.181, z.101, 'terminal'>, ca_sk), z.101)
+        r1    = r1.97
+        skT   = skT.99
+        z     = z.101
+        z.1   = verify(cert_sig(fst(x.177)),
+                       <cert_pk(fst(x.177)), cert_id(fst(x.177)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = z.105
+        z.4   = fst(x.177)
+        z.5   = fst(snd(x.177))
+        z.6   = snd(snd(x.177))
+        z.7   = cert_id(fst(x.177))
+    
+     8. cCA   = senc(x.178, kdf(<'TENC', r1.98>, z.106))
+        cTA   = encaps(z.106, pk(skT.100))
+        certT = cert(x.182, x.183, z.102)
+        r1    = r1.98
+        skT   = skT.100
+        z     = z.102
+        z.1   = verify(cert_sig(fst(x.178)),
+                       <cert_pk(fst(x.178)), cert_id(fst(x.178)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.183, <x.182, z.102, 'terminal'>, pk(ca_sk))
+        z.3   = z.106
+        z.4   = fst(x.178)
+        z.5   = fst(snd(x.178))
+        z.6   = snd(snd(x.178))
+        z.7   = cert_id(fst(x.178))
+    
+     9. cCA   = senc(x.236, kdf(<'TENC', r1.128>, z.136))
+        cTA   = encaps(z.136, pk(skT.130))
+        certT = certT.121
+        r1    = r1.128
+        skT   = skT.130
+        z     = cert_id(certT.121)
+        z.1   = verify(cert_sig(fst(x.236)),
+                       <cert_pk(fst(x.236)), cert_id(fst(x.236)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = z.136
+        z.4   = fst(x.236)
+        z.5   = fst(snd(x.236))
+        z.6   = snd(snd(x.236))
+        z.7   = cert_id(fst(x.236))
+    
+    10. cCA   = senc(x.245, kdf(<'TENC', r1.133>, decaps(cTA.125, skT.135)))
+        cTA   = cTA.125
+        certT = certT.126
+        r1    = r1.133
+        skT   = skT.135
+        z     = cert_id(certT.126)
+        z.1   = verify(cert_sig(fst(x.245)),
+                       <cert_pk(fst(x.245)), cert_id(fst(x.245)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.126),
+                       <cert_pk(certT.126), cert_id(certT.126), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.125, skT.135)
+        z.4   = fst(x.245)
+        z.5   = fst(snd(x.245))
+        z.6   = snd(snd(x.245))
+        z.7   = cert_id(fst(x.245))
+    
+    11. cCA   = senc(x.249, kdf(<'TENC', r1.137>, decaps(cTA.129, skT.139)))
+        cTA   = cTA.129
+        certT = cert(x.253, sign(<x.253, z.141, 'terminal'>, ca_sk), z.141)
+        r1    = r1.137
+        skT   = skT.139
+        z     = z.141
+        z.1   = verify(cert_sig(fst(x.249)),
+                       <cert_pk(fst(x.249)), cert_id(fst(x.249)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.129, skT.139)
+        z.4   = fst(x.249)
+        z.5   = fst(snd(x.249))
+        z.6   = snd(snd(x.249))
+        z.7   = cert_id(fst(x.249))
+    
+    12. cCA   = senc(x.250, kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140)))
+        cTA   = cTA.130
+        certT = cert(x.254, x.255, z.142)
+        r1    = r1.138
+        skT   = skT.140
+        z     = z.142
+        z.1   = verify(cert_sig(fst(x.250)),
+                       <cert_pk(fst(x.250)), cert_id(fst(x.250)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.255, <x.254, z.142, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.130, skT.140)
+        z.4   = fst(x.250)
+        z.5   = fst(snd(x.250))
+        z.6   = snd(snd(x.250))
+        z.7   = cert_id(fst(x.250))
+    
+    13. cCA   = senc(<z.65, z.66, z.67>, kdf(<'TENC', r1.55>, z.63))
+        cTA   = encaps(z.63, pk(skT.57))
+        certT = certT.48
+        r1    = r1.55
+        skT   = skT.57
+        z     = cert_id(certT.48)
+        z.1   = verify(cert_sig(z.65), <cert_pk(z.65), cert_id(z.65), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.48),
+                       <cert_pk(certT.48), cert_id(certT.48), 'terminal'>, pk(ca_sk))
+        z.3   = z.63
+        z.4   = z.65
+        z.5   = z.66
+        z.6   = z.67
+        z.7   = cert_id(z.65)
+    
+    14. cCA   = senc(<z.67, z.68, z.69>,
+                     kdf(<'TENC', r1.57>, decaps(cTA.49, skT.59)))
+        cTA   = cTA.49
+        certT = certT.50
+        r1    = r1.57
+        skT   = skT.59
+        z     = cert_id(certT.50)
+        z.1   = verify(cert_sig(z.67), <cert_pk(z.67), cert_id(z.67), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.50),
+                       <cert_pk(certT.50), cert_id(certT.50), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.49, skT.59)
+        z.4   = z.67
+        z.5   = z.68
+        z.6   = z.69
+        z.7   = cert_id(z.67)
+    
+    15. cCA   = senc(<z.108, x.179>, kdf(<'TENC', r1.98>, z.106))
+        cTA   = encaps(z.106, pk(skT.100))
+        certT = cert(x.183, sign(<x.183, z.102, 'terminal'>, ca_sk), z.102)
+        r1    = r1.98
+        skT   = skT.100
+        z     = z.102
+        z.1   = verify(cert_sig(z.108), <cert_pk(z.108), cert_id(z.108), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.106
+        z.4   = z.108
+        z.5   = fst(x.179)
+        z.6   = snd(x.179)
+        z.7   = cert_id(z.108)
+    
+    16. cCA   = senc(<z.109, x.180>, kdf(<'TENC', r1.99>, z.107))
+        cTA   = encaps(z.107, pk(skT.101))
+        certT = cert(x.184, x.185, z.103)
+        r1    = r1.99
+        skT   = skT.101
+        z     = z.103
+        z.1   = verify(cert_sig(z.109), <cert_pk(z.109), cert_id(z.109), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.185, <x.184, z.103, 'terminal'>, pk(ca_sk))
+        z.3   = z.107
+        z.4   = z.109
+        z.5   = fst(x.180)
+        z.6   = snd(x.180)
+        z.7   = cert_id(z.109)
+    
+    17. cCA   = senc(<z.109, z.110, z.111>, kdf(<'TENC', r1.99>, z.107))
+        cTA   = encaps(z.107, pk(skT.101))
+        certT = cert(x.185, sign(<x.185, z.103, 'terminal'>, ca_sk), z.103)
+        r1    = r1.99
+        skT   = skT.101
+        z     = z.103
+        z.1   = verify(cert_sig(z.109), <cert_pk(z.109), cert_id(z.109), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.107
+        z.4   = z.109
+        z.5   = z.110
+        z.6   = z.111
+        z.7   = cert_id(z.109)
+    
+    18. cCA   = senc(<z.110, z.111, z.112>, kdf(<'TENC', r1.100>, z.108))
+        cTA   = encaps(z.108, pk(skT.102))
+        certT = cert(x.186, x.187, z.104)
+        r1    = r1.100
+        skT   = skT.102
+        z     = z.104
+        z.1   = verify(cert_sig(z.110), <cert_pk(z.110), cert_id(z.110), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.187, <x.186, z.104, 'terminal'>, pk(ca_sk))
+        z.3   = z.108
+        z.4   = z.110
+        z.5   = z.111
+        z.6   = z.112
+        z.7   = cert_id(z.110)
+    
+    19. cCA   = senc(<z.139, x.238>, kdf(<'TENC', r1.129>, z.137))
+        cTA   = encaps(z.137, pk(skT.131))
+        certT = certT.122
+        r1    = r1.129
+        skT   = skT.131
+        z     = cert_id(certT.122)
+        z.1   = verify(cert_sig(z.139), <cert_pk(z.139), cert_id(z.139), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = z.137
+        z.4   = z.139
+        z.5   = fst(x.238)
+        z.6   = snd(x.238)
+        z.7   = cert_id(z.139)
+    
+    20. cCA   = senc(<z.144, x.247>,
+                     kdf(<'TENC', r1.134>, decaps(cTA.126, skT.136)))
+        cTA   = cTA.126
+        certT = certT.127
+        r1    = r1.134
+        skT   = skT.136
+        z     = cert_id(certT.127)
+        z.1   = verify(cert_sig(z.144), <cert_pk(z.144), cert_id(z.144), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.127),
+                       <cert_pk(certT.127), cert_id(certT.127), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.126, skT.136)
+        z.4   = z.144
+        z.5   = fst(x.247)
+        z.6   = snd(x.247)
+        z.7   = cert_id(z.144)
+    
+    21. cCA   = senc(<z.148, x.251>,
+                     kdf(<'TENC', r1.138>, decaps(cTA.130, skT.140)))
+        cTA   = cTA.130
+        certT = cert(x.255, sign(<x.255, z.142, 'terminal'>, ca_sk), z.142)
+        r1    = r1.138
+        skT   = skT.140
+        z     = z.142
+        z.1   = verify(cert_sig(z.148), <cert_pk(z.148), cert_id(z.148), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.130, skT.140)
+        z.4   = z.148
+        z.5   = fst(x.251)
+        z.6   = snd(x.251)
+        z.7   = cert_id(z.148)
+    
+    22. cCA   = senc(<z.149, x.252>,
+                     kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))
+        cTA   = cTA.131
+        certT = cert(x.256, x.257, z.143)
+        r1    = r1.139
+        skT   = skT.141
+        z     = z.143
+        z.1   = verify(cert_sig(z.149), <cert_pk(z.149), cert_id(z.149), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.257, <x.256, z.143, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.131, skT.141)
+        z.4   = z.149
+        z.5   = fst(x.252)
+        z.6   = snd(x.252)
+        z.7   = cert_id(z.149)
+    
+    23. cCA   = senc(<z.149, z.150, z.151>,
+                     kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))
+        cTA   = cTA.131
+        certT = cert(x.257, sign(<x.257, z.143, 'terminal'>, ca_sk), z.143)
+        r1    = r1.139
+        skT   = skT.141
+        z     = z.143
+        z.1   = verify(cert_sig(z.149), <cert_pk(z.149), cert_id(z.149), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.131, skT.141)
+        z.4   = z.149
+        z.5   = z.150
+        z.6   = z.151
+        z.7   = cert_id(z.149)
+    
+    24. cCA   = senc(<z.150, z.151, z.152>,
+                     kdf(<'TENC', r1.140>, decaps(cTA.132, skT.142)))
+        cTA   = cTA.132
+        certT = cert(x.258, x.259, z.144)
+        r1    = r1.140
+        skT   = skT.142
+        z     = z.144
+        z.1   = verify(cert_sig(z.150), <cert_pk(z.150), cert_id(z.150), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.259, <x.258, z.144, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.132, skT.142)
+        z.4   = z.150
+        z.5   = z.151
+        z.6   = z.152
+        z.7   = cert_id(z.150)
+    
+    25. cCA   = senc(<
+                      cert(x.179, sign(<x.179, z.114, 'chip'>, ca_sk), z.114), x.181>,
+                     kdf(<'TENC', r1.99>, z.107))
+        cTA   = encaps(z.107, pk(skT.101))
+        certT = cert(x.185, sign(<x.185, z.103, 'terminal'>, ca_sk), z.103)
+        r1    = r1.99
+        skT   = skT.101
+        z     = z.103
+        z.1   = true
+        z.2   = true
+        z.3   = z.107
+        z.4   = cert(x.179, sign(<x.179, z.114, 'chip'>, ca_sk), z.114)
+        z.5   = fst(x.181)
+        z.6   = snd(x.181)
+        z.7   = z.114
+    
+    26. cCA   = senc(<cert(x.180, x.181, z.115), x.183>,
+                     kdf(<'TENC', r1.100>, z.108))
+        cTA   = encaps(z.108, pk(skT.102))
+        certT = cert(x.187, sign(<x.187, z.104, 'terminal'>, ca_sk), z.104)
+        r1    = r1.100
+        skT   = skT.102
+        z     = z.104
+        z.1   = verify(x.181, <x.180, z.115, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = z.108
+        z.4   = cert(x.180, x.181, z.115)
+        z.5   = fst(x.183)
+        z.6   = snd(x.183)
+        z.7   = z.115
+    
+    27. cCA   = senc(<
+                      cert(x.180, sign(<x.180, z.115, 'chip'>, ca_sk), z.115), x.182>,
+                     kdf(<'TENC', r1.100>, z.108))
+        cTA   = encaps(z.108, pk(skT.102))
+        certT = cert(x.186, x.187, z.104)
+        r1    = r1.100
+        skT   = skT.102
+        z     = z.104
+        z.1   = true
+        z.2   = verify(x.187, <x.186, z.104, 'terminal'>, pk(ca_sk))
+        z.3   = z.108
+        z.4   = cert(x.180, sign(<x.180, z.115, 'chip'>, ca_sk), z.115)
+        z.5   = fst(x.182)
+        z.6   = snd(x.182)
+        z.7   = z.115
+    
+    28. cCA   = senc(<
+                      cert(x.180, sign(<x.180, z.115, 'chip'>, ca_sk), z.115), z.111, z.112>,
+                     kdf(<'TENC', r1.100>, z.108))
+        cTA   = encaps(z.108, pk(skT.102))
+        certT = cert(x.187, sign(<x.187, z.104, 'terminal'>, ca_sk), z.104)
+        r1    = r1.100
+        skT   = skT.102
+        z     = z.104
+        z.1   = true
+        z.2   = true
+        z.3   = z.108
+        z.4   = cert(x.180, sign(<x.180, z.115, 'chip'>, ca_sk), z.115)
+        z.5   = z.111
+        z.6   = z.112
+        z.7   = z.115
+    
+    29. cCA   = senc(<cert(x.181, x.182, z.116), x.184>,
+                     kdf(<'TENC', r1.101>, z.109))
+        cTA   = encaps(z.109, pk(skT.103))
+        certT = cert(x.188, x.189, z.105)
+        r1    = r1.101
+        skT   = skT.103
+        z     = z.105
+        z.1   = verify(x.182, <x.181, z.116, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.189, <x.188, z.105, 'terminal'>, pk(ca_sk))
+        z.3   = z.109
+        z.4   = cert(x.181, x.182, z.116)
+        z.5   = fst(x.184)
+        z.6   = snd(x.184)
+        z.7   = z.116
+    
+    30. cCA   = senc(<cert(x.181, x.182, z.116), z.112, z.113>,
+                     kdf(<'TENC', r1.101>, z.109))
+        cTA   = encaps(z.109, pk(skT.103))
+        certT = cert(x.189, sign(<x.189, z.105, 'terminal'>, ca_sk), z.105)
+        r1    = r1.101
+        skT   = skT.103
+        z     = z.105
+        z.1   = verify(x.182, <x.181, z.116, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = z.109
+        z.4   = cert(x.181, x.182, z.116)
+        z.5   = z.112
+        z.6   = z.113
+        z.7   = z.116
+    
+    31. cCA   = senc(<
+                      cert(x.181, sign(<x.181, z.116, 'chip'>, ca_sk), z.116), z.112, z.113>,
+                     kdf(<'TENC', r1.101>, z.109))
+        cTA   = encaps(z.109, pk(skT.103))
+        certT = cert(x.188, x.189, z.105)
+        r1    = r1.101
+        skT   = skT.103
+        z     = z.105
+        z.1   = true
+        z.2   = verify(x.189, <x.188, z.105, 'terminal'>, pk(ca_sk))
+        z.3   = z.109
+        z.4   = cert(x.181, sign(<x.181, z.116, 'chip'>, ca_sk), z.116)
+        z.5   = z.112
+        z.6   = z.113
+        z.7   = z.116
+    
+    32. cCA   = senc(<cert(x.182, x.183, z.117), z.113, z.114>,
+                     kdf(<'TENC', r1.102>, z.110))
+        cTA   = encaps(z.110, pk(skT.104))
+        certT = cert(x.190, x.191, z.106)
+        r1    = r1.102
+        skT   = skT.104
+        z     = z.106
+        z.1   = verify(x.183, <x.182, z.117, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.191, <x.190, z.106, 'terminal'>, pk(ca_sk))
+        z.3   = z.110
+        z.4   = cert(x.182, x.183, z.117)
+        z.5   = z.113
+        z.6   = z.114
+        z.7   = z.117
+    
+    33. cCA   = senc(<
+                      cert(x.236, sign(<x.236, z.143, 'chip'>, ca_sk), z.143), z.139, z.140>,
+                     kdf(<'TENC', r1.128>, z.136))
+        cTA   = encaps(z.136, pk(skT.130))
+        certT = certT.121
+        r1    = r1.128
+        skT   = skT.130
+        z     = cert_id(certT.121)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.121),
+                       <cert_pk(certT.121), cert_id(certT.121), 'terminal'>, pk(ca_sk))
+        z.3   = z.136
+        z.4   = cert(x.236, sign(<x.236, z.143, 'chip'>, ca_sk), z.143)
+        z.5   = z.139
+        z.6   = z.140
+        z.7   = z.143
+    
+    34. cCA   = senc(<cert(x.237, x.238, z.144), z.140, z.141>,
+                     kdf(<'TENC', r1.129>, z.137))
+        cTA   = encaps(z.137, pk(skT.131))
+        certT = certT.122
+        r1    = r1.129
+        skT   = skT.131
+        z     = cert_id(certT.122)
+        z.1   = verify(x.238, <x.237, z.144, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.122),
+                       <cert_pk(certT.122), cert_id(certT.122), 'terminal'>, pk(ca_sk))
+        z.3   = z.137
+        z.4   = cert(x.237, x.238, z.144)
+        z.5   = z.140
+        z.6   = z.141
+        z.7   = z.144
+    
+    35. cCA   = senc(<
+                      cert(x.238, sign(<x.238, z.145, 'chip'>, ca_sk), z.145), x.240>,
+                     kdf(<'TENC', r1.130>, z.138))
+        cTA   = encaps(z.138, pk(skT.132))
+        certT = certT.123
+        r1    = r1.130
+        skT   = skT.132
+        z     = cert_id(certT.123)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.123),
+                       <cert_pk(certT.123), cert_id(certT.123), 'terminal'>, pk(ca_sk))
+        z.3   = z.138
+        z.4   = cert(x.238, sign(<x.238, z.145, 'chip'>, ca_sk), z.145)
+        z.5   = fst(x.240)
+        z.6   = snd(x.240)
+        z.7   = z.145
+    
+    36. cCA   = senc(<cert(x.239, x.240, z.146), x.242>,
+                     kdf(<'TENC', r1.131>, z.139))
+        cTA   = encaps(z.139, pk(skT.133))
+        certT = certT.124
+        r1    = r1.131
+        skT   = skT.133
+        z     = cert_id(certT.124)
+        z.1   = verify(x.240, <x.239, z.146, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.124),
+                       <cert_pk(certT.124), cert_id(certT.124), 'terminal'>, pk(ca_sk))
+        z.3   = z.139
+        z.4   = cert(x.239, x.240, z.146)
+        z.5   = fst(x.242)
+        z.6   = snd(x.242)
+        z.7   = z.146
+    
+    37. cCA   = senc(<
+                      cert(x.245, sign(<x.245, z.148, 'chip'>, ca_sk), z.148), z.144, z.145>,
+                     kdf(<'TENC', r1.133>, decaps(cTA.125, skT.135)))
+        cTA   = cTA.125
+        certT = certT.126
+        r1    = r1.133
+        skT   = skT.135
+        z     = cert_id(certT.126)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.126),
+                       <cert_pk(certT.126), cert_id(certT.126), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.125, skT.135)
+        z.4   = cert(x.245, sign(<x.245, z.148, 'chip'>, ca_sk), z.148)
+        z.5   = z.144
+        z.6   = z.145
+        z.7   = z.148
+    
+    38. cCA   = senc(<cert(x.246, x.247, z.149), z.145, z.146>,
+                     kdf(<'TENC', r1.134>, decaps(cTA.126, skT.136)))
+        cTA   = cTA.126
+        certT = certT.127
+        r1    = r1.134
+        skT   = skT.136
+        z     = cert_id(certT.127)
+        z.1   = verify(x.247, <x.246, z.149, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.127),
+                       <cert_pk(certT.127), cert_id(certT.127), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.126, skT.136)
+        z.4   = cert(x.246, x.247, z.149)
+        z.5   = z.145
+        z.6   = z.146
+        z.7   = z.149
+    
+    39. cCA   = senc(<
+                      cert(x.247, sign(<x.247, z.150, 'chip'>, ca_sk), z.150), x.249>,
+                     kdf(<'TENC', r1.135>, decaps(cTA.127, skT.137)))
+        cTA   = cTA.127
+        certT = certT.128
+        r1    = r1.135
+        skT   = skT.137
+        z     = cert_id(certT.128)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.128),
+                       <cert_pk(certT.128), cert_id(certT.128), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.127, skT.137)
+        z.4   = cert(x.247, sign(<x.247, z.150, 'chip'>, ca_sk), z.150)
+        z.5   = fst(x.249)
+        z.6   = snd(x.249)
+        z.7   = z.150
+    
+    40. cCA   = senc(<cert(x.248, x.249, z.151), x.251>,
+                     kdf(<'TENC', r1.136>, decaps(cTA.128, skT.138)))
+        cTA   = cTA.128
+        certT = certT.129
+        r1    = r1.136
+        skT   = skT.138
+        z     = cert_id(certT.129)
+        z.1   = verify(x.249, <x.248, z.151, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.129),
+                       <cert_pk(certT.129), cert_id(certT.129), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.128, skT.138)
+        z.4   = cert(x.248, x.249, z.151)
+        z.5   = fst(x.251)
+        z.6   = snd(x.251)
+        z.7   = z.151
+    
+    41. cCA   = senc(<
+                      cert(x.251, sign(<x.251, z.154, 'chip'>, ca_sk), z.154), x.253>,
+                     kdf(<'TENC', r1.139>, decaps(cTA.131, skT.141)))
+        cTA   = cTA.131
+        certT = cert(x.257, sign(<x.257, z.143, 'terminal'>, ca_sk), z.143)
+        r1    = r1.139
+        skT   = skT.141
+        z     = z.143
+        z.1   = true
+        z.2   = true
+        z.3   = decaps(cTA.131, skT.141)
+        z.4   = cert(x.251, sign(<x.251, z.154, 'chip'>, ca_sk), z.154)
+        z.5   = fst(x.253)
+        z.6   = snd(x.253)
+        z.7   = z.154
+    
+    42. cCA   = senc(<cert(x.252, x.253, z.155), x.255>,
+                     kdf(<'TENC', r1.140>, decaps(cTA.132, skT.142)))
+        cTA   = cTA.132
+        certT = cert(x.259, sign(<x.259, z.144, 'terminal'>, ca_sk), z.144)
+        r1    = r1.140
+        skT   = skT.142
+        z     = z.144
+        z.1   = verify(x.253, <x.252, z.155, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.132, skT.142)
+        z.4   = cert(x.252, x.253, z.155)
+        z.5   = fst(x.255)
+        z.6   = snd(x.255)
+        z.7   = z.155
+    
+    43. cCA   = senc(<
+                      cert(x.252, sign(<x.252, z.155, 'chip'>, ca_sk), z.155), x.254>,
+                     kdf(<'TENC', r1.140>, decaps(cTA.132, skT.142)))
+        cTA   = cTA.132
+        certT = cert(x.258, x.259, z.144)
+        r1    = r1.140
+        skT   = skT.142
+        z     = z.144
+        z.1   = true
+        z.2   = verify(x.259, <x.258, z.144, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.132, skT.142)
+        z.4   = cert(x.252, sign(<x.252, z.155, 'chip'>, ca_sk), z.155)
+        z.5   = fst(x.254)
+        z.6   = snd(x.254)
+        z.7   = z.155
+    
+    44. cCA   = senc(<
+                      cert(x.252, sign(<x.252, z.155, 'chip'>, ca_sk), z.155), z.151, z.152>,
+                     kdf(<'TENC', r1.140>, decaps(cTA.132, skT.142)))
+        cTA   = cTA.132
+        certT = cert(x.259, sign(<x.259, z.144, 'terminal'>, ca_sk), z.144)
+        r1    = r1.140
+        skT   = skT.142
+        z     = z.144
+        z.1   = true
+        z.2   = true
+        z.3   = decaps(cTA.132, skT.142)
+        z.4   = cert(x.252, sign(<x.252, z.155, 'chip'>, ca_sk), z.155)
+        z.5   = z.151
+        z.6   = z.152
+        z.7   = z.155
+    
+    45. cCA   = senc(<cert(x.253, x.254, z.156), x.256>,
+                     kdf(<'TENC', r1.141>, decaps(cTA.133, skT.143)))
+        cTA   = cTA.133
+        certT = cert(x.260, x.261, z.145)
+        r1    = r1.141
+        skT   = skT.143
+        z     = z.145
+        z.1   = verify(x.254, <x.253, z.156, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.261, <x.260, z.145, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.133, skT.143)
+        z.4   = cert(x.253, x.254, z.156)
+        z.5   = fst(x.256)
+        z.6   = snd(x.256)
+        z.7   = z.156
+    
+    46. cCA   = senc(<cert(x.253, x.254, z.156), z.152, z.153>,
+                     kdf(<'TENC', r1.141>, decaps(cTA.133, skT.143)))
+        cTA   = cTA.133
+        certT = cert(x.261, sign(<x.261, z.145, 'terminal'>, ca_sk), z.145)
+        r1    = r1.141
+        skT   = skT.143
+        z     = z.145
+        z.1   = verify(x.254, <x.253, z.156, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.133, skT.143)
+        z.4   = cert(x.253, x.254, z.156)
+        z.5   = z.152
+        z.6   = z.153
+        z.7   = z.156
+    
+    47. cCA   = senc(<
+                      cert(x.253, sign(<x.253, z.156, 'chip'>, ca_sk), z.156), z.152, z.153>,
+                     kdf(<'TENC', r1.141>, decaps(cTA.133, skT.143)))
+        cTA   = cTA.133
+        certT = cert(x.260, x.261, z.145)
+        r1    = r1.141
+        skT   = skT.143
+        z     = z.145
+        z.1   = true
+        z.2   = verify(x.261, <x.260, z.145, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.133, skT.143)
+        z.4   = cert(x.253, sign(<x.253, z.156, 'chip'>, ca_sk), z.156)
+        z.5   = z.152
+        z.6   = z.153
+        z.7   = z.156
+    
+    48. cCA   = senc(<cert(x.254, x.255, z.157), z.153, z.154>,
+                     kdf(<'TENC', r1.142>, decaps(cTA.134, skT.144)))
+        cTA   = cTA.134
+        certT = cert(x.262, x.263, z.146)
+        r1    = r1.142
+        skT   = skT.144
+        z     = z.146
+        z.1   = verify(x.255, <x.254, z.157, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.263, <x.262, z.146, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.134, skT.144)
+        z.4   = cert(x.254, x.255, z.157)
+        z.5   = z.153
+        z.6   = z.154
+        z.7   = z.157
+  */
+
+restriction Equality:
+  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
+  // safety formula
+
+lemma session_exist:
+  exists-trace
+  "∃ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+    (#i < #j)"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  #i < #j"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C_case_1
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z.1, z.2>),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
+                              <z.2, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( mac(<'CA', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                kdf(<'TMAC', ~r1>, ~kTA))
+                       ) @ #vk.5 )
+                  case TA_RESPONSE_T
+                  solve( !KU( senc(<
+                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, pk(~skCe)>,
+                                   kdf(<'TENC', ~r1>, ~kTA))
+                         ) @ #vk.28 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( encaps(~kTA, pk(~skT)) ) @ #vk.28 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~r1 ) @ #vk.28 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                               ) @ #vk.19 )
+                          case CA_Sign_ltk
+                          solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.11 )
+                            case TA_RESPONSE_T
+                            solve( splitEqs(4) )
+                              case split_case_1
+                              solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.35 )
+                                case TA_CHALLENGE_C
+                                solve( !KU( senc(<cert(z, sign(<z, x, 'chip'>, ca_sk), x), x.1>,
+                                                 kdf(<'TENC', ~r1>, ~kTA))
+                                       ) @ #vk.35 )
+                                  case c_senc
+                                  solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.37 )
+                                    case c_kdf
+                                    solve( !KU( ~kTA ) @ #vk.41 )
+                                      case TA_CHALLENGE_C
+                                      solve( !KU( ~skT ) @ #vk.43 )
+                                        case Corrupt_ltk
+                                        solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.41 )
+                                          case CA_Sign_ltk
+                                          solve( !KU( kdf(<'CNF', 
+                                                           cert(pk(~skT),
+                                                                sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk),
+                                                                $C), 
+                                                           ~r2, encaps(~k, pk(~ltk)), pk(~skCe), 
+                                                           encaps(~ke, pk(~skCe))>,
+                                                          <~k, ~ke>)
+                                                 ) @ #vk.33 )
+                                            case TA_COMPLETE_C
+                                            solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.26 )
+                                              case TA_RESPONSE_T
+                                              solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.29 )
+                                                case TA_RESPONSE_T
+                                                SOLVED // trace found
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma two_session_exist:
+  exists-trace
+  "∃ C T k k2 sid sid2 #i #j #i2 #j2.
+    ((((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+         (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+        (#i < #j)) ∧
+       (Completed( k2, sid2, C, 'chip', T ) @ #i2)) ∧
+      (Completed( k2, sid2, T, 'terminal', C ) @ #j2)) ∧
+     (#i2 < #j2)) ∧
+    (¬(k = k2))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k k2 sid sid2 #i #j #i2 #j2.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j) ∧
+  (Completed( k2, sid2, C, 'chip', T ) @ #i2) ∧
+  (Completed( k2, sid2, T, 'terminal', C ) @ #j2)
+ ∧
+  (#i < #j) ∧ (#i2 < #j2) ∧ (¬(k = k2))"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C_case_1
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z.1, z.2>),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
+                              <z.2, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
+                case TA_COMPLETE_C_case_1
+                solve( TAChallengeC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1, r2.1,
+                                     skCe.1, kTMAC, kTCNF
+                       ) ▶₁ #i2 )
+                  case TA_CHALLENGE_C
+                  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
+                    case Generate_chip_key_pair
+                    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
+                      case CA_Sign_ltk
+                      solve( Completed( kdf(<'KEY', 
+                                             cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), 
+                                             ~r2.1, cip, pk(~skCe.1), cipe>,
+                                            <z, z.1>),
+                                        <cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, 
+                                         cip, pk(~skCe.1), cipe>,
+                                        $T, 'terminal', $C
+                             ) @ #j2 )
+                        case CA_FINISH_T
+                        solve( TAResponseT( <$T, iid.3>, id_c.3,
+                                            cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C),
+                                            ~r2.1, <z, cip>, <z.1, cipe>, pk(~skCe.1)
+                               ) ▶₁ #j2 )
+                          case TA_RESPONSE_T
+                          solve( !Cert( $T, cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T),
+                                        'terminal'
+                                 ) ▶₂ #j2 )
+                            case CA_Sign_ltk
+                            solve( splitEqs(2) )
+                              case split_case_1
+                              solve( splitEqs(5) )
+                                case split_case_1
+                                solve( !KU( mac(<'CA', 
+                                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
+                                                      $T), 
+                                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                 ~r2, encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))
+                                                >,
+                                                kdf(<'TMAC', ~r1>, ~kTA))
+                                       ) @ #vk.5 )
+                                  case c_mac
+                                  solve( !KU( ~r2 ) @ #vk.59 )
+                                    case TA_CHALLENGE_C
+                                    solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.4 )
+                                      case TA_RESPONSE_T
+                                      solve( splitEqs(8) )
+                                        case split_case_1
+                                        solve( !KU( senc(<
+                                                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk),
+                                                               $C), 
+                                                          ~r2, pk(~skCe)>,
+                                                         kdf(<'TENC', r1.2>, decaps(cTA, ~skT)))
+                                               ) @ #vk.47 )
+                                          case c_senc
+                                          solve( !KU( mac(<'CA', 
+                                                           cert(pk(~ltk.2),
+                                                                sign(<pk(~ltk.2), $T, 'terminal'>, ca_sk),
+                                                                $T), 
+                                                           cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk),
+                                                                $C), 
+                                                           ~r2.1, encaps(~k.1, pk(~skC)), pk(~skCe.1), 
+                                                           encaps(~ke.1, pk(~skCe.1))>,
+                                                          kdf(<'TMAC', ~r1.1>, ~kTA.1))
+                                                 ) @ #vk.53 )
+                                            case TA_RESPONSE_T
+                                            solve( !KU( senc(<
+                                                              cert(pk(~skC),
+                                                                   sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), 
+                                                              ~r2.1, pk(~skCe.1)>,
+                                                             kdf(<'TENC', ~r1.1>, ~kTA.1))
+                                                   ) @ #vk.62 )
+                                              case TA_CHALLENGE_C
+                                              solve( !KU( encaps(~kTA.1, pk(~skT.1)) ) @ #vk.62 )
+                                                case TA_CHALLENGE_C
+                                                solve( !KU( kdf(<'TMAC', ~r1>, ~kTA) ) @ #vk.63 )
+                                                  case c_kdf
+                                                  solve( !KU( ~kTA ) @ #vk.74 )
+                                                    case TA_CHALLENGE_C
+                                                    solve( !KU( ~ltk.1 ) @ #vk.76 )
+                                                      case Corrupt_ltk
+                                                      solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.69 )
+                                                        case c_kdf
+                                                        solve( !KU( encaps(~kTA, pk(~skT.2)) ) @ #vk.74 )
+                                                          case TA_CHALLENGE_C
+                                                          solve( !KU( senc(<
+                                                                            cert(z,
+                                                                                 sign(<z, x, 'chip'>, ca_sk),
+                                                                                 x), 
+                                                                            x.1>,
+                                                                           kdf(<'TENC', ~r1>, ~kTA))
+                                                                 ) @ #vk.75 )
+                                                            case c_senc
+                                                            solve( !KU( kdf(<'TENC', r1.2>,
+                                                                            decaps(cTA, ~skT.1))
+                                                                   ) @ #vk.76 )
+                                                              case c_kdf
+                                                              solve( !KU( decaps(cTA, ~skT.1) ) @ #vk.83 )
+                                                                case c_decaps
+                                                                solve( !KU( ~skT.1 ) @ #vk.84 )
+                                                                  case Corrupt_ltk
+                                                                  solve( !KU( cert(z,
+                                                                                   sign(<z, x, 'chip'>,
+                                                                                        ca_sk),
+                                                                                   x)
+                                                                         ) @ #vk.83 )
+                                                                    case CA_Sign_ltk
+                                                                    solve( !KU( ~r1 ) @ #vk.78 )
+                                                                      case TA_CHALLENGE_C
+                                                                      solve( !KU( ~r1.1 ) @ #vk.75 )
+                                                                        case TA_CHALLENGE_C
+                                                                        solve( !KU( cert(pk(~ltk.1),
+                                                                                         sign(<pk(~ltk.1), 
+                                                                                               $T, 'terminal'
+                                                                                              >,
+                                                                                              ca_sk),
+                                                                                         $T)
+                                                                               ) @ #vk.58 )
+                                                                          case CA_Sign_ltk
+                                                                          solve( !KU( kdf(<'CNF', 
+                                                                                           cert(pk(~ltk.1),
+                                                                                                sign(<
+                                                                                                      pk(~ltk.1), 
+                                                                                                      $T, 
+                                                                                                      'terminal'
+                                                                                                     >,
+                                                                                                     ca_sk),
+                                                                                                $T), 
+                                                                                           cert(pk(~ltk),
+                                                                                                sign(<
+                                                                                                      pk(~ltk), 
+                                                                                                      $C, 
+                                                                                                      'chip'>,
+                                                                                                     ca_sk),
+                                                                                                $C), 
+                                                                                           ~r2, 
+                                                                                           encaps(~k,
+                                                                                                  pk(~ltk)), 
+                                                                                           pk(~skCe), 
+                                                                                           encaps(~ke,
+                                                                                                  pk(~skCe))
+                                                                                          >,
+                                                                                          <~k, ~ke>)
+                                                                                 ) @ #vk.61 )
+                                                                            case TA_COMPLETE_C
+                                                                            solve( !KU( encaps(~k, pk(~ltk))
+                                                                                   ) @ #vk.49 )
+                                                                              case TA_RESPONSE_T
+                                                                              solve( !KU( encaps(~ke,
+                                                                                                 pk(~skCe))
+                                                                                     ) @ #vk.53 )
+                                                                                case TA_RESPONSE_T
+                                                                                solve( !KU( cert(pk(~skT),
+                                                                                                 sign(<
+                                                                                                       pk(~skT), 
+                                                                                                       $T, 
+                                                                                                       'terminal'
+                                                                                                      >,
+                                                                                                      ca_sk),
+                                                                                                 $T)
+                                                                                       ) @ #vk.75 )
+                                                                                  case CA_Sign_ltk
+                                                                                  solve( !KU( kdf(<'TCNF', 
+                                                                                                   ~r1.1>,
+                                                                                                  ~kTA.1)
+                                                                                         ) @ #vk.73 )
+                                                                                    case TA_RESPONSE_T
+                                                                                    solve( splitEqs(12) )
+                                                                                      case split_case_1
+                                                                                      solve( !KU( encaps(~kTA.1,
+                                                                                                         pk(~skT.2))
+                                                                                             ) @ #vk.90 )
+                                                                                        case TA_CHALLENGE_C
+                                                                                        solve( !KU( senc(<
+                                                                                                          cert(z,
+                                                                                                               sign(<
+                                                                                                                     z, 
+                                                                                                                     x.1, 
+                                                                                                                     'chip'
+                                                                                                                    >,
+                                                                                                                    ca_sk),
+                                                                                                               x.1), 
+                                                                                                          z.1, 
+                                                                                                          z.2
+                                                                                                         >,
+                                                                                                         kdf(<
+                                                                                                              'TENC', 
+                                                                                                              ~r1.1
+                                                                                                             >,
+                                                                                                             ~kTA.1))
+                                                                                               ) @ #vk.90 )
+                                                                                          case TA_CHALLENGE_C
+                                                                                          solve( !KU( kdf(<
+                                                                                                           'CNF', 
+                                                                                                           cert(pk(~skT),
+                                                                                                                sign(<
+                                                                                                                      pk(~skT), 
+                                                                                                                      $T, 
+                                                                                                                      'terminal'
+                                                                                                                     >,
+                                                                                                                     ca_sk),
+                                                                                                                $T), 
+                                                                                                           cert(pk(~skC),
+                                                                                                                sign(<
+                                                                                                                      pk(~skC), 
+                                                                                                                      $C, 
+                                                                                                                      'chip'
+                                                                                                                     >,
+                                                                                                                     ca_sk),
+                                                                                                                $C), 
+                                                                                                           ~r2.1, 
+                                                                                                           encaps(~k.1,
+                                                                                                                  pk(~skC)), 
+                                                                                                           pk(~skCe.1), 
+                                                                                                           encaps(~ke.1,
+                                                                                                                  pk(~skCe.1))
+                                                                                                          >,
+                                                                                                          <
+                                                                                                           ~k.1, 
+                                                                                                           ~ke.1
+                                                                                                          >)
+                                                                                                 ) @ #vk.77 )
+                                                                                            case TA_COMPLETE_C
+                                                                                            solve( !KU( encaps(~k.1,
+                                                                                                               pk(~skC))
+                                                                                                   ) @ #vk.76 )
+                                                                                              case TA_RESPONSE_T
+                                                                                              solve( !KU( encaps(~ke.1,
+                                                                                                                 pk(~skCe.1))
+                                                                                                     ) @ #vk.77 )
+                                                                                                case TA_RESPONSE_T
+                                                                                                solve( !KU( cert(pk(~ltk),
+                                                                                                                 sign(<
+                                                                                                                       pk(~ltk), 
+                                                                                                                       $C, 
+                                                                                                                       'chip'
+                                                                                                                      >,
+                                                                                                                      ca_sk),
+                                                                                                                 $C)
+                                                                                                       ) @ #vk.80 )
+                                                                                                  case CA_Sign_ltk
+                                                                                                  solve( !KU( pk(~skCe)
+                                                                                                         ) @ #vk.81 )
+                                                                                                    case TA_CHALLENGE_C
+                                                                                                    SOLVED // trace found
+                                                                                                  qed
+                                                                                                qed
+                                                                                              qed
+                                                                                            qed
+                                                                                          qed
+                                                                                        qed
+                                                                                      qed
+                                                                                    qed
+                                                                                  qed
+                                                                                qed
+                                                                              qed
+                                                                            qed
+                                                                          qed
+                                                                        qed
+                                                                      qed
+                                                                    qed
+                                                                  qed
+                                                                qed
+                                                              qed
+                                                            qed
+                                                          qed
+                                                        qed
+                                                      qed
+                                                    qed
+                                                  qed
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
+                    pkCe
+       ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case TA_COMPLETE_C_case_1
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           r2, skCe, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_2
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           r2, skCe, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
+                    pkCe
+       ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( TAResponseT( <$T.1, iid>, id_c,
+                          cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
+                          <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.29 )
+            case TA_RESPONSE_T
+            solve( !KU( ~ke ) @ #vk.30 )
+              case TA_RESPONSE_T
+              solve( splitEqs(1) )
+                case split_case_1
+                solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
+                                  pk(sk.1)>,
+                                 kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                       ) @ #vk.19 )
+                  case c_senc
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.28 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.41 )
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
+                                  pk(sk.1)>,
+                                 kdf(<'TENC', r1>, z))
+                       ) @ #vk.19 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~r2 ) @ #vk.29 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.31 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  qed
+                next
+                  case c_senc
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.28 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.41 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
+                    pkCe
+       ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case TA_COMPLETE_C_case_1
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           r2, skCe, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.39 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.41 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.42 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.44 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case split_case_2
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.39 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.41 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.42 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.44 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_2
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           r2, skCe, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.39 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.41 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.42 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.44 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case split_case_2
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.39 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.41 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.42 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.44 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
+                    pkCe
+       ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( TAResponseT( <$T.1, iid>, id_c,
+                          cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
+                          <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.29 )
+            case TA_RESPONSE_T
+            solve( !KU( ~ke ) @ #vk.30 )
+              case TA_RESPONSE_T
+              solve( splitEqs(1) )
+                case split_case_1
+                solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
+                                  pk(sk.1)>,
+                                 kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                       ) @ #vk.19 )
+                  case c_senc
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.28 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.41 )
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
+                                  pk(sk.1)>,
+                                 kdf(<'TENC', r1>, z))
+                       ) @ #vk.19 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~r2 ) @ #vk.29 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.31 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  qed
+                next
+                  case c_senc
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.28 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.41 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
+                    pkCe
+       ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_T
+      solve( TAResponseT( <$T.1, iid>, id_c,
+                          cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>,
+                          <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.29 )
+            case TA_RESPONSE_T
+            solve( !KU( ~ke ) @ #vk.30 )
+              case TA_RESPONSE_T
+              solve( splitEqs(1) )
+                case split_case_1
+                solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
+                                  pk(sk.1)>,
+                                 kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                       ) @ #vk.19 )
+                  case c_senc
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                         ) @ #vk.28 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.41 )
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
+                                  pk(sk.1)>,
+                                 kdf(<'TENC', r1>, z))
+                       ) @ #vk.19 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~r2 ) @ #vk.29 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.31 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  qed
+                next
+                  case c_senc
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                         ) @ #vk.28 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.41 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_1
+      by contradiction /* from formulas */
+    next
+      case TA_COMPLETE_C_case_2
+      by contradiction /* from formulas */
+    qed
+  qed
+qed
+
+lemma session_uniqueness:
+  all-traces
+  "∀ A B k sid sid2 role #i #j.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧
+     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
+    ((#i = #j) ∧ (sid = sid2))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ A B k sid sid2 role #i #j.
+  (Completed( k, sid, A, role, B ) @ #i) ∧
+  (Completed( k, sid2, A, role, B ) @ #j)
+ ∧
+  ((¬(#i = #j)) ∨ (¬(sid = sid2)))"
+*/
+simplify
+solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
+  case case_1
+  solve( (#i < #j)  ∥ (#j < #i) )
+    case case_1
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_T
+      solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
+                          pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                                 encaps(~ke, pkCe)>,
+                                <~k, ~ke>),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( TAResponseT( <$T, iid.1>, id_c.1,
+                                cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
+                                <~ke, encaps(~ke, pkCe)>, pkCe
+                   ) ▶₁ #j )
+              case TA_RESPONSE_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_1
+      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                   pk(~skCe), cipe>,
+                                  <z.1, z.2>),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C_case_1
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
+                                   kTMAC, kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            next
+              case TA_COMPLETE_C_case_2
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
+                                   kTMAC, kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_2
+      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                   pk(~skCe), cipe>,
+                                  <z.1, z.2>),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C_case_1
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
+                                   kTMAC, kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            next
+              case TA_COMPLETE_C_case_2
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
+                                   kTMAC, kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  next
+    case case_2
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_T
+      solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
+                          pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                                 encaps(~ke, pkCe)>,
+                                <~k, ~ke>),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( TAResponseT( <$T, iid.1>, id_c.1,
+                                cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
+                                <~ke, encaps(~ke, pkCe)>, pkCe
+                   ) ▶₁ #j )
+              case TA_RESPONSE_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_1
+      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                   pk(~skCe), cipe>,
+                                  <z.1, z.2>),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C_case_1
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
+                                   kTMAC, kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            next
+              case TA_COMPLETE_C_case_2
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
+                                   kTMAC, kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_2
+      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                   pk(~skCe), cipe>,
+                                  <z.1, z.2>),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C_case_1
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
+                                   kTMAC, kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            next
+              case TA_COMPLETE_C_case_2
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
+                                   kTMAC, kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case case_2
+  solve( Completed( k, sid, A, role, B ) @ #i )
+    case CA_FINISH_T
+    solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
+                        pkCe
+           ) ▶₁ #i )
+      case TA_RESPONSE_T
+      solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                               cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                               encaps(~ke, pkCe)>,
+                              <~k, ~ke>),
+                          sid2, $T, 'terminal', B
+               ) @ #j )
+          case CA_FINISH_T
+          by contradiction /* from formulas */
+        qed
+      qed
+    qed
+  next
+    case TA_COMPLETE_C_case_1
+    solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+           ) ▶₁ #i )
+      case TA_CHALLENGE_C
+      solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+        case Generate_chip_key_pair
+        solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                 pk(~skCe), cipe>,
+                                <z.1, z.2>),
+                            sid2, $C, 'chip', B
+                 ) @ #j )
+            case TA_COMPLETE_C_case_1
+            by contradiction /* from formulas */
+          next
+            case TA_COMPLETE_C_case_2
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  next
+    case TA_COMPLETE_C_case_2
+    solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+           ) ▶₁ #i )
+      case TA_CHALLENGE_C
+      solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+        case Generate_chip_key_pair
+        solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                 pk(~skCe), cipe>,
+                                <z.1, z.2>),
+                            sid2, $C, 'chip', B
+                 ) @ #j )
+            case TA_COMPLETE_C_case_1
+            by contradiction /* from formulas */
+          next
+            case TA_COMPLETE_C_case_2
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma consistency:
+  all-traces
+  "∀ C T k k2 sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
+    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k k2 sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k2, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C_case_1
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( k2,
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>,
+                              <ke, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( splitEqs(2) )
+                  case split_case_1
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.5 )
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.39 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.4 )
+                        case TA_RESPONSE_T
+                        solve( splitEqs(5) )
+                          case split_case_1
+                          solve( !KU( kdf(<'CNF', 
+                                           cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                           encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                          <~k, ~ke>)
+                                 ) @ #vk.23 )
+                            case c_kdf
+                            solve( !KU( ~k ) @ #vk.53 )
+                              case TA_RESPONSE_T
+                              solve( !KU( ~ke ) @ #vk.54 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case split_case_2
+                          solve( !KU( kdf(<'CNF', 
+                                           cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                           encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                          <~k, ~ke>)
+                                 ) @ #vk.23 )
+                            case c_kdf
+                            solve( !KU( ~k ) @ #vk.53 )
+                              case TA_RESPONSE_T
+                              solve( !KU( ~ke ) @ #vk.54 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.43 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.46 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                            <~k, ~ke>)
+                                   ) @ #vk.25 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.50 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ke ) @ #vk.51 )
+                                  case TA_RESPONSE_T
+                                  solve( !KU( ~ltk ) @ #vk.52 )
+                                    case Corrupt_ltk
+                                    by contradiction /* from formulas */
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case split_case_2
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.5 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.16 )
+                      case c_kdf
+                      solve( !KU( ~r2 ) @ #vk.39 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( ~k ) @ #vk.41 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ke ) @ #vk.42 )
+                            case TA_RESPONSE_T
+                            solve( !KU( ~ltk ) @ #vk.44 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.39 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.4 )
+                        case TA_RESPONSE_T
+                        solve( splitEqs(5) )
+                          case split_case_1
+                          solve( !KU( kdf(<'CNF', 
+                                           cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                           encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                          <~k, ~ke>)
+                                 ) @ #vk.23 )
+                            case c_kdf
+                            solve( !KU( ~k ) @ #vk.53 )
+                              case TA_RESPONSE_T
+                              solve( !KU( ~ke ) @ #vk.54 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case split_case_2
+                          solve( !KU( kdf(<'CNF', 
+                                           cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                           encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                          <~k, ~ke>)
+                                 ) @ #vk.23 )
+                            case c_kdf
+                            solve( !KU( ~k ) @ #vk.53 )
+                              case TA_RESPONSE_T
+                              solve( !KU( ~ke ) @ #vk.54 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.43 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.46 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                            <~k, ~ke>)
+                                   ) @ #vk.25 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.50 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ke ) @ #vk.51 )
+                                  case TA_RESPONSE_T
+                                  solve( !KU( ~ltk ) @ #vk.52 )
+                                    case Corrupt_ltk
+                                    by contradiction /* from formulas */
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case TA_COMPLETE_C_case_2
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( k2,
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>,
+                              <ke, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( splitEqs(2) )
+                  case split_case_1
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.5 )
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.39 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.4 )
+                        case TA_RESPONSE_T
+                        solve( splitEqs(5) )
+                          case split_case_1
+                          solve( !KU( kdf(<'CNF', 
+                                           cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                           encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                          <~k, ~ke>)
+                                 ) @ #vk.23 )
+                            case c_kdf
+                            solve( !KU( ~k ) @ #vk.53 )
+                              case TA_RESPONSE_T
+                              solve( !KU( ~ke ) @ #vk.54 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case split_case_2
+                          solve( !KU( kdf(<'CNF', 
+                                           cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                           encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                          <~k, ~ke>)
+                                 ) @ #vk.23 )
+                            case c_kdf
+                            solve( !KU( ~k ) @ #vk.53 )
+                              case TA_RESPONSE_T
+                              solve( !KU( ~ke ) @ #vk.54 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.43 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.46 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                            <~k, ~ke>)
+                                   ) @ #vk.25 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.50 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ke ) @ #vk.51 )
+                                  case TA_RESPONSE_T
+                                  solve( !KU( ~ltk ) @ #vk.52 )
+                                    case Corrupt_ltk
+                                    by contradiction /* from formulas */
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case split_case_2
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.5 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.16 )
+                      case c_kdf
+                      solve( !KU( ~r2 ) @ #vk.39 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( ~k ) @ #vk.41 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ke ) @ #vk.42 )
+                            case TA_RESPONSE_T
+                            solve( !KU( ~ltk ) @ #vk.44 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.39 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.4 )
+                        case TA_RESPONSE_T
+                        solve( splitEqs(5) )
+                          case split_case_1
+                          solve( !KU( kdf(<'CNF', 
+                                           cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                           encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                          <~k, ~ke>)
+                                 ) @ #vk.23 )
+                            case c_kdf
+                            solve( !KU( ~k ) @ #vk.53 )
+                              case TA_RESPONSE_T
+                              solve( !KU( ~ke ) @ #vk.54 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case split_case_2
+                          solve( !KU( kdf(<'CNF', 
+                                           cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                           encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                          <~k, ~ke>)
+                                 ) @ #vk.23 )
+                            case c_kdf
+                            solve( !KU( ~k ) @ #vk.53 )
+                              case TA_RESPONSE_T
+                              solve( !KU( ~ke ) @ #vk.54 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.43 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.46 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                            <~k, ~ke>)
+                                   ) @ #vk.25 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.50 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ke ) @ #vk.51 )
+                                  case TA_RESPONSE_T
+                                  solve( !KU( ~ltk ) @ #vk.52 )
+                                    case Corrupt_ltk
+                                    by contradiction /* from formulas */
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma key_secrecy:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
+    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+     (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C_case_1
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z.1, z.2>),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
+                              <z.2, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.40 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.42 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.43 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.45 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.40 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.42 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.43 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.45 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case TA_COMPLETE_C_case_2
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z.1, z.2>),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
+                              <z.2, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.40 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.42 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.43 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.45 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.40 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.42 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.43 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.45 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma chip_hiding:
+  all-traces
+  "∀ C T iid #i.
+    (CompletedTA( C, iid, T ) @ #i) ⇒
+    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T iid #i.
+  (CompletedTA( C, iid, T ) @ #i)
+ ∧
+  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
+*/
+simplify
+solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+       ) ▶₁ #i )
+  case TA_CHALLENGE_C
+  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+    case Generate_chip_key_pair
+    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+      case CA_Sign_ltk
+      solve( !KU( ~iid ) @ #vk.13 )
+        case TA_CHALLENGE_C
+        solve( !KU( mac(<'CA', cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                         pk(~skCe), cipe>,
+                        kdf(<'TMAC', ~r1>, ~kTA))
+               ) @ #vk.6 )
+          case TA_RESPONSE_T
+          solve( splitEqs(0) )
+            case split_case_1
+            solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.16 )
+              case c_kdf
+              solve( !KU( ~kTA ) @ #vk.29 )
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.31 )
+                  case Corrupt_ltk
+                  solve( !KU( encaps(~kTA, pk(~skT)) ) @ #vk.25 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( senc(<
+                                      cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, pk(~skCe)
+                                     >,
+                                     kdf(<'TENC', ~r1>, ~kTA))
+                           ) @ #vk.27 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~r1 ) @ #vk.25 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                               ) @ #vk.24 )
+                          case CA_Sign_ltk
+                          solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 )
+                            case TA_RESPONSE_T
+                            solve( splitEqs(2) )
+                              case split_case_1
+                              solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.37 )
+                                case TA_CHALLENGE_C
+                                solve( !KU( senc(<cert(z, sign(<z, x, 'chip'>, ca_sk), x), x.1>,
+                                                 kdf(<'TENC', ~r1>, ~kTA))
+                                       ) @ #vk.37 )
+                                  case c_senc
+                                  solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.39 )
+                                    case CA_Sign_ltk
+                                    solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.25 )
+                                      case TA_RESPONSE_T
+                                      solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.28 )
+                                        case TA_RESPONSE_T
+                                        SOLVED // trace found
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_terminal:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( C ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( T, 'chip' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( C, 'chip', T ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( C ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( T, 'chip' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( C, 'chip', T ) @ #i )
+  case Verify_Transcript_C
+  solve( !Ltk( C, skC, 'chip' ) ▶₂ #i )
+    case Generate_chip_key_pair
+    solve( !KU( cert(x, sign(<x, T, 'terminal'>, ca_sk), T) ) @ #vk.1 )
+      case CA_Sign_ltk
+      solve( !KU( senc(<cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z>,
+                       kdf(<'TENC', r1>, kTA))
+             ) @ #vk.11 )
+        case c_senc
+        solve( !KU( mac(<'CA', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                         cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, cip, pk(skCe), cipe>,
+                        kdf(<'TMAC', r1>, kTA))
+               ) @ #vk.15 )
+          case c_mac
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                           cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, cip, pk(skCe), cipe>,
+                          <z.1, z.2>)
+                 ) @ #vk.21 )
+            case c_kdf
+            solve( !KU( cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1) ) @ #vk.30 )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_3
+                solve( !KU( encaps(z.1, pk(~ltk.2)) ) @ #vk.23 )
+                  case c_encaps
+                  solve( !KU( decaps(cipe, skCe) ) @ #vk.39 )
+                    case c_decaps
+                    solve( !KU( kdf(<'TCNF', r1>, kTA) ) @ #vk.25 )
+                      case c_kdf
+                      solve( !KU( kdf(<'TENC', r1>, kTA) ) @ #vk.34 )
+                        case c_kdf
+                        solve( !KU( kdf(<'TMAC', r1>, kTA) ) @ #vk.37 )
+                          case c_kdf
+                          solve( !KU( pk(skCe) ) @ #vk.40 )
+                            case CA_Sign_ltk_case_1
+                            solve( !KU( ~ltk.3 ) @ #vk.38 )
+                              case Corrupt_ltk
+                              solve( !KU( pk(~ltk.2) ) @ #vk.43 )
+                                case CA_Sign_ltk
+                                SOLVED // trace found
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_chip:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( T ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( C, 'terminal' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( T, 'terminal', C ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( T ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( C, 'terminal' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( T, 'terminal', C ) @ #i )
+  case Verify_Transcript_T
+  solve( !Ltk( T, skT, 'terminal' ) ▶₂ #i )
+    case Generate_terminal_key_pair
+    solve( !KU( cert(x, sign(<x, $A, 'terminal'>, ca_sk), $A) ) @ #vk.1 )
+      case CA_Sign_ltk
+      solve( !KU( senc(<cert(x, sign(<x, C, 'chip'>, ca_sk), C), x.1>,
+                       kdf(<'TENC', r1>, z))
+             ) @ #vk.11 )
+        case c_senc
+        solve( !KU( mac(<'CA', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                         cert(x, sign(<x, C, 'chip'>, ca_sk), C), z.1, cip, z.2, cipe>,
+                        kdf(<'TMAC', r1>, z))
+               ) @ #vk.15 )
+          case c_mac
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                           cert(x, sign(<x, C, 'chip'>, ca_sk), C), z.1, cip, z.2, cipe>,
+                          <k, ke>)
+                 ) @ #vk.21 )
+            case c_kdf
+            solve( !KU( cert(x, sign(<x, C, 'chip'>, ca_sk), C) ) @ #vk.30 )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_4
+                solve( !KU( encaps(z, pk(~ltk.1)) ) @ #vk.21 )
+                  case c_encaps
+                  solve( !KU( kdf(<'TCNF', r1>, z) ) @ #vk.22 )
+                    case c_kdf
+                    solve( !KU( kdf(<'TENC', r1>, z) ) @ #vk.32 )
+                      case c_kdf
+                      solve( !KU( kdf(<'TMAC', r1>, z) ) @ #vk.35 )
+                        case c_kdf
+                        solve( !KU( pk(~ltk.1) ) @ #vk.42 )
+                          case CA_Sign_ltk
+                          SOLVED // trace found
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma pfs:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+       (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+      (¬(∃ #m. (Corrupted( C ) @ #m) ∧ (#m < #j)))) ∧
+     (¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j)))) ⇒
+    ((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C_case_1
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z.1, z.2>),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
+                              <z.2, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.40 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.42 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.43 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.45 )
+                          case Corrupt_ltk
+                          by solve( !KU( ~skCe ) @ #vk.46 )
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.40 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.42 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.43 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.45 )
+                          case Corrupt_ltk
+                          by solve( !KU( ~skCe ) @ #vk.46 )
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case TA_COMPLETE_C_case_2
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z.1, z.2>),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
+                              <z.2, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.40 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.42 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.43 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.45 )
+                          case Corrupt_ltk
+                          by solve( !KU( ~skCe ) @ #vk.46 )
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.40 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~k ) @ #vk.42 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.43 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.45 )
+                          case Corrupt_ltk
+                          by solve( !KU( ~skCe ) @ #vk.46 )
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+/* All wellformedness checks were successful. */
+
+/*
+Generated from:
+Tamarin version 1.8.0
+Maude version 3.3.1
+Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
+Compiled at: 2024-01-16 15:38:46.116852601 UTC
+*/
+
+end
+
+==============================================================================
+summary of summaries:
+
+analyzed: tmp.spthy
+
+  processing time: 1715.21s
+  
+  session_exist (exists-trace): verified (26 steps)
+  two_session_exist (exists-trace): verified (52 steps)
+  weak_agreement_C (all-traces): verified (12 steps)
+  weak_agreement_T (all-traces): verified (37 steps)
+  agreement_C (all-traces): verified (44 steps)
+  agreement_T (all-traces): verified (37 steps)
+  aliveness (all-traces): verified (39 steps)
+  session_uniqueness (all-traces): verified (64 steps)
+  consistency (all-traces): verified (116 steps)
+  key_secrecy (all-traces): verified (44 steps)
+  chip_hiding (all-traces): falsified - found trace (22 steps)
+  nonRepudiation_terminal (exists-trace): verified (18 steps)
+  nonRepudiation_chip (exists-trace): verified (15 steps)
+  pfs (all-traces): verified (44 steps)
+
+==============================================================================
diff --git a/results/45991739.err.PFS_ALL_FastSigPQEAC_TAMARIN b/results/45991739.err.PFS_ALL_FastSigPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..3b363a0b30e496b41053a8bd84ac85abf59b3883
--- /dev/null
+++ b/results/45991739.err.PFS_ALL_FastSigPQEAC_TAMARIN
@@ -0,0 +1,32 @@
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Open Chains] Too many chain goals, stopping precomputation. Open Chains limits (can be changed with -c=): 10
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 3/5
+[Open Chains] Too many chain goals, stopping precomputation. Open Chains limits (can be changed with -c=): 10
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 3/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+WARNING: you should run this program as super-user.
+WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
diff --git a/results/45991739.out.PFS_ALL_FastSigPQEAC_TAMARIN b/results/45991739.out.PFS_ALL_FastSigPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..03861b17a0c6103ef04bc68f59ee5a0901ff83c4
--- /dev/null
+++ b/results/45991739.out.PFS_ALL_FastSigPQEAC_TAMARIN
@@ -0,0 +1,5813 @@
+maude tool: 'maude'
+ checking version: 3.3.1. OK.
+ checking installation: OK.
+theory FastSigPQEAC begin
+
+// Function signature and definition of the equational theory E
+
+functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
+           cert_sig/1, decaps/2, encaps/2, fst/1, kdf/2, pair/2, pk/1, sign/2,
+           snd/1, true/0, verify/3
+equations:
+    cert_id(cert(pk, s, id)) = id,
+    cert_pk(cert(pk, s, id)) = pk,
+    cert_sig(cert(pk, s, id)) = s,
+    decaps(encaps(k, pk(sk)), sk) = k,
+    fst(<x.1, x.2>) = x.1,
+    snd(<x.1, x.2>) = x.2,
+    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
+
+
+
+
+
+
+
+macros:
+    verify_cert( cert,
+                 role ) = verify(cert_sig(cert),pair(cert_pk(cert),pair(cert_id(cert),role)),pk(ca_sk))
+
+rule (modulo E) Publish_ca_pk:
+   [ ] --> [ Out( pk(ca_sk) ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_chip_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [ !Pk( $A, pk(~ltk), 'chip' ), !Ltk( $A, ~ltk, 'chip' ), Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_terminal_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [
+   !Pk( $A, pk(~ltk), 'terminal' ), !Ltk( $A, ~ltk, 'terminal' ),
+   Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_Sign_ltk:
+   [ !Pk( A, pk, role ) ]
+  --[ RegisteredRole( A, role ) ]->
+   [
+   !Cert( A, cert(pk, sign(<pk, A, role>, ca_sk), A), role ),
+   Out( cert(pk, sign(<pk, A, role>, ca_sk), A) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Corrupt_ltk:
+   [ !Ltk( $A, ltk, role ) ] --[ Corrupted( $A ) ]-> [ Out( <ltk, role> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Reveal_session:
+   [ !SessionReveal( sid, k ) ] --[ Revealed( sid ) ]-> [ Out( k ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_INIT_T:
+   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+  --[ Started( ) ]->
+   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_CHALLENGE_C:
+   [
+   In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~skCe ),
+   Fr( ~r2 ), !Cert( $C, certC, 'chip' )
+   ]
+  --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
+   [
+   Out( <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'> ), Out( ~iid ),
+   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~skCe, ~r2 )
+   ]
+
+  /*
+  rule (modulo AC) TA_CHALLENGE_C:
+     [
+     In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~skCe ),
+     Fr( ~r2 ), !Cert( $C, certC, 'chip' )
+     ]
+    --[ Eq( z, true ), Started( ) ]->
+     [
+     Out( <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'> ), Out( ~iid ),
+     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~skCe, ~r2 )
+     ]
+    variants (modulo AC)
+    1. certT = certT.16
+       z     = verify(cert_sig(certT.16),
+                      <cert_pk(certT.16), cert_id(certT.16), 'terminal'>, pk(ca_sk))
+    
+    2. certT = cert(x.17, sign(<x.17, x.18, 'terminal'>, ca_sk), x.18)
+       z     = true
+    
+    3. certT = cert(x.18, x.19, x.20)
+       z     = verify(x.19, <x.18, x.20, 'terminal'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_RESPONSE_T:
+   [
+   In( <id_c, r1, certC, r2, pkCe, '2', 'c'> ), TAInitT( <$T, iid> ),
+   !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k ),
+   Fr( ~ke )
+   ]
+  --[ Eq( verify_cert(certC, 'chip'), true ) ]->
+   [
+   Out( <encaps(~k, cert_pk(certC)), encaps(~ke, pkCe), 
+         sign(<'TA', id_c, r1>, ~skT), 
+         sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC)), pkCe, 
+               encaps(~ke, pkCe)>,
+              ~skT), 
+         '3', 't'>
+   ),
+   CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))>,
+            <~ke, encaps(~ke, pkCe)>, pkCe
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_RESPONSE_T:
+     [
+     In( <id_c, r1, certC, r2, pkCe, '2', 'c'> ), TAInitT( <$T, iid> ),
+     !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k ),
+     Fr( ~ke )
+     ]
+    --[ Eq( z.1, true ) ]->
+     [
+     Out( <encaps(~k, z), encaps(~ke, pkCe), sign(<'TA', id_c, r1>, ~skT), 
+           sign(<'CA', certT, certC, r2, encaps(~k, z), pkCe, encaps(~ke, pkCe)>,
+                ~skT), 
+           '3', 't'>
+     ),
+     CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)>,
+              <~ke, encaps(~ke, pkCe)>, pkCe
+     )
+     ]
+    variants (modulo AC)
+    1. certC = certC.22
+       z     = cert_pk(certC.22)
+       z.1   = verify(cert_sig(certC.22),
+                      <cert_pk(certC.22), cert_id(certC.22), 'chip'>, pk(ca_sk))
+    
+    2. certC = cert(z.59, sign(<z.59, x.102, 'chip'>, ca_sk), x.102)
+       z     = z.59
+       z.1   = true
+    
+    3. certC = cert(z.60, x.103, x.104)
+       z     = z.60
+       z.1   = verify(x.103, <z.60, x.104, 'chip'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_COMPLETE_C:
+   [
+   In( <cip, cipe, s1, s2, '3', 't'> ),
+   TAChallengeC( <$C, iid>, certT, id_c, r1, skCe, r2 ),
+   !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+   ]
+  --[
+  Eq( verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true ),
+  Eq( verify(s2, <'CA', certT, certC, r2, cip, pk(skCe), cipe>,
+             cert_pk(certT)),
+      true
+  ),
+  CompletedTA( $C, iid, cert_id(certT) ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
+                 <decaps(cip, ~skC), decaps(cipe, skCe)>),
+             <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', cert_id(certT)
+  )
+  ]->
+   [
+   Out( <
+         kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>,
+             <decaps(cip, ~skC), decaps(cipe, skCe)>), 
+         '4', 'c'>
+   ),
+   TACompleteC( <$C, iid>, certT, id_c, r1, skCe, r2 )
+   ]
+
+  /*
+  rule (modulo AC) TA_COMPLETE_C:
+     [
+     In( <cip, cipe, s1, s2, '3', 't'> ),
+     TAChallengeC( <$C, iid>, certT, id_c, r1, skCe, r2 ),
+     !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+     ]
+    --[
+    Eq( z.2, true ), Eq( z.3, true ), CompletedTA( $C, iid, z.4 ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>),
+               <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.4
+    )
+    ]->
+     [
+     Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), 
+           '4', 'c'>
+     ),
+     TACompleteC( <$C, iid>, certT, id_c, r1, skCe, r2 )
+     ]
+    variants (modulo AC)
+     1. ~skC  = ~skC.37
+        certC = certC.38
+        certT = certT.39
+        cip   = cip.40
+        cipe  = cipe.41
+        id_c  = id_c.42
+        r1    = r1.44
+        r2    = r2.45
+        s1    = s1.46
+        s2    = s2.47
+        skCe  = skCe.48
+        z     = decaps(cip.40, ~skC.37)
+        z.1   = decaps(cipe.41, skCe.48)
+        z.2   = verify(s1.46, <'TA', id_c.42, r1.44>, cert_pk(certT.39))
+        z.3   = verify(s2.47,
+                       <'CA', certT.39, certC.38, r2.45, cip.40, pk(skCe.48), cipe.41>,
+                       cert_pk(certT.39))
+        z.4   = cert_id(certT.39)
+    
+     2. ~skC  = ~skC.42
+        certC = certC.43
+        certT = certT.44
+        cip   = encaps(z.58, pk(~skC.42))
+        cipe  = cipe.46
+        id_c  = id_c.47
+        r1    = r1.49
+        r2    = r2.50
+        s1    = s1.51
+        s2    = s2.52
+        skCe  = skCe.53
+        z     = z.58
+        z.1   = decaps(cipe.46, skCe.53)
+        z.2   = verify(s1.51, <'TA', id_c.47, r1.49>, cert_pk(certT.44))
+        z.3   = verify(s2.52,
+                       <'CA', certT.44, certC.43, r2.50, encaps(z.58, pk(~skC.42)), 
+                        pk(skCe.53), cipe.46>,
+                       cert_pk(certT.44))
+        z.4   = cert_id(certT.44)
+    
+     3. ~skC  = ~skC.43
+        certC = certC.44
+        certT = certT.45
+        cip   = cip.46
+        cipe  = encaps(z.60, pk(skCe.54))
+        id_c  = id_c.48
+        r1    = r1.50
+        r2    = r2.51
+        s1    = s1.52
+        s2    = s2.53
+        skCe  = skCe.54
+        z     = decaps(cip.46, ~skC.43)
+        z.1   = z.60
+        z.2   = verify(s1.52, <'TA', id_c.48, r1.50>, cert_pk(certT.45))
+        z.3   = verify(s2.53,
+                       <'CA', certT.45, certC.44, r2.51, cip.46, pk(skCe.54), 
+                        encaps(z.60, pk(skCe.54))>,
+                       cert_pk(certT.45))
+        z.4   = cert_id(certT.45)
+    
+     4. ~skC  = ~skC.43
+        certC = certC.44
+        certT = certT.45
+        cip   = encaps(z.59, pk(~skC.43))
+        cipe  = encaps(z.60, pk(skCe.54))
+        id_c  = id_c.48
+        r1    = r1.50
+        r2    = r2.51
+        s1    = s1.52
+        s2    = s2.53
+        skCe  = skCe.54
+        z     = z.59
+        z.1   = z.60
+        z.2   = verify(s1.52, <'TA', id_c.48, r1.50>, cert_pk(certT.45))
+        z.3   = verify(s2.53,
+                       <'CA', certT.45, certC.44, r2.51, encaps(z.59, pk(~skC.43)), 
+                        pk(skCe.54), encaps(z.60, pk(skCe.54))>,
+                       cert_pk(certT.45))
+        z.4   = cert_id(certT.45)
+    
+     5. ~skC  = ~skC.171
+        certC = certC.172
+        certT = cert(x.338, x.339, z.193)
+        cip   = cip.174
+        cipe  = cipe.175
+        id_c  = id_c.176
+        r1    = r1.178
+        r2    = r2.179
+        s1    = s1.180
+        s2    = s2.181
+        skCe  = skCe.182
+        z     = decaps(cip.174, ~skC.171)
+        z.1   = decaps(cipe.175, skCe.182)
+        z.2   = verify(s1.180, <'TA', id_c.176, r1.178>, x.338)
+        z.3   = verify(s2.181,
+                       <'CA', cert(x.338, x.339, z.193), certC.172, r2.179, cip.174, 
+                        pk(skCe.182), cipe.175>,
+                       x.338)
+        z.4   = z.193
+    
+     6. ~skC  = ~skC.171
+        certC = certC.172
+        certT = cert(x.338, x.339, z.193)
+        cip   = cip.174
+        cipe  = encaps(z.188, pk(skCe.182))
+        id_c  = id_c.176
+        r1    = r1.178
+        r2    = r2.179
+        s1    = s1.180
+        s2    = s2.181
+        skCe  = skCe.182
+        z     = decaps(cip.174, ~skC.171)
+        z.1   = z.188
+        z.2   = verify(s1.180, <'TA', id_c.176, r1.178>, x.338)
+        z.3   = verify(s2.181,
+                       <'CA', cert(x.338, x.339, z.193), certC.172, r2.179, cip.174, 
+                        pk(skCe.182), encaps(z.188, pk(skCe.182))>,
+                       x.338)
+        z.4   = z.193
+    
+     7. ~skC  = ~skC.171
+        certC = certC.172
+        certT = cert(pk(x.338), x.339, z.193)
+        cip   = cip.174
+        cipe  = cipe.175
+        id_c  = id_c.176
+        r1    = r1.178
+        r2    = r2.179
+        s1    = sign(<'TA', id_c.176, r1.178>, x.338)
+        s2    = s2.181
+        skCe  = skCe.182
+        z     = decaps(cip.174, ~skC.171)
+        z.1   = decaps(cipe.175, skCe.182)
+        z.2   = true
+        z.3   = verify(s2.181,
+                       <'CA', cert(pk(x.338), x.339, z.193), certC.172, r2.179, cip.174, 
+                        pk(skCe.182), cipe.175>,
+                       pk(x.338))
+        z.4   = z.193
+    
+     8. ~skC  = ~skC.171
+        certC = certC.172
+        certT = cert(pk(x.338), x.339, z.193)
+        cip   = cip.174
+        cipe  = encaps(z.188, pk(skCe.182))
+        id_c  = id_c.176
+        r1    = r1.178
+        r2    = r2.179
+        s1    = sign(<'TA', id_c.176, r1.178>, x.338)
+        s2    = s2.181
+        skCe  = skCe.182
+        z     = decaps(cip.174, ~skC.171)
+        z.1   = z.188
+        z.2   = true
+        z.3   = verify(s2.181,
+                       <'CA', cert(pk(x.338), x.339, z.193), certC.172, r2.179, cip.174, 
+                        pk(skCe.182), encaps(z.188, pk(skCe.182))>,
+                       pk(x.338))
+        z.4   = z.193
+    
+     9. ~skC  = ~skC.172
+        certC = certC.173
+        certT = cert(pk(x.340), x.341, z.194)
+        cip   = cip.175
+        cipe  = cipe.176
+        id_c  = id_c.177
+        r1    = r1.179
+        r2    = r2.180
+        s1    = s1.181
+        s2    = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, 
+                      cip.175, pk(skCe.183), cipe.176>,
+                     x.340)
+        skCe  = skCe.183
+        z     = decaps(cip.175, ~skC.172)
+        z.1   = decaps(cipe.176, skCe.183)
+        z.2   = verify(s1.181, <'TA', id_c.177, r1.179>, pk(x.340))
+        z.3   = true
+        z.4   = z.194
+    
+    10. ~skC  = ~skC.172
+        certC = certC.173
+        certT = cert(pk(x.340), x.341, z.194)
+        cip   = cip.175
+        cipe  = cipe.176
+        id_c  = id_c.177
+        r1    = r1.179
+        r2    = r2.180
+        s1    = sign(<'TA', id_c.177, r1.179>, x.340)
+        s2    = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, 
+                      cip.175, pk(skCe.183), cipe.176>,
+                     x.340)
+        skCe  = skCe.183
+        z     = decaps(cip.175, ~skC.172)
+        z.1   = decaps(cipe.176, skCe.183)
+        z.2   = true
+        z.3   = true
+        z.4   = z.194
+    
+    11. ~skC  = ~skC.172
+        certC = certC.173
+        certT = cert(pk(x.340), x.341, z.194)
+        cip   = cip.175
+        cipe  = encaps(z.189, pk(skCe.183))
+        id_c  = id_c.177
+        r1    = r1.179
+        r2    = r2.180
+        s1    = s1.181
+        s2    = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, 
+                      cip.175, pk(skCe.183), encaps(z.189, pk(skCe.183))>,
+                     x.340)
+        skCe  = skCe.183
+        z     = decaps(cip.175, ~skC.172)
+        z.1   = z.189
+        z.2   = verify(s1.181, <'TA', id_c.177, r1.179>, pk(x.340))
+        z.3   = true
+        z.4   = z.194
+    
+    12. ~skC  = ~skC.172
+        certC = certC.173
+        certT = cert(pk(x.340), x.341, z.194)
+        cip   = cip.175
+        cipe  = encaps(z.189, pk(skCe.183))
+        id_c  = id_c.177
+        r1    = r1.179
+        r2    = r2.180
+        s1    = sign(<'TA', id_c.177, r1.179>, x.340)
+        s2    = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, 
+                      cip.175, pk(skCe.183), encaps(z.189, pk(skCe.183))>,
+                     x.340)
+        skCe  = skCe.183
+        z     = decaps(cip.175, ~skC.172)
+        z.1   = z.189
+        z.2   = true
+        z.3   = true
+        z.4   = z.194
+    
+    13. ~skC  = ~skC.173
+        certC = certC.174
+        certT = cert(x.342, x.343, z.195)
+        cip   = encaps(z.189, pk(~skC.173))
+        cipe  = cipe.177
+        id_c  = id_c.178
+        r1    = r1.180
+        r2    = r2.181
+        s1    = s1.182
+        s2    = s2.183
+        skCe  = skCe.184
+        z     = z.189
+        z.1   = decaps(cipe.177, skCe.184)
+        z.2   = verify(s1.182, <'TA', id_c.178, r1.180>, x.342)
+        z.3   = verify(s2.183,
+                       <'CA', cert(x.342, x.343, z.195), certC.174, r2.181, 
+                        encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>,
+                       x.342)
+        z.4   = z.195
+    
+    14. ~skC  = ~skC.173
+        certC = certC.174
+        certT = cert(x.342, x.343, z.195)
+        cip   = encaps(z.189, pk(~skC.173))
+        cipe  = encaps(z.190, pk(skCe.184))
+        id_c  = id_c.178
+        r1    = r1.180
+        r2    = r2.181
+        s1    = s1.182
+        s2    = s2.183
+        skCe  = skCe.184
+        z     = z.189
+        z.1   = z.190
+        z.2   = verify(s1.182, <'TA', id_c.178, r1.180>, x.342)
+        z.3   = verify(s2.183,
+                       <'CA', cert(x.342, x.343, z.195), certC.174, r2.181, 
+                        encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>,
+                       x.342)
+        z.4   = z.195
+    
+    15. ~skC  = ~skC.173
+        certC = certC.174
+        certT = cert(pk(x.342), x.343, z.195)
+        cip   = encaps(z.189, pk(~skC.173))
+        cipe  = cipe.177
+        id_c  = id_c.178
+        r1    = r1.180
+        r2    = r2.181
+        s1    = s1.182
+        s2    = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
+                      encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>,
+                     x.342)
+        skCe  = skCe.184
+        z     = z.189
+        z.1   = decaps(cipe.177, skCe.184)
+        z.2   = verify(s1.182, <'TA', id_c.178, r1.180>, pk(x.342))
+        z.3   = true
+        z.4   = z.195
+    
+    16. ~skC  = ~skC.173
+        certC = certC.174
+        certT = cert(pk(x.342), x.343, z.195)
+        cip   = encaps(z.189, pk(~skC.173))
+        cipe  = cipe.177
+        id_c  = id_c.178
+        r1    = r1.180
+        r2    = r2.181
+        s1    = sign(<'TA', id_c.178, r1.180>, x.342)
+        s2    = s2.183
+        skCe  = skCe.184
+        z     = z.189
+        z.1   = decaps(cipe.177, skCe.184)
+        z.2   = true
+        z.3   = verify(s2.183,
+                       <'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
+                        encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>,
+                       pk(x.342))
+        z.4   = z.195
+    
+    17. ~skC  = ~skC.173
+        certC = certC.174
+        certT = cert(pk(x.342), x.343, z.195)
+        cip   = encaps(z.189, pk(~skC.173))
+        cipe  = cipe.177
+        id_c  = id_c.178
+        r1    = r1.180
+        r2    = r2.181
+        s1    = sign(<'TA', id_c.178, r1.180>, x.342)
+        s2    = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
+                      encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>,
+                     x.342)
+        skCe  = skCe.184
+        z     = z.189
+        z.1   = decaps(cipe.177, skCe.184)
+        z.2   = true
+        z.3   = true
+        z.4   = z.195
+    
+    18. ~skC  = ~skC.173
+        certC = certC.174
+        certT = cert(pk(x.342), x.343, z.195)
+        cip   = encaps(z.189, pk(~skC.173))
+        cipe  = encaps(z.190, pk(skCe.184))
+        id_c  = id_c.178
+        r1    = r1.180
+        r2    = r2.181
+        s1    = s1.182
+        s2    = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
+                      encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>,
+                     x.342)
+        skCe  = skCe.184
+        z     = z.189
+        z.1   = z.190
+        z.2   = verify(s1.182, <'TA', id_c.178, r1.180>, pk(x.342))
+        z.3   = true
+        z.4   = z.195
+    
+    19. ~skC  = ~skC.173
+        certC = certC.174
+        certT = cert(pk(x.342), x.343, z.195)
+        cip   = encaps(z.189, pk(~skC.173))
+        cipe  = encaps(z.190, pk(skCe.184))
+        id_c  = id_c.178
+        r1    = r1.180
+        r2    = r2.181
+        s1    = sign(<'TA', id_c.178, r1.180>, x.342)
+        s2    = s2.183
+        skCe  = skCe.184
+        z     = z.189
+        z.1   = z.190
+        z.2   = true
+        z.3   = verify(s2.183,
+                       <'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
+                        encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>,
+                       pk(x.342))
+        z.4   = z.195
+    
+    20. ~skC  = ~skC.173
+        certC = certC.174
+        certT = cert(pk(x.342), x.343, z.195)
+        cip   = encaps(z.189, pk(~skC.173))
+        cipe  = encaps(z.190, pk(skCe.184))
+        id_c  = id_c.178
+        r1    = r1.180
+        r2    = r2.181
+        s1    = sign(<'TA', id_c.178, r1.180>, x.342)
+        s2    = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
+                      encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>,
+                     x.342)
+        skCe  = skCe.184
+        z     = z.189
+        z.1   = z.190
+        z.2   = true
+        z.3   = true
+        z.4   = z.195
+  */
+
+rule (modulo E) CA_FINISH_T:
+   [
+   In( <kCNF_C, '4', 'c'> ),
+   CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+   !Cert( $T, certT, 'terminal' )
+   ]
+  --[
+  Eq( kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>), kCNF_C ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>),
+             <certT, certC, r2, cip, pkCe, cipe>, $T, 'terminal', cert_id(certC)
+  ),
+  Finished( <certT, certC, r2, cip, pkCe, cipe> )
+  ]->
+   [
+   CAFinishT( cert_id(certC), $T,
+              kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+   ),
+   !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
+                   kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_T:
+     [
+     In( <kCNF_C, '4', 'c'> ),
+     CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+     !Cert( $T, certT, 'terminal' )
+     ]
+    --[
+    Eq( kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>), kCNF_C ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>),
+               <certT, certC, r2, cip, pkCe, cipe>, $T, 'terminal', z
+    ),
+    Finished( <certT, certC, r2, cip, pkCe, cipe> )
+    ]->
+     [
+     CAFinishT( z, $T,
+                kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+     ),
+     !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
+                     kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
+     )
+     ]
+    variants (modulo AC)
+    1. certC = certC.18
+       z     = cert_id(certC.18)
+    
+    2. certC = cert(x.44, x.45, z.31)
+       z     = z.31
+  */
+
+rule (modulo E) Verify_Transcript_C:
+   [
+   In( <certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF> ),
+   In( skCe ), !Ltk( C, skC, 'chip' )
+   ]
+  --[
+  Eq( C, cert_id(certC) ), Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( verify_cert(certC, 'chip'), true ),
+  Eq( verify(sT, <'TA', IDc, r1>, cert_pk(certT)), true ),
+  Eq( verify(sC, <'CA', certT, certC, r2, cip, pkCe, cipe>,
+             cert_pk(certT)),
+      true
+  ),
+  Eq( kCNF,
+      kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>,
+          <decaps(cip, skC), decaps(cipe, skCe)>)
+  ),
+  ValidTrans( C, 'chip', cert_id(certT) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_C:
+     [
+     In( <certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF> ),
+     In( skCe ), !Ltk( C, skC, 'chip' )
+     ]
+    --[
+    Eq( C, z ), Eq( z.1, true ), Eq( z.2, true ), Eq( z.3, true ),
+    Eq( z.4, true ),
+    Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <z.5, z.6>) ),
+    ValidTrans( C, 'chip', z.7 )
+    ]->
+     [ ]
+    variants (modulo AC)
+      1. IDc   = IDc.38
+         certC = certC.39
+         certT = certT.40
+         cip   = cip.41
+         cipe  = cipe.42
+         pkCe  = pkCe.44
+         r1    = r1.45
+         r2    = r2.46
+         sC    = sC.47
+         sT    = sT.48
+         skC   = skC.49
+         skCe  = skCe.50
+         z     = cert_id(certC.39)
+         z.1   = verify(cert_sig(certT.40),
+                        <cert_pk(certT.40), cert_id(certT.40), 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.39),
+                        <cert_pk(certC.39), cert_id(certC.39), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.48, <'TA', IDc.38, r1.45>, cert_pk(certT.40))
+         z.4   = verify(sC.47,
+                        <'CA', certT.40, certC.39, r2.46, cip.41, pkCe.44, cipe.42>,
+                        cert_pk(certT.40))
+         z.5   = decaps(cip.41, skC.49)
+         z.6   = decaps(cipe.42, skCe.50)
+         z.7   = cert_id(certT.40)
+    
+      2. IDc   = IDc.46
+         certC = certC.47
+         certT = certT.48
+         cip   = encaps(z.66, pk(skC.57))
+         cipe  = cipe.50
+         pkCe  = pkCe.52
+         r1    = r1.53
+         r2    = r2.54
+         sC    = sC.55
+         sT    = sT.56
+         skC   = skC.57
+         skCe  = skCe.58
+         z     = cert_id(certC.47)
+         z.1   = verify(cert_sig(certT.48),
+                        <cert_pk(certT.48), cert_id(certT.48), 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.47),
+                        <cert_pk(certC.47), cert_id(certC.47), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.56, <'TA', IDc.46, r1.53>, cert_pk(certT.48))
+         z.4   = verify(sC.55,
+                        <'CA', certT.48, certC.47, r2.54, encaps(z.66, pk(skC.57)), pkCe.52, 
+                         cipe.50>,
+                        cert_pk(certT.48))
+         z.5   = z.66
+         z.6   = decaps(cipe.50, skCe.58)
+         z.7   = cert_id(certT.48)
+    
+      3. IDc   = IDc.47
+         certC = certC.48
+         certT = certT.49
+         cip   = cip.50
+         cipe  = encaps(z.68, pk(skCe.59))
+         pkCe  = pkCe.53
+         r1    = r1.54
+         r2    = r2.55
+         sC    = sC.56
+         sT    = sT.57
+         skC   = skC.58
+         skCe  = skCe.59
+         z     = cert_id(certC.48)
+         z.1   = verify(cert_sig(certT.49),
+                        <cert_pk(certT.49), cert_id(certT.49), 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.48),
+                        <cert_pk(certC.48), cert_id(certC.48), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.57, <'TA', IDc.47, r1.54>, cert_pk(certT.49))
+         z.4   = verify(sC.56,
+                        <'CA', certT.49, certC.48, r2.55, cip.50, pkCe.53, 
+                         encaps(z.68, pk(skCe.59))>,
+                        cert_pk(certT.49))
+         z.5   = decaps(cip.50, skC.58)
+         z.6   = z.68
+         z.7   = cert_id(certT.49)
+    
+      4. IDc   = IDc.47
+         certC = certC.48
+         certT = certT.49
+         cip   = encaps(z.67, pk(skC.58))
+         cipe  = encaps(z.68, pk(skCe.59))
+         pkCe  = pkCe.53
+         r1    = r1.54
+         r2    = r2.55
+         sC    = sC.56
+         sT    = sT.57
+         skC   = skC.58
+         skCe  = skCe.59
+         z     = cert_id(certC.48)
+         z.1   = verify(cert_sig(certT.49),
+                        <cert_pk(certT.49), cert_id(certT.49), 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.48),
+                        <cert_pk(certC.48), cert_id(certC.48), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.57, <'TA', IDc.47, r1.54>, cert_pk(certT.49))
+         z.4   = verify(sC.56,
+                        <'CA', certT.49, certC.48, r2.55, encaps(z.67, pk(skC.58)), pkCe.53, 
+                         encaps(z.68, pk(skCe.59))>,
+                        cert_pk(certT.49))
+         z.5   = z.67
+         z.6   = z.68
+         z.7   = cert_id(certT.49)
+    
+      5. IDc   = IDc.49
+         certC = certC.50
+         certT = cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71)
+         cip   = cip.52
+         cipe  = cipe.53
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = cert_id(certC.50)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.50),
+                        <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, x.95)
+         z.4   = verify(sC.58,
+                        <'CA', cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71), 
+                         certC.50, r2.57, cip.52, pkCe.55, cipe.53>,
+                        x.95)
+         z.5   = decaps(cip.52, skC.60)
+         z.6   = decaps(cipe.53, skCe.61)
+         z.7   = z.71
+    
+      6. IDc   = IDc.49
+         certC = certC.50
+         certT = cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71)
+         cip   = cip.52
+         cipe  = encaps(z.70, pk(skCe.61))
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = cert_id(certC.50)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.50),
+                        <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, x.95)
+         z.4   = verify(sC.58,
+                        <'CA', cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71), 
+                         certC.50, r2.57, cip.52, pkCe.55, encaps(z.70, pk(skCe.61))>,
+                        x.95)
+         z.5   = decaps(cip.52, skC.60)
+         z.6   = z.70
+         z.7   = z.71
+    
+      7. IDc   = IDc.49
+         certC = certC.50
+         certT = cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71)
+         cip   = encaps(z.69, pk(skC.60))
+         cipe  = cipe.53
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = cert_id(certC.50)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.50),
+                        <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, x.95)
+         z.4   = verify(sC.58,
+                        <'CA', cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71), 
+                         certC.50, r2.57, encaps(z.69, pk(skC.60)), pkCe.55, cipe.53>,
+                        x.95)
+         z.5   = z.69
+         z.6   = decaps(cipe.53, skCe.61)
+         z.7   = z.71
+    
+      8. IDc   = IDc.49
+         certC = certC.50
+         certT = cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71)
+         cip   = encaps(z.69, pk(skC.60))
+         cipe  = encaps(z.70, pk(skCe.61))
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = cert_id(certC.50)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.50),
+                        <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, x.95)
+         z.4   = verify(sC.58,
+                        <'CA', cert(x.95, sign(<x.95, z.71, 'terminal'>, ca_sk), z.71), 
+                         certC.50, r2.57, encaps(z.69, pk(skC.60)), pkCe.55, 
+                         encaps(z.70, pk(skCe.61))>,
+                        x.95)
+         z.5   = z.69
+         z.6   = z.70
+         z.7   = z.71
+    
+      9. IDc   = IDc.49
+         certC = cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63)
+         certT = certT.51
+         cip   = cip.52
+         cipe  = cipe.53
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = z.63
+         z.1   = verify(cert_sig(certT.51),
+                        <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, cert_pk(certT.51))
+         z.4   = verify(sC.58,
+                        <'CA', certT.51, cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63), 
+                         r2.57, cip.52, pkCe.55, cipe.53>,
+                        cert_pk(certT.51))
+         z.5   = decaps(cip.52, skC.60)
+         z.6   = decaps(cipe.53, skCe.61)
+         z.7   = cert_id(certT.51)
+    
+     10. IDc   = IDc.49
+         certC = cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63)
+         certT = certT.51
+         cip   = cip.52
+         cipe  = encaps(z.70, pk(skCe.61))
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = z.63
+         z.1   = verify(cert_sig(certT.51),
+                        <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, cert_pk(certT.51))
+         z.4   = verify(sC.58,
+                        <'CA', certT.51, cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63), 
+                         r2.57, cip.52, pkCe.55, encaps(z.70, pk(skCe.61))>,
+                        cert_pk(certT.51))
+         z.5   = decaps(cip.52, skC.60)
+         z.6   = z.70
+         z.7   = cert_id(certT.51)
+    
+     11. IDc   = IDc.49
+         certC = cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63)
+         certT = certT.51
+         cip   = encaps(z.69, pk(skC.60))
+         cipe  = cipe.53
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = z.63
+         z.1   = verify(cert_sig(certT.51),
+                        <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, cert_pk(certT.51))
+         z.4   = verify(sC.58,
+                        <'CA', certT.51, cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63), 
+                         r2.57, encaps(z.69, pk(skC.60)), pkCe.55, cipe.53>,
+                        cert_pk(certT.51))
+         z.5   = z.69
+         z.6   = decaps(cipe.53, skCe.61)
+         z.7   = cert_id(certT.51)
+    
+     12. IDc   = IDc.49
+         certC = cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63)
+         certT = certT.51
+         cip   = encaps(z.69, pk(skC.60))
+         cipe  = encaps(z.70, pk(skCe.61))
+         pkCe  = pkCe.55
+         r1    = r1.56
+         r2    = r2.57
+         sC    = sC.58
+         sT    = sT.59
+         skC   = skC.60
+         skCe  = skCe.61
+         z     = z.63
+         z.1   = verify(cert_sig(certT.51),
+                        <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.59, <'TA', IDc.49, r1.56>, cert_pk(certT.51))
+         z.4   = verify(sC.58,
+                        <'CA', certT.51, cert(x.95, sign(<x.95, z.63, 'chip'>, ca_sk), z.63), 
+                         r2.57, encaps(z.69, pk(skC.60)), pkCe.55, encaps(z.70, pk(skCe.61))>,
+                        cert_pk(certT.51))
+         z.5   = z.69
+         z.6   = z.70
+         z.7   = cert_id(certT.51)
+    
+     13. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(x.96, x.97, z.72)
+         cip   = cip.53
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = verify(x.97, <x.96, z.72, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, x.96)
+         z.4   = verify(sC.59,
+                        <'CA', cert(x.96, x.97, z.72), certC.51, r2.58, cip.53, pkCe.56, cipe.54
+                        >,
+                        x.96)
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = z.72
+    
+     14. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(x.96, x.97, z.72)
+         cip   = cip.53
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = verify(x.97, <x.96, z.72, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, x.96)
+         z.4   = verify(sC.59,
+                        <'CA', cert(x.96, x.97, z.72), certC.51, r2.58, cip.53, pkCe.56, 
+                         encaps(z.71, pk(skCe.62))>,
+                        x.96)
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = z.71
+         z.7   = z.72
+    
+     15. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(x.96, x.97, z.72)
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = verify(x.97, <x.96, z.72, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, x.96)
+         z.4   = verify(sC.59,
+                        <'CA', cert(x.96, x.97, z.72), certC.51, r2.58, 
+                         encaps(z.70, pk(skC.61)), pkCe.56, cipe.54>,
+                        x.96)
+         z.5   = z.70
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = z.72
+    
+     16. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(x.96, x.97, z.72)
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = verify(x.97, <x.96, z.72, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, x.96)
+         z.4   = verify(sC.59,
+                        <'CA', cert(x.96, x.97, z.72), certC.51, r2.58, 
+                         encaps(z.70, pk(skC.61)), pkCe.56, encaps(z.71, pk(skCe.62))>,
+                        x.96)
+         z.5   = z.70
+         z.6   = z.71
+         z.7   = z.72
+    
+     17. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72)
+         cip   = cip.53
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sign(<'CA', 
+                       cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72), 
+                       certC.51, r2.58, cip.53, pkCe.56, cipe.54>,
+                      x.97)
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, pk(x.97))
+         z.4   = true
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = z.72
+    
+     18. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72)
+         cip   = cip.53
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sign(<'CA', 
+                       cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72), 
+                       certC.51, r2.58, cip.53, pkCe.56, encaps(z.71, pk(skCe.62))>,
+                      x.97)
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, pk(x.97))
+         z.4   = true
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = z.71
+         z.7   = z.72
+    
+     19. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72)
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sign(<'CA', 
+                       cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72), 
+                       certC.51, r2.58, encaps(z.70, pk(skC.61)), pkCe.56, cipe.54>,
+                      x.97)
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, pk(x.97))
+         z.4   = true
+         z.5   = z.70
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = z.72
+    
+     20. IDc   = IDc.50
+         certC = certC.51
+         certT = cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72)
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sign(<'CA', 
+                       cert(pk(x.97), sign(<pk(x.97), z.72, 'terminal'>, ca_sk), z.72), 
+                       certC.51, r2.58, encaps(z.70, pk(skC.61)), pkCe.56, 
+                       encaps(z.71, pk(skCe.62))>,
+                      x.97)
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = cert_id(certC.51)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.51),
+                        <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, pk(x.97))
+         z.4   = true
+         z.5   = z.70
+         z.6   = z.71
+         z.7   = z.72
+    
+     21. IDc   = IDc.50
+         certC = cert(x.96, x.97, z.64)
+         certT = certT.52
+         cip   = cip.53
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = z.64
+         z.1   = verify(cert_sig(certT.52),
+                        <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.97, <x.96, z.64, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, cert_pk(certT.52))
+         z.4   = verify(sC.59,
+                        <'CA', certT.52, cert(x.96, x.97, z.64), r2.58, cip.53, pkCe.56, cipe.54
+                        >,
+                        cert_pk(certT.52))
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = cert_id(certT.52)
+    
+     22. IDc   = IDc.50
+         certC = cert(x.96, x.97, z.64)
+         certT = certT.52
+         cip   = cip.53
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = z.64
+         z.1   = verify(cert_sig(certT.52),
+                        <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.97, <x.96, z.64, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, cert_pk(certT.52))
+         z.4   = verify(sC.59,
+                        <'CA', certT.52, cert(x.96, x.97, z.64), r2.58, cip.53, pkCe.56, 
+                         encaps(z.71, pk(skCe.62))>,
+                        cert_pk(certT.52))
+         z.5   = decaps(cip.53, skC.61)
+         z.6   = z.71
+         z.7   = cert_id(certT.52)
+    
+     23. IDc   = IDc.50
+         certC = cert(x.96, x.97, z.64)
+         certT = certT.52
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = cipe.54
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = z.64
+         z.1   = verify(cert_sig(certT.52),
+                        <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.97, <x.96, z.64, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, cert_pk(certT.52))
+         z.4   = verify(sC.59,
+                        <'CA', certT.52, cert(x.96, x.97, z.64), r2.58, 
+                         encaps(z.70, pk(skC.61)), pkCe.56, cipe.54>,
+                        cert_pk(certT.52))
+         z.5   = z.70
+         z.6   = decaps(cipe.54, skCe.62)
+         z.7   = cert_id(certT.52)
+    
+     24. IDc   = IDc.50
+         certC = cert(x.96, x.97, z.64)
+         certT = certT.52
+         cip   = encaps(z.70, pk(skC.61))
+         cipe  = encaps(z.71, pk(skCe.62))
+         pkCe  = pkCe.56
+         r1    = r1.57
+         r2    = r2.58
+         sC    = sC.59
+         sT    = sT.60
+         skC   = skC.61
+         skCe  = skCe.62
+         z     = z.64
+         z.1   = verify(cert_sig(certT.52),
+                        <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.97, <x.96, z.64, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.60, <'TA', IDc.50, r1.57>, cert_pk(certT.52))
+         z.4   = verify(sC.59,
+                        <'CA', certT.52, cert(x.96, x.97, z.64), r2.58, 
+                         encaps(z.70, pk(skC.61)), pkCe.56, encaps(z.71, pk(skCe.62))>,
+                        cert_pk(certT.52))
+         z.5   = z.70
+         z.6   = z.71
+         z.7   = cert_id(certT.52)
+    
+     25. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.98), x.99, z.73)
+         cip   = cip.54
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', cert(pk(x.98), x.99, z.73), certC.52, r2.59, cip.54, 
+                       pkCe.57, cipe.55>,
+                      x.98)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = verify(x.99, <pk(x.98), z.73, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.98))
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     26. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.98), x.99, z.73)
+         cip   = cip.54
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', cert(pk(x.98), x.99, z.73), certC.52, r2.59, cip.54, 
+                       pkCe.57, encaps(z.72, pk(skCe.63))>,
+                      x.98)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = verify(x.99, <pk(x.98), z.73, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.98))
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = z.72
+         z.7   = z.73
+    
+     27. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.98), x.99, z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', cert(pk(x.98), x.99, z.73), certC.52, r2.59, 
+                       encaps(z.71, pk(skC.62)), pkCe.57, cipe.55>,
+                      x.98)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = verify(x.99, <pk(x.98), z.73, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.98))
+         z.4   = true
+         z.5   = z.71
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     28. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.98), x.99, z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', cert(pk(x.98), x.99, z.73), certC.52, r2.59, 
+                       encaps(z.71, pk(skC.62)), pkCe.57, encaps(z.72, pk(skCe.63))>,
+                      x.98)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = verify(x.99, <pk(x.98), z.73, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.98))
+         z.4   = true
+         z.5   = z.71
+         z.6   = z.72
+         z.7   = z.73
+    
+     29. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.60,
+                        <'CA', cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                         certC.52, r2.59, cip.54, pkCe.57, cipe.55>,
+                        pk(x.99))
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     30. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       certC.52, r2.59, cip.54, pkCe.57, cipe.55>,
+                      x.99)
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     31. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.60,
+                        <'CA', cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                         certC.52, r2.59, cip.54, pkCe.57, encaps(z.72, pk(skCe.63))>,
+                        pk(x.99))
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = z.72
+         z.7   = z.73
+    
+     32. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       certC.52, r2.59, cip.54, pkCe.57, encaps(z.72, pk(skCe.63))>,
+                      x.99)
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = z.72
+         z.7   = z.73
+    
+     33. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.60,
+                        <'CA', cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                         certC.52, r2.59, encaps(z.71, pk(skC.62)), pkCe.57, cipe.55>,
+                        pk(x.99))
+         z.5   = z.71
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     34. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       certC.52, r2.59, encaps(z.71, pk(skC.62)), pkCe.57, cipe.55>,
+                      x.99)
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.71
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     35. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.60,
+                        <'CA', cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                         certC.52, r2.59, encaps(z.71, pk(skC.62)), pkCe.57, 
+                         encaps(z.72, pk(skCe.63))>,
+                        pk(x.99))
+         z.5   = z.71
+         z.6   = z.72
+         z.7   = z.73
+    
+     36. IDc   = IDc.51
+         certC = certC.52
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       certC.52, r2.59, encaps(z.71, pk(skC.62)), pkCe.57, 
+                       encaps(z.72, pk(skCe.63))>,
+                      x.99)
+         sT    = sign(<'TA', IDc.51, r1.58>, x.99)
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = cert_id(certC.52)
+         z.1   = true
+         z.2   = verify(cert_sig(certC.52),
+                        <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.71
+         z.6   = z.72
+         z.7   = z.73
+    
+     37. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, x.99)
+         z.4   = verify(sC.60,
+                        <'CA', cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73), 
+                         cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, cip.54, 
+                         pkCe.57, cipe.55>,
+                        x.99)
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     38. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, x.99)
+         z.4   = verify(sC.60,
+                        <'CA', cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73), 
+                         cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, cip.54, 
+                         pkCe.57, encaps(z.72, pk(skCe.63))>,
+                        x.99)
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = z.72
+         z.7   = z.73
+    
+     39. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, x.99)
+         z.4   = verify(sC.60,
+                        <'CA', cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73), 
+                         cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, 
+                         encaps(z.71, pk(skC.62)), pkCe.57, cipe.55>,
+                        x.99)
+         z.5   = z.71
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     40. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sC.60
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, x.99)
+         z.4   = verify(sC.60,
+                        <'CA', cert(x.99, sign(<x.99, z.73, 'terminal'>, ca_sk), z.73), 
+                         cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, 
+                         encaps(z.71, pk(skC.62)), pkCe.57, encaps(z.72, pk(skCe.63))>,
+                        x.99)
+         z.5   = z.71
+         z.6   = z.72
+         z.7   = z.73
+    
+     41. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, cip.54, 
+                       pkCe.57, cipe.55>,
+                      x.99)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.99))
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     42. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = cip.54
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, cip.54, 
+                       pkCe.57, encaps(z.72, pk(skCe.63))>,
+                      x.99)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.99))
+         z.4   = true
+         z.5   = decaps(cip.54, skC.62)
+         z.6   = z.72
+         z.7   = z.73
+    
+     43. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = cipe.55
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, 
+                       encaps(z.71, pk(skC.62)), pkCe.57, cipe.55>,
+                      x.99)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.99))
+         z.4   = true
+         z.5   = z.71
+         z.6   = decaps(cipe.55, skCe.63)
+         z.7   = z.73
+    
+     44. IDc   = IDc.51
+         certC = cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65)
+         certT = cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73)
+         cip   = encaps(z.71, pk(skC.62))
+         cipe  = encaps(z.72, pk(skCe.63))
+         pkCe  = pkCe.57
+         r1    = r1.58
+         r2    = r2.59
+         sC    = sign(<'CA', 
+                       cert(pk(x.99), sign(<pk(x.99), z.73, 'terminal'>, ca_sk), z.73), 
+                       cert(x.97, sign(<x.97, z.65, 'chip'>, ca_sk), z.65), r2.59, 
+                       encaps(z.71, pk(skC.62)), pkCe.57, encaps(z.72, pk(skCe.63))>,
+                      x.99)
+         sT    = sT.61
+         skC   = skC.62
+         skCe  = skCe.63
+         z     = z.65
+         z.1   = true
+         z.2   = true
+         z.3   = verify(sT.61, <'TA', IDc.51, r1.58>, pk(x.99))
+         z.4   = true
+         z.5   = z.71
+         z.6   = z.72
+         z.7   = z.73
+    
+     45. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, cip.55, pkCe.58, 
+                         cipe.56>,
+                        pk(x.100))
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     46. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                       cip.55, pkCe.58, cipe.56>,
+                      x.100)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     47. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, cip.55, pkCe.58, 
+                         encaps(z.73, pk(skCe.64))>,
+                        pk(x.100))
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     48. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                       cip.55, pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.100)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     49. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                        pk(x.100))
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     50. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                      x.100)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     51. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                        pk(x.100))
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     52. IDc   = IDc.52
+         certC = certC.53
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), certC.53, r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.100)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.100)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = cert_id(certC.53)
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = verify(cert_sig(certC.53),
+                        <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     53. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.101)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.98, x.99, z.66), r2.60, cip.55, pkCe.58, cipe.56>,
+                        x.101)
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     54. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.101)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.98, x.99, z.66), r2.60, cip.55, pkCe.58, encaps(z.73, pk(skCe.64))
+                        >,
+                        x.101)
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     55. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.101)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.98, x.99, z.66), r2.60, encaps(z.72, pk(skC.63)), pkCe.58, cipe.56
+                        >,
+                        x.101)
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     56. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.101)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.101, sign(<x.101, z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.98, x.99, z.66), r2.60, encaps(z.72, pk(skC.63)), pkCe.58, 
+                         encaps(z.73, pk(skCe.64))>,
+                        x.101)
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     57. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.98, x.99, z.66), r2.60, cip.55, pkCe.58, cipe.56>,
+                      x.101)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.101))
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     58. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.98, x.99, z.66), r2.60, cip.55, pkCe.58, encaps(z.73, pk(skCe.64))
+                      >,
+                      x.101)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.101))
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     59. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.98, x.99, z.66), r2.60, encaps(z.72, pk(skC.63)), pkCe.58, cipe.56
+                      >,
+                      x.101)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.101))
+         z.4   = true
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     60. IDc   = IDc.52
+         certC = cert(x.98, x.99, z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.98, x.99, z.66), r2.60, encaps(z.72, pk(skC.63)), pkCe.58, 
+                       encaps(z.73, pk(skCe.64))>,
+                      x.101)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = verify(x.99, <x.98, z.66, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.101))
+         z.4   = true
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     61. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(x.100, x.101, z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <x.100, z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.100)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.100, x.101, z.74), 
+                         cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                         pkCe.58, cipe.56>,
+                        x.100)
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     62. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(x.100, x.101, z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <x.100, z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.100)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.100, x.101, z.74), 
+                         cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                         pkCe.58, encaps(z.73, pk(skCe.64))>,
+                        x.100)
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     63. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(x.100, x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <x.100, z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.100)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.100, x.101, z.74), 
+                         cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                        x.100)
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     64. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(x.100, x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <x.100, z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, x.100)
+         z.4   = verify(sC.61,
+                        <'CA', cert(x.100, x.101, z.74), 
+                         cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                        x.100)
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     65. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), 
+                       cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                       pkCe.58, cipe.56>,
+                      x.100)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.100))
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     66. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), 
+                       cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                       pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.100)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.100))
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     67. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), 
+                       cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                      x.100)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.100))
+         z.4   = true
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     68. IDc   = IDc.52
+         certC = cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.100), x.101, z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', cert(pk(x.100), x.101, z.74), 
+                       cert(x.98, sign(<x.98, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.100)
+         sT    = sT.62
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = verify(x.101, <pk(x.100), z.74, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = verify(sT.62, <'TA', IDc.52, r1.59>, pk(x.100))
+         z.4   = true
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     69. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', 
+                         cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                         pkCe.58, cipe.56>,
+                        pk(x.101))
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     70. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                       pkCe.58, cipe.56>,
+                      x.101)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     71. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', 
+                         cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                         pkCe.58, encaps(z.73, pk(skCe.64))>,
+                        pk(x.101))
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     72. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = cip.55
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, cip.55, 
+                       pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.101)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.55, skC.63)
+         z.6   = z.73
+         z.7   = z.74
+    
+     73. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', 
+                         cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                        pk(x.101))
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     74. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = cipe.56
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, cipe.56>,
+                      x.101)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.72
+         z.6   = decaps(cipe.56, skCe.64)
+         z.7   = z.74
+    
+     75. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sC.61
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.61,
+                        <'CA', 
+                         cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                         cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                         encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                        pk(x.101))
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     76. IDc   = IDc.52
+         certC = cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66)
+         certT = cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74)
+         cip   = encaps(z.72, pk(skC.63))
+         cipe  = encaps(z.73, pk(skCe.64))
+         pkCe  = pkCe.58
+         r1    = r1.59
+         r2    = r2.60
+         sC    = sign(<'CA', 
+                       cert(pk(x.101), sign(<pk(x.101), z.74, 'terminal'>, ca_sk), z.74), 
+                       cert(x.99, sign(<x.99, z.66, 'chip'>, ca_sk), z.66), r2.60, 
+                       encaps(z.72, pk(skC.63)), pkCe.58, encaps(z.73, pk(skCe.64))>,
+                      x.101)
+         sT    = sign(<'TA', IDc.52, r1.59>, x.101)
+         skC   = skC.63
+         skCe  = skCe.64
+         z     = z.66
+         z.1   = true
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.72
+         z.6   = z.73
+         z.7   = z.74
+    
+     77. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(x.102, x.103, z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <x.102, z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, x.102)
+         z.4   = verify(sC.62,
+                        <'CA', cert(x.102, x.103, z.75), cert(x.99, x.100, z.67), r2.61, cip.56, 
+                         pkCe.59, cipe.57>,
+                        x.102)
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     78. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(x.102, x.103, z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <x.102, z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, x.102)
+         z.4   = verify(sC.62,
+                        <'CA', cert(x.102, x.103, z.75), cert(x.99, x.100, z.67), r2.61, cip.56, 
+                         pkCe.59, encaps(z.74, pk(skCe.65))>,
+                        x.102)
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     79. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(x.102, x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <x.102, z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, x.102)
+         z.4   = verify(sC.62,
+                        <'CA', cert(x.102, x.103, z.75), cert(x.99, x.100, z.67), r2.61, 
+                         encaps(z.73, pk(skC.64)), pkCe.59, cipe.57>,
+                        x.102)
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     80. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(x.102, x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <x.102, z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, x.102)
+         z.4   = verify(sC.62,
+                        <'CA', cert(x.102, x.103, z.75), cert(x.99, x.100, z.67), r2.61, 
+                         encaps(z.73, pk(skC.64)), pkCe.59, encaps(z.74, pk(skCe.65))>,
+                        x.102)
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+     81. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.99, x.100, z.67), r2.61, cip.56, pkCe.59, cipe.57>,
+                      x.102)
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, pk(x.102))
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     82. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.99, x.100, z.67), r2.61, cip.56, pkCe.59, 
+                       encaps(z.74, pk(skCe.65))>,
+                      x.102)
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, pk(x.102))
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     83. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.99, x.100, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                       cipe.57>,
+                      x.102)
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, pk(x.102))
+         z.4   = true
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     84. IDc   = IDc.53
+         certC = cert(x.99, x.100, z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.99, x.100, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                       encaps(z.74, pk(skCe.65))>,
+                      x.102)
+         sT    = sT.63
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.100, <x.99, z.67, 'chip'>, pk(ca_sk))
+         z.3   = verify(sT.63, <'TA', IDc.53, r1.60>, pk(x.102))
+         z.4   = true
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+     85. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', 
+                         cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                         cert(x.100, x.101, z.67), r2.61, cip.56, pkCe.59, cipe.57>,
+                        pk(x.103))
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     86. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', 
+                       cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                       cert(x.100, x.101, z.67), r2.61, cip.56, pkCe.59, cipe.57>,
+                      x.103)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     87. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', 
+                         cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                         cert(x.100, x.101, z.67), r2.61, cip.56, pkCe.59, 
+                         encaps(z.74, pk(skCe.65))>,
+                        pk(x.103))
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     88. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', 
+                       cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                       cert(x.100, x.101, z.67), r2.61, cip.56, pkCe.59, 
+                       encaps(z.74, pk(skCe.65))>,
+                      x.103)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     89. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', 
+                         cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                         cert(x.100, x.101, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                         cipe.57>,
+                        pk(x.103))
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     90. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', 
+                       cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                       cert(x.100, x.101, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                       cipe.57>,
+                      x.103)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     91. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', 
+                         cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                         cert(x.100, x.101, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                         encaps(z.74, pk(skCe.65))>,
+                        pk(x.103))
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+     92. IDc   = IDc.53
+         certC = cert(x.100, x.101, z.67)
+         certT = cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', 
+                       cert(pk(x.103), sign(<pk(x.103), z.75, 'terminal'>, ca_sk), z.75), 
+                       cert(x.100, x.101, z.67), r2.61, encaps(z.73, pk(skC.64)), pkCe.59, 
+                       encaps(z.74, pk(skCe.65))>,
+                      x.103)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.103)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = true
+         z.2   = verify(x.101, <x.100, z.67, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+     93. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', cert(pk(x.102), x.103, z.75), 
+                         cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, cip.56, 
+                         pkCe.59, cipe.57>,
+                        pk(x.102))
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     94. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, cip.56, 
+                       pkCe.59, cipe.57>,
+                      x.102)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     95. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', cert(pk(x.102), x.103, z.75), 
+                         cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, cip.56, 
+                         pkCe.59, encaps(z.74, pk(skCe.65))>,
+                        pk(x.102))
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     96. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = cip.56
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, cip.56, 
+                       pkCe.59, encaps(z.74, pk(skCe.65))>,
+                      x.102)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.56, skC.64)
+         z.6   = z.74
+         z.7   = z.75
+    
+     97. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', cert(pk(x.102), x.103, z.75), 
+                         cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, 
+                         encaps(z.73, pk(skC.64)), pkCe.59, cipe.57>,
+                        pk(x.102))
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     98. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = cipe.57
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, 
+                       encaps(z.73, pk(skC.64)), pkCe.59, cipe.57>,
+                      x.102)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.73
+         z.6   = decaps(cipe.57, skCe.65)
+         z.7   = z.75
+    
+     99. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sC.62
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = verify(sC.62,
+                        <'CA', cert(pk(x.102), x.103, z.75), 
+                         cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, 
+                         encaps(z.73, pk(skC.64)), pkCe.59, encaps(z.74, pk(skCe.65))>,
+                        pk(x.102))
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+    100. IDc   = IDc.53
+         certC = cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67)
+         certT = cert(pk(x.102), x.103, z.75)
+         cip   = encaps(z.73, pk(skC.64))
+         cipe  = encaps(z.74, pk(skCe.65))
+         pkCe  = pkCe.59
+         r1    = r1.60
+         r2    = r2.61
+         sC    = sign(<'CA', cert(pk(x.102), x.103, z.75), 
+                       cert(x.100, sign(<x.100, z.67, 'chip'>, ca_sk), z.67), r2.61, 
+                       encaps(z.73, pk(skC.64)), pkCe.59, encaps(z.74, pk(skCe.65))>,
+                      x.102)
+         sT    = sign(<'TA', IDc.53, r1.60>, x.102)
+         skC   = skC.64
+         skCe  = skCe.65
+         z     = z.67
+         z.1   = verify(x.103, <pk(x.102), z.75, 'terminal'>, pk(ca_sk))
+         z.2   = true
+         z.3   = true
+         z.4   = true
+         z.5   = z.73
+         z.6   = z.74
+         z.7   = z.75
+    
+    101. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = cip.57
+         cipe  = cipe.58
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sC.63
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.63,
+                        <'CA', cert(pk(x.104), x.105, z.76), cert(x.101, x.102, z.68), r2.62, 
+                         cip.57, pkCe.60, cipe.58>,
+                        pk(x.104))
+         z.5   = decaps(cip.57, skC.65)
+         z.6   = decaps(cipe.58, skCe.66)
+         z.7   = z.76
+    
+    102. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = cip.57
+         cipe  = cipe.58
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sign(<'CA', cert(pk(x.104), x.105, z.76), 
+                       cert(x.101, x.102, z.68), r2.62, cip.57, pkCe.60, cipe.58>,
+                      x.104)
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.57, skC.65)
+         z.6   = decaps(cipe.58, skCe.66)
+         z.7   = z.76
+    
+    103. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = cip.57
+         cipe  = encaps(z.75, pk(skCe.66))
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sC.63
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.63,
+                        <'CA', cert(pk(x.104), x.105, z.76), cert(x.101, x.102, z.68), r2.62, 
+                         cip.57, pkCe.60, encaps(z.75, pk(skCe.66))>,
+                        pk(x.104))
+         z.5   = decaps(cip.57, skC.65)
+         z.6   = z.75
+         z.7   = z.76
+    
+    104. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = cip.57
+         cipe  = encaps(z.75, pk(skCe.66))
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sign(<'CA', cert(pk(x.104), x.105, z.76), 
+                       cert(x.101, x.102, z.68), r2.62, cip.57, pkCe.60, 
+                       encaps(z.75, pk(skCe.66))>,
+                      x.104)
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = decaps(cip.57, skC.65)
+         z.6   = z.75
+         z.7   = z.76
+    
+    105. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = encaps(z.74, pk(skC.65))
+         cipe  = cipe.58
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sC.63
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.63,
+                        <'CA', cert(pk(x.104), x.105, z.76), cert(x.101, x.102, z.68), r2.62, 
+                         encaps(z.74, pk(skC.65)), pkCe.60, cipe.58>,
+                        pk(x.104))
+         z.5   = z.74
+         z.6   = decaps(cipe.58, skCe.66)
+         z.7   = z.76
+    
+    106. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = encaps(z.74, pk(skC.65))
+         cipe  = cipe.58
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sign(<'CA', cert(pk(x.104), x.105, z.76), 
+                       cert(x.101, x.102, z.68), r2.62, encaps(z.74, pk(skC.65)), pkCe.60, 
+                       cipe.58>,
+                      x.104)
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.74
+         z.6   = decaps(cipe.58, skCe.66)
+         z.7   = z.76
+    
+    107. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = encaps(z.74, pk(skC.65))
+         cipe  = encaps(z.75, pk(skCe.66))
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sC.63
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = verify(sC.63,
+                        <'CA', cert(pk(x.104), x.105, z.76), cert(x.101, x.102, z.68), r2.62, 
+                         encaps(z.74, pk(skC.65)), pkCe.60, encaps(z.75, pk(skCe.66))>,
+                        pk(x.104))
+         z.5   = z.74
+         z.6   = z.75
+         z.7   = z.76
+    
+    108. IDc   = IDc.54
+         certC = cert(x.101, x.102, z.68)
+         certT = cert(pk(x.104), x.105, z.76)
+         cip   = encaps(z.74, pk(skC.65))
+         cipe  = encaps(z.75, pk(skCe.66))
+         pkCe  = pkCe.60
+         r1    = r1.61
+         r2    = r2.62
+         sC    = sign(<'CA', cert(pk(x.104), x.105, z.76), 
+                       cert(x.101, x.102, z.68), r2.62, encaps(z.74, pk(skC.65)), pkCe.60, 
+                       encaps(z.75, pk(skCe.66))>,
+                      x.104)
+         sT    = sign(<'TA', IDc.54, r1.61>, x.104)
+         skC   = skC.65
+         skCe  = skCe.66
+         z     = z.68
+         z.1   = verify(x.105, <pk(x.104), z.76, 'terminal'>, pk(ca_sk))
+         z.2   = verify(x.102, <x.101, z.68, 'chip'>, pk(ca_sk))
+         z.3   = true
+         z.4   = true
+         z.5   = z.74
+         z.6   = z.75
+         z.7   = z.76
+  */
+
+rule (modulo E) Verify_Transcript_T:
+   [
+   In( <certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF> ),
+   In( <k, ke> ), !Pk( T, pkT, 'terminal' )
+   ]
+  --[
+  Eq( T, cert_id(certT) ), Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( verify_cert(certC, 'chip'), true ),
+  Eq( verify(sT, <'TA', IDc, r1>, pkT), true ),
+  Eq( verify(sC, <'CA', certT, certC, r2, cip, pkCe, cipe>, pkT), true ),
+  Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ),
+  ValidTrans( T, 'terminal', cert_id(certC) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_T:
+     [
+     In( <certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF> ),
+     In( <k, ke> ), !Pk( T, pkT, 'terminal' )
+     ]
+    --[
+    Eq( T, z ), Eq( z.1, true ), Eq( z.2, true ), Eq( z.3, true ),
+    Eq( z.4, true ),
+    Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ),
+    ValidTrans( T, 'terminal', z.5 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. IDc   = IDc.39
+        certC = certC.41
+        certT = certT.42
+        cip   = cip.43
+        cipe  = cipe.44
+        pkCe  = pkCe.48
+        pkT   = pkT.49
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sT.53
+        z     = cert_id(certT.42)
+        z.1   = verify(cert_sig(certT.42),
+                       <cert_pk(certT.42), cert_id(certT.42), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.41),
+                       <cert_pk(certC.41), cert_id(certC.41), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.39, r1.50>, pkT.49)
+        z.4   = verify(sC.52,
+                       <'CA', certT.42, certC.41, r2.51, cip.43, pkCe.48, cipe.44>, pkT.49)
+        z.5   = cert_id(certC.41)
+    
+     2. IDc   = IDc.48
+        certC = certC.50
+        certT = cert(x.94, sign(<x.94, z.64, 'terminal'>, ca_sk), z.64)
+        cip   = cip.52
+        cipe  = cipe.53
+        pkCe  = pkCe.57
+        pkT   = pkT.58
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sC.61
+        sT    = sT.62
+        z     = z.64
+        z.1   = true
+        z.2   = verify(cert_sig(certC.50),
+                       <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.62, <'TA', IDc.48, r1.59>, pkT.58)
+        z.4   = verify(sC.61,
+                       <'CA', cert(x.94, sign(<x.94, z.64, 'terminal'>, ca_sk), z.64), 
+                        certC.50, r2.60, cip.52, pkCe.57, cipe.53>,
+                       pkT.58)
+        z.5   = cert_id(certC.50)
+    
+     3. IDc   = IDc.48
+        certC = cert(x.94, sign(<x.94, z.70, 'chip'>, ca_sk), z.70)
+        certT = certT.51
+        cip   = cip.52
+        cipe  = cipe.53
+        pkCe  = pkCe.57
+        pkT   = pkT.58
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sC.61
+        sT    = sT.62
+        z     = cert_id(certT.51)
+        z.1   = verify(cert_sig(certT.51),
+                       <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.62, <'TA', IDc.48, r1.59>, pkT.58)
+        z.4   = verify(sC.61,
+                       <'CA', certT.51, cert(x.94, sign(<x.94, z.70, 'chip'>, ca_sk), z.70), 
+                        r2.60, cip.52, pkCe.57, cipe.53>,
+                       pkT.58)
+        z.5   = z.70
+    
+     4. IDc   = IDc.49
+        certC = certC.51
+        certT = cert(x.95, x.96, z.65)
+        cip   = cip.53
+        cipe  = cipe.54
+        pkCe  = pkCe.58
+        pkT   = pkT.59
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sC.62
+        sT    = sT.63
+        z     = z.65
+        z.1   = verify(x.96, <x.95, z.65, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.51),
+                       <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.63, <'TA', IDc.49, r1.60>, pkT.59)
+        z.4   = verify(sC.62,
+                       <'CA', cert(x.95, x.96, z.65), certC.51, r2.61, cip.53, pkCe.58, cipe.54
+                       >,
+                       pkT.59)
+        z.5   = cert_id(certC.51)
+    
+     5. IDc   = IDc.49
+        certC = cert(x.95, x.96, z.71)
+        certT = certT.52
+        cip   = cip.53
+        cipe  = cipe.54
+        pkCe  = pkCe.58
+        pkT   = pkT.59
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sC.62
+        sT    = sT.63
+        z     = cert_id(certT.52)
+        z.1   = verify(cert_sig(certT.52),
+                       <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.96, <x.95, z.71, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.63, <'TA', IDc.49, r1.60>, pkT.59)
+        z.4   = verify(sC.62,
+                       <'CA', certT.52, cert(x.95, x.96, z.71), r2.61, cip.53, pkCe.58, cipe.54
+                       >,
+                       pkT.59)
+        z.5   = z.71
+    
+     6. IDc   = IDc.50
+        certC = cert(x.96, sign(<x.96, z.72, 'chip'>, ca_sk), z.72)
+        certT = cert(x.98, sign(<x.98, z.66, 'terminal'>, ca_sk), z.66)
+        cip   = cip.54
+        cipe  = cipe.55
+        pkCe  = pkCe.59
+        pkT   = pkT.60
+        r1    = r1.61
+        r2    = r2.62
+        sC    = sC.63
+        sT    = sT.64
+        z     = z.66
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.64, <'TA', IDc.50, r1.61>, pkT.60)
+        z.4   = verify(sC.63,
+                       <'CA', cert(x.98, sign(<x.98, z.66, 'terminal'>, ca_sk), z.66), 
+                        cert(x.96, sign(<x.96, z.72, 'chip'>, ca_sk), z.72), r2.62, cip.54, 
+                        pkCe.59, cipe.55>,
+                       pkT.60)
+        z.5   = z.72
+    
+     7. IDc   = IDc.51
+        certC = cert(x.97, x.98, z.73)
+        certT = cert(x.100, sign(<x.100, z.67, 'terminal'>, ca_sk), z.67)
+        cip   = cip.55
+        cipe  = cipe.56
+        pkCe  = pkCe.60
+        pkT   = pkT.61
+        r1    = r1.62
+        r2    = r2.63
+        sC    = sC.64
+        sT    = sT.65
+        z     = z.67
+        z.1   = true
+        z.2   = verify(x.98, <x.97, z.73, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.65, <'TA', IDc.51, r1.62>, pkT.61)
+        z.4   = verify(sC.64,
+                       <'CA', cert(x.100, sign(<x.100, z.67, 'terminal'>, ca_sk), z.67), 
+                        cert(x.97, x.98, z.73), r2.63, cip.55, pkCe.60, cipe.56>,
+                       pkT.61)
+        z.5   = z.73
+    
+     8. IDc   = IDc.51
+        certC = cert(x.97, sign(<x.97, z.73, 'chip'>, ca_sk), z.73)
+        certT = cert(x.99, x.100, z.67)
+        cip   = cip.55
+        cipe  = cipe.56
+        pkCe  = pkCe.60
+        pkT   = pkT.61
+        r1    = r1.62
+        r2    = r2.63
+        sC    = sC.64
+        sT    = sT.65
+        z     = z.67
+        z.1   = verify(x.100, <x.99, z.67, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.65, <'TA', IDc.51, r1.62>, pkT.61)
+        z.4   = verify(sC.64,
+                       <'CA', cert(x.99, x.100, z.67), 
+                        cert(x.97, sign(<x.97, z.73, 'chip'>, ca_sk), z.73), r2.63, cip.55, 
+                        pkCe.60, cipe.56>,
+                       pkT.61)
+        z.5   = z.73
+    
+     9. IDc   = IDc.52
+        certC = cert(x.98, x.99, z.74)
+        certT = cert(x.101, x.102, z.68)
+        cip   = cip.56
+        cipe  = cipe.57
+        pkCe  = pkCe.61
+        pkT   = pkT.62
+        r1    = r1.63
+        r2    = r2.64
+        sC    = sC.65
+        sT    = sT.66
+        z     = z.68
+        z.1   = verify(x.102, <x.101, z.68, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.99, <x.98, z.74, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.66, <'TA', IDc.52, r1.63>, pkT.62)
+        z.4   = verify(sC.65,
+                       <'CA', cert(x.101, x.102, z.68), cert(x.98, x.99, z.74), r2.64, cip.56, 
+                        pkCe.61, cipe.57>,
+                       pkT.62)
+        z.5   = z.74
+    
+    10. IDc   = IDc.56
+        certC = certC.58
+        certT = certT.59
+        cip   = cip.60
+        cipe  = cipe.61
+        pkCe  = pkCe.65
+        pkT   = pk(x.110)
+        r1    = r1.67
+        r2    = r2.68
+        sC    = sign(<'CA', certT.59, certC.58, r2.68, cip.60, pkCe.65, cipe.61>,
+                     x.110)
+        sT    = sT.70
+        z     = cert_id(certT.59)
+        z.1   = verify(cert_sig(certT.59),
+                       <cert_pk(certT.59), cert_id(certT.59), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.58),
+                       <cert_pk(certC.58), cert_id(certC.58), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.70, <'TA', IDc.56, r1.67>, pk(x.110))
+        z.4   = true
+        z.5   = cert_id(certC.58)
+    
+    11. IDc   = IDc.57
+        certC = certC.59
+        certT = cert(x.104, sign(<x.104, z.73, 'terminal'>, ca_sk), z.73)
+        cip   = cip.61
+        cipe  = cipe.62
+        pkCe  = pkCe.66
+        pkT   = pk(x.112)
+        r1    = r1.68
+        r2    = r2.69
+        sC    = sign(<'CA', 
+                      cert(x.104, sign(<x.104, z.73, 'terminal'>, ca_sk), z.73), certC.59, 
+                      r2.69, cip.61, pkCe.66, cipe.62>,
+                     x.112)
+        sT    = sT.71
+        z     = z.73
+        z.1   = true
+        z.2   = verify(cert_sig(certC.59),
+                       <cert_pk(certC.59), cert_id(certC.59), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.71, <'TA', IDc.57, r1.68>, pk(x.112))
+        z.4   = true
+        z.5   = cert_id(certC.59)
+    
+    12. IDc   = IDc.57
+        certC = cert(x.103, sign(<x.103, z.79, 'chip'>, ca_sk), z.79)
+        certT = certT.60
+        cip   = cip.61
+        cipe  = cipe.62
+        pkCe  = pkCe.66
+        pkT   = pk(x.112)
+        r1    = r1.68
+        r2    = r2.69
+        sC    = sign(<'CA', certT.60, 
+                      cert(x.103, sign(<x.103, z.79, 'chip'>, ca_sk), z.79), r2.69, cip.61, 
+                      pkCe.66, cipe.62>,
+                     x.112)
+        sT    = sT.71
+        z     = cert_id(certT.60)
+        z.1   = verify(cert_sig(certT.60),
+                       <cert_pk(certT.60), cert_id(certT.60), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.71, <'TA', IDc.57, r1.68>, pk(x.112))
+        z.4   = true
+        z.5   = z.79
+    
+    13. IDc   = IDc.58
+        certC = certC.60
+        certT = certT.61
+        cip   = cip.62
+        cipe  = cipe.63
+        pkCe  = pkCe.67
+        pkT   = pk(x.114)
+        r1    = r1.69
+        r2    = r2.70
+        sC    = sC.71
+        sT    = sign(<'TA', IDc.58, r1.69>, x.114)
+        z     = cert_id(certT.61)
+        z.1   = verify(cert_sig(certT.61),
+                       <cert_pk(certT.61), cert_id(certT.61), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.60),
+                       <cert_pk(certC.60), cert_id(certC.60), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.71,
+                       <'CA', certT.61, certC.60, r2.70, cip.62, pkCe.67, cipe.63>, pk(x.114))
+        z.5   = cert_id(certC.60)
+    
+    14. IDc   = IDc.58
+        certC = certC.60
+        certT = certT.61
+        cip   = cip.62
+        cipe  = cipe.63
+        pkCe  = pkCe.67
+        pkT   = pk(x.114)
+        r1    = r1.69
+        r2    = r2.70
+        sC    = sign(<'CA', certT.61, certC.60, r2.70, cip.62, pkCe.67, cipe.63>,
+                     x.114)
+        sT    = sign(<'TA', IDc.58, r1.69>, x.114)
+        z     = cert_id(certT.61)
+        z.1   = verify(cert_sig(certT.61),
+                       <cert_pk(certT.61), cert_id(certT.61), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.60),
+                       <cert_pk(certC.60), cert_id(certC.60), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.60)
+    
+    15. IDc   = IDc.58
+        certC = certC.60
+        certT = cert(x.105, x.106, z.74)
+        cip   = cip.62
+        cipe  = cipe.63
+        pkCe  = pkCe.67
+        pkT   = pk(x.114)
+        r1    = r1.69
+        r2    = r2.70
+        sC    = sign(<'CA', cert(x.105, x.106, z.74), certC.60, r2.70, cip.62, 
+                      pkCe.67, cipe.63>,
+                     x.114)
+        sT    = sT.72
+        z     = z.74
+        z.1   = verify(x.106, <x.105, z.74, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.60),
+                       <cert_pk(certC.60), cert_id(certC.60), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.72, <'TA', IDc.58, r1.69>, pk(x.114))
+        z.4   = true
+        z.5   = cert_id(certC.60)
+    
+    16. IDc   = IDc.58
+        certC = cert(x.104, x.105, z.80)
+        certT = certT.61
+        cip   = cip.62
+        cipe  = cipe.63
+        pkCe  = pkCe.67
+        pkT   = pk(x.114)
+        r1    = r1.69
+        r2    = r2.70
+        sC    = sign(<'CA', certT.61, cert(x.104, x.105, z.80), r2.70, cip.62, 
+                      pkCe.67, cipe.63>,
+                     x.114)
+        sT    = sT.72
+        z     = cert_id(certT.61)
+        z.1   = verify(cert_sig(certT.61),
+                       <cert_pk(certT.61), cert_id(certT.61), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.105, <x.104, z.80, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.72, <'TA', IDc.58, r1.69>, pk(x.114))
+        z.4   = true
+        z.5   = z.80
+    
+    17. IDc   = IDc.58
+        certC = cert(x.104, sign(<x.104, z.80, 'chip'>, ca_sk), z.80)
+        certT = cert(x.106, sign(<x.106, z.74, 'terminal'>, ca_sk), z.74)
+        cip   = cip.62
+        cipe  = cipe.63
+        pkCe  = pkCe.67
+        pkT   = pk(x.114)
+        r1    = r1.69
+        r2    = r2.70
+        sC    = sign(<'CA', 
+                      cert(x.106, sign(<x.106, z.74, 'terminal'>, ca_sk), z.74), 
+                      cert(x.104, sign(<x.104, z.80, 'chip'>, ca_sk), z.80), r2.70, cip.62, 
+                      pkCe.67, cipe.63>,
+                     x.114)
+        sT    = sT.72
+        z     = z.74
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.72, <'TA', IDc.58, r1.69>, pk(x.114))
+        z.4   = true
+        z.5   = z.80
+    
+    18. IDc   = IDc.59
+        certC = certC.61
+        certT = cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75)
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sC.72
+        sT    = sign(<'TA', IDc.59, r1.70>, x.116)
+        z     = z.75
+        z.1   = true
+        z.2   = verify(cert_sig(certC.61),
+                       <cert_pk(certC.61), cert_id(certC.61), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.72,
+                       <'CA', cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75), 
+                        certC.61, r2.71, cip.63, pkCe.68, cipe.64>,
+                       pk(x.116))
+        z.5   = cert_id(certC.61)
+    
+    19. IDc   = IDc.59
+        certC = certC.61
+        certT = cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75)
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sign(<'CA', 
+                      cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75), certC.61, 
+                      r2.71, cip.63, pkCe.68, cipe.64>,
+                     x.116)
+        sT    = sign(<'TA', IDc.59, r1.70>, x.116)
+        z     = z.75
+        z.1   = true
+        z.2   = verify(cert_sig(certC.61),
+                       <cert_pk(certC.61), cert_id(certC.61), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.61)
+    
+    20. IDc   = IDc.59
+        certC = cert(x.105, x.106, z.81)
+        certT = cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75)
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sign(<'CA', 
+                      cert(x.108, sign(<x.108, z.75, 'terminal'>, ca_sk), z.75), 
+                      cert(x.105, x.106, z.81), r2.71, cip.63, pkCe.68, cipe.64>,
+                     x.116)
+        sT    = sT.73
+        z     = z.75
+        z.1   = true
+        z.2   = verify(x.106, <x.105, z.81, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.73, <'TA', IDc.59, r1.70>, pk(x.116))
+        z.4   = true
+        z.5   = z.81
+    
+    21. IDc   = IDc.59
+        certC = cert(x.105, sign(<x.105, z.81, 'chip'>, ca_sk), z.81)
+        certT = cert(x.107, x.108, z.75)
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sign(<'CA', cert(x.107, x.108, z.75), 
+                      cert(x.105, sign(<x.105, z.81, 'chip'>, ca_sk), z.81), r2.71, cip.63, 
+                      pkCe.68, cipe.64>,
+                     x.116)
+        sT    = sT.73
+        z     = z.75
+        z.1   = verify(x.108, <x.107, z.75, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.73, <'TA', IDc.59, r1.70>, pk(x.116))
+        z.4   = true
+        z.5   = z.81
+    
+    22. IDc   = IDc.59
+        certC = cert(x.107, sign(<x.107, z.81, 'chip'>, ca_sk), z.81)
+        certT = certT.62
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sC.72
+        sT    = sign(<'TA', IDc.59, r1.70>, x.116)
+        z     = cert_id(certT.62)
+        z.1   = verify(cert_sig(certT.62),
+                       <cert_pk(certT.62), cert_id(certT.62), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.72,
+                       <'CA', certT.62, cert(x.107, sign(<x.107, z.81, 'chip'>, ca_sk), z.81), 
+                        r2.71, cip.63, pkCe.68, cipe.64>,
+                       pk(x.116))
+        z.5   = z.81
+    
+    23. IDc   = IDc.59
+        certC = cert(x.107, sign(<x.107, z.81, 'chip'>, ca_sk), z.81)
+        certT = certT.62
+        cip   = cip.63
+        cipe  = cipe.64
+        pkCe  = pkCe.68
+        pkT   = pk(x.116)
+        r1    = r1.70
+        r2    = r2.71
+        sC    = sign(<'CA', certT.62, 
+                      cert(x.107, sign(<x.107, z.81, 'chip'>, ca_sk), z.81), r2.71, cip.63, 
+                      pkCe.68, cipe.64>,
+                     x.116)
+        sT    = sign(<'TA', IDc.59, r1.70>, x.116)
+        z     = cert_id(certT.62)
+        z.1   = verify(cert_sig(certT.62),
+                       <cert_pk(certT.62), cert_id(certT.62), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.81
+    
+    24. IDc   = IDc.60
+        certC = certC.62
+        certT = cert(x.109, x.110, z.76)
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sC.73
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = z.76
+        z.1   = verify(x.110, <x.109, z.76, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.62),
+                       <cert_pk(certC.62), cert_id(certC.62), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.73,
+                       <'CA', cert(x.109, x.110, z.76), certC.62, r2.72, cip.64, pkCe.69, 
+                        cipe.65>,
+                       pk(x.118))
+        z.5   = cert_id(certC.62)
+    
+    25. IDc   = IDc.60
+        certC = certC.62
+        certT = cert(x.109, x.110, z.76)
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sign(<'CA', cert(x.109, x.110, z.76), certC.62, r2.72, cip.64, 
+                      pkCe.69, cipe.65>,
+                     x.118)
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = z.76
+        z.1   = verify(x.110, <x.109, z.76, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.62),
+                       <cert_pk(certC.62), cert_id(certC.62), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.62)
+    
+    26. IDc   = IDc.60
+        certC = cert(x.106, x.107, z.82)
+        certT = cert(x.109, x.110, z.76)
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sign(<'CA', cert(x.109, x.110, z.76), cert(x.106, x.107, z.82), 
+                      r2.72, cip.64, pkCe.69, cipe.65>,
+                     x.118)
+        sT    = sT.74
+        z     = z.76
+        z.1   = verify(x.110, <x.109, z.76, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.107, <x.106, z.82, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.74, <'TA', IDc.60, r1.71>, pk(x.118))
+        z.4   = true
+        z.5   = z.82
+    
+    27. IDc   = IDc.60
+        certC = cert(x.108, x.109, z.82)
+        certT = certT.63
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sC.73
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = cert_id(certT.63)
+        z.1   = verify(cert_sig(certT.63),
+                       <cert_pk(certT.63), cert_id(certT.63), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.109, <x.108, z.82, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.73,
+                       <'CA', certT.63, cert(x.108, x.109, z.82), r2.72, cip.64, pkCe.69, 
+                        cipe.65>,
+                       pk(x.118))
+        z.5   = z.82
+    
+    28. IDc   = IDc.60
+        certC = cert(x.108, x.109, z.82)
+        certT = certT.63
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sign(<'CA', certT.63, cert(x.108, x.109, z.82), r2.72, cip.64, 
+                      pkCe.69, cipe.65>,
+                     x.118)
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = cert_id(certT.63)
+        z.1   = verify(cert_sig(certT.63),
+                       <cert_pk(certT.63), cert_id(certT.63), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.109, <x.108, z.82, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.82
+    
+    29. IDc   = IDc.60
+        certC = cert(x.108, sign(<x.108, z.82, 'chip'>, ca_sk), z.82)
+        certT = cert(x.110, sign(<x.110, z.76, 'terminal'>, ca_sk), z.76)
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sC.73
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = z.76
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.73,
+                       <'CA', cert(x.110, sign(<x.110, z.76, 'terminal'>, ca_sk), z.76), 
+                        cert(x.108, sign(<x.108, z.82, 'chip'>, ca_sk), z.82), r2.72, cip.64, 
+                        pkCe.69, cipe.65>,
+                       pk(x.118))
+        z.5   = z.82
+    
+    30. IDc   = IDc.60
+        certC = cert(x.108, sign(<x.108, z.82, 'chip'>, ca_sk), z.82)
+        certT = cert(x.110, sign(<x.110, z.76, 'terminal'>, ca_sk), z.76)
+        cip   = cip.64
+        cipe  = cipe.65
+        pkCe  = pkCe.69
+        pkT   = pk(x.118)
+        r1    = r1.71
+        r2    = r2.72
+        sC    = sign(<'CA', 
+                      cert(x.110, sign(<x.110, z.76, 'terminal'>, ca_sk), z.76), 
+                      cert(x.108, sign(<x.108, z.82, 'chip'>, ca_sk), z.82), r2.72, cip.64, 
+                      pkCe.69, cipe.65>,
+                     x.118)
+        sT    = sign(<'TA', IDc.60, r1.71>, x.118)
+        z     = z.76
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.82
+    
+    31. IDc   = IDc.61
+        certC = cert(x.109, x.110, z.83)
+        certT = cert(x.112, sign(<x.112, z.77, 'terminal'>, ca_sk), z.77)
+        cip   = cip.65
+        cipe  = cipe.66
+        pkCe  = pkCe.70
+        pkT   = pk(x.120)
+        r1    = r1.72
+        r2    = r2.73
+        sC    = sC.74
+        sT    = sign(<'TA', IDc.61, r1.72>, x.120)
+        z     = z.77
+        z.1   = true
+        z.2   = verify(x.110, <x.109, z.83, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.74,
+                       <'CA', cert(x.112, sign(<x.112, z.77, 'terminal'>, ca_sk), z.77), 
+                        cert(x.109, x.110, z.83), r2.73, cip.65, pkCe.70, cipe.66>,
+                       pk(x.120))
+        z.5   = z.83
+    
+    32. IDc   = IDc.61
+        certC = cert(x.109, x.110, z.83)
+        certT = cert(x.112, sign(<x.112, z.77, 'terminal'>, ca_sk), z.77)
+        cip   = cip.65
+        cipe  = cipe.66
+        pkCe  = pkCe.70
+        pkT   = pk(x.120)
+        r1    = r1.72
+        r2    = r2.73
+        sC    = sign(<'CA', 
+                      cert(x.112, sign(<x.112, z.77, 'terminal'>, ca_sk), z.77), 
+                      cert(x.109, x.110, z.83), r2.73, cip.65, pkCe.70, cipe.66>,
+                     x.120)
+        sT    = sign(<'TA', IDc.61, r1.72>, x.120)
+        z     = z.77
+        z.1   = true
+        z.2   = verify(x.110, <x.109, z.83, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.83
+    
+    33. IDc   = IDc.61
+        certC = cert(x.109, sign(<x.109, z.83, 'chip'>, ca_sk), z.83)
+        certT = cert(x.111, x.112, z.77)
+        cip   = cip.65
+        cipe  = cipe.66
+        pkCe  = pkCe.70
+        pkT   = pk(x.120)
+        r1    = r1.72
+        r2    = r2.73
+        sC    = sC.74
+        sT    = sign(<'TA', IDc.61, r1.72>, x.120)
+        z     = z.77
+        z.1   = verify(x.112, <x.111, z.77, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.74,
+                       <'CA', cert(x.111, x.112, z.77), 
+                        cert(x.109, sign(<x.109, z.83, 'chip'>, ca_sk), z.83), r2.73, cip.65, 
+                        pkCe.70, cipe.66>,
+                       pk(x.120))
+        z.5   = z.83
+    
+    34. IDc   = IDc.61
+        certC = cert(x.109, sign(<x.109, z.83, 'chip'>, ca_sk), z.83)
+        certT = cert(x.111, x.112, z.77)
+        cip   = cip.65
+        cipe  = cipe.66
+        pkCe  = pkCe.70
+        pkT   = pk(x.120)
+        r1    = r1.72
+        r2    = r2.73
+        sC    = sign(<'CA', cert(x.111, x.112, z.77), 
+                      cert(x.109, sign(<x.109, z.83, 'chip'>, ca_sk), z.83), r2.73, cip.65, 
+                      pkCe.70, cipe.66>,
+                     x.120)
+        sT    = sign(<'TA', IDc.61, r1.72>, x.120)
+        z     = z.77
+        z.1   = verify(x.112, <x.111, z.77, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.83
+    
+    35. IDc   = IDc.62
+        certC = cert(x.110, x.111, z.84)
+        certT = cert(x.113, x.114, z.78)
+        cip   = cip.66
+        cipe  = cipe.67
+        pkCe  = pkCe.71
+        pkT   = pk(x.122)
+        r1    = r1.73
+        r2    = r2.74
+        sC    = sC.75
+        sT    = sign(<'TA', IDc.62, r1.73>, x.122)
+        z     = z.78
+        z.1   = verify(x.114, <x.113, z.78, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.111, <x.110, z.84, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.75,
+                       <'CA', cert(x.113, x.114, z.78), cert(x.110, x.111, z.84), r2.74, 
+                        cip.66, pkCe.71, cipe.67>,
+                       pk(x.122))
+        z.5   = z.84
+    
+    36. IDc   = IDc.62
+        certC = cert(x.110, x.111, z.84)
+        certT = cert(x.113, x.114, z.78)
+        cip   = cip.66
+        cipe  = cipe.67
+        pkCe  = pkCe.71
+        pkT   = pk(x.122)
+        r1    = r1.73
+        r2    = r2.74
+        sC    = sign(<'CA', cert(x.113, x.114, z.78), cert(x.110, x.111, z.84), 
+                      r2.74, cip.66, pkCe.71, cipe.67>,
+                     x.122)
+        sT    = sign(<'TA', IDc.62, r1.73>, x.122)
+        z     = z.78
+        z.1   = verify(x.114, <x.113, z.78, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.111, <x.110, z.84, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.84
+  */
+
+restriction Equality:
+  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
+  // safety formula
+
+lemma session_exist:
+  exists-trace
+  "∃ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+    (#i < #j)"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  #i < #j"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.5 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                 ~ltk.1)
+                       ) @ #vk.7 )
+                  case TA_RESPONSE_T
+                  solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.39 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~r2 ) @ #vk.33 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~id_c ) @ #vk.38 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( ~r1 ) @ #vk.39 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                                 ) @ #vk.22 )
+                            case CA_Sign_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                            <~k, ~ke>)
+                                   ) @ #vk.26 )
+                              case TA_COMPLETE_C
+                              solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.37 )
+                                case CA_Sign_ltk
+                                solve( !KU( pk(~skCe) ) @ #vk.38 )
+                                  case TA_CHALLENGE_C
+                                  solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.23 )
+                                    case TA_RESPONSE_T
+                                    solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.25 )
+                                      case TA_RESPONSE_T
+                                      SOLVED // trace found
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma two_session_exist:
+  exists-trace
+  "∃ C T k k2 sid sid2 #i #j #i2 #j2.
+    ((((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+         (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+        (#i < #j)) ∧
+       (Completed( k2, sid2, C, 'chip', T ) @ #i2)) ∧
+      (Completed( k2, sid2, T, 'terminal', C ) @ #j2)) ∧
+     (#i2 < #j2)) ∧
+    (¬(k = k2))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k k2 sid sid2 #i #j #i2 #j2.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j) ∧
+  (Completed( k2, sid2, C, 'chip', T ) @ #i2) ∧
+  (Completed( k2, sid2, T, 'terminal', C ) @ #j2)
+ ∧
+  (#i < #j) ∧ (#i2 < #j2) ∧ (¬(k = k2))"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
+                case TA_COMPLETE_C
+                solve( TAChallengeC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1,
+                                     skCe.1, r2.1
+                       ) ▶₁ #i2 )
+                  case TA_CHALLENGE_C
+                  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
+                    case Generate_chip_key_pair
+                    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
+                      case CA_Sign_ltk
+                      solve( Completed( kdf(<'KEY', 
+                                             cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), 
+                                             ~r2.1, cip, pk(~skCe.1), cipe>,
+                                            <z, z.1>),
+                                        <cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, 
+                                         cip, pk(~skCe.1), cipe>,
+                                        $T, 'terminal', $C
+                             ) @ #j2 )
+                        case CA_FINISH_T
+                        solve( CAInitT( <$T, iid.3>, id_c.3,
+                                        cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
+                                        <z, cip>, <z.1, cipe>, pk(~skCe.1)
+                               ) ▶₁ #j2 )
+                          case TA_RESPONSE_T
+                          solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                                        'terminal'
+                                 ) ▶₂ #j2 )
+                            case CA_Sign_ltk
+                            solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.5 )
+                              case TA_RESPONSE_T
+                              solve( !KU( sign(<'CA', 
+                                                cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
+                                                     $T), 
+                                                cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                                encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                               ~ltk.1)
+                                     ) @ #vk.7 )
+                                case TA_RESPONSE_T
+                                solve( !KU( sign(<'TA', ~id_c.1, ~r1.1>, ~ltk.1) ) @ #vk.46 )
+                                  case TA_RESPONSE_T
+                                  solve( !KU( sign(<'CA', 
+                                                    cert(pk(~ltk.1),
+                                                         sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                                    cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), 
+                                                    ~r2.1, encaps(~k.1, pk(~skC)), pk(~skCe.1), 
+                                                    encaps(~ke.1, pk(~skCe.1))>,
+                                                   ~ltk.1)
+                                         ) @ #vk.50 )
+                                    case TA_RESPONSE_T
+                                    solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.63 )
+                                      case CA_Sign_ltk
+                                      solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.71 )
+                                        case CA_Sign_ltk
+                                        solve( !KU( ~r2 ) @ #vk.53 )
+                                          case TA_CHALLENGE_C
+                                          solve( !KU( ~r2.1 ) @ #vk.64 )
+                                            case TA_CHALLENGE_C
+                                            solve( !KU( ~id_c ) @ #vk.66 )
+                                              case TA_CHALLENGE_C
+                                              solve( !KU( ~r1 ) @ #vk.67 )
+                                                case TA_CHALLENGE_C
+                                                solve( !KU( ~id_c.1 ) @ #vk.70 )
+                                                  case TA_CHALLENGE_C
+                                                  solve( !KU( ~r1.1 ) @ #vk.71 )
+                                                    case TA_CHALLENGE_C
+                                                    solve( !KU( cert(pk(~skT),
+                                                                     sign(<pk(~skT), $T, 'terminal'>, ca_sk),
+                                                                     $T)
+                                                           ) @ #vk.42 )
+                                                      case CA_Sign_ltk
+                                                      solve( !KU( kdf(<'CNF', 
+                                                                       cert(pk(~skT),
+                                                                            sign(<pk(~skT), $T, 'terminal'>,
+                                                                                 ca_sk),
+                                                                            $T), 
+                                                                       cert(pk(~ltk),
+                                                                            sign(<pk(~ltk), $C, 'chip'>,
+                                                                                 ca_sk),
+                                                                            $C), 
+                                                                       ~r2, encaps(~k, pk(~ltk)), pk(~skCe), 
+                                                                       encaps(~ke, pk(~skCe))>,
+                                                                      <~k, ~ke>)
+                                                             ) @ #vk.45 )
+                                                        case TA_COMPLETE_C
+                                                        solve( !KU( cert(pk(~ltk),
+                                                                         sign(<pk(~ltk), $C, 'chip'>, ca_sk),
+                                                                         $C)
+                                                               ) @ #vk.59 )
+                                                          case CA_Sign_ltk
+                                                          solve( !KU( pk(~skCe) ) @ #vk.60 )
+                                                            case TA_CHALLENGE_C
+                                                            solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.40 )
+                                                              case TA_RESPONSE_T
+                                                              solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.42 )
+                                                                case TA_RESPONSE_T
+                                                                solve( !KU( cert(pk(~ltk.1),
+                                                                                 sign(<pk(~ltk.1), $T, 
+                                                                                       'terminal'>,
+                                                                                      ca_sk),
+                                                                                 $T)
+                                                                       ) @ #vk.64 )
+                                                                  case CA_Sign_ltk
+                                                                  solve( !KU( kdf(<'CNF', 
+                                                                                   cert(pk(~ltk.1),
+                                                                                        sign(<pk(~ltk.1), $T, 
+                                                                                              'terminal'>,
+                                                                                             ca_sk),
+                                                                                        $T), 
+                                                                                   cert(pk(~skC),
+                                                                                        sign(<pk(~skC), $C, 
+                                                                                              'chip'>,
+                                                                                             ca_sk),
+                                                                                        $C), 
+                                                                                   ~r2.1, 
+                                                                                   encaps(~k.1, pk(~skC)), 
+                                                                                   pk(~skCe.1), 
+                                                                                   encaps(~ke.1, pk(~skCe.1))
+                                                                                  >,
+                                                                                  <~k.1, ~ke.1>)
+                                                                         ) @ #vk.65 )
+                                                                    case TA_COMPLETE_C
+                                                                    solve( !KU( cert(pk(~skC),
+                                                                                     sign(<pk(~skC), $C, 
+                                                                                           'chip'>,
+                                                                                          ca_sk),
+                                                                                     $C)
+                                                                           ) @ #vk.68 )
+                                                                      case CA_Sign_ltk
+                                                                      solve( !KU( pk(~skCe.1) ) @ #vk.69 )
+                                                                        case TA_CHALLENGE_C
+                                                                        solve( !KU( encaps(~k.1, pk(~skC))
+                                                                               ) @ #vk.66 )
+                                                                          case TA_RESPONSE_T
+                                                                          solve( !KU( encaps(~ke.1,
+                                                                                             pk(~skCe.1))
+                                                                                 ) @ #vk.67 )
+                                                                            case TA_RESPONSE_T
+                                                                            SOLVED // trace found
+                                                                          qed
+                                                                        qed
+                                                                      qed
+                                                                    qed
+                                                                  qed
+                                                                qed
+                                                              qed
+                                                            qed
+                                                          qed
+                                                        qed
+                                                      qed
+                                                    qed
+                                                  qed
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           skCe, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
+                      <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.28 )
+            case TA_RESPONSE_T
+            solve( !KU( ~ke ) @ #vk.29 )
+              case TA_RESPONSE_T
+              solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                     ) @ #vk.17 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.30 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.30 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_cert
+                solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.33 )
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.31 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~ltk.1 ) @ #vk.31 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_sign
+                  by solve( !KU( ca_sk ) @ #vk.37 )
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           skCe, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              by contradiction /* from formulas */
+            next
+              case split_case_2
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.22 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                 ~ltk.1)
+                       ) @ #vk.25 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'CNF', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  <~k, ~ke>)
+                         ) @ #vk.4 )
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.50 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.51 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.52 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~ltk.1 ) @ #vk.48 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk.1 ) @ #vk.33 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
+                      <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.28 )
+            case TA_RESPONSE_T
+            solve( !KU( ~ke ) @ #vk.29 )
+              case TA_RESPONSE_T
+              solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                     ) @ #vk.17 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.30 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.30 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_cert
+                solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.33 )
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.31 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~ltk.1 ) @ #vk.31 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_sign
+                  by solve( !KU( ca_sk ) @ #vk.37 )
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>,
+                      <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.28 )
+            case TA_RESPONSE_T
+            solve( !KU( ~ke ) @ #vk.29 )
+              case TA_RESPONSE_T
+              solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                     ) @ #vk.17 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.30 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.30 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_cert
+                solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.33 )
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.31 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~ltk.1 ) @ #vk.31 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_sign
+                  by solve( !KU( ca_sk ) @ #vk.37 )
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C
+      by contradiction /* from formulas */
+    qed
+  qed
+qed
+
+lemma session_uniqueness:
+  all-traces
+  "∀ A B k sid sid2 role #i #j.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧
+     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
+    ((#i = #j) ∧ (sid = sid2))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ A B k sid sid2 role #i #j.
+  (Completed( k, sid, A, role, B ) @ #i) ∧
+  (Completed( k, sid2, A, role, B ) @ #j)
+ ∧
+  ((¬(#i = #j)) ∨ (¬(sid = sid2)))"
+*/
+simplify
+solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
+  case case_1
+  solve( (#i < #j)  ∥ (#j < #i) )
+    case case_1
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                                 encaps(~ke, pkCe)>,
+                                <~k, ~ke>),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
+                            <~ke, encaps(~ke, pkCe)>, pkCe
+                   ) ▶₁ #j )
+              case TA_RESPONSE_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, skCe, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                   pk(~skCe), cipe>,
+                                  <z, z.1>),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~skCe,
+                                   ~r2
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  next
+    case case_2
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                                 encaps(~ke, pkCe)>,
+                                <~k, ~ke>),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
+                            <~ke, encaps(~ke, pkCe)>, pkCe
+                   ) ▶₁ #j )
+              case TA_RESPONSE_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, skCe, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                   pk(~skCe), cipe>,
+                                  <z, z.1>),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~skCe,
+                                   ~r2
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case case_2
+  solve( Completed( k, sid, A, role, B ) @ #i )
+    case CA_FINISH_T
+    solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+           ) ▶₁ #i )
+      case TA_RESPONSE_T
+      solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                               cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                               encaps(~ke, pkCe)>,
+                              <~k, ~ke>),
+                          sid2, $T, 'terminal', B
+               ) @ #j )
+          case CA_FINISH_T
+          by contradiction /* from formulas */
+        qed
+      qed
+    qed
+  next
+    case TA_COMPLETE_C
+    solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, skCe, r2
+           ) ▶₁ #i )
+      case TA_CHALLENGE_C
+      solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+        case Generate_chip_key_pair
+        solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                                 pk(~skCe), cipe>,
+                                <z, z.1>),
+                            sid2, $C, 'chip', B
+                 ) @ #j )
+            case TA_COMPLETE_C
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma consistency:
+  all-traces
+  "∀ C T k k2 sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
+    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k k2 sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k2, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( k2,
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>,
+                          <ke, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.5 )
+                  case TA_RESPONSE_T
+                  solve( !KU( sign(<'CA', 
+                                    cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                    encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                   ~ltk.1)
+                         ) @ #vk.7 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.16 )
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.50 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ke ) @ #vk.51 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.52 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    solve( !KU( ~ltk.1 ) @ #vk.48 )
+                      case Corrupt_ltk
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                      <~k, ~ke>)
+                             ) @ #vk.22 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.53 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ke ) @ #vk.54 )
+                            case TA_RESPONSE_T
+                            solve( !KU( ~ltk ) @ #vk.55 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~ltk.1 ) @ #vk.33 )
+                    case Corrupt_ltk
+                    solve( !KU( sign(<'CA', 
+                                      cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                      cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                      encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                     ~ltk.1)
+                           ) @ #vk.8 )
+                      case TA_RESPONSE_T
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                      <~k, ~ke>)
+                             ) @ #vk.17 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.46 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ke ) @ #vk.47 )
+                            case TA_RESPONSE_T
+                            solve( !KU( ~ltk ) @ #vk.48 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      qed
+                    next
+                      case c_sign
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                      <~k, ~ke>)
+                             ) @ #vk.20 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.48 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ke ) @ #vk.49 )
+                            case TA_RESPONSE_T
+                            solve( !KU( ~ltk ) @ #vk.50 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma key_secrecy:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
+    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+     (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.6 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                 ~ltk.1)
+                       ) @ #vk.8 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'KEY', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  <~k, ~ke>)
+                         ) @ #vk.3 )
+                    case Reveal_session
+                    by contradiction /* from formulas */
+                  next
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.51 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.52 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.53 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~ltk.1 ) @ #vk.49 )
+                    case Corrupt_ltk
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.6 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.54 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ke ) @ #vk.55 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.56 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk.1 ) @ #vk.34 )
+                  case Corrupt_ltk
+                  solve( !KU( sign(<'CA', 
+                                    cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                    encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                   ~ltk.1)
+                         ) @ #vk.9 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.5 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.47 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ke ) @ #vk.48 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.49 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.5 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.49 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ke ) @ #vk.50 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.51 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma chip_hiding:
+  all-traces
+  "∀ C T iid #i.
+    (CompletedTA( C, iid, T ) @ #i) ⇒
+    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T iid #i.
+  (CompletedTA( C, iid, T ) @ #i)
+ ∧
+  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
+*/
+simplify
+solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
+       ) ▶₁ #i )
+  case TA_CHALLENGE_C
+  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+    case Generate_chip_key_pair
+    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+      case CA_Sign_ltk
+      solve( !KU( sign(<'TA', ~id_c, ~r1>, x) ) @ #vk.5 )
+        case c_sign
+        solve( !KU( sign(<'CA', 
+                          cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                          pk(~skCe), cipe>,
+                         x)
+               ) @ #vk.7 )
+          case c_sign
+          solve( !KU( cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T)
+                 ) @ #vk.16 )
+            case CA_Sign_ltk
+            solve( !KU( ~ltk ) @ #vk.22 )
+              case Corrupt_ltk
+              solve( splitEqs(0) )
+                case split_case_1
+                solve( !KU( ~iid ) @ #vk.21 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~id_c ) @ #vk.26 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~r1 ) @ #vk.27 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~r2 ) @ #vk.30 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( cert(pk(~ltk.1), sign(<pk(~ltk.1), $C, 'chip'>, ca_sk), $C)
+                               ) @ #vk.30 )
+                          case CA_Sign_ltk
+                          solve( !KU( pk(~skCe) ) @ #vk.31 )
+                            case TA_CHALLENGE_C
+                            SOLVED // trace found
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_terminal:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( C ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( T, 'chip' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( C, 'chip', T ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( C ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( T, 'chip' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( C, 'chip', T ) @ #i )
+  case Verify_Transcript_C
+  solve( !Ltk( C, skC, 'chip' ) ▶₂ #i )
+    case Generate_chip_key_pair
+    solve( !KU( sign(<'CA', 
+                      cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                      cert(x.1, sign(<x.1, $A, 'chip'>, ca_sk), $A), r2, cip, pkCe, cipe>,
+                     x)
+           ) @ #vk.17 )
+      case c_sign
+      solve( !KU( cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T)
+             ) @ #vk.2 )
+        case CA_Sign_ltk
+        solve( !KU( ~ltk ) @ #vk.28 )
+          case Corrupt_ltk
+          solve( !KU( sign(<'TA', IDc, r1>, ~ltk) ) @ #vk.13 )
+            case c_sign
+            solve( !KU( cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1) ) @ #vk.17 )
+              case CA_Sign_ltk
+              solve( !KU( kdf(<'CNF', 
+                               cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                               cert(pk(~ltk.1), sign(<pk(~ltk.1), $A.1, 'chip'>, ca_sk), $A.1), r2, 
+                               cip, pkCe, cipe>,
+                              <z, z.1>)
+                     ) @ #vk.29 )
+                case c_kdf
+                solve( splitEqs(0) )
+                  case split_case_3
+                  solve( !KU( encaps(z, pk(~ltk.2)) ) @ #vk.29 )
+                    case c_encaps
+                    solve( !KU( decaps(cipe, skCe) ) @ #vk.37 )
+                      case c_decaps
+                      solve( !KU( pk(~ltk.2) ) @ #vk.38 )
+                        case CA_Sign_ltk
+                        SOLVED // trace found
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_chip:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( T ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( C, 'terminal' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( T, 'terminal', C ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( T ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( C, 'terminal' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( T, 'terminal', C ) @ #i )
+  case Verify_Transcript_T
+  solve( !Pk( T, pk(x.1), 'terminal' ) ▶₂ #i )
+    case Generate_terminal_key_pair
+    solve( !KU( sign(<'TA', IDc, r1>, ~ltk) ) @ #vk.7 )
+      case TA_RESPONSE_T
+      by contradiction /* from formulas */
+    next
+      case c_sign
+      solve( !KU( ~ltk ) @ #vk.26 )
+        case Corrupt_ltk
+        by contradiction /* from formulas */
+      qed
+    qed
+  qed
+qed
+
+lemma pfs:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+       (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+      (¬(∃ #m. (Corrupted( C ) @ #m) ∧ (#m < #j)))) ∧
+     (¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j)))) ⇒
+    ((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                               pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
+                           pk(~skCe), cipe>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.6 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                 ~ltk.1)
+                       ) @ #vk.8 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'KEY', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                  <~k, ~ke>)
+                         ) @ #vk.3 )
+                    case Reveal_session
+                    by contradiction /* from formulas */
+                  next
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.51 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ke ) @ #vk.52 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.53 )
+                          case Corrupt_ltk
+                          by solve( !KU( ~skCe ) @ #vk.54 )
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~ltk.1 ) @ #vk.49 )
+                    case Corrupt_ltk
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.6 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.54 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ke ) @ #vk.55 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.56 )
+                            case Corrupt_ltk
+                            by solve( !KU( ~skCe ) @ #vk.57 )
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk.1 ) @ #vk.34 )
+                  case Corrupt_ltk
+                  solve( !KU( sign(<'CA', 
+                                    cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                    encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                   ~ltk.1)
+                         ) @ #vk.9 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.5 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.47 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ke ) @ #vk.48 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.49 )
+                            case Corrupt_ltk
+                            by solve( !KU( ~skCe ) @ #vk.50 )
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.5 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.49 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ke ) @ #vk.50 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.51 )
+                            case Corrupt_ltk
+                            by solve( !KU( ~skCe ) @ #vk.52 )
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+/* All wellformedness checks were successful. */
+
+/*
+Generated from:
+Tamarin version 1.8.0
+Maude version 3.3.1
+Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
+Compiled at: 2024-01-16 15:38:46.116852601 UTC
+*/
+
+end
+
+==============================================================================
+summary of summaries:
+
+analyzed: tmp.spthy
+
+  processing time: 981.75s
+  
+  session_exist (exists-trace): verified (21 steps)
+  two_session_exist (exists-trace): verified (40 steps)
+  weak_agreement_C (all-traces): verified (8 steps)
+  weak_agreement_T (all-traces): verified (20 steps)
+  agreement_C (all-traces): verified (20 steps)
+  agreement_T (all-traces): verified (20 steps)
+  aliveness (all-traces): verified (21 steps)
+  session_uniqueness (all-traces): verified (37 steps)
+  consistency (all-traces): verified (35 steps)
+  key_secrecy (all-traces): verified (37 steps)
+  chip_hiding (all-traces): falsified - found trace (16 steps)
+  nonRepudiation_terminal (exists-trace): verified (14 steps)
+  nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps)
+  pfs (all-traces): verified (37 steps)
+
+==============================================================================
diff --git a/results/45991790.err.ALL_SigPQEAC_TAMARIN b/results/45991790.err.ALL_SigPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..e8b69d9cbe3f08bce37f20bdff07736861fc19fc
--- /dev/null
+++ b/results/45991790.err.ALL_SigPQEAC_TAMARIN
@@ -0,0 +1,28 @@
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+WARNING: you should run this program as super-user.
+WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
diff --git a/results/45991790.out.ALL_SigPQEAC_TAMARIN b/results/45991790.out.ALL_SigPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..9a2b1ad6282a96d5e99de8f14487fb6f3813f7b1
--- /dev/null
+++ b/results/45991790.out.ALL_SigPQEAC_TAMARIN
@@ -0,0 +1,3694 @@
+maude tool: 'maude'
+ checking version: 3.3.1. OK.
+ checking installation: OK.
+theory FastSigPQEAC begin
+
+// Function signature and definition of the equational theory E
+
+functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
+           cert_sig/1, decaps/2, encaps/2, fst/1, kdf/2, pair/2, pk/1, sign/2,
+           snd/1, true/0, verify/3
+equations:
+    cert_id(cert(pk, s, id)) = id,
+    cert_pk(cert(pk, s, id)) = pk,
+    cert_sig(cert(pk, s, id)) = s,
+    decaps(encaps(k, pk(sk)), sk) = k,
+    fst(<x.1, x.2>) = x.1,
+    snd(<x.1, x.2>) = x.2,
+    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
+
+
+
+
+
+
+
+macros:
+    verify_cert( cert,
+                 role ) = verify(cert_sig(cert),pair(cert_pk(cert),pair(cert_id(cert),role)),pk(ca_sk))
+
+rule (modulo E) Publish_ca_pk:
+   [ ] --> [ Out( pk(ca_sk) ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_chip_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [ !Pk( $A, pk(~ltk), 'chip' ), !Ltk( $A, ~ltk, 'chip' ), Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_terminal_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [
+   !Pk( $A, pk(~ltk), 'terminal' ), !Ltk( $A, ~ltk, 'terminal' ),
+   Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_Sign_ltk:
+   [ !Pk( A, pk, role ) ]
+  --[ RegisteredRole( A, role ) ]->
+   [
+   !Cert( A, cert(pk, sign(<pk, A, role>, ca_sk), A), role ),
+   Out( cert(pk, sign(<pk, A, role>, ca_sk), A) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Corrupt_ltk:
+   [ !Ltk( $A, ltk, role ) ] --[ Corrupted( $A ) ]-> [ Out( <ltk, role> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Reveal_session:
+   [ !SessionReveal( sid, k ) ] --[ Revealed( sid ) ]-> [ Out( k ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_INIT_T:
+   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+  --[ Started( ) ]->
+   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_CHALLENGE_C:
+   [
+   In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ),
+   !Cert( $C, certC, 'chip' )
+   ]
+  --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
+   [
+   Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), Out( ~iid ),
+   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2 )
+   ]
+
+  /*
+  rule (modulo AC) TA_CHALLENGE_C:
+     [
+     In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ),
+     !Cert( $C, certC, 'chip' )
+     ]
+    --[ Eq( z, true ), Started( ) ]->
+     [
+     Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), Out( ~iid ),
+     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2 )
+     ]
+    variants (modulo AC)
+    1. certT = certT.15
+       z     = verify(cert_sig(certT.15),
+                      <cert_pk(certT.15), cert_id(certT.15), 'terminal'>, pk(ca_sk))
+    
+    2. certT = cert(x.16, sign(<x.16, x.17, 'terminal'>, ca_sk), x.17)
+       z     = true
+    
+    3. certT = cert(x.17, x.18, x.19)
+       z     = verify(x.18, <x.17, x.19, 'terminal'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_RESPONSE_T:
+   [
+   In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( <$T, iid> ),
+   !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k )
+   ]
+  --[ Eq( verify_cert(certC, 'chip'), true ) ]->
+   [
+   Out( <encaps(~k, cert_pk(certC)), sign(<'TA', id_c, r1>, ~skT), 
+         sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC))>, ~skT), '3', 
+         't'>
+   ),
+   CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> )
+   ]
+
+  /*
+  rule (modulo AC) TA_RESPONSE_T:
+     [
+     In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( <$T, iid> ),
+     !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k )
+     ]
+    --[ Eq( z.1, true ) ]->
+     [
+     Out( <encaps(~k, z), sign(<'TA', id_c, r1>, ~skT), 
+           sign(<'CA', certT, certC, r2, encaps(~k, z)>, ~skT), '3', 't'>
+     ),
+     CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)> )
+     ]
+    variants (modulo AC)
+    1. certC = certC.20
+       z     = cert_pk(certC.20)
+       z.1   = verify(cert_sig(certC.20),
+                      <cert_pk(certC.20), cert_id(certC.20), 'chip'>, pk(ca_sk))
+    
+    2. certC = cert(z.57, sign(<z.57, x.100, 'chip'>, ca_sk), x.100)
+       z     = z.57
+       z.1   = true
+    
+    3. certC = cert(z.58, x.101, x.102)
+       z     = z.58
+       z.1   = verify(x.101, <z.58, x.102, 'chip'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_COMPLETE_C:
+   [
+   In( <cip, s1, s2, '3', 't'> ),
+   TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ),
+   !Cert( $C, certC, 'chip' )
+   ]
+  --[
+  Eq( verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true ),
+  Eq( verify(s2, <'CA', certT, certC, r2, cip>, cert_pk(certT)), true ),
+  CompletedTA( $C, iid, cert_id(certT) ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)),
+             <certT, certC, r2, cip>, $C, 'chip', cert_id(certT)
+  )
+  ]->
+   [
+   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'>
+   ),
+   TACompleteC( <$C, iid>, certT, id_c, r1, r2 )
+   ]
+
+  /*
+  rule (modulo AC) TA_COMPLETE_C:
+     [
+     In( <cip, s1, s2, '3', 't'> ),
+     TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ),
+     !Cert( $C, certC, 'chip' )
+     ]
+    --[
+    Eq( z.1, true ), Eq( z.2, true ), CompletedTA( $C, iid, z.3 ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip>, z),
+               <certT, certC, r2, cip>, $C, 'chip', z.3
+    )
+    ]->
+     [
+     Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ),
+     TACompleteC( <$C, iid>, certT, id_c, r1, r2 )
+     ]
+    variants (modulo AC)
+     1. ~skC  = ~skC.32
+        certC = certC.33
+        certT = certT.34
+        cip   = cip.35
+        id_c  = id_c.36
+        r1    = r1.38
+        r2    = r2.39
+        s1    = s1.40
+        s2    = s2.41
+        z     = decaps(cip.35, ~skC.32)
+        z.1   = verify(s1.40, <'TA', id_c.36, r1.38>, cert_pk(certT.34))
+        z.2   = verify(s2.41, <'CA', certT.34, certC.33, r2.39, cip.35>,
+                       cert_pk(certT.34))
+        z.3   = cert_id(certT.34)
+    
+     2. ~skC  = ~skC.37
+        certC = certC.38
+        certT = certT.39
+        cip   = encaps(z.51, pk(~skC.37))
+        id_c  = id_c.41
+        r1    = r1.43
+        r2    = r2.44
+        s1    = s1.45
+        s2    = s2.46
+        z     = z.51
+        z.1   = verify(s1.45, <'TA', id_c.41, r1.43>, cert_pk(certT.39))
+        z.2   = verify(s2.46,
+                       <'CA', certT.39, certC.38, r2.44, encaps(z.51, pk(~skC.37))>,
+                       cert_pk(certT.39))
+        z.3   = cert_id(certT.39)
+    
+     3. ~skC  = ~skC.150
+        certC = certC.151
+        certT = cert(x.296, x.297, z.169)
+        cip   = cip.153
+        id_c  = id_c.154
+        r1    = r1.156
+        r2    = r2.157
+        s1    = s1.158
+        s2    = s2.159
+        z     = decaps(cip.153, ~skC.150)
+        z.1   = verify(s1.158, <'TA', id_c.154, r1.156>, x.296)
+        z.2   = verify(s2.159,
+                       <'CA', cert(x.296, x.297, z.169), certC.151, r2.157, cip.153>, x.296)
+        z.3   = z.169
+    
+     4. ~skC  = ~skC.150
+        certC = certC.151
+        certT = cert(pk(x.296), x.297, z.169)
+        cip   = cip.153
+        id_c  = id_c.154
+        r1    = r1.156
+        r2    = r2.157
+        s1    = sign(<'TA', id_c.154, r1.156>, x.296)
+        s2    = s2.159
+        z     = decaps(cip.153, ~skC.150)
+        z.1   = true
+        z.2   = verify(s2.159,
+                       <'CA', cert(pk(x.296), x.297, z.169), certC.151, r2.157, cip.153>,
+                       pk(x.296))
+        z.3   = z.169
+    
+     5. ~skC  = ~skC.151
+        certC = certC.152
+        certT = cert(pk(x.298), x.299, z.170)
+        cip   = cip.154
+        id_c  = id_c.155
+        r1    = r1.157
+        r2    = r2.158
+        s1    = s1.159
+        s2    = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158, 
+                      cip.154>,
+                     x.298)
+        z     = decaps(cip.154, ~skC.151)
+        z.1   = verify(s1.159, <'TA', id_c.155, r1.157>, pk(x.298))
+        z.2   = true
+        z.3   = z.170
+    
+     6. ~skC  = ~skC.151
+        certC = certC.152
+        certT = cert(pk(x.298), x.299, z.170)
+        cip   = cip.154
+        id_c  = id_c.155
+        r1    = r1.157
+        r2    = r2.158
+        s1    = sign(<'TA', id_c.155, r1.157>, x.298)
+        s2    = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158, 
+                      cip.154>,
+                     x.298)
+        z     = decaps(cip.154, ~skC.151)
+        z.1   = true
+        z.2   = true
+        z.3   = z.170
+    
+     7. ~skC  = ~skC.152
+        certC = certC.153
+        certT = cert(x.300, x.301, z.171)
+        cip   = encaps(z.166, pk(~skC.152))
+        id_c  = id_c.156
+        r1    = r1.158
+        r2    = r2.159
+        s1    = s1.160
+        s2    = s2.161
+        z     = z.166
+        z.1   = verify(s1.160, <'TA', id_c.156, r1.158>, x.300)
+        z.2   = verify(s2.161,
+                       <'CA', cert(x.300, x.301, z.171), certC.153, r2.159, 
+                        encaps(z.166, pk(~skC.152))>,
+                       x.300)
+        z.3   = z.171
+    
+     8. ~skC  = ~skC.152
+        certC = certC.153
+        certT = cert(pk(x.300), x.301, z.171)
+        cip   = encaps(z.166, pk(~skC.152))
+        id_c  = id_c.156
+        r1    = r1.158
+        r2    = r2.159
+        s1    = s1.160
+        s2    = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, 
+                      encaps(z.166, pk(~skC.152))>,
+                     x.300)
+        z     = z.166
+        z.1   = verify(s1.160, <'TA', id_c.156, r1.158>, pk(x.300))
+        z.2   = true
+        z.3   = z.171
+    
+     9. ~skC  = ~skC.152
+        certC = certC.153
+        certT = cert(pk(x.300), x.301, z.171)
+        cip   = encaps(z.166, pk(~skC.152))
+        id_c  = id_c.156
+        r1    = r1.158
+        r2    = r2.159
+        s1    = sign(<'TA', id_c.156, r1.158>, x.300)
+        s2    = s2.161
+        z     = z.166
+        z.1   = true
+        z.2   = verify(s2.161,
+                       <'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, 
+                        encaps(z.166, pk(~skC.152))>,
+                       pk(x.300))
+        z.3   = z.171
+    
+    10. ~skC  = ~skC.152
+        certC = certC.153
+        certT = cert(pk(x.300), x.301, z.171)
+        cip   = encaps(z.166, pk(~skC.152))
+        id_c  = id_c.156
+        r1    = r1.158
+        r2    = r2.159
+        s1    = sign(<'TA', id_c.156, r1.158>, x.300)
+        s2    = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, 
+                      encaps(z.166, pk(~skC.152))>,
+                     x.300)
+        z     = z.166
+        z.1   = true
+        z.2   = true
+        z.3   = z.171
+  */
+
+rule (modulo E) CA_FINISH_T:
+   [
+   In( <kCNF_C, '4', 'c'> ),
+   CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+   !Cert( $T, certT, 'terminal' )
+   ]
+  --[
+  Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_C ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
+             <certT, certC, r2, cip>, $T, 'terminal', cert_id(certC)
+  ),
+  Finished( <certT, certC, r2, cip> )
+  ]->
+   [
+   CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
+   !SessionReveal( <certT, certC, r2, cip>,
+                   kdf(<'KEY', certT, certC, r2, cip>, k)
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_T:
+     [
+     In( <kCNF_C, '4', 'c'> ),
+     CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+     !Cert( $T, certT, 'terminal' )
+     ]
+    --[
+    Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_C ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
+               <certT, certC, r2, cip>, $T, 'terminal', z
+    ),
+    Finished( <certT, certC, r2, cip> )
+    ]->
+     [
+     CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
+     !SessionReveal( <certT, certC, r2, cip>,
+                     kdf(<'KEY', certT, certC, r2, cip>, k)
+     )
+     ]
+    variants (modulo AC)
+    1. certC = certC.15
+       z     = cert_id(certC.15)
+    
+    2. certC = cert(x.41, x.42, z.28)
+       z     = z.28
+  */
+
+rule (modulo E) Verify_Transcript_C:
+   [
+   In( <certT, IDc, r1, sT, certC, r2, cip, sC, kCNF> ),
+   !Ltk( C, skC, 'chip' )
+   ]
+  --[
+  Eq( C, cert_id(certC) ), Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( verify_cert(certC, 'chip'), true ),
+  Eq( verify(sT, <'TA', IDc, r1>, cert_pk(certT)), true ),
+  Eq( verify(sC, <'CA', certT, certC, r2, cip>, cert_pk(certT)), true ),
+  Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, skC)) ),
+  ValidTrans( C, 'chip', cert_id(certT) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_C:
+     [
+     In( <certT, IDc, r1, sT, certC, r2, cip, sC, kCNF> ),
+     !Ltk( C, skC, 'chip' )
+     ]
+    --[
+    Eq( C, z ), Eq( z.1, true ), Eq( z.2, true ), Eq( z.3, true ),
+    Eq( z.4, true ), Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip>, z.5) ),
+    ValidTrans( C, 'chip', z.6 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. IDc   = IDc.31
+        certC = certC.32
+        certT = certT.33
+        cip   = cip.34
+        r1    = r1.36
+        r2    = r2.37
+        sC    = sC.38
+        sT    = sT.39
+        skC   = skC.40
+        z     = cert_id(certC.32)
+        z.1   = verify(cert_sig(certT.33),
+                       <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.32),
+                       <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.39, <'TA', IDc.31, r1.36>, cert_pk(certT.33))
+        z.4   = verify(sC.38, <'CA', certT.33, certC.32, r2.37, cip.34>,
+                       cert_pk(certT.33))
+        z.5   = decaps(cip.34, skC.40)
+        z.6   = cert_id(certT.33)
+    
+     2. IDc   = IDc.39
+        certC = certC.40
+        certT = certT.41
+        cip   = encaps(z.56, pk(skC.48))
+        r1    = r1.44
+        r2    = r2.45
+        sC    = sC.46
+        sT    = sT.47
+        skC   = skC.48
+        z     = cert_id(certC.40)
+        z.1   = verify(cert_sig(certT.41),
+                       <cert_pk(certT.41), cert_id(certT.41), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.40),
+                       <cert_pk(certC.40), cert_id(certC.40), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.47, <'TA', IDc.39, r1.44>, cert_pk(certT.41))
+        z.4   = verify(sC.46,
+                       <'CA', certT.41, certC.40, r2.45, encaps(z.56, pk(skC.48))>,
+                       cert_pk(certT.41))
+        z.5   = z.56
+        z.6   = cert_id(certT.41)
+    
+     3. IDc   = IDc.41
+        certC = certC.42
+        certT = cert(x.79, sign(<x.79, z.59, 'terminal'>, ca_sk), z.59)
+        cip   = cip.44
+        r1    = r1.46
+        r2    = r2.47
+        sC    = sC.48
+        sT    = sT.49
+        skC   = skC.50
+        z     = cert_id(certC.42)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.42),
+                       <cert_pk(certC.42), cert_id(certC.42), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.49, <'TA', IDc.41, r1.46>, x.79)
+        z.4   = verify(sC.48,
+                       <'CA', cert(x.79, sign(<x.79, z.59, 'terminal'>, ca_sk), z.59), 
+                        certC.42, r2.47, cip.44>,
+                       x.79)
+        z.5   = decaps(cip.44, skC.50)
+        z.6   = z.59
+    
+     4. IDc   = IDc.41
+        certC = certC.42
+        certT = cert(x.79, sign(<x.79, z.59, 'terminal'>, ca_sk), z.59)
+        cip   = encaps(z.58, pk(skC.50))
+        r1    = r1.46
+        r2    = r2.47
+        sC    = sC.48
+        sT    = sT.49
+        skC   = skC.50
+        z     = cert_id(certC.42)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.42),
+                       <cert_pk(certC.42), cert_id(certC.42), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.49, <'TA', IDc.41, r1.46>, x.79)
+        z.4   = verify(sC.48,
+                       <'CA', cert(x.79, sign(<x.79, z.59, 'terminal'>, ca_sk), z.59), 
+                        certC.42, r2.47, encaps(z.58, pk(skC.50))>,
+                       x.79)
+        z.5   = z.58
+        z.6   = z.59
+    
+     5. IDc   = IDc.41
+        certC = cert(x.79, sign(<x.79, z.52, 'chip'>, ca_sk), z.52)
+        certT = certT.43
+        cip   = cip.44
+        r1    = r1.46
+        r2    = r2.47
+        sC    = sC.48
+        sT    = sT.49
+        skC   = skC.50
+        z     = z.52
+        z.1   = verify(cert_sig(certT.43),
+                       <cert_pk(certT.43), cert_id(certT.43), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.49, <'TA', IDc.41, r1.46>, cert_pk(certT.43))
+        z.4   = verify(sC.48,
+                       <'CA', certT.43, cert(x.79, sign(<x.79, z.52, 'chip'>, ca_sk), z.52), 
+                        r2.47, cip.44>,
+                       cert_pk(certT.43))
+        z.5   = decaps(cip.44, skC.50)
+        z.6   = cert_id(certT.43)
+    
+     6. IDc   = IDc.41
+        certC = cert(x.79, sign(<x.79, z.52, 'chip'>, ca_sk), z.52)
+        certT = certT.43
+        cip   = encaps(z.58, pk(skC.50))
+        r1    = r1.46
+        r2    = r2.47
+        sC    = sC.48
+        sT    = sT.49
+        skC   = skC.50
+        z     = z.52
+        z.1   = verify(cert_sig(certT.43),
+                       <cert_pk(certT.43), cert_id(certT.43), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.49, <'TA', IDc.41, r1.46>, cert_pk(certT.43))
+        z.4   = verify(sC.48,
+                       <'CA', certT.43, cert(x.79, sign(<x.79, z.52, 'chip'>, ca_sk), z.52), 
+                        r2.47, encaps(z.58, pk(skC.50))>,
+                       cert_pk(certT.43))
+        z.5   = z.58
+        z.6   = cert_id(certT.43)
+    
+     7. IDc   = IDc.42
+        certC = certC.43
+        certT = cert(x.80, x.81, z.60)
+        cip   = cip.45
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sC.49
+        sT    = sT.50
+        skC   = skC.51
+        z     = cert_id(certC.43)
+        z.1   = verify(x.81, <x.80, z.60, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.43),
+                       <cert_pk(certC.43), cert_id(certC.43), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, x.80)
+        z.4   = verify(sC.49,
+                       <'CA', cert(x.80, x.81, z.60), certC.43, r2.48, cip.45>, x.80)
+        z.5   = decaps(cip.45, skC.51)
+        z.6   = z.60
+    
+     8. IDc   = IDc.42
+        certC = certC.43
+        certT = cert(x.80, x.81, z.60)
+        cip   = encaps(z.59, pk(skC.51))
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sC.49
+        sT    = sT.50
+        skC   = skC.51
+        z     = cert_id(certC.43)
+        z.1   = verify(x.81, <x.80, z.60, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.43),
+                       <cert_pk(certC.43), cert_id(certC.43), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, x.80)
+        z.4   = verify(sC.49,
+                       <'CA', cert(x.80, x.81, z.60), certC.43, r2.48, encaps(z.59, pk(skC.51))
+                       >,
+                       x.80)
+        z.5   = z.59
+        z.6   = z.60
+    
+     9. IDc   = IDc.42
+        certC = certC.43
+        certT = cert(pk(x.81), sign(<pk(x.81), z.60, 'terminal'>, ca_sk), z.60)
+        cip   = cip.45
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sign(<'CA', 
+                      cert(pk(x.81), sign(<pk(x.81), z.60, 'terminal'>, ca_sk), z.60), 
+                      certC.43, r2.48, cip.45>,
+                     x.81)
+        sT    = sT.50
+        skC   = skC.51
+        z     = cert_id(certC.43)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.43),
+                       <cert_pk(certC.43), cert_id(certC.43), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, pk(x.81))
+        z.4   = true
+        z.5   = decaps(cip.45, skC.51)
+        z.6   = z.60
+    
+    10. IDc   = IDc.42
+        certC = certC.43
+        certT = cert(pk(x.81), sign(<pk(x.81), z.60, 'terminal'>, ca_sk), z.60)
+        cip   = encaps(z.59, pk(skC.51))
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sign(<'CA', 
+                      cert(pk(x.81), sign(<pk(x.81), z.60, 'terminal'>, ca_sk), z.60), 
+                      certC.43, r2.48, encaps(z.59, pk(skC.51))>,
+                     x.81)
+        sT    = sT.50
+        skC   = skC.51
+        z     = cert_id(certC.43)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.43),
+                       <cert_pk(certC.43), cert_id(certC.43), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, pk(x.81))
+        z.4   = true
+        z.5   = z.59
+        z.6   = z.60
+    
+    11. IDc   = IDc.42
+        certC = cert(x.80, x.81, z.53)
+        certT = certT.44
+        cip   = cip.45
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sC.49
+        sT    = sT.50
+        skC   = skC.51
+        z     = z.53
+        z.1   = verify(cert_sig(certT.44),
+                       <cert_pk(certT.44), cert_id(certT.44), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.81, <x.80, z.53, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, cert_pk(certT.44))
+        z.4   = verify(sC.49,
+                       <'CA', certT.44, cert(x.80, x.81, z.53), r2.48, cip.45>,
+                       cert_pk(certT.44))
+        z.5   = decaps(cip.45, skC.51)
+        z.6   = cert_id(certT.44)
+    
+    12. IDc   = IDc.42
+        certC = cert(x.80, x.81, z.53)
+        certT = certT.44
+        cip   = encaps(z.59, pk(skC.51))
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sC.49
+        sT    = sT.50
+        skC   = skC.51
+        z     = z.53
+        z.1   = verify(cert_sig(certT.44),
+                       <cert_pk(certT.44), cert_id(certT.44), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.81, <x.80, z.53, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, cert_pk(certT.44))
+        z.4   = verify(sC.49,
+                       <'CA', certT.44, cert(x.80, x.81, z.53), r2.48, encaps(z.59, pk(skC.51))
+                       >,
+                       cert_pk(certT.44))
+        z.5   = z.59
+        z.6   = cert_id(certT.44)
+    
+    13. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.82), x.83, z.61)
+        cip   = cip.46
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', cert(pk(x.82), x.83, z.61), certC.44, r2.49, cip.46>,
+                     x.82)
+        sT    = sT.51
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = verify(x.83, <pk(x.82), z.61, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, pk(x.82))
+        z.4   = true
+        z.5   = decaps(cip.46, skC.52)
+        z.6   = z.61
+    
+    14. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.82), x.83, z.61)
+        cip   = encaps(z.60, pk(skC.52))
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', cert(pk(x.82), x.83, z.61), certC.44, r2.49, 
+                      encaps(z.60, pk(skC.52))>,
+                     x.82)
+        sT    = sT.51
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = verify(x.83, <pk(x.82), z.61, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, pk(x.82))
+        z.4   = true
+        z.5   = z.60
+        z.6   = z.61
+    
+    15. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = cip.46
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sC.50
+        sT    = sign(<'TA', IDc.43, r1.48>, x.83)
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.50,
+                       <'CA', cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                        certC.44, r2.49, cip.46>,
+                       pk(x.83))
+        z.5   = decaps(cip.46, skC.52)
+        z.6   = z.61
+    
+    16. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = cip.46
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', 
+                      cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                      certC.44, r2.49, cip.46>,
+                     x.83)
+        sT    = sign(<'TA', IDc.43, r1.48>, x.83)
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.46, skC.52)
+        z.6   = z.61
+    
+    17. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = encaps(z.60, pk(skC.52))
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sC.50
+        sT    = sign(<'TA', IDc.43, r1.48>, x.83)
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.50,
+                       <'CA', cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                        certC.44, r2.49, encaps(z.60, pk(skC.52))>,
+                       pk(x.83))
+        z.5   = z.60
+        z.6   = z.61
+    
+    18. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = encaps(z.60, pk(skC.52))
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', 
+                      cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                      certC.44, r2.49, encaps(z.60, pk(skC.52))>,
+                     x.83)
+        sT    = sign(<'TA', IDc.43, r1.48>, x.83)
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.60
+        z.6   = z.61
+    
+    19. IDc   = IDc.43
+        certC = cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54)
+        certT = cert(x.83, sign(<x.83, z.61, 'terminal'>, ca_sk), z.61)
+        cip   = cip.46
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sC.50
+        sT    = sT.51
+        skC   = skC.52
+        z     = z.54
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, x.83)
+        z.4   = verify(sC.50,
+                       <'CA', cert(x.83, sign(<x.83, z.61, 'terminal'>, ca_sk), z.61), 
+                        cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54), r2.49, cip.46>,
+                       x.83)
+        z.5   = decaps(cip.46, skC.52)
+        z.6   = z.61
+    
+    20. IDc   = IDc.43
+        certC = cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54)
+        certT = cert(x.83, sign(<x.83, z.61, 'terminal'>, ca_sk), z.61)
+        cip   = encaps(z.60, pk(skC.52))
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sC.50
+        sT    = sT.51
+        skC   = skC.52
+        z     = z.54
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, x.83)
+        z.4   = verify(sC.50,
+                       <'CA', cert(x.83, sign(<x.83, z.61, 'terminal'>, ca_sk), z.61), 
+                        cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54), r2.49, 
+                        encaps(z.60, pk(skC.52))>,
+                       x.83)
+        z.5   = z.60
+        z.6   = z.61
+    
+    21. IDc   = IDc.43
+        certC = cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54)
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = cip.46
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', 
+                      cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                      cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54), r2.49, cip.46>,
+                     x.83)
+        sT    = sT.51
+        skC   = skC.52
+        z     = z.54
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, pk(x.83))
+        z.4   = true
+        z.5   = decaps(cip.46, skC.52)
+        z.6   = z.61
+    
+    22. IDc   = IDc.43
+        certC = cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54)
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = encaps(z.60, pk(skC.52))
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', 
+                      cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                      cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54), r2.49, 
+                      encaps(z.60, pk(skC.52))>,
+                     x.83)
+        sT    = sT.51
+        skC   = skC.52
+        z     = z.54
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, pk(x.83))
+        z.4   = true
+        z.5   = z.60
+        z.6   = z.61
+    
+    23. IDc   = IDc.44
+        certC = certC.45
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sign(<'TA', IDc.44, r1.49>, x.84)
+        skC   = skC.53
+        z     = cert_id(certC.45)
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.45),
+                       <cert_pk(certC.45), cert_id(certC.45), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.51,
+                       <'CA', cert(pk(x.84), x.85, z.62), certC.45, r2.50, cip.47>, pk(x.84))
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    24. IDc   = IDc.44
+        certC = certC.45
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', cert(pk(x.84), x.85, z.62), certC.45, r2.50, cip.47>,
+                     x.84)
+        sT    = sign(<'TA', IDc.44, r1.49>, x.84)
+        skC   = skC.53
+        z     = cert_id(certC.45)
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.45),
+                       <cert_pk(certC.45), cert_id(certC.45), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    25. IDc   = IDc.44
+        certC = certC.45
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sign(<'TA', IDc.44, r1.49>, x.84)
+        skC   = skC.53
+        z     = cert_id(certC.45)
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.45),
+                       <cert_pk(certC.45), cert_id(certC.45), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.51,
+                       <'CA', cert(pk(x.84), x.85, z.62), certC.45, r2.50, 
+                        encaps(z.61, pk(skC.53))>,
+                       pk(x.84))
+        z.5   = z.61
+        z.6   = z.62
+    
+    26. IDc   = IDc.44
+        certC = certC.45
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', cert(pk(x.84), x.85, z.62), certC.45, r2.50, 
+                      encaps(z.61, pk(skC.53))>,
+                     x.84)
+        sT    = sign(<'TA', IDc.44, r1.49>, x.84)
+        skC   = skC.53
+        z     = cert_id(certC.45)
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.45),
+                       <cert_pk(certC.45), cert_id(certC.45), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.61
+        z.6   = z.62
+    
+    27. IDc   = IDc.44
+        certC = cert(x.82, x.83, z.55)
+        certT = cert(x.85, sign(<x.85, z.62, 'terminal'>, ca_sk), z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = verify(x.83, <x.82, z.55, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, x.85)
+        z.4   = verify(sC.51,
+                       <'CA', cert(x.85, sign(<x.85, z.62, 'terminal'>, ca_sk), z.62), 
+                        cert(x.82, x.83, z.55), r2.50, cip.47>,
+                       x.85)
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    28. IDc   = IDc.44
+        certC = cert(x.82, x.83, z.55)
+        certT = cert(x.85, sign(<x.85, z.62, 'terminal'>, ca_sk), z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = verify(x.83, <x.82, z.55, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, x.85)
+        z.4   = verify(sC.51,
+                       <'CA', cert(x.85, sign(<x.85, z.62, 'terminal'>, ca_sk), z.62), 
+                        cert(x.82, x.83, z.55), r2.50, encaps(z.61, pk(skC.53))>,
+                       x.85)
+        z.5   = z.61
+        z.6   = z.62
+    
+    29. IDc   = IDc.44
+        certC = cert(x.82, x.83, z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', 
+                      cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                      cert(x.82, x.83, z.55), r2.50, cip.47>,
+                     x.85)
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = verify(x.83, <x.82, z.55, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, pk(x.85))
+        z.4   = true
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    30. IDc   = IDc.44
+        certC = cert(x.82, x.83, z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', 
+                      cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                      cert(x.82, x.83, z.55), r2.50, encaps(z.61, pk(skC.53))>,
+                     x.85)
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = verify(x.83, <x.82, z.55, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, pk(x.85))
+        z.4   = true
+        z.5   = z.61
+        z.6   = z.62
+    
+    31. IDc   = IDc.44
+        certC = cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(x.84, x.85, z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = verify(x.85, <x.84, z.62, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, x.84)
+        z.4   = verify(sC.51,
+                       <'CA', cert(x.84, x.85, z.62), 
+                        cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55), r2.50, cip.47>,
+                       x.84)
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    32. IDc   = IDc.44
+        certC = cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(x.84, x.85, z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = verify(x.85, <x.84, z.62, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, x.84)
+        z.4   = verify(sC.51,
+                       <'CA', cert(x.84, x.85, z.62), 
+                        cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55), r2.50, 
+                        encaps(z.61, pk(skC.53))>,
+                       x.84)
+        z.5   = z.61
+        z.6   = z.62
+    
+    33. IDc   = IDc.44
+        certC = cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', cert(pk(x.84), x.85, z.62), 
+                      cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55), r2.50, cip.47>,
+                     x.84)
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, pk(x.84))
+        z.4   = true
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    34. IDc   = IDc.44
+        certC = cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', cert(pk(x.84), x.85, z.62), 
+                      cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55), r2.50, 
+                      encaps(z.61, pk(skC.53))>,
+                     x.84)
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, pk(x.84))
+        z.4   = true
+        z.5   = z.61
+        z.6   = z.62
+    
+    35. IDc   = IDc.44
+        certC = cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sign(<'TA', IDc.44, r1.49>, x.85)
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.51,
+                       <'CA', cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                        cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55), r2.50, cip.47>,
+                       pk(x.85))
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    36. IDc   = IDc.44
+        certC = cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', 
+                      cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                      cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55), r2.50, cip.47>,
+                     x.85)
+        sT    = sign(<'TA', IDc.44, r1.49>, x.85)
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    37. IDc   = IDc.44
+        certC = cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sign(<'TA', IDc.44, r1.49>, x.85)
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.51,
+                       <'CA', cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                        cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55), r2.50, 
+                        encaps(z.61, pk(skC.53))>,
+                       pk(x.85))
+        z.5   = z.61
+        z.6   = z.62
+    
+    38. IDc   = IDc.44
+        certC = cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', 
+                      cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                      cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55), r2.50, 
+                      encaps(z.61, pk(skC.53))>,
+                     x.85)
+        sT    = sign(<'TA', IDc.44, r1.49>, x.85)
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.61
+        z.6   = z.62
+    
+    39. IDc   = IDc.45
+        certC = cert(x.83, x.84, z.56)
+        certT = cert(x.86, x.87, z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sT.53
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <x.86, z.63, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.84, <x.83, z.56, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.45, r1.50>, x.86)
+        z.4   = verify(sC.52,
+                       <'CA', cert(x.86, x.87, z.63), cert(x.83, x.84, z.56), r2.51, cip.48>,
+                       x.86)
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    40. IDc   = IDc.45
+        certC = cert(x.83, x.84, z.56)
+        certT = cert(x.86, x.87, z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sT.53
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <x.86, z.63, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.84, <x.83, z.56, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.45, r1.50>, x.86)
+        z.4   = verify(sC.52,
+                       <'CA', cert(x.86, x.87, z.63), cert(x.83, x.84, z.56), r2.51, 
+                        encaps(z.62, pk(skC.54))>,
+                       x.86)
+        z.5   = z.62
+        z.6   = z.63
+    
+    41. IDc   = IDc.45
+        certC = cert(x.83, x.84, z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', cert(pk(x.86), x.87, z.63), cert(x.83, x.84, z.56), 
+                      r2.51, cip.48>,
+                     x.86)
+        sT    = sT.53
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.84, <x.83, z.56, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.45, r1.50>, pk(x.86))
+        z.4   = true
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    42. IDc   = IDc.45
+        certC = cert(x.83, x.84, z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', cert(pk(x.86), x.87, z.63), cert(x.83, x.84, z.56), 
+                      r2.51, encaps(z.62, pk(skC.54))>,
+                     x.86)
+        sT    = sT.53
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.84, <x.83, z.56, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.45, r1.50>, pk(x.86))
+        z.4   = true
+        z.5   = z.62
+        z.6   = z.63
+    
+    43. IDc   = IDc.45
+        certC = cert(x.84, x.85, z.56)
+        certT = cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sign(<'TA', IDc.45, r1.50>, x.87)
+        skC   = skC.54
+        z     = z.56
+        z.1   = true
+        z.2   = verify(x.85, <x.84, z.56, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.52,
+                       <'CA', cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63), 
+                        cert(x.84, x.85, z.56), r2.51, cip.48>,
+                       pk(x.87))
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    44. IDc   = IDc.45
+        certC = cert(x.84, x.85, z.56)
+        certT = cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', 
+                      cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63), 
+                      cert(x.84, x.85, z.56), r2.51, cip.48>,
+                     x.87)
+        sT    = sign(<'TA', IDc.45, r1.50>, x.87)
+        skC   = skC.54
+        z     = z.56
+        z.1   = true
+        z.2   = verify(x.85, <x.84, z.56, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    45. IDc   = IDc.45
+        certC = cert(x.84, x.85, z.56)
+        certT = cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sign(<'TA', IDc.45, r1.50>, x.87)
+        skC   = skC.54
+        z     = z.56
+        z.1   = true
+        z.2   = verify(x.85, <x.84, z.56, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.52,
+                       <'CA', cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63), 
+                        cert(x.84, x.85, z.56), r2.51, encaps(z.62, pk(skC.54))>,
+                       pk(x.87))
+        z.5   = z.62
+        z.6   = z.63
+    
+    46. IDc   = IDc.45
+        certC = cert(x.84, x.85, z.56)
+        certT = cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', 
+                      cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63), 
+                      cert(x.84, x.85, z.56), r2.51, encaps(z.62, pk(skC.54))>,
+                     x.87)
+        sT    = sign(<'TA', IDc.45, r1.50>, x.87)
+        skC   = skC.54
+        z     = z.56
+        z.1   = true
+        z.2   = verify(x.85, <x.84, z.56, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.62
+        z.6   = z.63
+    
+    47. IDc   = IDc.45
+        certC = cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sign(<'TA', IDc.45, r1.50>, x.86)
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.52,
+                       <'CA', cert(pk(x.86), x.87, z.63), 
+                        cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56), r2.51, cip.48>,
+                       pk(x.86))
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    48. IDc   = IDc.45
+        certC = cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', cert(pk(x.86), x.87, z.63), 
+                      cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56), r2.51, cip.48>,
+                     x.86)
+        sT    = sign(<'TA', IDc.45, r1.50>, x.86)
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    49. IDc   = IDc.45
+        certC = cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sign(<'TA', IDc.45, r1.50>, x.86)
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.52,
+                       <'CA', cert(pk(x.86), x.87, z.63), 
+                        cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56), r2.51, 
+                        encaps(z.62, pk(skC.54))>,
+                       pk(x.86))
+        z.5   = z.62
+        z.6   = z.63
+    
+    50. IDc   = IDc.45
+        certC = cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', cert(pk(x.86), x.87, z.63), 
+                      cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56), r2.51, 
+                      encaps(z.62, pk(skC.54))>,
+                     x.86)
+        sT    = sign(<'TA', IDc.45, r1.50>, x.86)
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.62
+        z.6   = z.63
+    
+    51. IDc   = IDc.46
+        certC = cert(x.85, x.86, z.57)
+        certT = cert(pk(x.88), x.89, z.64)
+        cip   = cip.49
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sC.53
+        sT    = sign(<'TA', IDc.46, r1.51>, x.88)
+        skC   = skC.55
+        z     = z.57
+        z.1   = verify(x.89, <pk(x.88), z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.86, <x.85, z.57, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.53,
+                       <'CA', cert(pk(x.88), x.89, z.64), cert(x.85, x.86, z.57), r2.52, cip.49
+                       >,
+                       pk(x.88))
+        z.5   = decaps(cip.49, skC.55)
+        z.6   = z.64
+    
+    52. IDc   = IDc.46
+        certC = cert(x.85, x.86, z.57)
+        certT = cert(pk(x.88), x.89, z.64)
+        cip   = cip.49
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sign(<'CA', cert(pk(x.88), x.89, z.64), cert(x.85, x.86, z.57), 
+                      r2.52, cip.49>,
+                     x.88)
+        sT    = sign(<'TA', IDc.46, r1.51>, x.88)
+        skC   = skC.55
+        z     = z.57
+        z.1   = verify(x.89, <pk(x.88), z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.86, <x.85, z.57, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.49, skC.55)
+        z.6   = z.64
+    
+    53. IDc   = IDc.46
+        certC = cert(x.85, x.86, z.57)
+        certT = cert(pk(x.88), x.89, z.64)
+        cip   = encaps(z.63, pk(skC.55))
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sC.53
+        sT    = sign(<'TA', IDc.46, r1.51>, x.88)
+        skC   = skC.55
+        z     = z.57
+        z.1   = verify(x.89, <pk(x.88), z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.86, <x.85, z.57, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.53,
+                       <'CA', cert(pk(x.88), x.89, z.64), cert(x.85, x.86, z.57), r2.52, 
+                        encaps(z.63, pk(skC.55))>,
+                       pk(x.88))
+        z.5   = z.63
+        z.6   = z.64
+    
+    54. IDc   = IDc.46
+        certC = cert(x.85, x.86, z.57)
+        certT = cert(pk(x.88), x.89, z.64)
+        cip   = encaps(z.63, pk(skC.55))
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sign(<'CA', cert(pk(x.88), x.89, z.64), cert(x.85, x.86, z.57), 
+                      r2.52, encaps(z.63, pk(skC.55))>,
+                     x.88)
+        sT    = sign(<'TA', IDc.46, r1.51>, x.88)
+        skC   = skC.55
+        z     = z.57
+        z.1   = verify(x.89, <pk(x.88), z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.86, <x.85, z.57, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.63
+        z.6   = z.64
+  */
+
+rule (modulo E) Verify_Transcript_T:
+   [
+   In( <certT, IDc, r1, sT, certC, r2, cip, sC, kCNF> ), In( kKDF ),
+   !Pk( T, pkT, 'terminal' )
+   ]
+  --[
+  Eq( T, cert_id(certT) ), Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( verify_cert(certC, 'chip'), true ),
+  Eq( verify(sT, <'TA', IDc, r1>, pkT), true ),
+  Eq( verify(sC, <'CA', certT, certC, r2, cip>, pkT), true ),
+  Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip>, kKDF) ),
+  ValidTrans( T, 'terminal', cert_id(certC) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_T:
+     [
+     In( <certT, IDc, r1, sT, certC, r2, cip, sC, kCNF> ), In( kKDF ),
+     !Pk( T, pkT, 'terminal' )
+     ]
+    --[
+    Eq( T, z ), Eq( z.1, true ), Eq( z.2, true ), Eq( z.3, true ),
+    Eq( z.4, true ), Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip>, kKDF) ),
+    ValidTrans( T, 'terminal', z.5 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. IDc   = IDc.33
+        certC = certC.35
+        certT = certT.36
+        cip   = cip.37
+        pkT   = pkT.40
+        r1    = r1.41
+        r2    = r2.42
+        sC    = sC.43
+        sT    = sT.44
+        z     = cert_id(certT.36)
+        z.1   = verify(cert_sig(certT.36),
+                       <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.35),
+                       <cert_pk(certC.35), cert_id(certC.35), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.44, <'TA', IDc.33, r1.41>, pkT.40)
+        z.4   = verify(sC.43, <'CA', certT.36, certC.35, r2.42, cip.37>, pkT.40)
+        z.5   = cert_id(certC.35)
+    
+     2. IDc   = IDc.42
+        certC = certC.44
+        certT = cert(x.82, sign(<x.82, z.55, 'terminal'>, ca_sk), z.55)
+        cip   = cip.46
+        pkT   = pkT.49
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sT.53
+        z     = z.55
+        z.1   = true
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.42, r1.50>, pkT.49)
+        z.4   = verify(sC.52,
+                       <'CA', cert(x.82, sign(<x.82, z.55, 'terminal'>, ca_sk), z.55), 
+                        certC.44, r2.51, cip.46>,
+                       pkT.49)
+        z.5   = cert_id(certC.44)
+    
+     3. IDc   = IDc.42
+        certC = cert(x.82, sign(<x.82, z.61, 'chip'>, ca_sk), z.61)
+        certT = certT.45
+        cip   = cip.46
+        pkT   = pkT.49
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sT.53
+        z     = cert_id(certT.45)
+        z.1   = verify(cert_sig(certT.45),
+                       <cert_pk(certT.45), cert_id(certT.45), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.53, <'TA', IDc.42, r1.50>, pkT.49)
+        z.4   = verify(sC.52,
+                       <'CA', certT.45, cert(x.82, sign(<x.82, z.61, 'chip'>, ca_sk), z.61), 
+                        r2.51, cip.46>,
+                       pkT.49)
+        z.5   = z.61
+    
+     4. IDc   = IDc.43
+        certC = certC.45
+        certT = cert(x.83, x.84, z.56)
+        cip   = cip.47
+        pkT   = pkT.50
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sC.53
+        sT    = sT.54
+        z     = z.56
+        z.1   = verify(x.84, <x.83, z.56, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.45),
+                       <cert_pk(certC.45), cert_id(certC.45), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.54, <'TA', IDc.43, r1.51>, pkT.50)
+        z.4   = verify(sC.53,
+                       <'CA', cert(x.83, x.84, z.56), certC.45, r2.52, cip.47>, pkT.50)
+        z.5   = cert_id(certC.45)
+    
+     5. IDc   = IDc.43
+        certC = cert(x.83, x.84, z.62)
+        certT = certT.46
+        cip   = cip.47
+        pkT   = pkT.50
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sC.53
+        sT    = sT.54
+        z     = cert_id(certT.46)
+        z.1   = verify(cert_sig(certT.46),
+                       <cert_pk(certT.46), cert_id(certT.46), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.84, <x.83, z.62, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.54, <'TA', IDc.43, r1.51>, pkT.50)
+        z.4   = verify(sC.53,
+                       <'CA', certT.46, cert(x.83, x.84, z.62), r2.52, cip.47>, pkT.50)
+        z.5   = z.62
+    
+     6. IDc   = IDc.44
+        certC = cert(x.84, sign(<x.84, z.63, 'chip'>, ca_sk), z.63)
+        certT = cert(x.86, sign(<x.86, z.57, 'terminal'>, ca_sk), z.57)
+        cip   = cip.48
+        pkT   = pkT.51
+        r1    = r1.52
+        r2    = r2.53
+        sC    = sC.54
+        sT    = sT.55
+        z     = z.57
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.55, <'TA', IDc.44, r1.52>, pkT.51)
+        z.4   = verify(sC.54,
+                       <'CA', cert(x.86, sign(<x.86, z.57, 'terminal'>, ca_sk), z.57), 
+                        cert(x.84, sign(<x.84, z.63, 'chip'>, ca_sk), z.63), r2.53, cip.48>,
+                       pkT.51)
+        z.5   = z.63
+    
+     7. IDc   = IDc.45
+        certC = cert(x.85, x.86, z.64)
+        certT = cert(x.88, sign(<x.88, z.58, 'terminal'>, ca_sk), z.58)
+        cip   = cip.49
+        pkT   = pkT.52
+        r1    = r1.53
+        r2    = r2.54
+        sC    = sC.55
+        sT    = sT.56
+        z     = z.58
+        z.1   = true
+        z.2   = verify(x.86, <x.85, z.64, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.56, <'TA', IDc.45, r1.53>, pkT.52)
+        z.4   = verify(sC.55,
+                       <'CA', cert(x.88, sign(<x.88, z.58, 'terminal'>, ca_sk), z.58), 
+                        cert(x.85, x.86, z.64), r2.54, cip.49>,
+                       pkT.52)
+        z.5   = z.64
+    
+     8. IDc   = IDc.45
+        certC = cert(x.85, sign(<x.85, z.64, 'chip'>, ca_sk), z.64)
+        certT = cert(x.87, x.88, z.58)
+        cip   = cip.49
+        pkT   = pkT.52
+        r1    = r1.53
+        r2    = r2.54
+        sC    = sC.55
+        sT    = sT.56
+        z     = z.58
+        z.1   = verify(x.88, <x.87, z.58, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.56, <'TA', IDc.45, r1.53>, pkT.52)
+        z.4   = verify(sC.55,
+                       <'CA', cert(x.87, x.88, z.58), 
+                        cert(x.85, sign(<x.85, z.64, 'chip'>, ca_sk), z.64), r2.54, cip.49>,
+                       pkT.52)
+        z.5   = z.64
+    
+     9. IDc   = IDc.46
+        certC = cert(x.86, x.87, z.65)
+        certT = cert(x.89, x.90, z.59)
+        cip   = cip.50
+        pkT   = pkT.53
+        r1    = r1.54
+        r2    = r2.55
+        sC    = sC.56
+        sT    = sT.57
+        z     = z.59
+        z.1   = verify(x.90, <x.89, z.59, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.87, <x.86, z.65, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.57, <'TA', IDc.46, r1.54>, pkT.53)
+        z.4   = verify(sC.56,
+                       <'CA', cert(x.89, x.90, z.59), cert(x.86, x.87, z.65), r2.55, cip.50>,
+                       pkT.53)
+        z.5   = z.65
+    
+    10. IDc   = IDc.47
+        certC = certC.49
+        certT = certT.50
+        cip   = cip.51
+        pkT   = pk(x.92)
+        r1    = r1.55
+        r2    = r2.56
+        sC    = sign(<'CA', certT.50, certC.49, r2.56, cip.51>, x.92)
+        sT    = sT.58
+        z     = cert_id(certT.50)
+        z.1   = verify(cert_sig(certT.50),
+                       <cert_pk(certT.50), cert_id(certT.50), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.49),
+                       <cert_pk(certC.49), cert_id(certC.49), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.58, <'TA', IDc.47, r1.55>, pk(x.92))
+        z.4   = true
+        z.5   = cert_id(certC.49)
+    
+    11. IDc   = IDc.48
+        certC = certC.50
+        certT = cert(x.89, sign(<x.89, z.61, 'terminal'>, ca_sk), z.61)
+        cip   = cip.52
+        pkT   = pk(x.94)
+        r1    = r1.56
+        r2    = r2.57
+        sC    = sign(<'CA', 
+                      cert(x.89, sign(<x.89, z.61, 'terminal'>, ca_sk), z.61), certC.50, 
+                      r2.57, cip.52>,
+                     x.94)
+        sT    = sT.59
+        z     = z.61
+        z.1   = true
+        z.2   = verify(cert_sig(certC.50),
+                       <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.59, <'TA', IDc.48, r1.56>, pk(x.94))
+        z.4   = true
+        z.5   = cert_id(certC.50)
+    
+    12. IDc   = IDc.48
+        certC = cert(x.88, sign(<x.88, z.67, 'chip'>, ca_sk), z.67)
+        certT = certT.51
+        cip   = cip.52
+        pkT   = pk(x.94)
+        r1    = r1.56
+        r2    = r2.57
+        sC    = sign(<'CA', certT.51, 
+                      cert(x.88, sign(<x.88, z.67, 'chip'>, ca_sk), z.67), r2.57, cip.52>,
+                     x.94)
+        sT    = sT.59
+        z     = cert_id(certT.51)
+        z.1   = verify(cert_sig(certT.51),
+                       <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.59, <'TA', IDc.48, r1.56>, pk(x.94))
+        z.4   = true
+        z.5   = z.67
+    
+    13. IDc   = IDc.49
+        certC = certC.51
+        certT = certT.52
+        cip   = cip.53
+        pkT   = pk(x.96)
+        r1    = r1.57
+        r2    = r2.58
+        sC    = sC.59
+        sT    = sign(<'TA', IDc.49, r1.57>, x.96)
+        z     = cert_id(certT.52)
+        z.1   = verify(cert_sig(certT.52),
+                       <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.51),
+                       <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.59, <'CA', certT.52, certC.51, r2.58, cip.53>,
+                       pk(x.96))
+        z.5   = cert_id(certC.51)
+    
+    14. IDc   = IDc.49
+        certC = certC.51
+        certT = certT.52
+        cip   = cip.53
+        pkT   = pk(x.96)
+        r1    = r1.57
+        r2    = r2.58
+        sC    = sign(<'CA', certT.52, certC.51, r2.58, cip.53>, x.96)
+        sT    = sign(<'TA', IDc.49, r1.57>, x.96)
+        z     = cert_id(certT.52)
+        z.1   = verify(cert_sig(certT.52),
+                       <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.51),
+                       <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.51)
+    
+    15. IDc   = IDc.49
+        certC = certC.51
+        certT = cert(x.90, x.91, z.62)
+        cip   = cip.53
+        pkT   = pk(x.96)
+        r1    = r1.57
+        r2    = r2.58
+        sC    = sign(<'CA', cert(x.90, x.91, z.62), certC.51, r2.58, cip.53>,
+                     x.96)
+        sT    = sT.60
+        z     = z.62
+        z.1   = verify(x.91, <x.90, z.62, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.51),
+                       <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.60, <'TA', IDc.49, r1.57>, pk(x.96))
+        z.4   = true
+        z.5   = cert_id(certC.51)
+    
+    16. IDc   = IDc.49
+        certC = cert(x.89, x.90, z.68)
+        certT = certT.52
+        cip   = cip.53
+        pkT   = pk(x.96)
+        r1    = r1.57
+        r2    = r2.58
+        sC    = sign(<'CA', certT.52, cert(x.89, x.90, z.68), r2.58, cip.53>,
+                     x.96)
+        sT    = sT.60
+        z     = cert_id(certT.52)
+        z.1   = verify(cert_sig(certT.52),
+                       <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.90, <x.89, z.68, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.60, <'TA', IDc.49, r1.57>, pk(x.96))
+        z.4   = true
+        z.5   = z.68
+    
+    17. IDc   = IDc.49
+        certC = cert(x.89, sign(<x.89, z.68, 'chip'>, ca_sk), z.68)
+        certT = cert(x.91, sign(<x.91, z.62, 'terminal'>, ca_sk), z.62)
+        cip   = cip.53
+        pkT   = pk(x.96)
+        r1    = r1.57
+        r2    = r2.58
+        sC    = sign(<'CA', 
+                      cert(x.91, sign(<x.91, z.62, 'terminal'>, ca_sk), z.62), 
+                      cert(x.89, sign(<x.89, z.68, 'chip'>, ca_sk), z.68), r2.58, cip.53>,
+                     x.96)
+        sT    = sT.60
+        z     = z.62
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.60, <'TA', IDc.49, r1.57>, pk(x.96))
+        z.4   = true
+        z.5   = z.68
+    
+    18. IDc   = IDc.50
+        certC = certC.52
+        certT = cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63)
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sC.60
+        sT    = sign(<'TA', IDc.50, r1.58>, x.98)
+        z     = z.63
+        z.1   = true
+        z.2   = verify(cert_sig(certC.52),
+                       <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.60,
+                       <'CA', cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63), 
+                        certC.52, r2.59, cip.54>,
+                       pk(x.98))
+        z.5   = cert_id(certC.52)
+    
+    19. IDc   = IDc.50
+        certC = certC.52
+        certT = cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63)
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sign(<'CA', 
+                      cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63), certC.52, 
+                      r2.59, cip.54>,
+                     x.98)
+        sT    = sign(<'TA', IDc.50, r1.58>, x.98)
+        z     = z.63
+        z.1   = true
+        z.2   = verify(cert_sig(certC.52),
+                       <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.52)
+    
+    20. IDc   = IDc.50
+        certC = cert(x.90, x.91, z.69)
+        certT = cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63)
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sign(<'CA', 
+                      cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63), 
+                      cert(x.90, x.91, z.69), r2.59, cip.54>,
+                     x.98)
+        sT    = sT.61
+        z     = z.63
+        z.1   = true
+        z.2   = verify(x.91, <x.90, z.69, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.61, <'TA', IDc.50, r1.58>, pk(x.98))
+        z.4   = true
+        z.5   = z.69
+    
+    21. IDc   = IDc.50
+        certC = cert(x.90, sign(<x.90, z.69, 'chip'>, ca_sk), z.69)
+        certT = cert(x.92, x.93, z.63)
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sign(<'CA', cert(x.92, x.93, z.63), 
+                      cert(x.90, sign(<x.90, z.69, 'chip'>, ca_sk), z.69), r2.59, cip.54>,
+                     x.98)
+        sT    = sT.61
+        z     = z.63
+        z.1   = verify(x.93, <x.92, z.63, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.61, <'TA', IDc.50, r1.58>, pk(x.98))
+        z.4   = true
+        z.5   = z.69
+    
+    22. IDc   = IDc.50
+        certC = cert(x.92, sign(<x.92, z.69, 'chip'>, ca_sk), z.69)
+        certT = certT.53
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sC.60
+        sT    = sign(<'TA', IDc.50, r1.58>, x.98)
+        z     = cert_id(certT.53)
+        z.1   = verify(cert_sig(certT.53),
+                       <cert_pk(certT.53), cert_id(certT.53), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.60,
+                       <'CA', certT.53, cert(x.92, sign(<x.92, z.69, 'chip'>, ca_sk), z.69), 
+                        r2.59, cip.54>,
+                       pk(x.98))
+        z.5   = z.69
+    
+    23. IDc   = IDc.50
+        certC = cert(x.92, sign(<x.92, z.69, 'chip'>, ca_sk), z.69)
+        certT = certT.53
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sign(<'CA', certT.53, 
+                      cert(x.92, sign(<x.92, z.69, 'chip'>, ca_sk), z.69), r2.59, cip.54>,
+                     x.98)
+        sT    = sign(<'TA', IDc.50, r1.58>, x.98)
+        z     = cert_id(certT.53)
+        z.1   = verify(cert_sig(certT.53),
+                       <cert_pk(certT.53), cert_id(certT.53), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.69
+    
+    24. IDc   = IDc.51
+        certC = certC.53
+        certT = cert(x.94, x.95, z.64)
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sC.61
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = z.64
+        z.1   = verify(x.95, <x.94, z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.53),
+                       <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.61,
+                       <'CA', cert(x.94, x.95, z.64), certC.53, r2.60, cip.55>, pk(x.100))
+        z.5   = cert_id(certC.53)
+    
+    25. IDc   = IDc.51
+        certC = certC.53
+        certT = cert(x.94, x.95, z.64)
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sign(<'CA', cert(x.94, x.95, z.64), certC.53, r2.60, cip.55>,
+                     x.100)
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = z.64
+        z.1   = verify(x.95, <x.94, z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.53),
+                       <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.53)
+    
+    26. IDc   = IDc.51
+        certC = cert(x.91, x.92, z.70)
+        certT = cert(x.94, x.95, z.64)
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sign(<'CA', cert(x.94, x.95, z.64), cert(x.91, x.92, z.70), 
+                      r2.60, cip.55>,
+                     x.100)
+        sT    = sT.62
+        z     = z.64
+        z.1   = verify(x.95, <x.94, z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.92, <x.91, z.70, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.62, <'TA', IDc.51, r1.59>, pk(x.100))
+        z.4   = true
+        z.5   = z.70
+    
+    27. IDc   = IDc.51
+        certC = cert(x.93, x.94, z.70)
+        certT = certT.54
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sC.61
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = cert_id(certT.54)
+        z.1   = verify(cert_sig(certT.54),
+                       <cert_pk(certT.54), cert_id(certT.54), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.94, <x.93, z.70, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.61,
+                       <'CA', certT.54, cert(x.93, x.94, z.70), r2.60, cip.55>, pk(x.100))
+        z.5   = z.70
+    
+    28. IDc   = IDc.51
+        certC = cert(x.93, x.94, z.70)
+        certT = certT.54
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sign(<'CA', certT.54, cert(x.93, x.94, z.70), r2.60, cip.55>,
+                     x.100)
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = cert_id(certT.54)
+        z.1   = verify(cert_sig(certT.54),
+                       <cert_pk(certT.54), cert_id(certT.54), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.94, <x.93, z.70, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.70
+    
+    29. IDc   = IDc.51
+        certC = cert(x.93, sign(<x.93, z.70, 'chip'>, ca_sk), z.70)
+        certT = cert(x.95, sign(<x.95, z.64, 'terminal'>, ca_sk), z.64)
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sC.61
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = z.64
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.61,
+                       <'CA', cert(x.95, sign(<x.95, z.64, 'terminal'>, ca_sk), z.64), 
+                        cert(x.93, sign(<x.93, z.70, 'chip'>, ca_sk), z.70), r2.60, cip.55>,
+                       pk(x.100))
+        z.5   = z.70
+    
+    30. IDc   = IDc.51
+        certC = cert(x.93, sign(<x.93, z.70, 'chip'>, ca_sk), z.70)
+        certT = cert(x.95, sign(<x.95, z.64, 'terminal'>, ca_sk), z.64)
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sign(<'CA', 
+                      cert(x.95, sign(<x.95, z.64, 'terminal'>, ca_sk), z.64), 
+                      cert(x.93, sign(<x.93, z.70, 'chip'>, ca_sk), z.70), r2.60, cip.55>,
+                     x.100)
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = z.64
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.70
+    
+    31. IDc   = IDc.52
+        certC = cert(x.94, x.95, z.71)
+        certT = cert(x.97, sign(<x.97, z.65, 'terminal'>, ca_sk), z.65)
+        cip   = cip.56
+        pkT   = pk(x.102)
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sC.62
+        sT    = sign(<'TA', IDc.52, r1.60>, x.102)
+        z     = z.65
+        z.1   = true
+        z.2   = verify(x.95, <x.94, z.71, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.62,
+                       <'CA', cert(x.97, sign(<x.97, z.65, 'terminal'>, ca_sk), z.65), 
+                        cert(x.94, x.95, z.71), r2.61, cip.56>,
+                       pk(x.102))
+        z.5   = z.71
+    
+    32. IDc   = IDc.52
+        certC = cert(x.94, x.95, z.71)
+        certT = cert(x.97, sign(<x.97, z.65, 'terminal'>, ca_sk), z.65)
+        cip   = cip.56
+        pkT   = pk(x.102)
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sign(<'CA', 
+                      cert(x.97, sign(<x.97, z.65, 'terminal'>, ca_sk), z.65), 
+                      cert(x.94, x.95, z.71), r2.61, cip.56>,
+                     x.102)
+        sT    = sign(<'TA', IDc.52, r1.60>, x.102)
+        z     = z.65
+        z.1   = true
+        z.2   = verify(x.95, <x.94, z.71, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.71
+    
+    33. IDc   = IDc.52
+        certC = cert(x.94, sign(<x.94, z.71, 'chip'>, ca_sk), z.71)
+        certT = cert(x.96, x.97, z.65)
+        cip   = cip.56
+        pkT   = pk(x.102)
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sC.62
+        sT    = sign(<'TA', IDc.52, r1.60>, x.102)
+        z     = z.65
+        z.1   = verify(x.97, <x.96, z.65, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.62,
+                       <'CA', cert(x.96, x.97, z.65), 
+                        cert(x.94, sign(<x.94, z.71, 'chip'>, ca_sk), z.71), r2.61, cip.56>,
+                       pk(x.102))
+        z.5   = z.71
+    
+    34. IDc   = IDc.52
+        certC = cert(x.94, sign(<x.94, z.71, 'chip'>, ca_sk), z.71)
+        certT = cert(x.96, x.97, z.65)
+        cip   = cip.56
+        pkT   = pk(x.102)
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sign(<'CA', cert(x.96, x.97, z.65), 
+                      cert(x.94, sign(<x.94, z.71, 'chip'>, ca_sk), z.71), r2.61, cip.56>,
+                     x.102)
+        sT    = sign(<'TA', IDc.52, r1.60>, x.102)
+        z     = z.65
+        z.1   = verify(x.97, <x.96, z.65, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.71
+    
+    35. IDc   = IDc.53
+        certC = cert(x.95, x.96, z.72)
+        certT = cert(x.98, x.99, z.66)
+        cip   = cip.57
+        pkT   = pk(x.104)
+        r1    = r1.61
+        r2    = r2.62
+        sC    = sC.63
+        sT    = sign(<'TA', IDc.53, r1.61>, x.104)
+        z     = z.66
+        z.1   = verify(x.99, <x.98, z.66, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.96, <x.95, z.72, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.63,
+                       <'CA', cert(x.98, x.99, z.66), cert(x.95, x.96, z.72), r2.62, cip.57>,
+                       pk(x.104))
+        z.5   = z.72
+    
+    36. IDc   = IDc.53
+        certC = cert(x.95, x.96, z.72)
+        certT = cert(x.98, x.99, z.66)
+        cip   = cip.57
+        pkT   = pk(x.104)
+        r1    = r1.61
+        r2    = r2.62
+        sC    = sign(<'CA', cert(x.98, x.99, z.66), cert(x.95, x.96, z.72), 
+                      r2.62, cip.57>,
+                     x.104)
+        sT    = sign(<'TA', IDc.53, r1.61>, x.104)
+        z     = z.66
+        z.1   = verify(x.99, <x.98, z.66, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.96, <x.95, z.72, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.72
+  */
+
+restriction Equality:
+  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
+  // safety formula
+
+lemma session_exist:
+  exists-trace
+  "∃ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+    (#i < #j)"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  #i < #j"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk))>,
+                                 ~ltk.1)
+                       ) @ #vk.5 )
+                  case TA_RESPONSE_T
+                  solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.34 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~r2 ) @ #vk.30 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~id_c ) @ #vk.33 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( ~r1 ) @ #vk.34 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                                 ) @ #vk.20 )
+                            case CA_Sign_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk))>,
+                                            ~k)
+                                   ) @ #vk.24 )
+                              case TA_COMPLETE_C
+                              solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.33 )
+                                case CA_Sign_ltk
+                                solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.21 )
+                                  case TA_RESPONSE_T
+                                  SOLVED // trace found
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma two_session_exist:
+  exists-trace
+  "∃ C T k k2 sid sid2 #i #j #i2 #j2.
+    ((((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+         (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+        (#i < #j)) ∧
+       (Completed( k2, sid2, C, 'chip', T ) @ #i2)) ∧
+      (Completed( k2, sid2, T, 'terminal', C ) @ #j2)) ∧
+     (#i2 < #j2)) ∧
+    (¬(k = k2))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k k2 sid sid2 #i #j #i2 #j2.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j) ∧
+  (Completed( k2, sid2, C, 'chip', T ) @ #i2) ∧
+  (Completed( k2, sid2, T, 'terminal', C ) @ #j2)
+ ∧
+  (#i < #j) ∧ (#i2 < #j2) ∧ (¬(k = k2))"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
+                case TA_COMPLETE_C
+                solve( TAChallengeC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1,
+                                     r2.1
+                       ) ▶₁ #i2 )
+                  case TA_CHALLENGE_C
+                  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
+                    case Generate_chip_key_pair
+                    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
+                      case CA_Sign_ltk
+                      solve( Completed( kdf(<'KEY', 
+                                             cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), 
+                                             ~r2.1, cip>,
+                                            z),
+                                        <cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, 
+                                         cip>,
+                                        $T, 'terminal', $C
+                             ) @ #j2 )
+                        case CA_FINISH_T
+                        solve( CAInitT( <$T, iid.3>, id_c.3,
+                                        cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
+                                        <z, cip>
+                               ) ▶₁ #j2 )
+                          case TA_RESPONSE_T
+                          solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                                        'terminal'
+                                 ) ▶₂ #j2 )
+                            case CA_Sign_ltk
+                            solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
+                              case TA_RESPONSE_T
+                              solve( !KU( sign(<'CA', 
+                                                cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
+                                                     $T), 
+                                                cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                                encaps(~k, pk(~ltk))>,
+                                               ~ltk.1)
+                                     ) @ #vk.5 )
+                                case TA_RESPONSE_T
+                                solve( !KU( sign(<'TA', ~id_c.1, ~r1.1>, ~ltk.1) ) @ #vk.40 )
+                                  case TA_RESPONSE_T
+                                  solve( !KU( sign(<'CA', 
+                                                    cert(pk(~ltk.1),
+                                                         sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                                    cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), 
+                                                    ~r2.1, encaps(~k.1, pk(~skC))>,
+                                                   ~ltk.1)
+                                         ) @ #vk.43 )
+                                    case TA_RESPONSE_T
+                                    solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.54 )
+                                      case CA_Sign_ltk
+                                      solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.60 )
+                                        case CA_Sign_ltk
+                                        solve( !KU( ~r2 ) @ #vk.47 )
+                                          case TA_CHALLENGE_C
+                                          solve( !KU( ~r2.1 ) @ #vk.55 )
+                                            case TA_CHALLENGE_C
+                                            solve( !KU( ~id_c ) @ #vk.56 )
+                                              case TA_CHALLENGE_C
+                                              solve( !KU( ~r1 ) @ #vk.57 )
+                                                case TA_CHALLENGE_C
+                                                solve( !KU( ~id_c.1 ) @ #vk.59 )
+                                                  case TA_CHALLENGE_C
+                                                  solve( !KU( ~r1.1 ) @ #vk.60 )
+                                                    case TA_CHALLENGE_C
+                                                    solve( !KU( cert(pk(~skT),
+                                                                     sign(<pk(~skT), $T, 'terminal'>, ca_sk),
+                                                                     $T)
+                                                           ) @ #vk.39 )
+                                                      case CA_Sign_ltk
+                                                      solve( !KU( kdf(<'CNF', 
+                                                                       cert(pk(~skT),
+                                                                            sign(<pk(~skT), $T, 'terminal'>,
+                                                                                 ca_sk),
+                                                                            $T), 
+                                                                       cert(pk(~ltk),
+                                                                            sign(<pk(~ltk), $C, 'chip'>,
+                                                                                 ca_sk),
+                                                                            $C), 
+                                                                       ~r2, encaps(~k, pk(~ltk))>,
+                                                                      ~k)
+                                                             ) @ #vk.42 )
+                                                        case TA_COMPLETE_C
+                                                        solve( !KU( cert(pk(~ltk),
+                                                                         sign(<pk(~ltk), $C, 'chip'>, ca_sk),
+                                                                         $C)
+                                                               ) @ #vk.52 )
+                                                          case CA_Sign_ltk
+                                                          solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.37 )
+                                                            case TA_RESPONSE_T
+                                                            solve( !KU( cert(pk(~ltk.1),
+                                                                             sign(<pk(~ltk.1), $T, 'terminal'
+                                                                                  >,
+                                                                                  ca_sk),
+                                                                             $T)
+                                                                   ) @ #vk.55 )
+                                                              case CA_Sign_ltk
+                                                              solve( !KU( kdf(<'CNF', 
+                                                                               cert(pk(~ltk.1),
+                                                                                    sign(<pk(~ltk.1), $T, 
+                                                                                          'terminal'>,
+                                                                                         ca_sk),
+                                                                                    $T), 
+                                                                               cert(pk(~skC),
+                                                                                    sign(<pk(~skC), $C, 'chip'
+                                                                                         >,
+                                                                                         ca_sk),
+                                                                                    $C), 
+                                                                               ~r2.1, encaps(~k.1, pk(~skC))>,
+                                                                              ~k.1)
+                                                                     ) @ #vk.56 )
+                                                                case TA_COMPLETE_C
+                                                                solve( !KU( cert(pk(~skC),
+                                                                                 sign(<pk(~skC), $C, 'chip'>,
+                                                                                      ca_sk),
+                                                                                 $C)
+                                                                       ) @ #vk.59 )
+                                                                  case CA_Sign_ltk
+                                                                  solve( !KU( encaps(~k.1, pk(~skC))
+                                                                         ) @ #vk.57 )
+                                                                    case TA_RESPONSE_T
+                                                                    SOLVED // trace found
+                                                                  qed
+                                                                qed
+                                                              qed
+                                                            qed
+                                                          qed
+                                                        qed
+                                                      qed
+                                                    qed
+                                                  qed
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                        ~k)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.18 )
+            case TA_RESPONSE_T
+            solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                   ) @ #vk.13 )
+              case CA_Sign_ltk
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case TA_CHALLENGE_C
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case c_cert
+              solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.25 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.29 )
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              by contradiction /* from formulas */
+            next
+              case split_case_2
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.18 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk))>,
+                                 ~ltk.1)
+                       ) @ #vk.21 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'CNF', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  ~k)
+                         ) @ #vk.4 )
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.40 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ltk ) @ #vk.42 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~ltk.1 ) @ #vk.40 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk.1 ) @ #vk.29 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                        ~k)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.18 )
+            case TA_RESPONSE_T
+            solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                   ) @ #vk.13 )
+              case CA_Sign_ltk
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case TA_CHALLENGE_C
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case c_cert
+              solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.25 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.29 )
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                        ~k)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.18 )
+            case TA_RESPONSE_T
+            solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                   ) @ #vk.13 )
+              case CA_Sign_ltk
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case TA_CHALLENGE_C
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case c_cert
+              solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.25 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.29 )
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C
+      by contradiction /* from formulas */
+    qed
+  qed
+qed
+
+lemma session_uniqueness:
+  all-traces
+  "∀ A B k sid sid2 role #i #j.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧
+     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
+    ((#i = #j) ∧ (sid = sid2))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ A B k sid sid2 role #i #j.
+  (Completed( k, sid, A, role, B ) @ #i) ∧
+  (Completed( k, sid2, A, role, B ) @ #j)
+ ∧
+  ((¬(#i = #j)) ∨ (¬(sid = sid2)))"
+*/
+simplify
+solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
+  case case_1
+  solve( (#i < #j)  ∥ (#j < #i) )
+    case case_1
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                                ~k),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+                   ) ▶₁ #j )
+              case TA_RESPONSE_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                  z),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  next
+    case case_2
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                                ~k),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+                   ) ▶₁ #j )
+              case TA_RESPONSE_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                  z),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case case_2
+  solve( Completed( k, sid, A, role, B ) @ #i )
+    case CA_FINISH_T
+    solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+      case TA_RESPONSE_T
+      solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                               cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                              ~k),
+                          sid2, $T, 'terminal', B
+               ) @ #j )
+          case CA_FINISH_T
+          by contradiction /* from formulas */
+        qed
+      qed
+    qed
+  next
+    case TA_COMPLETE_C
+    solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
+           ) ▶₁ #i )
+      case TA_CHALLENGE_C
+      solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+        case Generate_chip_key_pair
+        solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                z),
+                            sid2, $C, 'chip', B
+                 ) @ #j )
+            case TA_COMPLETE_C
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma consistency:
+  all-traces
+  "∀ C T k k2 sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
+    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k k2 sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k2, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( k2,
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
+                  case TA_RESPONSE_T
+                  solve( !KU( sign(<'CA', 
+                                    cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                    encaps(~k, pk(~ltk))>,
+                                   ~ltk.1)
+                         ) @ #vk.5 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk))>,
+                                    ~k)
+                           ) @ #vk.14 )
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.40 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.42 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    solve( !KU( ~ltk.1 ) @ #vk.40 )
+                      case Corrupt_ltk
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk))>,
+                                      ~k)
+                             ) @ #vk.19 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.43 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.45 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~ltk.1 ) @ #vk.29 )
+                    case Corrupt_ltk
+                    solve( !KU( sign(<'CA', 
+                                      cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                      cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                      encaps(~k, pk(~ltk))>,
+                                     ~ltk.1)
+                           ) @ #vk.6 )
+                      case TA_RESPONSE_T
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk))>,
+                                      ~k)
+                             ) @ #vk.15 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.38 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.40 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    next
+                      case c_sign
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk))>,
+                                      ~k)
+                             ) @ #vk.17 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.40 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.42 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma key_secrecy:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
+    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+     (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.4 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk))>,
+                                 ~ltk.1)
+                       ) @ #vk.6 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'KEY', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  ~k)
+                         ) @ #vk.3 )
+                    case Reveal_session
+                    by contradiction /* from formulas */
+                  next
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.41 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ltk ) @ #vk.43 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~ltk.1 ) @ #vk.41 )
+                    case Corrupt_ltk
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk))>,
+                                    ~k)
+                           ) @ #vk.6 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.44 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.46 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk.1 ) @ #vk.30 )
+                  case Corrupt_ltk
+                  solve( !KU( sign(<'CA', 
+                                    cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                    encaps(~k, pk(~ltk))>,
+                                   ~ltk.1)
+                         ) @ #vk.7 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk))>,
+                                    ~k)
+                           ) @ #vk.5 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.39 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.41 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk))>,
+                                    ~k)
+                           ) @ #vk.5 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.41 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.43 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma chip_hiding:
+  all-traces
+  "∀ C T iid #i.
+    (CompletedTA( C, iid, T ) @ #i) ⇒
+    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T iid #i.
+  (CompletedTA( C, iid, T ) @ #i)
+ ∧
+  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
+*/
+simplify
+solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+       ) ▶₁ #i )
+  case TA_CHALLENGE_C
+  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+    case Generate_chip_key_pair
+    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+      case CA_Sign_ltk
+      solve( splitEqs(0) )
+        case split_case_1
+        solve( !KU( sign(<'TA', ~id_c, ~r1>, x) ) @ #vk.3 )
+          case TA_RESPONSE_T
+          solve( !KU( sign(<'CA', 
+                            cert(pk(~skT), sign(<pk(~skT), T, 'terminal'>, ca_sk), T), 
+                            cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                           ~skT)
+                 ) @ #vk.5 )
+            case TA_RESPONSE_T
+            solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.19 )
+              case CA_Sign_ltk
+              solve( !KU( ~iid ) @ #vk.12 )
+                case TA_CHALLENGE_C
+                solve( !KU( ~id_c ) @ #vk.17 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~r1 ) @ #vk.19 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~r2 ) @ #vk.32 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                             ) @ #vk.19 )
+                        case CA_Sign_ltk
+                        solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                               ) @ #vk.32 )
+                          case CA_Sign_ltk
+                          solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.18 )
+                            case TA_RESPONSE_T
+                            SOLVED // trace found
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_terminal:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( C ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( T, 'chip' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( C, 'chip', T ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( C ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( T, 'chip' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( C, 'chip', T ) @ #i )
+  case Verify_Transcript_C
+  solve( !Ltk( C, skC, 'chip' ) ▶₁ #i )
+    case Generate_chip_key_pair
+    solve( splitEqs(0) )
+      case split_case_2
+      solve( !KU( sign(<'CA', 
+                        cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                        cert(x.1, sign(<x.1, $A, 'chip'>, ca_sk), $A), r2, encaps(z, pk(~ltk))>,
+                       x)
+             ) @ #vk.15 )
+        case c_sign
+        solve( !KU( cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T)
+               ) @ #vk.2 )
+          case CA_Sign_ltk
+          solve( !KU( ~ltk ) @ #vk.21 )
+            case Corrupt_ltk
+            solve( !KU( sign(<'TA', IDc, r1>, ~ltk) ) @ #vk.13 )
+              case c_sign
+              solve( !KU( cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1) ) @ #vk.17 )
+                case CA_Sign_ltk
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $A.1, 'chip'>, ca_sk), $A.1), r2, 
+                                 encaps(z, pk(~ltk.2))>,
+                                z)
+                       ) @ #vk.23 )
+                  case c_kdf
+                  solve( !KU( encaps(z, pk(~ltk.2)) ) @ #vk.24 )
+                    case c_encaps
+                    solve( !KU( pk(~ltk.2) ) @ #vk.29 )
+                      case CA_Sign_ltk
+                      SOLVED // trace found
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_chip:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( T ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( C, 'terminal' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( T, 'terminal', C ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( T ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( C, 'terminal' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( T, 'terminal', C ) @ #i )
+  case Verify_Transcript_T
+  solve( !Pk( T, pk(x.1), 'terminal' ) ▶₂ #i )
+    case Generate_terminal_key_pair
+    solve( !KU( sign(<'TA', IDc, r1>, ~ltk) ) @ #vk.7 )
+      case TA_RESPONSE_T
+      by contradiction /* from formulas */
+    next
+      case c_sign
+      solve( !KU( ~ltk ) @ #vk.20 )
+        case Corrupt_ltk
+        by contradiction /* from formulas */
+      qed
+    qed
+  qed
+qed
+
+lemma pfs:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+       (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+      (¬(∃ #m. (Corrupted( C ) @ #m) ∧ (#m < #j)))) ∧
+     (¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j)))) ⇒
+    ((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.4 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk))>,
+                                 ~ltk.1)
+                       ) @ #vk.6 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'KEY', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  ~k)
+                         ) @ #vk.3 )
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.41 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ltk ) @ #vk.43 )
+                        case Corrupt_ltk
+                        solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.41 )
+                          case CA_Sign_ltk
+                          solve( !KU( ~r2 ) @ #vk.38 )
+                            case TA_CHALLENGE_C
+                            solve( !KU( ~id_c ) @ #vk.40 )
+                              case TA_CHALLENGE_C
+                              solve( !KU( ~r1 ) @ #vk.41 )
+                                case TA_CHALLENGE_C
+                                solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                                       ) @ #vk.27 )
+                                  case CA_Sign_ltk
+                                  solve( !KU( kdf(<'CNF', 
+                                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk),
+                                                        $T), 
+                                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                   ~r2, encaps(~k, pk(~ltk))>,
+                                                  ~k)
+                                         ) @ #vk.31 )
+                                    case TA_COMPLETE_C
+                                    solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                                           ) @ #vk.40 )
+                                      case CA_Sign_ltk
+                                      solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.28 )
+                                        case TA_RESPONSE_T
+                                        SOLVED // trace found
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+/* All wellformedness checks were successful. */
+
+/*
+Generated from:
+Tamarin version 1.8.0
+Maude version 3.3.1
+Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
+Compiled at: 2024-01-16 15:38:46.116852601 UTC
+*/
+
+end
+
+==============================================================================
+summary of summaries:
+
+analyzed: tmp.spthy
+
+  processing time: 754.39s
+  
+  session_exist (exists-trace): verified (19 steps)
+  two_session_exist (exists-trace): verified (36 steps)
+  weak_agreement_C (all-traces): verified (8 steps)
+  weak_agreement_T (all-traces): verified (19 steps)
+  agreement_C (all-traces): verified (19 steps)
+  agreement_T (all-traces): verified (19 steps)
+  aliveness (all-traces): verified (20 steps)
+  session_uniqueness (all-traces): verified (37 steps)
+  consistency (all-traces): verified (31 steps)
+  key_secrecy (all-traces): verified (33 steps)
+  chip_hiding (all-traces): falsified - found trace (16 steps)
+  nonRepudiation_terminal (exists-trace): verified (13 steps)
+  nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps)
+  pfs (all-traces): falsified - found trace (22 steps)
+
+==============================================================================
diff --git a/results/45991792.err.ALL_FastSigPQEAC_TAMARIN b/results/45991792.err.ALL_FastSigPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..e8b69d9cbe3f08bce37f20bdff07736861fc19fc
--- /dev/null
+++ b/results/45991792.err.ALL_FastSigPQEAC_TAMARIN
@@ -0,0 +1,28 @@
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+WARNING: you should run this program as super-user.
+WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
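Review bot: The two WARNING lines that close this stderr capture do not look like Tamarin output; the wording matches what a hardware-inventory tool such as lshw prints when it runs without root, so a wrapper step of the job (not visible in this diff) appears to share the stream with the prover's progress messages. Running the batch job as super-user is the wrong way to silence them, because the proof run itself needs no elevated rights. A better fix is to send that step's stderr to its own file and to record next to the results something like `Hardware summary collected without root; some fields may be missing.` The same two lines are also added to results/45991167.err.ALL_CLASSIC_EAC_TAMARIN earlier in this commit.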
diff --git a/results/45991792.out.ALL_FastSigPQEAC_TAMARIN b/results/45991792.out.ALL_FastSigPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..6571991f96ef0a51397af234fd23e51c413ad472
--- /dev/null
+++ b/results/45991792.out.ALL_FastSigPQEAC_TAMARIN
@@ -0,0 +1,3694 @@
+maude tool: 'maude'
+ checking version: 3.3.1. OK.
+ checking installation: OK.
+theory FastSigPQEAC begin
+
+// Function signature and definition of the equational theory E
+
+functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
+           cert_sig/1, decaps/2, encaps/2, fst/1, kdf/2, pair/2, pk/1, sign/2,
+           snd/1, true/0, verify/3
+equations:
+    cert_id(cert(pk, s, id)) = id,
+    cert_pk(cert(pk, s, id)) = pk,
+    cert_sig(cert(pk, s, id)) = s,
+    decaps(encaps(k, pk(sk)), sk) = k,
+    fst(<x.1, x.2>) = x.1,
+    snd(<x.1, x.2>) = x.2,
+    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
+
+
+
+
+
+
+
+macros:
+    verify_cert( cert,
+                 role ) = verify(cert_sig(cert),pair(cert_pk(cert),pair(cert_id(cert),role)),pk(ca_sk))
+
+rule (modulo E) Publish_ca_pk:
+   [ ] --> [ Out( pk(ca_sk) ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_chip_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [ !Pk( $A, pk(~ltk), 'chip' ), !Ltk( $A, ~ltk, 'chip' ), Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_terminal_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [
+   !Pk( $A, pk(~ltk), 'terminal' ), !Ltk( $A, ~ltk, 'terminal' ),
+   Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_Sign_ltk:
+   [ !Pk( A, pk, role ) ]
+  --[ RegisteredRole( A, role ) ]->
+   [
+   !Cert( A, cert(pk, sign(<pk, A, role>, ca_sk), A), role ),
+   Out( cert(pk, sign(<pk, A, role>, ca_sk), A) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Corrupt_ltk:
+   [ !Ltk( $A, ltk, role ) ] --[ Corrupted( $A ) ]-> [ Out( <ltk, role> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Reveal_session:
+   [ !SessionReveal( sid, k ) ] --[ Revealed( sid ) ]-> [ Out( k ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_INIT_T:
+   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+  --[ Started( ) ]->
+   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_CHALLENGE_C:
+   [
+   In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ),
+   !Cert( $C, certC, 'chip' )
+   ]
+  --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
+   [
+   Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), Out( ~iid ),
+   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2 )
+   ]
+
+  /*
+  rule (modulo AC) TA_CHALLENGE_C:
+     [
+     In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ),
+     !Cert( $C, certC, 'chip' )
+     ]
+    --[ Eq( z, true ), Started( ) ]->
+     [
+     Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), Out( ~iid ),
+     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2 )
+     ]
+    variants (modulo AC)
+    1. certT = certT.15
+       z     = verify(cert_sig(certT.15),
+                      <cert_pk(certT.15), cert_id(certT.15), 'terminal'>, pk(ca_sk))
+    
+    2. certT = cert(x.16, sign(<x.16, x.17, 'terminal'>, ca_sk), x.17)
+       z     = true
+    
+    3. certT = cert(x.17, x.18, x.19)
+       z     = verify(x.18, <x.17, x.19, 'terminal'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_RESPONSE_T:
+   [
+   In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( <$T, iid> ),
+   !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k )
+   ]
+  --[ Eq( verify_cert(certC, 'chip'), true ) ]->
+   [
+   Out( <encaps(~k, cert_pk(certC)), sign(<'TA', id_c, r1>, ~skT), 
+         sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC))>, ~skT), '3', 
+         't'>
+   ),
+   CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> )
+   ]
+
+  /*
+  rule (modulo AC) TA_RESPONSE_T:
+     [
+     In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( <$T, iid> ),
+     !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k )
+     ]
+    --[ Eq( z.1, true ) ]->
+     [
+     Out( <encaps(~k, z), sign(<'TA', id_c, r1>, ~skT), 
+           sign(<'CA', certT, certC, r2, encaps(~k, z)>, ~skT), '3', 't'>
+     ),
+     CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)> )
+     ]
+    variants (modulo AC)
+    1. certC = certC.20
+       z     = cert_pk(certC.20)
+       z.1   = verify(cert_sig(certC.20),
+                      <cert_pk(certC.20), cert_id(certC.20), 'chip'>, pk(ca_sk))
+    
+    2. certC = cert(z.57, sign(<z.57, x.100, 'chip'>, ca_sk), x.100)
+       z     = z.57
+       z.1   = true
+    
+    3. certC = cert(z.58, x.101, x.102)
+       z     = z.58
+       z.1   = verify(x.101, <z.58, x.102, 'chip'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_COMPLETE_C:
+   [
+   In( <cip, s1, s2, '3', 't'> ),
+   TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ),
+   !Cert( $C, certC, 'chip' )
+   ]
+  --[
+  Eq( verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true ),
+  Eq( verify(s2, <'CA', certT, certC, r2, cip>, cert_pk(certT)), true ),
+  CompletedTA( $C, iid, cert_id(certT) ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)),
+             <certT, certC, r2, cip>, $C, 'chip', cert_id(certT)
+  )
+  ]->
+   [
+   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'>
+   ),
+   TACompleteC( <$C, iid>, certT, id_c, r1, r2 )
+   ]
+
+  /*
+  rule (modulo AC) TA_COMPLETE_C:
+     [
+     In( <cip, s1, s2, '3', 't'> ),
+     TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ),
+     !Cert( $C, certC, 'chip' )
+     ]
+    --[
+    Eq( z.1, true ), Eq( z.2, true ), CompletedTA( $C, iid, z.3 ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip>, z),
+               <certT, certC, r2, cip>, $C, 'chip', z.3
+    )
+    ]->
+     [
+     Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ),
+     TACompleteC( <$C, iid>, certT, id_c, r1, r2 )
+     ]
+    variants (modulo AC)
+     1. ~skC  = ~skC.32
+        certC = certC.33
+        certT = certT.34
+        cip   = cip.35
+        id_c  = id_c.36
+        r1    = r1.38
+        r2    = r2.39
+        s1    = s1.40
+        s2    = s2.41
+        z     = decaps(cip.35, ~skC.32)
+        z.1   = verify(s1.40, <'TA', id_c.36, r1.38>, cert_pk(certT.34))
+        z.2   = verify(s2.41, <'CA', certT.34, certC.33, r2.39, cip.35>,
+                       cert_pk(certT.34))
+        z.3   = cert_id(certT.34)
+    
+     2. ~skC  = ~skC.37
+        certC = certC.38
+        certT = certT.39
+        cip   = encaps(z.51, pk(~skC.37))
+        id_c  = id_c.41
+        r1    = r1.43
+        r2    = r2.44
+        s1    = s1.45
+        s2    = s2.46
+        z     = z.51
+        z.1   = verify(s1.45, <'TA', id_c.41, r1.43>, cert_pk(certT.39))
+        z.2   = verify(s2.46,
+                       <'CA', certT.39, certC.38, r2.44, encaps(z.51, pk(~skC.37))>,
+                       cert_pk(certT.39))
+        z.3   = cert_id(certT.39)
+    
+     3. ~skC  = ~skC.150
+        certC = certC.151
+        certT = cert(x.296, x.297, z.169)
+        cip   = cip.153
+        id_c  = id_c.154
+        r1    = r1.156
+        r2    = r2.157
+        s1    = s1.158
+        s2    = s2.159
+        z     = decaps(cip.153, ~skC.150)
+        z.1   = verify(s1.158, <'TA', id_c.154, r1.156>, x.296)
+        z.2   = verify(s2.159,
+                       <'CA', cert(x.296, x.297, z.169), certC.151, r2.157, cip.153>, x.296)
+        z.3   = z.169
+    
+     4. ~skC  = ~skC.150
+        certC = certC.151
+        certT = cert(pk(x.296), x.297, z.169)
+        cip   = cip.153
+        id_c  = id_c.154
+        r1    = r1.156
+        r2    = r2.157
+        s1    = sign(<'TA', id_c.154, r1.156>, x.296)
+        s2    = s2.159
+        z     = decaps(cip.153, ~skC.150)
+        z.1   = true
+        z.2   = verify(s2.159,
+                       <'CA', cert(pk(x.296), x.297, z.169), certC.151, r2.157, cip.153>,
+                       pk(x.296))
+        z.3   = z.169
+    
+     5. ~skC  = ~skC.151
+        certC = certC.152
+        certT = cert(pk(x.298), x.299, z.170)
+        cip   = cip.154
+        id_c  = id_c.155
+        r1    = r1.157
+        r2    = r2.158
+        s1    = s1.159
+        s2    = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158, 
+                      cip.154>,
+                     x.298)
+        z     = decaps(cip.154, ~skC.151)
+        z.1   = verify(s1.159, <'TA', id_c.155, r1.157>, pk(x.298))
+        z.2   = true
+        z.3   = z.170
+    
+     6. ~skC  = ~skC.151
+        certC = certC.152
+        certT = cert(pk(x.298), x.299, z.170)
+        cip   = cip.154
+        id_c  = id_c.155
+        r1    = r1.157
+        r2    = r2.158
+        s1    = sign(<'TA', id_c.155, r1.157>, x.298)
+        s2    = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158, 
+                      cip.154>,
+                     x.298)
+        z     = decaps(cip.154, ~skC.151)
+        z.1   = true
+        z.2   = true
+        z.3   = z.170
+    
+     7. ~skC  = ~skC.152
+        certC = certC.153
+        certT = cert(x.300, x.301, z.171)
+        cip   = encaps(z.166, pk(~skC.152))
+        id_c  = id_c.156
+        r1    = r1.158
+        r2    = r2.159
+        s1    = s1.160
+        s2    = s2.161
+        z     = z.166
+        z.1   = verify(s1.160, <'TA', id_c.156, r1.158>, x.300)
+        z.2   = verify(s2.161,
+                       <'CA', cert(x.300, x.301, z.171), certC.153, r2.159, 
+                        encaps(z.166, pk(~skC.152))>,
+                       x.300)
+        z.3   = z.171
+    
+     8. ~skC  = ~skC.152
+        certC = certC.153
+        certT = cert(pk(x.300), x.301, z.171)
+        cip   = encaps(z.166, pk(~skC.152))
+        id_c  = id_c.156
+        r1    = r1.158
+        r2    = r2.159
+        s1    = s1.160
+        s2    = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, 
+                      encaps(z.166, pk(~skC.152))>,
+                     x.300)
+        z     = z.166
+        z.1   = verify(s1.160, <'TA', id_c.156, r1.158>, pk(x.300))
+        z.2   = true
+        z.3   = z.171
+    
+     9. ~skC  = ~skC.152
+        certC = certC.153
+        certT = cert(pk(x.300), x.301, z.171)
+        cip   = encaps(z.166, pk(~skC.152))
+        id_c  = id_c.156
+        r1    = r1.158
+        r2    = r2.159
+        s1    = sign(<'TA', id_c.156, r1.158>, x.300)
+        s2    = s2.161
+        z     = z.166
+        z.1   = true
+        z.2   = verify(s2.161,
+                       <'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, 
+                        encaps(z.166, pk(~skC.152))>,
+                       pk(x.300))
+        z.3   = z.171
+    
+    10. ~skC  = ~skC.152
+        certC = certC.153
+        certT = cert(pk(x.300), x.301, z.171)
+        cip   = encaps(z.166, pk(~skC.152))
+        id_c  = id_c.156
+        r1    = r1.158
+        r2    = r2.159
+        s1    = sign(<'TA', id_c.156, r1.158>, x.300)
+        s2    = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, 
+                      encaps(z.166, pk(~skC.152))>,
+                     x.300)
+        z     = z.166
+        z.1   = true
+        z.2   = true
+        z.3   = z.171
+  */
+
+rule (modulo E) CA_FINISH_T:
+   [
+   In( <kCNF_C, '4', 'c'> ),
+   CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+   !Cert( $T, certT, 'terminal' )
+   ]
+  --[
+  Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_C ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
+             <certT, certC, r2, cip>, $T, 'terminal', cert_id(certC)
+  ),
+  Finished( <certT, certC, r2, cip> )
+  ]->
+   [
+   CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
+   !SessionReveal( <certT, certC, r2, cip>,
+                   kdf(<'KEY', certT, certC, r2, cip>, k)
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_T:
+     [
+     In( <kCNF_C, '4', 'c'> ),
+     CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+     !Cert( $T, certT, 'terminal' )
+     ]
+    --[
+    Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_C ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
+               <certT, certC, r2, cip>, $T, 'terminal', z
+    ),
+    Finished( <certT, certC, r2, cip> )
+    ]->
+     [
+     CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
+     !SessionReveal( <certT, certC, r2, cip>,
+                     kdf(<'KEY', certT, certC, r2, cip>, k)
+     )
+     ]
+    variants (modulo AC)
+    1. certC = certC.15
+       z     = cert_id(certC.15)
+    
+    2. certC = cert(x.41, x.42, z.28)
+       z     = z.28
+  */
+
+rule (modulo E) Verify_Transcript_C:
+   [
+   In( <certT, IDc, r1, sT, certC, r2, cip, sC, kCNF> ),
+   !Ltk( C, skC, 'chip' )
+   ]
+  --[
+  Eq( C, cert_id(certC) ), Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( verify_cert(certC, 'chip'), true ),
+  Eq( verify(sT, <'TA', IDc, r1>, cert_pk(certT)), true ),
+  Eq( verify(sC, <'CA', certT, certC, r2, cip>, cert_pk(certT)), true ),
+  Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, skC)) ),
+  ValidTrans( C, 'chip', cert_id(certT) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_C:
+     [
+     In( <certT, IDc, r1, sT, certC, r2, cip, sC, kCNF> ),
+     !Ltk( C, skC, 'chip' )
+     ]
+    --[
+    Eq( C, z ), Eq( z.1, true ), Eq( z.2, true ), Eq( z.3, true ),
+    Eq( z.4, true ), Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip>, z.5) ),
+    ValidTrans( C, 'chip', z.6 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. IDc   = IDc.31
+        certC = certC.32
+        certT = certT.33
+        cip   = cip.34
+        r1    = r1.36
+        r2    = r2.37
+        sC    = sC.38
+        sT    = sT.39
+        skC   = skC.40
+        z     = cert_id(certC.32)
+        z.1   = verify(cert_sig(certT.33),
+                       <cert_pk(certT.33), cert_id(certT.33), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.32),
+                       <cert_pk(certC.32), cert_id(certC.32), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.39, <'TA', IDc.31, r1.36>, cert_pk(certT.33))
+        z.4   = verify(sC.38, <'CA', certT.33, certC.32, r2.37, cip.34>,
+                       cert_pk(certT.33))
+        z.5   = decaps(cip.34, skC.40)
+        z.6   = cert_id(certT.33)
+    
+     2. IDc   = IDc.39
+        certC = certC.40
+        certT = certT.41
+        cip   = encaps(z.56, pk(skC.48))
+        r1    = r1.44
+        r2    = r2.45
+        sC    = sC.46
+        sT    = sT.47
+        skC   = skC.48
+        z     = cert_id(certC.40)
+        z.1   = verify(cert_sig(certT.41),
+                       <cert_pk(certT.41), cert_id(certT.41), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.40),
+                       <cert_pk(certC.40), cert_id(certC.40), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.47, <'TA', IDc.39, r1.44>, cert_pk(certT.41))
+        z.4   = verify(sC.46,
+                       <'CA', certT.41, certC.40, r2.45, encaps(z.56, pk(skC.48))>,
+                       cert_pk(certT.41))
+        z.5   = z.56
+        z.6   = cert_id(certT.41)
+    
+     3. IDc   = IDc.41
+        certC = certC.42
+        certT = cert(x.79, sign(<x.79, z.59, 'terminal'>, ca_sk), z.59)
+        cip   = cip.44
+        r1    = r1.46
+        r2    = r2.47
+        sC    = sC.48
+        sT    = sT.49
+        skC   = skC.50
+        z     = cert_id(certC.42)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.42),
+                       <cert_pk(certC.42), cert_id(certC.42), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.49, <'TA', IDc.41, r1.46>, x.79)
+        z.4   = verify(sC.48,
+                       <'CA', cert(x.79, sign(<x.79, z.59, 'terminal'>, ca_sk), z.59), 
+                        certC.42, r2.47, cip.44>,
+                       x.79)
+        z.5   = decaps(cip.44, skC.50)
+        z.6   = z.59
+    
+     4. IDc   = IDc.41
+        certC = certC.42
+        certT = cert(x.79, sign(<x.79, z.59, 'terminal'>, ca_sk), z.59)
+        cip   = encaps(z.58, pk(skC.50))
+        r1    = r1.46
+        r2    = r2.47
+        sC    = sC.48
+        sT    = sT.49
+        skC   = skC.50
+        z     = cert_id(certC.42)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.42),
+                       <cert_pk(certC.42), cert_id(certC.42), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.49, <'TA', IDc.41, r1.46>, x.79)
+        z.4   = verify(sC.48,
+                       <'CA', cert(x.79, sign(<x.79, z.59, 'terminal'>, ca_sk), z.59), 
+                        certC.42, r2.47, encaps(z.58, pk(skC.50))>,
+                       x.79)
+        z.5   = z.58
+        z.6   = z.59
+    
+     5. IDc   = IDc.41
+        certC = cert(x.79, sign(<x.79, z.52, 'chip'>, ca_sk), z.52)
+        certT = certT.43
+        cip   = cip.44
+        r1    = r1.46
+        r2    = r2.47
+        sC    = sC.48
+        sT    = sT.49
+        skC   = skC.50
+        z     = z.52
+        z.1   = verify(cert_sig(certT.43),
+                       <cert_pk(certT.43), cert_id(certT.43), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.49, <'TA', IDc.41, r1.46>, cert_pk(certT.43))
+        z.4   = verify(sC.48,
+                       <'CA', certT.43, cert(x.79, sign(<x.79, z.52, 'chip'>, ca_sk), z.52), 
+                        r2.47, cip.44>,
+                       cert_pk(certT.43))
+        z.5   = decaps(cip.44, skC.50)
+        z.6   = cert_id(certT.43)
+    
+     6. IDc   = IDc.41
+        certC = cert(x.79, sign(<x.79, z.52, 'chip'>, ca_sk), z.52)
+        certT = certT.43
+        cip   = encaps(z.58, pk(skC.50))
+        r1    = r1.46
+        r2    = r2.47
+        sC    = sC.48
+        sT    = sT.49
+        skC   = skC.50
+        z     = z.52
+        z.1   = verify(cert_sig(certT.43),
+                       <cert_pk(certT.43), cert_id(certT.43), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.49, <'TA', IDc.41, r1.46>, cert_pk(certT.43))
+        z.4   = verify(sC.48,
+                       <'CA', certT.43, cert(x.79, sign(<x.79, z.52, 'chip'>, ca_sk), z.52), 
+                        r2.47, encaps(z.58, pk(skC.50))>,
+                       cert_pk(certT.43))
+        z.5   = z.58
+        z.6   = cert_id(certT.43)
+    
+     7. IDc   = IDc.42
+        certC = certC.43
+        certT = cert(x.80, x.81, z.60)
+        cip   = cip.45
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sC.49
+        sT    = sT.50
+        skC   = skC.51
+        z     = cert_id(certC.43)
+        z.1   = verify(x.81, <x.80, z.60, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.43),
+                       <cert_pk(certC.43), cert_id(certC.43), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, x.80)
+        z.4   = verify(sC.49,
+                       <'CA', cert(x.80, x.81, z.60), certC.43, r2.48, cip.45>, x.80)
+        z.5   = decaps(cip.45, skC.51)
+        z.6   = z.60
+    
+     8. IDc   = IDc.42
+        certC = certC.43
+        certT = cert(x.80, x.81, z.60)
+        cip   = encaps(z.59, pk(skC.51))
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sC.49
+        sT    = sT.50
+        skC   = skC.51
+        z     = cert_id(certC.43)
+        z.1   = verify(x.81, <x.80, z.60, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.43),
+                       <cert_pk(certC.43), cert_id(certC.43), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, x.80)
+        z.4   = verify(sC.49,
+                       <'CA', cert(x.80, x.81, z.60), certC.43, r2.48, encaps(z.59, pk(skC.51))
+                       >,
+                       x.80)
+        z.5   = z.59
+        z.6   = z.60
+    
+     9. IDc   = IDc.42
+        certC = certC.43
+        certT = cert(pk(x.81), sign(<pk(x.81), z.60, 'terminal'>, ca_sk), z.60)
+        cip   = cip.45
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sign(<'CA', 
+                      cert(pk(x.81), sign(<pk(x.81), z.60, 'terminal'>, ca_sk), z.60), 
+                      certC.43, r2.48, cip.45>,
+                     x.81)
+        sT    = sT.50
+        skC   = skC.51
+        z     = cert_id(certC.43)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.43),
+                       <cert_pk(certC.43), cert_id(certC.43), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, pk(x.81))
+        z.4   = true
+        z.5   = decaps(cip.45, skC.51)
+        z.6   = z.60
+    
+    10. IDc   = IDc.42
+        certC = certC.43
+        certT = cert(pk(x.81), sign(<pk(x.81), z.60, 'terminal'>, ca_sk), z.60)
+        cip   = encaps(z.59, pk(skC.51))
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sign(<'CA', 
+                      cert(pk(x.81), sign(<pk(x.81), z.60, 'terminal'>, ca_sk), z.60), 
+                      certC.43, r2.48, encaps(z.59, pk(skC.51))>,
+                     x.81)
+        sT    = sT.50
+        skC   = skC.51
+        z     = cert_id(certC.43)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.43),
+                       <cert_pk(certC.43), cert_id(certC.43), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, pk(x.81))
+        z.4   = true
+        z.5   = z.59
+        z.6   = z.60
+    
+    11. IDc   = IDc.42
+        certC = cert(x.80, x.81, z.53)
+        certT = certT.44
+        cip   = cip.45
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sC.49
+        sT    = sT.50
+        skC   = skC.51
+        z     = z.53
+        z.1   = verify(cert_sig(certT.44),
+                       <cert_pk(certT.44), cert_id(certT.44), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.81, <x.80, z.53, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, cert_pk(certT.44))
+        z.4   = verify(sC.49,
+                       <'CA', certT.44, cert(x.80, x.81, z.53), r2.48, cip.45>,
+                       cert_pk(certT.44))
+        z.5   = decaps(cip.45, skC.51)
+        z.6   = cert_id(certT.44)
+    
+    12. IDc   = IDc.42
+        certC = cert(x.80, x.81, z.53)
+        certT = certT.44
+        cip   = encaps(z.59, pk(skC.51))
+        r1    = r1.47
+        r2    = r2.48
+        sC    = sC.49
+        sT    = sT.50
+        skC   = skC.51
+        z     = z.53
+        z.1   = verify(cert_sig(certT.44),
+                       <cert_pk(certT.44), cert_id(certT.44), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.81, <x.80, z.53, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.50, <'TA', IDc.42, r1.47>, cert_pk(certT.44))
+        z.4   = verify(sC.49,
+                       <'CA', certT.44, cert(x.80, x.81, z.53), r2.48, encaps(z.59, pk(skC.51))
+                       >,
+                       cert_pk(certT.44))
+        z.5   = z.59
+        z.6   = cert_id(certT.44)
+    
+    13. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.82), x.83, z.61)
+        cip   = cip.46
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', cert(pk(x.82), x.83, z.61), certC.44, r2.49, cip.46>,
+                     x.82)
+        sT    = sT.51
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = verify(x.83, <pk(x.82), z.61, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, pk(x.82))
+        z.4   = true
+        z.5   = decaps(cip.46, skC.52)
+        z.6   = z.61
+    
+    14. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.82), x.83, z.61)
+        cip   = encaps(z.60, pk(skC.52))
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', cert(pk(x.82), x.83, z.61), certC.44, r2.49, 
+                      encaps(z.60, pk(skC.52))>,
+                     x.82)
+        sT    = sT.51
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = verify(x.83, <pk(x.82), z.61, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, pk(x.82))
+        z.4   = true
+        z.5   = z.60
+        z.6   = z.61
+    
+    15. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = cip.46
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sC.50
+        sT    = sign(<'TA', IDc.43, r1.48>, x.83)
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.50,
+                       <'CA', cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                        certC.44, r2.49, cip.46>,
+                       pk(x.83))
+        z.5   = decaps(cip.46, skC.52)
+        z.6   = z.61
+    
+    16. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = cip.46
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', 
+                      cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                      certC.44, r2.49, cip.46>,
+                     x.83)
+        sT    = sign(<'TA', IDc.43, r1.48>, x.83)
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.46, skC.52)
+        z.6   = z.61
+    
+    17. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = encaps(z.60, pk(skC.52))
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sC.50
+        sT    = sign(<'TA', IDc.43, r1.48>, x.83)
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.50,
+                       <'CA', cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                        certC.44, r2.49, encaps(z.60, pk(skC.52))>,
+                       pk(x.83))
+        z.5   = z.60
+        z.6   = z.61
+    
+    18. IDc   = IDc.43
+        certC = certC.44
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = encaps(z.60, pk(skC.52))
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', 
+                      cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                      certC.44, r2.49, encaps(z.60, pk(skC.52))>,
+                     x.83)
+        sT    = sign(<'TA', IDc.43, r1.48>, x.83)
+        skC   = skC.52
+        z     = cert_id(certC.44)
+        z.1   = true
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.60
+        z.6   = z.61
+    
+    19. IDc   = IDc.43
+        certC = cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54)
+        certT = cert(x.83, sign(<x.83, z.61, 'terminal'>, ca_sk), z.61)
+        cip   = cip.46
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sC.50
+        sT    = sT.51
+        skC   = skC.52
+        z     = z.54
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, x.83)
+        z.4   = verify(sC.50,
+                       <'CA', cert(x.83, sign(<x.83, z.61, 'terminal'>, ca_sk), z.61), 
+                        cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54), r2.49, cip.46>,
+                       x.83)
+        z.5   = decaps(cip.46, skC.52)
+        z.6   = z.61
+    
+    20. IDc   = IDc.43
+        certC = cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54)
+        certT = cert(x.83, sign(<x.83, z.61, 'terminal'>, ca_sk), z.61)
+        cip   = encaps(z.60, pk(skC.52))
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sC.50
+        sT    = sT.51
+        skC   = skC.52
+        z     = z.54
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, x.83)
+        z.4   = verify(sC.50,
+                       <'CA', cert(x.83, sign(<x.83, z.61, 'terminal'>, ca_sk), z.61), 
+                        cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54), r2.49, 
+                        encaps(z.60, pk(skC.52))>,
+                       x.83)
+        z.5   = z.60
+        z.6   = z.61
+    
+    21. IDc   = IDc.43
+        certC = cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54)
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = cip.46
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', 
+                      cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                      cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54), r2.49, cip.46>,
+                     x.83)
+        sT    = sT.51
+        skC   = skC.52
+        z     = z.54
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, pk(x.83))
+        z.4   = true
+        z.5   = decaps(cip.46, skC.52)
+        z.6   = z.61
+    
+    22. IDc   = IDc.43
+        certC = cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54)
+        certT = cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61)
+        cip   = encaps(z.60, pk(skC.52))
+        r1    = r1.48
+        r2    = r2.49
+        sC    = sign(<'CA', 
+                      cert(pk(x.83), sign(<pk(x.83), z.61, 'terminal'>, ca_sk), z.61), 
+                      cert(x.81, sign(<x.81, z.54, 'chip'>, ca_sk), z.54), r2.49, 
+                      encaps(z.60, pk(skC.52))>,
+                     x.83)
+        sT    = sT.51
+        skC   = skC.52
+        z     = z.54
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.51, <'TA', IDc.43, r1.48>, pk(x.83))
+        z.4   = true
+        z.5   = z.60
+        z.6   = z.61
+    
+    23. IDc   = IDc.44
+        certC = certC.45
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sign(<'TA', IDc.44, r1.49>, x.84)
+        skC   = skC.53
+        z     = cert_id(certC.45)
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.45),
+                       <cert_pk(certC.45), cert_id(certC.45), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.51,
+                       <'CA', cert(pk(x.84), x.85, z.62), certC.45, r2.50, cip.47>, pk(x.84))
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    24. IDc   = IDc.44
+        certC = certC.45
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', cert(pk(x.84), x.85, z.62), certC.45, r2.50, cip.47>,
+                     x.84)
+        sT    = sign(<'TA', IDc.44, r1.49>, x.84)
+        skC   = skC.53
+        z     = cert_id(certC.45)
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.45),
+                       <cert_pk(certC.45), cert_id(certC.45), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    25. IDc   = IDc.44
+        certC = certC.45
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sign(<'TA', IDc.44, r1.49>, x.84)
+        skC   = skC.53
+        z     = cert_id(certC.45)
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.45),
+                       <cert_pk(certC.45), cert_id(certC.45), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.51,
+                       <'CA', cert(pk(x.84), x.85, z.62), certC.45, r2.50, 
+                        encaps(z.61, pk(skC.53))>,
+                       pk(x.84))
+        z.5   = z.61
+        z.6   = z.62
+    
+    26. IDc   = IDc.44
+        certC = certC.45
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', cert(pk(x.84), x.85, z.62), certC.45, r2.50, 
+                      encaps(z.61, pk(skC.53))>,
+                     x.84)
+        sT    = sign(<'TA', IDc.44, r1.49>, x.84)
+        skC   = skC.53
+        z     = cert_id(certC.45)
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.45),
+                       <cert_pk(certC.45), cert_id(certC.45), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.61
+        z.6   = z.62
+    
+    27. IDc   = IDc.44
+        certC = cert(x.82, x.83, z.55)
+        certT = cert(x.85, sign(<x.85, z.62, 'terminal'>, ca_sk), z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = verify(x.83, <x.82, z.55, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, x.85)
+        z.4   = verify(sC.51,
+                       <'CA', cert(x.85, sign(<x.85, z.62, 'terminal'>, ca_sk), z.62), 
+                        cert(x.82, x.83, z.55), r2.50, cip.47>,
+                       x.85)
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    28. IDc   = IDc.44
+        certC = cert(x.82, x.83, z.55)
+        certT = cert(x.85, sign(<x.85, z.62, 'terminal'>, ca_sk), z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = verify(x.83, <x.82, z.55, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, x.85)
+        z.4   = verify(sC.51,
+                       <'CA', cert(x.85, sign(<x.85, z.62, 'terminal'>, ca_sk), z.62), 
+                        cert(x.82, x.83, z.55), r2.50, encaps(z.61, pk(skC.53))>,
+                       x.85)
+        z.5   = z.61
+        z.6   = z.62
+    
+    29. IDc   = IDc.44
+        certC = cert(x.82, x.83, z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', 
+                      cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                      cert(x.82, x.83, z.55), r2.50, cip.47>,
+                     x.85)
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = verify(x.83, <x.82, z.55, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, pk(x.85))
+        z.4   = true
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    30. IDc   = IDc.44
+        certC = cert(x.82, x.83, z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', 
+                      cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                      cert(x.82, x.83, z.55), r2.50, encaps(z.61, pk(skC.53))>,
+                     x.85)
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = verify(x.83, <x.82, z.55, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, pk(x.85))
+        z.4   = true
+        z.5   = z.61
+        z.6   = z.62
+    
+    31. IDc   = IDc.44
+        certC = cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(x.84, x.85, z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = verify(x.85, <x.84, z.62, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, x.84)
+        z.4   = verify(sC.51,
+                       <'CA', cert(x.84, x.85, z.62), 
+                        cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55), r2.50, cip.47>,
+                       x.84)
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    32. IDc   = IDc.44
+        certC = cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(x.84, x.85, z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = verify(x.85, <x.84, z.62, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, x.84)
+        z.4   = verify(sC.51,
+                       <'CA', cert(x.84, x.85, z.62), 
+                        cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55), r2.50, 
+                        encaps(z.61, pk(skC.53))>,
+                       x.84)
+        z.5   = z.61
+        z.6   = z.62
+    
+    33. IDc   = IDc.44
+        certC = cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', cert(pk(x.84), x.85, z.62), 
+                      cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55), r2.50, cip.47>,
+                     x.84)
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, pk(x.84))
+        z.4   = true
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    34. IDc   = IDc.44
+        certC = cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.84), x.85, z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', cert(pk(x.84), x.85, z.62), 
+                      cert(x.82, sign(<x.82, z.55, 'chip'>, ca_sk), z.55), r2.50, 
+                      encaps(z.61, pk(skC.53))>,
+                     x.84)
+        sT    = sT.52
+        skC   = skC.53
+        z     = z.55
+        z.1   = verify(x.85, <pk(x.84), z.62, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.52, <'TA', IDc.44, r1.49>, pk(x.84))
+        z.4   = true
+        z.5   = z.61
+        z.6   = z.62
+    
+    35. IDc   = IDc.44
+        certC = cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sign(<'TA', IDc.44, r1.49>, x.85)
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.51,
+                       <'CA', cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                        cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55), r2.50, cip.47>,
+                       pk(x.85))
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    36. IDc   = IDc.44
+        certC = cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = cip.47
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', 
+                      cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                      cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55), r2.50, cip.47>,
+                     x.85)
+        sT    = sign(<'TA', IDc.44, r1.49>, x.85)
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.47, skC.53)
+        z.6   = z.62
+    
+    37. IDc   = IDc.44
+        certC = cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sC.51
+        sT    = sign(<'TA', IDc.44, r1.49>, x.85)
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.51,
+                       <'CA', cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                        cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55), r2.50, 
+                        encaps(z.61, pk(skC.53))>,
+                       pk(x.85))
+        z.5   = z.61
+        z.6   = z.62
+    
+    38. IDc   = IDc.44
+        certC = cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55)
+        certT = cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62)
+        cip   = encaps(z.61, pk(skC.53))
+        r1    = r1.49
+        r2    = r2.50
+        sC    = sign(<'CA', 
+                      cert(pk(x.85), sign(<pk(x.85), z.62, 'terminal'>, ca_sk), z.62), 
+                      cert(x.83, sign(<x.83, z.55, 'chip'>, ca_sk), z.55), r2.50, 
+                      encaps(z.61, pk(skC.53))>,
+                     x.85)
+        sT    = sign(<'TA', IDc.44, r1.49>, x.85)
+        skC   = skC.53
+        z     = z.55
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.61
+        z.6   = z.62
+    
+    39. IDc   = IDc.45
+        certC = cert(x.83, x.84, z.56)
+        certT = cert(x.86, x.87, z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sT.53
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <x.86, z.63, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.84, <x.83, z.56, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.45, r1.50>, x.86)
+        z.4   = verify(sC.52,
+                       <'CA', cert(x.86, x.87, z.63), cert(x.83, x.84, z.56), r2.51, cip.48>,
+                       x.86)
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    40. IDc   = IDc.45
+        certC = cert(x.83, x.84, z.56)
+        certT = cert(x.86, x.87, z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sT.53
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <x.86, z.63, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.84, <x.83, z.56, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.45, r1.50>, x.86)
+        z.4   = verify(sC.52,
+                       <'CA', cert(x.86, x.87, z.63), cert(x.83, x.84, z.56), r2.51, 
+                        encaps(z.62, pk(skC.54))>,
+                       x.86)
+        z.5   = z.62
+        z.6   = z.63
+    
+    41. IDc   = IDc.45
+        certC = cert(x.83, x.84, z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', cert(pk(x.86), x.87, z.63), cert(x.83, x.84, z.56), 
+                      r2.51, cip.48>,
+                     x.86)
+        sT    = sT.53
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.84, <x.83, z.56, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.45, r1.50>, pk(x.86))
+        z.4   = true
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    42. IDc   = IDc.45
+        certC = cert(x.83, x.84, z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', cert(pk(x.86), x.87, z.63), cert(x.83, x.84, z.56), 
+                      r2.51, encaps(z.62, pk(skC.54))>,
+                     x.86)
+        sT    = sT.53
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.84, <x.83, z.56, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.45, r1.50>, pk(x.86))
+        z.4   = true
+        z.5   = z.62
+        z.6   = z.63
+    
+    43. IDc   = IDc.45
+        certC = cert(x.84, x.85, z.56)
+        certT = cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sign(<'TA', IDc.45, r1.50>, x.87)
+        skC   = skC.54
+        z     = z.56
+        z.1   = true
+        z.2   = verify(x.85, <x.84, z.56, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.52,
+                       <'CA', cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63), 
+                        cert(x.84, x.85, z.56), r2.51, cip.48>,
+                       pk(x.87))
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    44. IDc   = IDc.45
+        certC = cert(x.84, x.85, z.56)
+        certT = cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', 
+                      cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63), 
+                      cert(x.84, x.85, z.56), r2.51, cip.48>,
+                     x.87)
+        sT    = sign(<'TA', IDc.45, r1.50>, x.87)
+        skC   = skC.54
+        z     = z.56
+        z.1   = true
+        z.2   = verify(x.85, <x.84, z.56, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    45. IDc   = IDc.45
+        certC = cert(x.84, x.85, z.56)
+        certT = cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sign(<'TA', IDc.45, r1.50>, x.87)
+        skC   = skC.54
+        z     = z.56
+        z.1   = true
+        z.2   = verify(x.85, <x.84, z.56, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.52,
+                       <'CA', cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63), 
+                        cert(x.84, x.85, z.56), r2.51, encaps(z.62, pk(skC.54))>,
+                       pk(x.87))
+        z.5   = z.62
+        z.6   = z.63
+    
+    46. IDc   = IDc.45
+        certC = cert(x.84, x.85, z.56)
+        certT = cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', 
+                      cert(pk(x.87), sign(<pk(x.87), z.63, 'terminal'>, ca_sk), z.63), 
+                      cert(x.84, x.85, z.56), r2.51, encaps(z.62, pk(skC.54))>,
+                     x.87)
+        sT    = sign(<'TA', IDc.45, r1.50>, x.87)
+        skC   = skC.54
+        z     = z.56
+        z.1   = true
+        z.2   = verify(x.85, <x.84, z.56, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.62
+        z.6   = z.63
+    
+    47. IDc   = IDc.45
+        certC = cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sign(<'TA', IDc.45, r1.50>, x.86)
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.52,
+                       <'CA', cert(pk(x.86), x.87, z.63), 
+                        cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56), r2.51, cip.48>,
+                       pk(x.86))
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    48. IDc   = IDc.45
+        certC = cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = cip.48
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', cert(pk(x.86), x.87, z.63), 
+                      cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56), r2.51, cip.48>,
+                     x.86)
+        sT    = sign(<'TA', IDc.45, r1.50>, x.86)
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.48, skC.54)
+        z.6   = z.63
+    
+    49. IDc   = IDc.45
+        certC = cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sign(<'TA', IDc.45, r1.50>, x.86)
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.52,
+                       <'CA', cert(pk(x.86), x.87, z.63), 
+                        cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56), r2.51, 
+                        encaps(z.62, pk(skC.54))>,
+                       pk(x.86))
+        z.5   = z.62
+        z.6   = z.63
+    
+    50. IDc   = IDc.45
+        certC = cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56)
+        certT = cert(pk(x.86), x.87, z.63)
+        cip   = encaps(z.62, pk(skC.54))
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sign(<'CA', cert(pk(x.86), x.87, z.63), 
+                      cert(x.84, sign(<x.84, z.56, 'chip'>, ca_sk), z.56), r2.51, 
+                      encaps(z.62, pk(skC.54))>,
+                     x.86)
+        sT    = sign(<'TA', IDc.45, r1.50>, x.86)
+        skC   = skC.54
+        z     = z.56
+        z.1   = verify(x.87, <pk(x.86), z.63, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.62
+        z.6   = z.63
+    
+    51. IDc   = IDc.46
+        certC = cert(x.85, x.86, z.57)
+        certT = cert(pk(x.88), x.89, z.64)
+        cip   = cip.49
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sC.53
+        sT    = sign(<'TA', IDc.46, r1.51>, x.88)
+        skC   = skC.55
+        z     = z.57
+        z.1   = verify(x.89, <pk(x.88), z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.86, <x.85, z.57, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.53,
+                       <'CA', cert(pk(x.88), x.89, z.64), cert(x.85, x.86, z.57), r2.52, cip.49
+                       >,
+                       pk(x.88))
+        z.5   = decaps(cip.49, skC.55)
+        z.6   = z.64
+    
+    52. IDc   = IDc.46
+        certC = cert(x.85, x.86, z.57)
+        certT = cert(pk(x.88), x.89, z.64)
+        cip   = cip.49
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sign(<'CA', cert(pk(x.88), x.89, z.64), cert(x.85, x.86, z.57), 
+                      r2.52, cip.49>,
+                     x.88)
+        sT    = sign(<'TA', IDc.46, r1.51>, x.88)
+        skC   = skC.55
+        z     = z.57
+        z.1   = verify(x.89, <pk(x.88), z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.86, <x.85, z.57, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = decaps(cip.49, skC.55)
+        z.6   = z.64
+    
+    53. IDc   = IDc.46
+        certC = cert(x.85, x.86, z.57)
+        certT = cert(pk(x.88), x.89, z.64)
+        cip   = encaps(z.63, pk(skC.55))
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sC.53
+        sT    = sign(<'TA', IDc.46, r1.51>, x.88)
+        skC   = skC.55
+        z     = z.57
+        z.1   = verify(x.89, <pk(x.88), z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.86, <x.85, z.57, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.53,
+                       <'CA', cert(pk(x.88), x.89, z.64), cert(x.85, x.86, z.57), r2.52, 
+                        encaps(z.63, pk(skC.55))>,
+                       pk(x.88))
+        z.5   = z.63
+        z.6   = z.64
+    
+    54. IDc   = IDc.46
+        certC = cert(x.85, x.86, z.57)
+        certT = cert(pk(x.88), x.89, z.64)
+        cip   = encaps(z.63, pk(skC.55))
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sign(<'CA', cert(pk(x.88), x.89, z.64), cert(x.85, x.86, z.57), 
+                      r2.52, encaps(z.63, pk(skC.55))>,
+                     x.88)
+        sT    = sign(<'TA', IDc.46, r1.51>, x.88)
+        skC   = skC.55
+        z     = z.57
+        z.1   = verify(x.89, <pk(x.88), z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.86, <x.85, z.57, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.63
+        z.6   = z.64
+  */
+
+rule (modulo E) Verify_Transcript_T:
+   [
+   In( <certT, IDc, r1, sT, certC, r2, cip, sC, kCNF> ), In( kKDF ),
+   !Pk( T, pkT, 'terminal' )
+   ]
+  --[
+  Eq( T, cert_id(certT) ), Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( verify_cert(certC, 'chip'), true ),
+  Eq( verify(sT, <'TA', IDc, r1>, pkT), true ),
+  Eq( verify(sC, <'CA', certT, certC, r2, cip>, pkT), true ),
+  Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip>, kKDF) ),
+  ValidTrans( T, 'terminal', cert_id(certC) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_T:
+     [
+     In( <certT, IDc, r1, sT, certC, r2, cip, sC, kCNF> ), In( kKDF ),
+     !Pk( T, pkT, 'terminal' )
+     ]
+    --[
+    Eq( T, z ), Eq( z.1, true ), Eq( z.2, true ), Eq( z.3, true ),
+    Eq( z.4, true ), Eq( kCNF, kdf(<'CNF', certT, certC, r2, cip>, kKDF) ),
+    ValidTrans( T, 'terminal', z.5 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. IDc   = IDc.33
+        certC = certC.35
+        certT = certT.36
+        cip   = cip.37
+        pkT   = pkT.40
+        r1    = r1.41
+        r2    = r2.42
+        sC    = sC.43
+        sT    = sT.44
+        z     = cert_id(certT.36)
+        z.1   = verify(cert_sig(certT.36),
+                       <cert_pk(certT.36), cert_id(certT.36), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.35),
+                       <cert_pk(certC.35), cert_id(certC.35), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.44, <'TA', IDc.33, r1.41>, pkT.40)
+        z.4   = verify(sC.43, <'CA', certT.36, certC.35, r2.42, cip.37>, pkT.40)
+        z.5   = cert_id(certC.35)
+    
+     2. IDc   = IDc.42
+        certC = certC.44
+        certT = cert(x.82, sign(<x.82, z.55, 'terminal'>, ca_sk), z.55)
+        cip   = cip.46
+        pkT   = pkT.49
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sT.53
+        z     = z.55
+        z.1   = true
+        z.2   = verify(cert_sig(certC.44),
+                       <cert_pk(certC.44), cert_id(certC.44), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.53, <'TA', IDc.42, r1.50>, pkT.49)
+        z.4   = verify(sC.52,
+                       <'CA', cert(x.82, sign(<x.82, z.55, 'terminal'>, ca_sk), z.55), 
+                        certC.44, r2.51, cip.46>,
+                       pkT.49)
+        z.5   = cert_id(certC.44)
+    
+     3. IDc   = IDc.42
+        certC = cert(x.82, sign(<x.82, z.61, 'chip'>, ca_sk), z.61)
+        certT = certT.45
+        cip   = cip.46
+        pkT   = pkT.49
+        r1    = r1.50
+        r2    = r2.51
+        sC    = sC.52
+        sT    = sT.53
+        z     = cert_id(certT.45)
+        z.1   = verify(cert_sig(certT.45),
+                       <cert_pk(certT.45), cert_id(certT.45), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.53, <'TA', IDc.42, r1.50>, pkT.49)
+        z.4   = verify(sC.52,
+                       <'CA', certT.45, cert(x.82, sign(<x.82, z.61, 'chip'>, ca_sk), z.61), 
+                        r2.51, cip.46>,
+                       pkT.49)
+        z.5   = z.61
+    
+     4. IDc   = IDc.43
+        certC = certC.45
+        certT = cert(x.83, x.84, z.56)
+        cip   = cip.47
+        pkT   = pkT.50
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sC.53
+        sT    = sT.54
+        z     = z.56
+        z.1   = verify(x.84, <x.83, z.56, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.45),
+                       <cert_pk(certC.45), cert_id(certC.45), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.54, <'TA', IDc.43, r1.51>, pkT.50)
+        z.4   = verify(sC.53,
+                       <'CA', cert(x.83, x.84, z.56), certC.45, r2.52, cip.47>, pkT.50)
+        z.5   = cert_id(certC.45)
+    
+     5. IDc   = IDc.43
+        certC = cert(x.83, x.84, z.62)
+        certT = certT.46
+        cip   = cip.47
+        pkT   = pkT.50
+        r1    = r1.51
+        r2    = r2.52
+        sC    = sC.53
+        sT    = sT.54
+        z     = cert_id(certT.46)
+        z.1   = verify(cert_sig(certT.46),
+                       <cert_pk(certT.46), cert_id(certT.46), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.84, <x.83, z.62, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.54, <'TA', IDc.43, r1.51>, pkT.50)
+        z.4   = verify(sC.53,
+                       <'CA', certT.46, cert(x.83, x.84, z.62), r2.52, cip.47>, pkT.50)
+        z.5   = z.62
+    
+     6. IDc   = IDc.44
+        certC = cert(x.84, sign(<x.84, z.63, 'chip'>, ca_sk), z.63)
+        certT = cert(x.86, sign(<x.86, z.57, 'terminal'>, ca_sk), z.57)
+        cip   = cip.48
+        pkT   = pkT.51
+        r1    = r1.52
+        r2    = r2.53
+        sC    = sC.54
+        sT    = sT.55
+        z     = z.57
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.55, <'TA', IDc.44, r1.52>, pkT.51)
+        z.4   = verify(sC.54,
+                       <'CA', cert(x.86, sign(<x.86, z.57, 'terminal'>, ca_sk), z.57), 
+                        cert(x.84, sign(<x.84, z.63, 'chip'>, ca_sk), z.63), r2.53, cip.48>,
+                       pkT.51)
+        z.5   = z.63
+    
+     7. IDc   = IDc.45
+        certC = cert(x.85, x.86, z.64)
+        certT = cert(x.88, sign(<x.88, z.58, 'terminal'>, ca_sk), z.58)
+        cip   = cip.49
+        pkT   = pkT.52
+        r1    = r1.53
+        r2    = r2.54
+        sC    = sC.55
+        sT    = sT.56
+        z     = z.58
+        z.1   = true
+        z.2   = verify(x.86, <x.85, z.64, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.56, <'TA', IDc.45, r1.53>, pkT.52)
+        z.4   = verify(sC.55,
+                       <'CA', cert(x.88, sign(<x.88, z.58, 'terminal'>, ca_sk), z.58), 
+                        cert(x.85, x.86, z.64), r2.54, cip.49>,
+                       pkT.52)
+        z.5   = z.64
+    
+     8. IDc   = IDc.45
+        certC = cert(x.85, sign(<x.85, z.64, 'chip'>, ca_sk), z.64)
+        certT = cert(x.87, x.88, z.58)
+        cip   = cip.49
+        pkT   = pkT.52
+        r1    = r1.53
+        r2    = r2.54
+        sC    = sC.55
+        sT    = sT.56
+        z     = z.58
+        z.1   = verify(x.88, <x.87, z.58, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.56, <'TA', IDc.45, r1.53>, pkT.52)
+        z.4   = verify(sC.55,
+                       <'CA', cert(x.87, x.88, z.58), 
+                        cert(x.85, sign(<x.85, z.64, 'chip'>, ca_sk), z.64), r2.54, cip.49>,
+                       pkT.52)
+        z.5   = z.64
+    
+     9. IDc   = IDc.46
+        certC = cert(x.86, x.87, z.65)
+        certT = cert(x.89, x.90, z.59)
+        cip   = cip.50
+        pkT   = pkT.53
+        r1    = r1.54
+        r2    = r2.55
+        sC    = sC.56
+        sT    = sT.57
+        z     = z.59
+        z.1   = verify(x.90, <x.89, z.59, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.87, <x.86, z.65, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.57, <'TA', IDc.46, r1.54>, pkT.53)
+        z.4   = verify(sC.56,
+                       <'CA', cert(x.89, x.90, z.59), cert(x.86, x.87, z.65), r2.55, cip.50>,
+                       pkT.53)
+        z.5   = z.65
+    
+    10. IDc   = IDc.47
+        certC = certC.49
+        certT = certT.50
+        cip   = cip.51
+        pkT   = pk(x.92)
+        r1    = r1.55
+        r2    = r2.56
+        sC    = sign(<'CA', certT.50, certC.49, r2.56, cip.51>, x.92)
+        sT    = sT.58
+        z     = cert_id(certT.50)
+        z.1   = verify(cert_sig(certT.50),
+                       <cert_pk(certT.50), cert_id(certT.50), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.49),
+                       <cert_pk(certC.49), cert_id(certC.49), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.58, <'TA', IDc.47, r1.55>, pk(x.92))
+        z.4   = true
+        z.5   = cert_id(certC.49)
+    
+    11. IDc   = IDc.48
+        certC = certC.50
+        certT = cert(x.89, sign(<x.89, z.61, 'terminal'>, ca_sk), z.61)
+        cip   = cip.52
+        pkT   = pk(x.94)
+        r1    = r1.56
+        r2    = r2.57
+        sC    = sign(<'CA', 
+                      cert(x.89, sign(<x.89, z.61, 'terminal'>, ca_sk), z.61), certC.50, 
+                      r2.57, cip.52>,
+                     x.94)
+        sT    = sT.59
+        z     = z.61
+        z.1   = true
+        z.2   = verify(cert_sig(certC.50),
+                       <cert_pk(certC.50), cert_id(certC.50), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.59, <'TA', IDc.48, r1.56>, pk(x.94))
+        z.4   = true
+        z.5   = cert_id(certC.50)
+    
+    12. IDc   = IDc.48
+        certC = cert(x.88, sign(<x.88, z.67, 'chip'>, ca_sk), z.67)
+        certT = certT.51
+        cip   = cip.52
+        pkT   = pk(x.94)
+        r1    = r1.56
+        r2    = r2.57
+        sC    = sign(<'CA', certT.51, 
+                      cert(x.88, sign(<x.88, z.67, 'chip'>, ca_sk), z.67), r2.57, cip.52>,
+                     x.94)
+        sT    = sT.59
+        z     = cert_id(certT.51)
+        z.1   = verify(cert_sig(certT.51),
+                       <cert_pk(certT.51), cert_id(certT.51), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.59, <'TA', IDc.48, r1.56>, pk(x.94))
+        z.4   = true
+        z.5   = z.67
+    
+    13. IDc   = IDc.49
+        certC = certC.51
+        certT = certT.52
+        cip   = cip.53
+        pkT   = pk(x.96)
+        r1    = r1.57
+        r2    = r2.58
+        sC    = sC.59
+        sT    = sign(<'TA', IDc.49, r1.57>, x.96)
+        z     = cert_id(certT.52)
+        z.1   = verify(cert_sig(certT.52),
+                       <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.51),
+                       <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.59, <'CA', certT.52, certC.51, r2.58, cip.53>,
+                       pk(x.96))
+        z.5   = cert_id(certC.51)
+    
+    14. IDc   = IDc.49
+        certC = certC.51
+        certT = certT.52
+        cip   = cip.53
+        pkT   = pk(x.96)
+        r1    = r1.57
+        r2    = r2.58
+        sC    = sign(<'CA', certT.52, certC.51, r2.58, cip.53>, x.96)
+        sT    = sign(<'TA', IDc.49, r1.57>, x.96)
+        z     = cert_id(certT.52)
+        z.1   = verify(cert_sig(certT.52),
+                       <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.51),
+                       <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.51)
+    
+    15. IDc   = IDc.49
+        certC = certC.51
+        certT = cert(x.90, x.91, z.62)
+        cip   = cip.53
+        pkT   = pk(x.96)
+        r1    = r1.57
+        r2    = r2.58
+        sC    = sign(<'CA', cert(x.90, x.91, z.62), certC.51, r2.58, cip.53>,
+                     x.96)
+        sT    = sT.60
+        z     = z.62
+        z.1   = verify(x.91, <x.90, z.62, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.51),
+                       <cert_pk(certC.51), cert_id(certC.51), 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.60, <'TA', IDc.49, r1.57>, pk(x.96))
+        z.4   = true
+        z.5   = cert_id(certC.51)
+    
+    16. IDc   = IDc.49
+        certC = cert(x.89, x.90, z.68)
+        certT = certT.52
+        cip   = cip.53
+        pkT   = pk(x.96)
+        r1    = r1.57
+        r2    = r2.58
+        sC    = sign(<'CA', certT.52, cert(x.89, x.90, z.68), r2.58, cip.53>,
+                     x.96)
+        sT    = sT.60
+        z     = cert_id(certT.52)
+        z.1   = verify(cert_sig(certT.52),
+                       <cert_pk(certT.52), cert_id(certT.52), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.90, <x.89, z.68, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.60, <'TA', IDc.49, r1.57>, pk(x.96))
+        z.4   = true
+        z.5   = z.68
+    
+    17. IDc   = IDc.49
+        certC = cert(x.89, sign(<x.89, z.68, 'chip'>, ca_sk), z.68)
+        certT = cert(x.91, sign(<x.91, z.62, 'terminal'>, ca_sk), z.62)
+        cip   = cip.53
+        pkT   = pk(x.96)
+        r1    = r1.57
+        r2    = r2.58
+        sC    = sign(<'CA', 
+                      cert(x.91, sign(<x.91, z.62, 'terminal'>, ca_sk), z.62), 
+                      cert(x.89, sign(<x.89, z.68, 'chip'>, ca_sk), z.68), r2.58, cip.53>,
+                     x.96)
+        sT    = sT.60
+        z     = z.62
+        z.1   = true
+        z.2   = true
+        z.3   = verify(sT.60, <'TA', IDc.49, r1.57>, pk(x.96))
+        z.4   = true
+        z.5   = z.68
+    
+    18. IDc   = IDc.50
+        certC = certC.52
+        certT = cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63)
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sC.60
+        sT    = sign(<'TA', IDc.50, r1.58>, x.98)
+        z     = z.63
+        z.1   = true
+        z.2   = verify(cert_sig(certC.52),
+                       <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.60,
+                       <'CA', cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63), 
+                        certC.52, r2.59, cip.54>,
+                       pk(x.98))
+        z.5   = cert_id(certC.52)
+    
+    19. IDc   = IDc.50
+        certC = certC.52
+        certT = cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63)
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sign(<'CA', 
+                      cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63), certC.52, 
+                      r2.59, cip.54>,
+                     x.98)
+        sT    = sign(<'TA', IDc.50, r1.58>, x.98)
+        z     = z.63
+        z.1   = true
+        z.2   = verify(cert_sig(certC.52),
+                       <cert_pk(certC.52), cert_id(certC.52), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.52)
+    
+    20. IDc   = IDc.50
+        certC = cert(x.90, x.91, z.69)
+        certT = cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63)
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sign(<'CA', 
+                      cert(x.93, sign(<x.93, z.63, 'terminal'>, ca_sk), z.63), 
+                      cert(x.90, x.91, z.69), r2.59, cip.54>,
+                     x.98)
+        sT    = sT.61
+        z     = z.63
+        z.1   = true
+        z.2   = verify(x.91, <x.90, z.69, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.61, <'TA', IDc.50, r1.58>, pk(x.98))
+        z.4   = true
+        z.5   = z.69
+    
+    21. IDc   = IDc.50
+        certC = cert(x.90, sign(<x.90, z.69, 'chip'>, ca_sk), z.69)
+        certT = cert(x.92, x.93, z.63)
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sign(<'CA', cert(x.92, x.93, z.63), 
+                      cert(x.90, sign(<x.90, z.69, 'chip'>, ca_sk), z.69), r2.59, cip.54>,
+                     x.98)
+        sT    = sT.61
+        z     = z.63
+        z.1   = verify(x.93, <x.92, z.63, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = verify(sT.61, <'TA', IDc.50, r1.58>, pk(x.98))
+        z.4   = true
+        z.5   = z.69
+    
+    22. IDc   = IDc.50
+        certC = cert(x.92, sign(<x.92, z.69, 'chip'>, ca_sk), z.69)
+        certT = certT.53
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sC.60
+        sT    = sign(<'TA', IDc.50, r1.58>, x.98)
+        z     = cert_id(certT.53)
+        z.1   = verify(cert_sig(certT.53),
+                       <cert_pk(certT.53), cert_id(certT.53), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.60,
+                       <'CA', certT.53, cert(x.92, sign(<x.92, z.69, 'chip'>, ca_sk), z.69), 
+                        r2.59, cip.54>,
+                       pk(x.98))
+        z.5   = z.69
+    
+    23. IDc   = IDc.50
+        certC = cert(x.92, sign(<x.92, z.69, 'chip'>, ca_sk), z.69)
+        certT = certT.53
+        cip   = cip.54
+        pkT   = pk(x.98)
+        r1    = r1.58
+        r2    = r2.59
+        sC    = sign(<'CA', certT.53, 
+                      cert(x.92, sign(<x.92, z.69, 'chip'>, ca_sk), z.69), r2.59, cip.54>,
+                     x.98)
+        sT    = sign(<'TA', IDc.50, r1.58>, x.98)
+        z     = cert_id(certT.53)
+        z.1   = verify(cert_sig(certT.53),
+                       <cert_pk(certT.53), cert_id(certT.53), 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.69
+    
+    24. IDc   = IDc.51
+        certC = certC.53
+        certT = cert(x.94, x.95, z.64)
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sC.61
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = z.64
+        z.1   = verify(x.95, <x.94, z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.53),
+                       <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.61,
+                       <'CA', cert(x.94, x.95, z.64), certC.53, r2.60, cip.55>, pk(x.100))
+        z.5   = cert_id(certC.53)
+    
+    25. IDc   = IDc.51
+        certC = certC.53
+        certT = cert(x.94, x.95, z.64)
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sign(<'CA', cert(x.94, x.95, z.64), certC.53, r2.60, cip.55>,
+                     x.100)
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = z.64
+        z.1   = verify(x.95, <x.94, z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certC.53),
+                       <cert_pk(certC.53), cert_id(certC.53), 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = cert_id(certC.53)
+    
+    26. IDc   = IDc.51
+        certC = cert(x.91, x.92, z.70)
+        certT = cert(x.94, x.95, z.64)
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sign(<'CA', cert(x.94, x.95, z.64), cert(x.91, x.92, z.70), 
+                      r2.60, cip.55>,
+                     x.100)
+        sT    = sT.62
+        z     = z.64
+        z.1   = verify(x.95, <x.94, z.64, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.92, <x.91, z.70, 'chip'>, pk(ca_sk))
+        z.3   = verify(sT.62, <'TA', IDc.51, r1.59>, pk(x.100))
+        z.4   = true
+        z.5   = z.70
+    
+    27. IDc   = IDc.51
+        certC = cert(x.93, x.94, z.70)
+        certT = certT.54
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sC.61
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = cert_id(certT.54)
+        z.1   = verify(cert_sig(certT.54),
+                       <cert_pk(certT.54), cert_id(certT.54), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.94, <x.93, z.70, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.61,
+                       <'CA', certT.54, cert(x.93, x.94, z.70), r2.60, cip.55>, pk(x.100))
+        z.5   = z.70
+    
+    28. IDc   = IDc.51
+        certC = cert(x.93, x.94, z.70)
+        certT = certT.54
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sign(<'CA', certT.54, cert(x.93, x.94, z.70), r2.60, cip.55>,
+                     x.100)
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = cert_id(certT.54)
+        z.1   = verify(cert_sig(certT.54),
+                       <cert_pk(certT.54), cert_id(certT.54), 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.94, <x.93, z.70, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.70
+    
+    29. IDc   = IDc.51
+        certC = cert(x.93, sign(<x.93, z.70, 'chip'>, ca_sk), z.70)
+        certT = cert(x.95, sign(<x.95, z.64, 'terminal'>, ca_sk), z.64)
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sC.61
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = z.64
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.61,
+                       <'CA', cert(x.95, sign(<x.95, z.64, 'terminal'>, ca_sk), z.64), 
+                        cert(x.93, sign(<x.93, z.70, 'chip'>, ca_sk), z.70), r2.60, cip.55>,
+                       pk(x.100))
+        z.5   = z.70
+    
+    30. IDc   = IDc.51
+        certC = cert(x.93, sign(<x.93, z.70, 'chip'>, ca_sk), z.70)
+        certT = cert(x.95, sign(<x.95, z.64, 'terminal'>, ca_sk), z.64)
+        cip   = cip.55
+        pkT   = pk(x.100)
+        r1    = r1.59
+        r2    = r2.60
+        sC    = sign(<'CA', 
+                      cert(x.95, sign(<x.95, z.64, 'terminal'>, ca_sk), z.64), 
+                      cert(x.93, sign(<x.93, z.70, 'chip'>, ca_sk), z.70), r2.60, cip.55>,
+                     x.100)
+        sT    = sign(<'TA', IDc.51, r1.59>, x.100)
+        z     = z.64
+        z.1   = true
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.70
+    
+    31. IDc   = IDc.52
+        certC = cert(x.94, x.95, z.71)
+        certT = cert(x.97, sign(<x.97, z.65, 'terminal'>, ca_sk), z.65)
+        cip   = cip.56
+        pkT   = pk(x.102)
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sC.62
+        sT    = sign(<'TA', IDc.52, r1.60>, x.102)
+        z     = z.65
+        z.1   = true
+        z.2   = verify(x.95, <x.94, z.71, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.62,
+                       <'CA', cert(x.97, sign(<x.97, z.65, 'terminal'>, ca_sk), z.65), 
+                        cert(x.94, x.95, z.71), r2.61, cip.56>,
+                       pk(x.102))
+        z.5   = z.71
+    
+    32. IDc   = IDc.52
+        certC = cert(x.94, x.95, z.71)
+        certT = cert(x.97, sign(<x.97, z.65, 'terminal'>, ca_sk), z.65)
+        cip   = cip.56
+        pkT   = pk(x.102)
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sign(<'CA', 
+                      cert(x.97, sign(<x.97, z.65, 'terminal'>, ca_sk), z.65), 
+                      cert(x.94, x.95, z.71), r2.61, cip.56>,
+                     x.102)
+        sT    = sign(<'TA', IDc.52, r1.60>, x.102)
+        z     = z.65
+        z.1   = true
+        z.2   = verify(x.95, <x.94, z.71, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.71
+    
+    33. IDc   = IDc.52
+        certC = cert(x.94, sign(<x.94, z.71, 'chip'>, ca_sk), z.71)
+        certT = cert(x.96, x.97, z.65)
+        cip   = cip.56
+        pkT   = pk(x.102)
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sC.62
+        sT    = sign(<'TA', IDc.52, r1.60>, x.102)
+        z     = z.65
+        z.1   = verify(x.97, <x.96, z.65, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = verify(sC.62,
+                       <'CA', cert(x.96, x.97, z.65), 
+                        cert(x.94, sign(<x.94, z.71, 'chip'>, ca_sk), z.71), r2.61, cip.56>,
+                       pk(x.102))
+        z.5   = z.71
+    
+    34. IDc   = IDc.52
+        certC = cert(x.94, sign(<x.94, z.71, 'chip'>, ca_sk), z.71)
+        certT = cert(x.96, x.97, z.65)
+        cip   = cip.56
+        pkT   = pk(x.102)
+        r1    = r1.60
+        r2    = r2.61
+        sC    = sign(<'CA', cert(x.96, x.97, z.65), 
+                      cert(x.94, sign(<x.94, z.71, 'chip'>, ca_sk), z.71), r2.61, cip.56>,
+                     x.102)
+        sT    = sign(<'TA', IDc.52, r1.60>, x.102)
+        z     = z.65
+        z.1   = verify(x.97, <x.96, z.65, 'terminal'>, pk(ca_sk))
+        z.2   = true
+        z.3   = true
+        z.4   = true
+        z.5   = z.71
+    
+    35. IDc   = IDc.53
+        certC = cert(x.95, x.96, z.72)
+        certT = cert(x.98, x.99, z.66)
+        cip   = cip.57
+        pkT   = pk(x.104)
+        r1    = r1.61
+        r2    = r2.62
+        sC    = sC.63
+        sT    = sign(<'TA', IDc.53, r1.61>, x.104)
+        z     = z.66
+        z.1   = verify(x.99, <x.98, z.66, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.96, <x.95, z.72, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = verify(sC.63,
+                       <'CA', cert(x.98, x.99, z.66), cert(x.95, x.96, z.72), r2.62, cip.57>,
+                       pk(x.104))
+        z.5   = z.72
+    
+    36. IDc   = IDc.53
+        certC = cert(x.95, x.96, z.72)
+        certT = cert(x.98, x.99, z.66)
+        cip   = cip.57
+        pkT   = pk(x.104)
+        r1    = r1.61
+        r2    = r2.62
+        sC    = sign(<'CA', cert(x.98, x.99, z.66), cert(x.95, x.96, z.72), 
+                      r2.62, cip.57>,
+                     x.104)
+        sT    = sign(<'TA', IDc.53, r1.61>, x.104)
+        z     = z.66
+        z.1   = verify(x.99, <x.98, z.66, 'terminal'>, pk(ca_sk))
+        z.2   = verify(x.96, <x.95, z.72, 'chip'>, pk(ca_sk))
+        z.3   = true
+        z.4   = true
+        z.5   = z.72
+  */
+
+restriction Equality:
+  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
+  // safety formula
+
+lemma session_exist:
+  exists-trace
+  "∃ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+    (#i < #j)"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  #i < #j"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk))>,
+                                 ~ltk.1)
+                       ) @ #vk.5 )
+                  case TA_RESPONSE_T
+                  solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.34 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~r2 ) @ #vk.30 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~id_c ) @ #vk.33 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( ~r1 ) @ #vk.34 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                                 ) @ #vk.20 )
+                            case CA_Sign_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk))>,
+                                            ~k)
+                                   ) @ #vk.24 )
+                              case TA_COMPLETE_C
+                              solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.33 )
+                                case CA_Sign_ltk
+                                solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.21 )
+                                  case TA_RESPONSE_T
+                                  SOLVED // trace found
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma two_session_exist:
+  exists-trace
+  "∃ C T k k2 sid sid2 #i #j #i2 #j2.
+    ((((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+         (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+        (#i < #j)) ∧
+       (Completed( k2, sid2, C, 'chip', T ) @ #i2)) ∧
+      (Completed( k2, sid2, T, 'terminal', C ) @ #j2)) ∧
+     (#i2 < #j2)) ∧
+    (¬(k = k2))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k k2 sid sid2 #i #j #i2 #j2.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j) ∧
+  (Completed( k2, sid2, C, 'chip', T ) @ #i2) ∧
+  (Completed( k2, sid2, T, 'terminal', C ) @ #j2)
+ ∧
+  (#i < #j) ∧ (#i2 < #j2) ∧ (¬(k = k2))"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
+                case TA_COMPLETE_C
+                solve( TAChallengeC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1,
+                                     r2.1
+                       ) ▶₁ #i2 )
+                  case TA_CHALLENGE_C
+                  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
+                    case Generate_chip_key_pair
+                    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
+                      case CA_Sign_ltk
+                      solve( Completed( kdf(<'KEY', 
+                                             cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), 
+                                             ~r2.1, cip>,
+                                            z),
+                                        <cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, 
+                                         cip>,
+                                        $T, 'terminal', $C
+                             ) @ #j2 )
+                        case CA_FINISH_T
+                        solve( CAInitT( <$T, iid.3>, id_c.3,
+                                        cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
+                                        <z, cip>
+                               ) ▶₁ #j2 )
+                          case TA_RESPONSE_T
+                          solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                                        'terminal'
+                                 ) ▶₂ #j2 )
+                            case CA_Sign_ltk
+                            solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
+                              case TA_RESPONSE_T
+                              solve( !KU( sign(<'CA', 
+                                                cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
+                                                     $T), 
+                                                cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                                encaps(~k, pk(~ltk))>,
+                                               ~ltk.1)
+                                     ) @ #vk.5 )
+                                case TA_RESPONSE_T
+                                solve( !KU( sign(<'TA', ~id_c.1, ~r1.1>, ~ltk.1) ) @ #vk.40 )
+                                  case TA_RESPONSE_T
+                                  solve( !KU( sign(<'CA', 
+                                                    cert(pk(~ltk.1),
+                                                         sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                                    cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), 
+                                                    ~r2.1, encaps(~k.1, pk(~skC))>,
+                                                   ~ltk.1)
+                                         ) @ #vk.43 )
+                                    case TA_RESPONSE_T
+                                    solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.54 )
+                                      case CA_Sign_ltk
+                                      solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.60 )
+                                        case CA_Sign_ltk
+                                        solve( !KU( ~r2 ) @ #vk.47 )
+                                          case TA_CHALLENGE_C
+                                          solve( !KU( ~r2.1 ) @ #vk.55 )
+                                            case TA_CHALLENGE_C
+                                            solve( !KU( ~id_c ) @ #vk.56 )
+                                              case TA_CHALLENGE_C
+                                              solve( !KU( ~r1 ) @ #vk.57 )
+                                                case TA_CHALLENGE_C
+                                                solve( !KU( ~id_c.1 ) @ #vk.59 )
+                                                  case TA_CHALLENGE_C
+                                                  solve( !KU( ~r1.1 ) @ #vk.60 )
+                                                    case TA_CHALLENGE_C
+                                                    solve( !KU( cert(pk(~skT),
+                                                                     sign(<pk(~skT), $T, 'terminal'>, ca_sk),
+                                                                     $T)
+                                                           ) @ #vk.39 )
+                                                      case CA_Sign_ltk
+                                                      solve( !KU( kdf(<'CNF', 
+                                                                       cert(pk(~skT),
+                                                                            sign(<pk(~skT), $T, 'terminal'>,
+                                                                                 ca_sk),
+                                                                            $T), 
+                                                                       cert(pk(~ltk),
+                                                                            sign(<pk(~ltk), $C, 'chip'>,
+                                                                                 ca_sk),
+                                                                            $C), 
+                                                                       ~r2, encaps(~k, pk(~ltk))>,
+                                                                      ~k)
+                                                             ) @ #vk.42 )
+                                                        case TA_COMPLETE_C
+                                                        solve( !KU( cert(pk(~ltk),
+                                                                         sign(<pk(~ltk), $C, 'chip'>, ca_sk),
+                                                                         $C)
+                                                               ) @ #vk.52 )
+                                                          case CA_Sign_ltk
+                                                          solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.37 )
+                                                            case TA_RESPONSE_T
+                                                            solve( !KU( cert(pk(~ltk.1),
+                                                                             sign(<pk(~ltk.1), $T, 'terminal'
+                                                                                  >,
+                                                                                  ca_sk),
+                                                                             $T)
+                                                                   ) @ #vk.55 )
+                                                              case CA_Sign_ltk
+                                                              solve( !KU( kdf(<'CNF', 
+                                                                               cert(pk(~ltk.1),
+                                                                                    sign(<pk(~ltk.1), $T, 
+                                                                                          'terminal'>,
+                                                                                         ca_sk),
+                                                                                    $T), 
+                                                                               cert(pk(~skC),
+                                                                                    sign(<pk(~skC), $C, 'chip'
+                                                                                         >,
+                                                                                         ca_sk),
+                                                                                    $C), 
+                                                                               ~r2.1, encaps(~k.1, pk(~skC))>,
+                                                                              ~k.1)
+                                                                     ) @ #vk.56 )
+                                                                case TA_COMPLETE_C
+                                                                solve( !KU( cert(pk(~skC),
+                                                                                 sign(<pk(~skC), $C, 'chip'>,
+                                                                                      ca_sk),
+                                                                                 $C)
+                                                                       ) @ #vk.59 )
+                                                                  case CA_Sign_ltk
+                                                                  solve( !KU( encaps(~k.1, pk(~skC))
+                                                                         ) @ #vk.57 )
+                                                                    case TA_RESPONSE_T
+                                                                    SOLVED // trace found
+                                                                  qed
+                                                                qed
+                                                              qed
+                                                            qed
+                                                          qed
+                                                        qed
+                                                      qed
+                                                    qed
+                                                  qed
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                        ~k)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.18 )
+            case TA_RESPONSE_T
+            solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                   ) @ #vk.13 )
+              case CA_Sign_ltk
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case TA_CHALLENGE_C
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case c_cert
+              solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.25 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.29 )
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              by contradiction /* from formulas */
+            next
+              case split_case_2
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.18 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk))>,
+                                 ~ltk.1)
+                       ) @ #vk.21 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'CNF', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  ~k)
+                         ) @ #vk.4 )
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.40 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ltk ) @ #vk.42 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~ltk.1 ) @ #vk.40 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk.1 ) @ #vk.29 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                        ~k)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.18 )
+            case TA_RESPONSE_T
+            solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                   ) @ #vk.13 )
+              case CA_Sign_ltk
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case TA_CHALLENGE_C
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case c_cert
+              solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.25 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.29 )
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c,
+                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                        ~k)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.18 )
+            case TA_RESPONSE_T
+            solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                   ) @ #vk.13 )
+              case CA_Sign_ltk
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case TA_CHALLENGE_C
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case c_cert
+              solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.25 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.29 )
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C
+      by contradiction /* from formulas */
+    qed
+  qed
+qed
+
+lemma session_uniqueness:
+  all-traces
+  "∀ A B k sid sid2 role #i #j.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧
+     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
+    ((#i = #j) ∧ (sid = sid2))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ A B k sid sid2 role #i #j.
+  (Completed( k, sid, A, role, B ) @ #i) ∧
+  (Completed( k, sid2, A, role, B ) @ #j)
+ ∧
+  ((¬(#i = #j)) ∨ (¬(sid = sid2)))"
+*/
+simplify
+solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
+  case case_1
+  solve( (#i < #j)  ∥ (#j < #i) )
+    case case_1
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                                ~k),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+                   ) ▶₁ #j )
+              case TA_RESPONSE_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                  z),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  next
+    case case_2
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                                ~k),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+                   ) ▶₁ #j )
+              case TA_RESPONSE_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C
+      solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                  z),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case case_2
+  solve( Completed( k, sid, A, role, B ) @ #i )
+    case CA_FINISH_T
+    solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+      case TA_RESPONSE_T
+      solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                               cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                              ~k),
+                          sid2, $T, 'terminal', B
+               ) @ #j )
+          case CA_FINISH_T
+          by contradiction /* from formulas */
+        qed
+      qed
+    qed
+  next
+    case TA_COMPLETE_C
+    solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
+           ) ▶₁ #i )
+      case TA_CHALLENGE_C
+      solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+        case Generate_chip_key_pair
+        solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                z),
+                            sid2, $C, 'chip', B
+                 ) @ #j )
+            case TA_COMPLETE_C
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma consistency:
+  all-traces
+  "∀ C T k k2 sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
+    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k k2 sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k2, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( k2,
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
+                  case TA_RESPONSE_T
+                  solve( !KU( sign(<'CA', 
+                                    cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                    encaps(~k, pk(~ltk))>,
+                                   ~ltk.1)
+                         ) @ #vk.5 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk))>,
+                                    ~k)
+                           ) @ #vk.14 )
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.40 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.42 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    solve( !KU( ~ltk.1 ) @ #vk.40 )
+                      case Corrupt_ltk
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk))>,
+                                      ~k)
+                             ) @ #vk.19 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.43 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.45 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~ltk.1 ) @ #vk.29 )
+                    case Corrupt_ltk
+                    solve( !KU( sign(<'CA', 
+                                      cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                      cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                      encaps(~k, pk(~ltk))>,
+                                     ~ltk.1)
+                           ) @ #vk.6 )
+                      case TA_RESPONSE_T
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk))>,
+                                      ~k)
+                             ) @ #vk.15 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.38 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.40 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    next
+                      case c_sign
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk))>,
+                                      ~k)
+                             ) @ #vk.17 )
+                        case c_kdf
+                        solve( !KU( ~k ) @ #vk.40 )
+                          case TA_RESPONSE_T
+                          solve( !KU( ~ltk ) @ #vk.42 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma key_secrecy:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
+    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+     (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.4 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk))>,
+                                 ~ltk.1)
+                       ) @ #vk.6 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'KEY', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  ~k)
+                         ) @ #vk.3 )
+                    case Reveal_session
+                    by contradiction /* from formulas */
+                  next
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.41 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ltk ) @ #vk.43 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( ~ltk.1 ) @ #vk.41 )
+                    case Corrupt_ltk
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk))>,
+                                    ~k)
+                           ) @ #vk.6 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.44 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.46 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk.1 ) @ #vk.30 )
+                  case Corrupt_ltk
+                  solve( !KU( sign(<'CA', 
+                                    cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                    encaps(~k, pk(~ltk))>,
+                                   ~ltk.1)
+                         ) @ #vk.7 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk))>,
+                                    ~k)
+                           ) @ #vk.5 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.39 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.41 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_sign
+                    solve( !KU( kdf(<'KEY', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk))>,
+                                    ~k)
+                           ) @ #vk.5 )
+                      case Reveal_session
+                      by contradiction /* from formulas */
+                    next
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.41 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~ltk ) @ #vk.43 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma chip_hiding:
+  all-traces
+  "∀ C T iid #i.
+    (CompletedTA( C, iid, T ) @ #i) ⇒
+    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T iid #i.
+  (CompletedTA( C, iid, T ) @ #i)
+ ∧
+  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
+*/
+simplify
+solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+       ) ▶₁ #i )
+  case TA_CHALLENGE_C
+  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+    case Generate_chip_key_pair
+    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+      case CA_Sign_ltk
+      solve( splitEqs(0) )
+        case split_case_1
+        solve( !KU( sign(<'TA', ~id_c, ~r1>, x) ) @ #vk.3 )
+          case TA_RESPONSE_T
+          solve( !KU( sign(<'CA', 
+                            cert(pk(~skT), sign(<pk(~skT), T, 'terminal'>, ca_sk), T), 
+                            cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                           ~skT)
+                 ) @ #vk.5 )
+            case TA_RESPONSE_T
+            solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.19 )
+              case CA_Sign_ltk
+              solve( !KU( ~iid ) @ #vk.12 )
+                case TA_CHALLENGE_C
+                solve( !KU( ~id_c ) @ #vk.17 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~r1 ) @ #vk.19 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~r2 ) @ #vk.32 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                             ) @ #vk.19 )
+                        case CA_Sign_ltk
+                        solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                               ) @ #vk.32 )
+                          case CA_Sign_ltk
+                          solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.18 )
+                            case TA_RESPONSE_T
+                            SOLVED // trace found
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_terminal:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( C ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( T, 'chip' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( C, 'chip', T ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( C ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( T, 'chip' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( C, 'chip', T ) @ #i )
+  case Verify_Transcript_C
+  solve( !Ltk( C, skC, 'chip' ) ▶₁ #i )
+    case Generate_chip_key_pair
+    solve( splitEqs(0) )
+      case split_case_2
+      solve( !KU( sign(<'CA', 
+                        cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                        cert(x.1, sign(<x.1, $A, 'chip'>, ca_sk), $A), r2, encaps(z, pk(~ltk))>,
+                       x)
+             ) @ #vk.15 )
+        case c_sign
+        solve( !KU( cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T)
+               ) @ #vk.2 )
+          case CA_Sign_ltk
+          solve( !KU( ~ltk ) @ #vk.21 )
+            case Corrupt_ltk
+            solve( !KU( sign(<'TA', IDc, r1>, ~ltk) ) @ #vk.13 )
+              case c_sign
+              solve( !KU( cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1) ) @ #vk.17 )
+                case CA_Sign_ltk
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $A.1, 'chip'>, ca_sk), $A.1), r2, 
+                                 encaps(z, pk(~ltk.2))>,
+                                z)
+                       ) @ #vk.23 )
+                  case c_kdf
+                  solve( !KU( encaps(z, pk(~ltk.2)) ) @ #vk.24 )
+                    case c_encaps
+                    solve( !KU( pk(~ltk.2) ) @ #vk.29 )
+                      case CA_Sign_ltk
+                      SOLVED // trace found
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_chip:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( T ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( C, 'terminal' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( T, 'terminal', C ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( T ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( C, 'terminal' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( T, 'terminal', C ) @ #i )
+  case Verify_Transcript_T
+  solve( !Pk( T, pk(x.1), 'terminal' ) ▶₂ #i )
+    case Generate_terminal_key_pair
+    solve( !KU( sign(<'TA', IDc, r1>, ~ltk) ) @ #vk.7 )
+      case TA_RESPONSE_T
+      by contradiction /* from formulas */
+    next
+      case c_sign
+      solve( !KU( ~ltk ) @ #vk.20 )
+        case Corrupt_ltk
+        by contradiction /* from formulas */
+      qed
+    qed
+  qed
+qed
+
+lemma pfs:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+       (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+      (¬(∃ #m. (Corrupted( C ) @ #m) ∧ (#m < #j)))) ∧
+     (¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j)))) ⇒
+    ((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C
+  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.4 )
+                case TA_RESPONSE_T
+                solve( !KU( sign(<'CA', 
+                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                  encaps(~k, pk(~ltk))>,
+                                 ~ltk.1)
+                       ) @ #vk.6 )
+                  case TA_RESPONSE_T
+                  solve( !KU( kdf(<'KEY', 
+                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  ~k)
+                         ) @ #vk.3 )
+                    case c_kdf
+                    solve( !KU( ~k ) @ #vk.41 )
+                      case TA_RESPONSE_T
+                      solve( !KU( ~ltk ) @ #vk.43 )
+                        case Corrupt_ltk
+                        solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.41 )
+                          case CA_Sign_ltk
+                          solve( !KU( ~r2 ) @ #vk.38 )
+                            case TA_CHALLENGE_C
+                            solve( !KU( ~id_c ) @ #vk.40 )
+                              case TA_CHALLENGE_C
+                              solve( !KU( ~r1 ) @ #vk.41 )
+                                case TA_CHALLENGE_C
+                                solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                                       ) @ #vk.27 )
+                                  case CA_Sign_ltk
+                                  solve( !KU( kdf(<'CNF', 
+                                                   cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk),
+                                                        $T), 
+                                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                   ~r2, encaps(~k, pk(~ltk))>,
+                                                  ~k)
+                                         ) @ #vk.31 )
+                                    case TA_COMPLETE_C
+                                    solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                                           ) @ #vk.40 )
+                                      case CA_Sign_ltk
+                                      solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.28 )
+                                        case TA_RESPONSE_T
+                                        SOLVED // trace found
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+/* All wellformedness checks were successful. */
+
+/*
+Generated from:
+Tamarin version 1.8.0
+Maude version 3.3.1
+Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
+Compiled at: 2024-01-16 15:38:46.116852601 UTC
+*/
+
+end
+
+==============================================================================
+summary of summaries:
+
+analyzed: tmp.spthy
+
+  processing time: 750.72s
+  
+  session_exist (exists-trace): verified (19 steps)
+  two_session_exist (exists-trace): verified (36 steps)
+  weak_agreement_C (all-traces): verified (8 steps)
+  weak_agreement_T (all-traces): verified (19 steps)
+  agreement_C (all-traces): verified (19 steps)
+  agreement_T (all-traces): verified (19 steps)
+  aliveness (all-traces): verified (20 steps)
+  session_uniqueness (all-traces): verified (37 steps)
+  consistency (all-traces): verified (31 steps)
+  key_secrecy (all-traces): verified (33 steps)
+  chip_hiding (all-traces): falsified - found trace (16 steps)
+  nonRepudiation_terminal (exists-trace): verified (13 steps)
+  nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps)
+  pfs (all-traces): falsified - found trace (22 steps)
+
+==============================================================================
diff --git a/results/Basic/session_exist.err.45215033 b/results/45991793.err.ALL_KemPQEAC_TAMARIN
similarity index 86%
rename from results/Basic/session_exist.err.45215033
rename to results/45991793.err.ALL_KemPQEAC_TAMARIN
index 1f61aae55c21ecd2bc906c49f8eb899cc6d49e2d..35cf59a4de87742e8526e575ef29d8946ab1831a 100644
--- a/results/Basic/session_exist.err.45215033
+++ b/results/45991793.err.ALL_KemPQEAC_TAMARIN
@@ -30,3 +30,5 @@
 [Saturating Sources] Step 2/5
 [Saturating Sources] Step 1/5
 [Saturating Sources] Step 2/5
+WARNING: you should run this program as super-user.
+WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
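Review bot: The two WARNING lines added at the end of this stderr log do not look like prover output, and "output may be incomplete or inaccurate" can be misread as a caveat on the Tamarin results recorded for this job. The wording matches what a hardware-inventory tool such as lshw prints when run unprivileged, so it presumably comes from a machine-info step in the job script, which is not shown here. Rather than following the hint and running the batch job as super-user, send that step's stderr to a separate file or drop the step, so this log carries only Tamarin and Maude diagnostics. If the lines are kept, a short comment in the job script such as `# lshw warning is expected; the verification job runs unprivileged on purpose` would record that the lower privilege is intentional.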
diff --git a/results/45991793.out.ALL_KemPQEAC_TAMARIN b/results/45991793.out.ALL_KemPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..fcb4fe90e83adeca286d1eacde9254d1a2103d69
--- /dev/null
+++ b/results/45991793.out.ALL_KemPQEAC_TAMARIN
@@ -0,0 +1,3595 @@
+maude tool: 'maude'
+ checking version: 3.3.1. OK.
+ checking installation: OK.
+theory KemPQEAC begin
+
+// Function signature and definition of the equational theory E
+
+functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
+           cert_sig/1, decaps/2, encaps/2, fst/1, kdf/2, mac/2, pair/2, pk/1,
+           sdec/2, senc/2, sign/2, snd/1, true/0, verify/3
+equations:
+    cert_id(cert(pk, s, id)) = id,
+    cert_pk(cert(pk, s, id)) = pk,
+    cert_sig(cert(pk, s, id)) = s,
+    decaps(encaps(k, pk(sk)), sk) = k,
+    fst(<x.1, x.2>) = x.1,
+    sdec(senc(x.1, x.2), x.2) = x.1,
+    snd(<x.1, x.2>) = x.2,
+    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
+
+
+
+
+
+
+
+
+
+macros:
+    verify_cert( cert,
+                 role ) = verify(cert_sig(cert),pair(cert_pk(cert),pair(cert_id(cert),role)),pk(ca_sk))
+
+rule (modulo E) Publish_ca_pk:
+   [ ] --> [ Out( pk(ca_sk) ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_chip_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [ !Pk( $A, pk(~ltk), 'chip' ), !Ltk( $A, ~ltk, 'chip' ), Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_terminal_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [
+   !Pk( $A, pk(~ltk), 'terminal' ), !Ltk( $A, ~ltk, 'terminal' ),
+   Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_Sign_ltk:
+   [ !Pk( A, pk, role ) ]
+  --[ RegisteredRole( A, role ) ]->
+   [
+   !Cert( A, cert(pk, sign(<pk, A, role>, ca_sk), A), role ),
+   Out( cert(pk, sign(<pk, A, role>, ca_sk), A) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Corrupt_ltk:
+   [ !Ltk( $A, ltk, role ) ] --[ Corrupted( $A ) ]-> [ Out( <ltk, role> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Reveal_session:
+   [ !SessionReveal( sid, k ) ] --[ Revealed( sid ) ]-> [ Out( k ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_INIT_T:
+   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+  --[ Started( ) ]->
+   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_CHALLENGE_C:
+   [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid )
+   ]
+  --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
+   [
+   Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), '2', 'c'> ),
+   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1,
+                 <~kTA, encaps(~kTA, cert_pk(certT))>
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_CHALLENGE_C:
+     [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid )
+     ]
+    --[ Eq( z.1, true ), Started( ) ]->
+     [
+     Out( <~id_c, ~r1, encaps(~kTA, z), '2', 'c'> ),
+     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, z)> )
+     ]
+    variants (modulo AC)
+    1. certT = certT.14
+       z     = cert_pk(certT.14)
+       z.1   = verify(cert_sig(certT.14),
+                      <cert_pk(certT.14), cert_id(certT.14), 'terminal'>, pk(ca_sk))
+    
+    2. certT = cert(z.27, sign(<z.27, x.44, 'terminal'>, ca_sk), x.44)
+       z     = z.27
+       z.1   = true
+    
+    3. certT = cert(z.28, x.45, x.46)
+       z     = z.28
+       z.1   = verify(x.45, <z.28, x.46, 'terminal'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_RESPONSE_T:
+   [
+   In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ),
+   !Ltk( $T, ~skT, 'terminal' )
+   ]
+  -->
+   [
+   Out( <kdf(<'TCNF', r1>, decaps(cTA, ~skT)), '3', 't'> ),
+   TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, decaps(cTA, ~skT)),
+                kdf(<'TENC', r1>, decaps(cTA, ~skT))
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_RESPONSE_T:
+     [
+     In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ),
+     !Ltk( $T, ~skT, 'terminal' )
+     ]
+    -->
+     [
+     Out( <kdf(<'TCNF', r1>, z), '3', 't'> ),
+     TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, z), kdf(<'TENC', r1>, z)
+     )
+     ]
+    variants (modulo AC)
+    1. ~skT  = ~skT.14
+       cTA   = cTA.15
+       z     = decaps(cTA.15, ~skT.14)
+    
+    2. ~skT  = ~skT.22
+       cTA   = encaps(z.31, pk(~skT.22))
+       z     = z.31
+  */
+
+rule (modulo E) TA_COMPLETE_C:
+   [
+   In( <kTCNF_T, '3', 't'> ),
+   TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> )
+   ]
+  --[
+  Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ),
+  CompletedTA( $C, iid, cert_id(certT) )
+  ]->
+   [
+   TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>,
+                kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA)
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_COMPLETE_C:
+     [
+     In( <kTCNF_T, '3', 't'> ),
+     TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> )
+     ]
+    --[ Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ), CompletedTA( $C, iid, z ) ]->
+     [
+     TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>,
+                  kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA)
+     )
+     ]
+    variants (modulo AC)
+    1. certT = certT.16
+       z     = cert_id(certT.16)
+    
+    2. certT = cert(x.26, x.27, z.21)
+       z     = z.21
+  */
+
+rule (modulo E) CA_INIT_C:
+   [
+   !Cert( $C, certC, 'chip' ), Fr( ~r2 ),
+   TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC )
+   ]
+  -->
+   [
+   Out( <senc(<certC, ~r2>, kTENC), '4', 'c'> ), Out( senc(iid, kTENC) ),
+   CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2 )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_INIT_T:
+   [
+   In( <cCA, 'CA_INIT', '4', 'c'> ),
+   TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ),
+   !Cert( $T, certT, 'terminal' ), Fr( ~k )
+   ]
+  --[ Eq( verify_cert(fst(sdec(cCA, kTENC)), 'chip'), true ) ]->
+   [
+   Out( <encaps(~k, cert_pk(fst(sdec(cCA, kTENC)))), 
+         mac(<'CA', certT, fst(sdec(cCA, kTENC)), snd(sdec(cCA, kTENC)), 
+              encaps(~k, cert_pk(fst(sdec(cCA, kTENC))))>,
+             kTMAC), 
+         '5', 't'>
+   ),
+   CAInitT( <$T, iid>, id_c, kTMAC, kTENC, fst(sdec(cCA, kTENC)),
+            snd(sdec(cCA, kTENC)), <~k, encaps(~k, cert_pk(fst(sdec(cCA, kTENC))))>
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_INIT_T:
+     [
+     In( <cCA, 'CA_INIT', '4', 'c'> ),
+     TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ),
+     !Cert( $T, certT, 'terminal' ), Fr( ~k )
+     ]
+    --[ Eq( z.3, true ) ]->
+     [
+     Out( <encaps(~k, z), mac(<'CA', certT, z.1, z.2, encaps(~k, z)>, kTMAC), 
+           '5', 't'>
+     ),
+     CAInitT( <$T, iid>, id_c, kTMAC, kTENC, z.1, z.2, <~k, encaps(~k, z)> )
+     ]
+    variants (modulo AC)
+    1. cCA   = cCA.25
+       kTENC = kTENC.29
+       z     = cert_pk(fst(sdec(cCA.25, kTENC.29)))
+       z.1   = fst(sdec(cCA.25, kTENC.29))
+       z.2   = snd(sdec(cCA.25, kTENC.29))
+       z.3   = verify(cert_sig(fst(sdec(cCA.25, kTENC.29))),
+                      <cert_pk(fst(sdec(cCA.25, kTENC.29))), 
+                       cert_id(fst(sdec(cCA.25, kTENC.29))), 'chip'>,
+                      pk(ca_sk))
+    
+    2. cCA   = senc(x.190, kTENC.99)
+       kTENC = kTENC.99
+       z     = cert_pk(fst(x.190))
+       z.1   = fst(x.190)
+       z.2   = snd(x.190)
+       z.3   = verify(cert_sig(fst(x.190)),
+                      <cert_pk(fst(x.190)), cert_id(fst(x.190)), 'chip'>, pk(ca_sk))
+    
+    3. cCA   = senc(<z.38, z.39>, kTENC.30)
+       kTENC = kTENC.30
+       z     = cert_pk(z.38)
+       z.1   = z.38
+       z.2   = z.39
+       z.3   = verify(cert_sig(z.38), <cert_pk(z.38), cert_id(z.38), 'chip'>,
+                      pk(ca_sk))
+    
+    4. cCA   = senc(<
+                     cert(z.106, sign(<z.106, x.192, 'chip'>, ca_sk), x.192), z.109>,
+                    kTENC.100)
+       kTENC = kTENC.100
+       z     = z.106
+       z.1   = cert(z.106, sign(<z.106, x.192, 'chip'>, ca_sk), x.192)
+       z.2   = z.109
+       z.3   = true
+    
+    5. cCA   = senc(<cert(z.107, x.193, x.194), z.110>, kTENC.101)
+       kTENC = kTENC.101
+       z     = z.107
+       z.1   = cert(z.107, x.193, x.194)
+       z.2   = z.110
+       z.3   = verify(x.193, <z.107, x.194, 'chip'>, pk(ca_sk))
+  */
+
+rule (modulo E) CA_FINISH_C:
+   [
+   In( <cip, s, '5', 't'> ),
+   CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ),
+   !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+   ]
+  --[
+  Eq( s, mac(<'CA', certT, certC, r2, cip>, kTMAC) ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)),
+             <certT, certC, r2, cip>, $C, 'chip', cert_id(certT)
+  )
+  ]->
+   [
+   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '6', 'c'>
+   ),
+   CAFinishC( $C, cert_id(certT),
+              kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC))
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_C:
+     [
+     In( <cip, s, '5', 't'> ),
+     CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ),
+     !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+     ]
+    --[
+    Eq( s, mac(<'CA', certT, certC, r2, cip>, kTMAC) ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip>, z),
+               <certT, certC, r2, cip>, $C, 'chip', z.1
+    )
+    ]->
+     [
+     Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '6', 'c'> ),
+     CAFinishC( $C, z.1, kdf(<'KEY', certT, certC, r2, cip>, z) )
+     ]
+    variants (modulo AC)
+    1. ~skC  = ~skC.28
+       certT = certT.31
+       cip   = cip.32
+       z     = decaps(cip.32, ~skC.28)
+       z.1   = cert_id(certT.31)
+    
+    2. ~skC  = ~skC.41
+       certT = certT.44
+       cip   = encaps(z.58, pk(~skC.41))
+       z     = z.58
+       z.1   = cert_id(certT.44)
+    
+    3. ~skC  = ~skC.186
+       certT = cert(x.368, x.369, z.206)
+       cip   = cip.190
+       z     = decaps(cip.190, ~skC.186)
+       z.1   = z.206
+    
+    4. ~skC  = ~skC.189
+       certT = cert(x.374, x.375, z.209)
+       cip   = encaps(z.206, pk(~skC.189))
+       z     = z.206
+       z.1   = z.209
+  */
+
+rule (modulo E) CA_FINISH_T:
+   [
+   In( <kCNF_c, '6', 'c'> ),
+   CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> ),
+   !Cert( $T, certT, 'terminal' )
+   ]
+  --[
+  Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_c ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
+             <certT, certC, r2, cip>, $T, 'terminal', cert_id(certC)
+  ),
+  Finished( <certT, certC, r2, cip> )
+  ]->
+   [
+   CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
+   !SessionReveal( <certT, certC, r2, cip>,
+                   kdf(<'KEY', certT, certC, r2, cip>, k)
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_T:
+     [
+     In( <kCNF_c, '6', 'c'> ),
+     CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> ),
+     !Cert( $T, certT, 'terminal' )
+     ]
+    --[
+    Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_c ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
+               <certT, certC, r2, cip>, $T, 'terminal', z
+    ),
+    Finished( <certT, certC, r2, cip> )
+    ]->
+     [
+     CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
+     !SessionReveal( <certT, certC, r2, cip>,
+                     kdf(<'KEY', certT, certC, r2, cip>, k)
+     )
+     ]
+    variants (modulo AC)
+    1. certC = certC.17
+       z     = cert_id(certC.17)
+    
+    2. certC = cert(x.43, x.44, z.30)
+       z     = z.30
+  */
+
+rule (modulo E) Verify_Transcript_C:
+   [
+   In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF> ), In( kTA ),
+   !Ltk( C, skC, 'chip' )
+   ]
+  --[
+  Eq( C, cert_id(fst(sdec(cCA, kdf(<'TENC', r1>, kTA)))) ),
+  Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 'chip'), true ),
+  Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( kTCNF, kdf(<'TCNF', r1>, kTA) ),
+  Eq( s,
+      mac(<'CA', certT, fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, kTA))), cip>,
+          kdf(<'TMAC', r1>, kTA))
+  ),
+  Eq( kCNF,
+      kdf(<'CNF', certT, fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, kTA))), cip>,
+          decaps(cip, skC))
+  ),
+  ValidTrans( C, 'chip', cert_id(certT) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_C:
+     [
+     In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF> ), In( kTA ),
+     !Ltk( C, skC, 'chip' )
+     ]
+    --[
+    Eq( C, z ), Eq( z.1, true ), Eq( z.2, true ),
+    Eq( kTCNF, kdf(<'TCNF', r1>, kTA) ),
+    Eq( s, mac(<'CA', certT, z.3, z.4, cip>, kdf(<'TMAC', r1>, kTA)) ),
+    Eq( kCNF, kdf(<'CNF', certT, z.3, z.4, cip>, z.5) ),
+    ValidTrans( C, 'chip', z.6 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. cCA   = cCA.35
+        certT = certT.37
+        cip   = cip.38
+        kTA   = kTA.40
+        r1    = r1.42
+        skC   = skC.44
+        z     = cert_id(fst(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40)))),
+                       <cert_pk(fst(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40)))), 
+                        cert_id(fst(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.37),
+                       <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40)))
+        z.4   = snd(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40)))
+        z.5   = decaps(cip.38, skC.44)
+        z.6   = cert_id(certT.37)
+    
+     2. cCA   = cCA.46
+        certT = certT.48
+        cip   = encaps(z.66, pk(skC.55))
+        kTA   = kTA.51
+        r1    = r1.53
+        skC   = skC.55
+        z     = cert_id(fst(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51)))),
+                       <cert_pk(fst(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51)))), 
+                        cert_id(fst(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.48),
+                       <cert_pk(certT.48), cert_id(certT.48), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51)))
+        z.4   = snd(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51)))
+        z.5   = z.66
+        z.6   = cert_id(certT.48)
+    
+     3. cCA   = cCA.114
+        certT = cert(x.224, sign(<x.224, z.135, 'terminal'>, ca_sk), z.135)
+        cip   = cip.117
+        kTA   = kTA.119
+        r1    = r1.121
+        skC   = skC.123
+        z     = cert_id(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.114,
+                                         kdf(<'TENC', r1.121>, kTA.119)))),
+                       <cert_pk(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))), 
+                        cert_id(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))
+        z.4   = snd(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))
+        z.5   = decaps(cip.117, skC.123)
+        z.6   = z.135
+    
+     4. cCA   = cCA.114
+        certT = cert(x.224, sign(<x.224, z.135, 'terminal'>, ca_sk), z.135)
+        cip   = encaps(z.134, pk(skC.123))
+        kTA   = kTA.119
+        r1    = r1.121
+        skC   = skC.123
+        z     = cert_id(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.114,
+                                         kdf(<'TENC', r1.121>, kTA.119)))),
+                       <cert_pk(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))), 
+                        cert_id(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))
+        z.4   = snd(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))
+        z.5   = z.134
+        z.6   = z.135
+    
+     5. cCA   = cCA.115
+        certT = cert(x.225, x.226, z.136)
+        cip   = cip.118
+        kTA   = kTA.120
+        r1    = r1.122
+        skC   = skC.124
+        z     = cert_id(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.115,
+                                         kdf(<'TENC', r1.122>, kTA.120)))),
+                       <cert_pk(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))), 
+                        cert_id(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.226, <x.225, z.136, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))
+        z.4   = snd(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))
+        z.5   = decaps(cip.118, skC.124)
+        z.6   = z.136
+    
+     6. cCA   = cCA.115
+        certT = cert(x.225, x.226, z.136)
+        cip   = encaps(z.135, pk(skC.124))
+        kTA   = kTA.120
+        r1    = r1.122
+        skC   = skC.124
+        z     = cert_id(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.115,
+                                         kdf(<'TENC', r1.122>, kTA.120)))),
+                       <cert_pk(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))), 
+                        cert_id(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.226, <x.225, z.136, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))
+        z.4   = snd(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))
+        z.5   = z.135
+        z.6   = z.136
+    
+     7. cCA   = senc(x.183, kdf(<'TENC', r1.100>, kTA.98))
+        certT = cert(x.187, sign(<x.187, z.114, 'terminal'>, ca_sk), z.114)
+        cip   = encaps(z.113, pk(skC.102))
+        kTA   = kTA.98
+        r1    = r1.100
+        skC   = skC.102
+        z     = cert_id(fst(x.183))
+        z.1   = verify(cert_sig(fst(x.183)),
+                       <cert_pk(fst(x.183)), cert_id(fst(x.183)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.183)
+        z.4   = snd(x.183)
+        z.5   = z.113
+        z.6   = z.114
+    
+     8. cCA   = senc(x.184, kdf(<'TENC', r1.101>, kTA.99))
+        certT = cert(x.188, x.189, z.115)
+        cip   = encaps(z.114, pk(skC.103))
+        kTA   = kTA.99
+        r1    = r1.101
+        skC   = skC.103
+        z     = cert_id(fst(x.184))
+        z.1   = verify(cert_sig(fst(x.184)),
+                       <cert_pk(fst(x.184)), cert_id(fst(x.184)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.189, <x.188, z.115, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.184)
+        z.4   = snd(x.184)
+        z.5   = z.114
+        z.6   = z.115
+    
+     9. cCA   = senc(x.201, kdf(<'TENC', r1.110>, kTA.108))
+        certT = cert(x.205, sign(<x.205, z.124, 'terminal'>, ca_sk), z.124)
+        cip   = cip.106
+        kTA   = kTA.108
+        r1    = r1.110
+        skC   = skC.112
+        z     = cert_id(fst(x.201))
+        z.1   = verify(cert_sig(fst(x.201)),
+                       <cert_pk(fst(x.201)), cert_id(fst(x.201)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.201)
+        z.4   = snd(x.201)
+        z.5   = decaps(cip.106, skC.112)
+        z.6   = z.124
+    
+    10. cCA   = senc(x.202, kdf(<'TENC', r1.111>, kTA.109))
+        certT = cert(x.206, x.207, z.125)
+        cip   = cip.107
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = cert_id(fst(x.202))
+        z.1   = verify(cert_sig(fst(x.202)),
+                       <cert_pk(fst(x.202)), cert_id(fst(x.202)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.207, <x.206, z.125, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.202)
+        z.4   = snd(x.202)
+        z.5   = decaps(cip.107, skC.113)
+        z.6   = z.125
+    
+    11. cCA   = senc(x.206, kdf(<'TENC', r1.111>, kTA.109))
+        certT = certT.106
+        cip   = cip.107
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = cert_id(fst(x.206))
+        z.1   = verify(cert_sig(fst(x.206)),
+                       <cert_pk(fst(x.206)), cert_id(fst(x.206)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.206)
+        z.4   = snd(x.206)
+        z.5   = decaps(cip.107, skC.113)
+        z.6   = cert_id(certT.106)
+    
+    12. cCA   = senc(x.206, kdf(<'TENC', r1.111>, kTA.109))
+        certT = certT.106
+        cip   = encaps(z.124, pk(skC.113))
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = cert_id(fst(x.206))
+        z.1   = verify(cert_sig(fst(x.206)),
+                       <cert_pk(fst(x.206)), cert_id(fst(x.206)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.206)
+        z.4   = snd(x.206)
+        z.5   = z.124
+        z.6   = cert_id(certT.106)
+    
+    13. cCA   = senc(<z.55, z.56>, kdf(<'TENC', r1.46>, kTA.44))
+        certT = certT.41
+        cip   = cip.42
+        kTA   = kTA.44
+        r1    = r1.46
+        skC   = skC.48
+        z     = cert_id(z.55)
+        z.1   = verify(cert_sig(z.55), <cert_pk(z.55), cert_id(z.55), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.41),
+                       <cert_pk(certT.41), cert_id(certT.41), 'terminal'>, pk(ca_sk))
+        z.3   = z.55
+        z.4   = z.56
+        z.5   = decaps(cip.42, skC.48)
+        z.6   = cert_id(certT.41)
+    
+    14. cCA   = senc(<z.58, z.59>, kdf(<'TENC', r1.49>, kTA.47))
+        certT = certT.44
+        cip   = encaps(z.62, pk(skC.51))
+        kTA   = kTA.47
+        r1    = r1.49
+        skC   = skC.51
+        z     = cert_id(z.58)
+        z.1   = verify(cert_sig(z.58), <cert_pk(z.58), cert_id(z.58), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.44),
+                       <cert_pk(certT.44), cert_id(certT.44), 'terminal'>, pk(ca_sk))
+        z.3   = z.58
+        z.4   = z.59
+        z.5   = z.62
+        z.6   = cert_id(certT.44)
+    
+    15. cCA   = senc(<z.110, z.111>, kdf(<'TENC', r1.101>, kTA.99))
+        certT = cert(x.189, sign(<x.189, z.115, 'terminal'>, ca_sk), z.115)
+        cip   = encaps(z.114, pk(skC.103))
+        kTA   = kTA.99
+        r1    = r1.101
+        skC   = skC.103
+        z     = cert_id(z.110)
+        z.1   = verify(cert_sig(z.110), <cert_pk(z.110), cert_id(z.110), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.110
+        z.4   = z.111
+        z.5   = z.114
+        z.6   = z.115
+    
+    16. cCA   = senc(<z.111, z.112>, kdf(<'TENC', r1.102>, kTA.100))
+        certT = cert(x.190, x.191, z.116)
+        cip   = encaps(z.115, pk(skC.104))
+        kTA   = kTA.100
+        r1    = r1.102
+        skC   = skC.104
+        z     = cert_id(z.111)
+        z.1   = verify(cert_sig(z.111), <cert_pk(z.111), cert_id(z.111), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.191, <x.190, z.116, 'terminal'>, pk(ca_sk))
+        z.3   = z.111
+        z.4   = z.112
+        z.5   = z.115
+        z.6   = z.116
+    
+    17. cCA   = senc(<z.120, z.121>, kdf(<'TENC', r1.111>, kTA.109))
+        certT = cert(x.207, sign(<x.207, z.125, 'terminal'>, ca_sk), z.125)
+        cip   = cip.107
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = cert_id(z.120)
+        z.1   = verify(cert_sig(z.120), <cert_pk(z.120), cert_id(z.120), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.120
+        z.4   = z.121
+        z.5   = decaps(cip.107, skC.113)
+        z.6   = z.125
+    
+    18. cCA   = senc(<z.121, z.122>, kdf(<'TENC', r1.112>, kTA.110))
+        certT = cert(x.208, x.209, z.126)
+        cip   = cip.108
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        z     = cert_id(z.121)
+        z.1   = verify(cert_sig(z.121), <cert_pk(z.121), cert_id(z.121), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.209, <x.208, z.126, 'terminal'>, pk(ca_sk))
+        z.3   = z.121
+        z.4   = z.122
+        z.5   = decaps(cip.108, skC.114)
+        z.6   = z.126
+    
+    19. cCA   = senc(<
+                      cert(x.185, sign(<x.185, z.106, 'chip'>, ca_sk), z.106), z.112>,
+                     kdf(<'TENC', r1.102>, kTA.100))
+        certT = cert(x.191, sign(<x.191, z.116, 'terminal'>, ca_sk), z.116)
+        cip   = encaps(z.115, pk(skC.104))
+        kTA   = kTA.100
+        r1    = r1.102
+        skC   = skC.104
+        z     = z.106
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.185, sign(<x.185, z.106, 'chip'>, ca_sk), z.106)
+        z.4   = z.112
+        z.5   = z.115
+        z.6   = z.116
+    
+    20. cCA   = senc(<cert(x.186, x.187, z.107), z.113>,
+                     kdf(<'TENC', r1.103>, kTA.101))
+        certT = cert(x.193, sign(<x.193, z.117, 'terminal'>, ca_sk), z.117)
+        cip   = encaps(z.116, pk(skC.105))
+        kTA   = kTA.101
+        r1    = r1.103
+        skC   = skC.105
+        z     = z.107
+        z.1   = verify(x.187, <x.186, z.107, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.186, x.187, z.107)
+        z.4   = z.113
+        z.5   = z.116
+        z.6   = z.117
+    
+    21. cCA   = senc(<
+                      cert(x.186, sign(<x.186, z.107, 'chip'>, ca_sk), z.107), z.113>,
+                     kdf(<'TENC', r1.103>, kTA.101))
+        certT = cert(x.192, x.193, z.117)
+        cip   = encaps(z.116, pk(skC.105))
+        kTA   = kTA.101
+        r1    = r1.103
+        skC   = skC.105
+        z     = z.107
+        z.1   = true
+        z.2   = verify(x.193, <x.192, z.117, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.186, sign(<x.186, z.107, 'chip'>, ca_sk), z.107)
+        z.4   = z.113
+        z.5   = z.116
+        z.6   = z.117
+    
+    22. cCA   = senc(<cert(x.187, x.188, z.108), z.114>,
+                     kdf(<'TENC', r1.104>, kTA.102))
+        certT = cert(x.194, x.195, z.118)
+        cip   = encaps(z.117, pk(skC.106))
+        kTA   = kTA.102
+        r1    = r1.104
+        skC   = skC.106
+        z     = z.108
+        z.1   = verify(x.188, <x.187, z.108, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.195, <x.194, z.118, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.187, x.188, z.108)
+        z.4   = z.114
+        z.5   = z.117
+        z.6   = z.118
+    
+    23. cCA   = senc(<
+                      cert(x.203, sign(<x.203, z.116, 'chip'>, ca_sk), z.116), z.122>,
+                     kdf(<'TENC', r1.112>, kTA.110))
+        certT = cert(x.209, sign(<x.209, z.126, 'terminal'>, ca_sk), z.126)
+        cip   = cip.108
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        z     = z.116
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.203, sign(<x.203, z.116, 'chip'>, ca_sk), z.116)
+        z.4   = z.122
+        z.5   = decaps(cip.108, skC.114)
+        z.6   = z.126
+    
+    24. cCA   = senc(<cert(x.204, x.205, z.117), z.123>,
+                     kdf(<'TENC', r1.113>, kTA.111))
+        certT = cert(x.211, sign(<x.211, z.127, 'terminal'>, ca_sk), z.127)
+        cip   = cip.109
+        kTA   = kTA.111
+        r1    = r1.113
+        skC   = skC.115
+        z     = z.117
+        z.1   = verify(x.205, <x.204, z.117, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.204, x.205, z.117)
+        z.4   = z.123
+        z.5   = decaps(cip.109, skC.115)
+        z.6   = z.127
+    
+    25. cCA   = senc(<
+                      cert(x.204, sign(<x.204, z.117, 'chip'>, ca_sk), z.117), z.123>,
+                     kdf(<'TENC', r1.113>, kTA.111))
+        certT = cert(x.210, x.211, z.127)
+        cip   = cip.109
+        kTA   = kTA.111
+        r1    = r1.113
+        skC   = skC.115
+        z     = z.117
+        z.1   = true
+        z.2   = verify(x.211, <x.210, z.127, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.204, sign(<x.204, z.117, 'chip'>, ca_sk), z.117)
+        z.4   = z.123
+        z.5   = decaps(cip.109, skC.115)
+        z.6   = z.127
+    
+    26. cCA   = senc(<cert(x.205, x.206, z.118), z.124>,
+                     kdf(<'TENC', r1.114>, kTA.112))
+        certT = cert(x.212, x.213, z.128)
+        cip   = cip.110
+        kTA   = kTA.112
+        r1    = r1.114
+        skC   = skC.116
+        z     = z.118
+        z.1   = verify(x.206, <x.205, z.118, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.213, <x.212, z.128, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.205, x.206, z.118)
+        z.4   = z.124
+        z.5   = decaps(cip.110, skC.116)
+        z.6   = z.128
+    
+    27. cCA   = senc(<
+                      cert(x.206, sign(<x.206, z.115, 'chip'>, ca_sk), z.115), z.121>,
+                     kdf(<'TENC', r1.111>, kTA.109))
+        certT = certT.106
+        cip   = cip.107
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = z.115
+        z.1   = true
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.206, sign(<x.206, z.115, 'chip'>, ca_sk), z.115)
+        z.4   = z.121
+        z.5   = decaps(cip.107, skC.113)
+        z.6   = cert_id(certT.106)
+    
+    28. cCA   = senc(<
+                      cert(x.206, sign(<x.206, z.115, 'chip'>, ca_sk), z.115), z.121>,
+                     kdf(<'TENC', r1.111>, kTA.109))
+        certT = certT.106
+        cip   = encaps(z.124, pk(skC.113))
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = z.115
+        z.1   = true
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.206, sign(<x.206, z.115, 'chip'>, ca_sk), z.115)
+        z.4   = z.121
+        z.5   = z.124
+        z.6   = cert_id(certT.106)
+    
+    29. cCA   = senc(<cert(x.207, x.208, z.116), z.122>,
+                     kdf(<'TENC', r1.112>, kTA.110))
+        certT = certT.107
+        cip   = cip.108
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        z     = z.116
+        z.1   = verify(x.208, <x.207, z.116, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.107),
+                       <cert_pk(certT.107), cert_id(certT.107), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.207, x.208, z.116)
+        z.4   = z.122
+        z.5   = decaps(cip.108, skC.114)
+        z.6   = cert_id(certT.107)
+    
+    30. cCA   = senc(<cert(x.207, x.208, z.116), z.122>,
+                     kdf(<'TENC', r1.112>, kTA.110))
+        certT = certT.107
+        cip   = encaps(z.125, pk(skC.114))
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        z     = z.116
+        z.1   = verify(x.208, <x.207, z.116, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.107),
+                       <cert_pk(certT.107), cert_id(certT.107), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.207, x.208, z.116)
+        z.4   = z.122
+        z.5   = z.125
+        z.6   = cert_id(certT.107)
+  */
+
+rule (modulo E) Verify_Transcript_T:
+   [
+   In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF> ), In( kKDF ),
+   !Ltk( T, skT, 'terminal' )
+   ]
+  --[
+  Eq( T, cert_id(certT) ),
+  Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))),
+                  'chip'),
+      true
+  ),
+  Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( kTCNF, kdf(<'TCNF', r1>, decaps(cTA, skT)) ),
+  Eq( s,
+      mac(<'CA', certT, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), cip>,
+          kdf(<'TMAC', r1>, decaps(cTA, skT)))
+  ),
+  Eq( kCNF,
+      kdf(<'CNF', certT, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), cip>,
+          kKDF)
+  ),
+  ValidTrans( T, 'terminal',
+              cert_id(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))))
+  )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_T:
+     [
+     In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF> ), In( kKDF ),
+     !Ltk( T, skT, 'terminal' )
+     ]
+    --[
+    Eq( T, z ), Eq( z.1, true ), Eq( z.2, true ),
+    Eq( kTCNF, kdf(<'TCNF', r1>, z.3) ),
+    Eq( s, mac(<'CA', certT, z.4, z.5, cip>, kdf(<'TMAC', r1>, z.3)) ),
+    Eq( kCNF, kdf(<'CNF', certT, z.4, z.5, cip>, kKDF) ),
+    ValidTrans( T, 'terminal', z.6 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. cCA   = cCA.35
+        cTA   = cTA.36
+        certT = certT.37
+        r1    = r1.42
+        skT   = skT.44
+        z     = cert_id(certT.37)
+        z.1   = verify(cert_sig(fst(sdec(cCA.35,
+                                         kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44))))),
+                       <
+                        cert_pk(fst(sdec(cCA.35,
+                                         kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44))))), 
+                        cert_id(fst(sdec(cCA.35,
+                                         kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.37),
+                       <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.36, skT.44)
+        z.4   = fst(sdec(cCA.35, kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44))))
+        z.5   = snd(sdec(cCA.35, kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44))))
+        z.6   = cert_id(fst(sdec(cCA.35,
+                                 kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44)))))
+    
+     2. cCA   = cCA.41
+        cTA   = encaps(z.56, pk(skT.50))
+        certT = certT.43
+        r1    = r1.48
+        skT   = skT.50
+        z     = cert_id(certT.43)
+        z.1   = verify(cert_sig(fst(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56)))),
+                       <cert_pk(fst(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56)))), 
+                        cert_id(fst(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.43),
+                       <cert_pk(certT.43), cert_id(certT.43), 'terminal'>, pk(ca_sk))
+        z.3   = z.56
+        z.4   = fst(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56)))
+        z.5   = snd(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56)))
+        z.6   = cert_id(fst(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56))))
+    
+     3. cCA   = cCA.114
+        cTA   = cTA.115
+        certT = cert(x.224, sign(<x.224, z.125, 'terminal'>, ca_sk), z.125)
+        r1    = r1.121
+        skT   = skT.123
+        z     = z.125
+        z.1   = verify(cert_sig(fst(sdec(cCA.114,
+                                         kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123))))),
+                       <
+                        cert_pk(fst(sdec(cCA.114,
+                                         kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123))))), 
+                        cert_id(fst(sdec(cCA.114,
+                                         kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.115, skT.123)
+        z.4   = fst(sdec(cCA.114,
+                         kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123))))
+        z.5   = snd(sdec(cCA.114,
+                         kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123))))
+        z.6   = cert_id(fst(sdec(cCA.114,
+                                 kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123)))))
+    
+     4. cCA   = cCA.115
+        cTA   = cTA.116
+        certT = cert(x.225, x.226, z.126)
+        r1    = r1.122
+        skT   = skT.124
+        z     = z.126
+        z.1   = verify(cert_sig(fst(sdec(cCA.115,
+                                         kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124))))),
+                       <
+                        cert_pk(fst(sdec(cCA.115,
+                                         kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124))))), 
+                        cert_id(fst(sdec(cCA.115,
+                                         kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.226, <x.225, z.126, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.116, skT.124)
+        z.4   = fst(sdec(cCA.115,
+                         kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124))))
+        z.5   = snd(sdec(cCA.115,
+                         kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124))))
+        z.6   = cert_id(fst(sdec(cCA.115,
+                                 kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124)))))
+    
+     5. cCA   = cCA.116
+        cTA   = encaps(z.131, pk(skT.125))
+        certT = cert(x.228, sign(<x.228, z.127, 'terminal'>, ca_sk), z.127)
+        r1    = r1.123
+        skT   = skT.125
+        z     = z.127
+        z.1   = verify(cert_sig(fst(sdec(cCA.116,
+                                         kdf(<'TENC', r1.123>, z.131)))),
+                       <cert_pk(fst(sdec(cCA.116, kdf(<'TENC', r1.123>, z.131)))), 
+                        cert_id(fst(sdec(cCA.116, kdf(<'TENC', r1.123>, z.131)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.131
+        z.4   = fst(sdec(cCA.116, kdf(<'TENC', r1.123>, z.131)))
+        z.5   = snd(sdec(cCA.116, kdf(<'TENC', r1.123>, z.131)))
+        z.6   = cert_id(fst(sdec(cCA.116, kdf(<'TENC', r1.123>, z.131))))
+    
+     6. cCA   = cCA.117
+        cTA   = encaps(z.132, pk(skT.126))
+        certT = cert(x.229, x.230, z.128)
+        r1    = r1.124
+        skT   = skT.126
+        z     = z.128
+        z.1   = verify(cert_sig(fst(sdec(cCA.117,
+                                         kdf(<'TENC', r1.124>, z.132)))),
+                       <cert_pk(fst(sdec(cCA.117, kdf(<'TENC', r1.124>, z.132)))), 
+                        cert_id(fst(sdec(cCA.117, kdf(<'TENC', r1.124>, z.132)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.230, <x.229, z.128, 'terminal'>, pk(ca_sk))
+        z.3   = z.132
+        z.4   = fst(sdec(cCA.117, kdf(<'TENC', r1.124>, z.132)))
+        z.5   = snd(sdec(cCA.117, kdf(<'TENC', r1.124>, z.132)))
+        z.6   = cert_id(fst(sdec(cCA.117, kdf(<'TENC', r1.124>, z.132))))
+    
+     7. cCA   = senc(x.165, kdf(<'TENC', r1.90>, z.98))
+        cTA   = encaps(z.98, pk(skT.92))
+        certT = cert(x.169, sign(<x.169, z.94, 'terminal'>, ca_sk), z.94)
+        r1    = r1.90
+        skT   = skT.92
+        z     = z.94
+        z.1   = verify(cert_sig(fst(x.165)),
+                       <cert_pk(fst(x.165)), cert_id(fst(x.165)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = z.98
+        z.4   = fst(x.165)
+        z.5   = snd(x.165)
+        z.6   = cert_id(fst(x.165))
+    
+     8. cCA   = senc(x.166, kdf(<'TENC', r1.91>, z.99))
+        cTA   = encaps(z.99, pk(skT.93))
+        certT = cert(x.170, x.171, z.95)
+        r1    = r1.91
+        skT   = skT.93
+        z     = z.95
+        z.1   = verify(cert_sig(fst(x.166)),
+                       <cert_pk(fst(x.166)), cert_id(fst(x.166)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.171, <x.170, z.95, 'terminal'>, pk(ca_sk))
+        z.3   = z.99
+        z.4   = fst(x.166)
+        z.5   = snd(x.166)
+        z.6   = cert_id(fst(x.166))
+    
+     9. cCA   = senc(x.206, kdf(<'TENC', r1.111>, z.119))
+        cTA   = encaps(z.119, pk(skT.113))
+        certT = certT.106
+        r1    = r1.111
+        skT   = skT.113
+        z     = cert_id(certT.106)
+        z.1   = verify(cert_sig(fst(x.206)),
+                       <cert_pk(fst(x.206)), cert_id(fst(x.206)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = z.119
+        z.4   = fst(x.206)
+        z.5   = snd(x.206)
+        z.6   = cert_id(fst(x.206))
+    
+    10. cCA   = senc(x.215, kdf(<'TENC', r1.116>, decaps(cTA.110, skT.118)))
+        cTA   = cTA.110
+        certT = certT.111
+        r1    = r1.116
+        skT   = skT.118
+        z     = cert_id(certT.111)
+        z.1   = verify(cert_sig(fst(x.215)),
+                       <cert_pk(fst(x.215)), cert_id(fst(x.215)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.111),
+                       <cert_pk(certT.111), cert_id(certT.111), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.110, skT.118)
+        z.4   = fst(x.215)
+        z.5   = snd(x.215)
+        z.6   = cert_id(fst(x.215))
+    
+    11. cCA   = senc(x.219, kdf(<'TENC', r1.120>, decaps(cTA.114, skT.122)))
+        cTA   = cTA.114
+        certT = cert(x.223, sign(<x.223, z.124, 'terminal'>, ca_sk), z.124)
+        r1    = r1.120
+        skT   = skT.122
+        z     = z.124
+        z.1   = verify(cert_sig(fst(x.219)),
+                       <cert_pk(fst(x.219)), cert_id(fst(x.219)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.114, skT.122)
+        z.4   = fst(x.219)
+        z.5   = snd(x.219)
+        z.6   = cert_id(fst(x.219))
+    
+    12. cCA   = senc(x.220, kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123)))
+        cTA   = cTA.115
+        certT = cert(x.224, x.225, z.125)
+        r1    = r1.121
+        skT   = skT.123
+        z     = z.125
+        z.1   = verify(cert_sig(fst(x.220)),
+                       <cert_pk(fst(x.220)), cert_id(fst(x.220)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.225, <x.224, z.125, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.115, skT.123)
+        z.4   = fst(x.220)
+        z.5   = snd(x.220)
+        z.6   = cert_id(fst(x.220))
+    
+    13. cCA   = senc(<z.57, z.58>, kdf(<'TENC', r1.47>, z.55))
+        cTA   = encaps(z.55, pk(skT.49))
+        certT = certT.42
+        r1    = r1.47
+        skT   = skT.49
+        z     = cert_id(certT.42)
+        z.1   = verify(cert_sig(z.57), <cert_pk(z.57), cert_id(z.57), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.42),
+                       <cert_pk(certT.42), cert_id(certT.42), 'terminal'>, pk(ca_sk))
+        z.3   = z.55
+        z.4   = z.57
+        z.5   = z.58
+        z.6   = cert_id(z.57)
+    
+    14. cCA   = senc(<z.59, z.60>,
+                     kdf(<'TENC', r1.49>, decaps(cTA.43, skT.51)))
+        cTA   = cTA.43
+        certT = certT.44
+        r1    = r1.49
+        skT   = skT.51
+        z     = cert_id(certT.44)
+        z.1   = verify(cert_sig(z.59), <cert_pk(z.59), cert_id(z.59), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.44),
+                       <cert_pk(certT.44), cert_id(certT.44), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.43, skT.51)
+        z.4   = z.59
+        z.5   = z.60
+        z.6   = cert_id(z.59)
+    
+    15. cCA   = senc(<z.101, z.102>, kdf(<'TENC', r1.91>, z.99))
+        cTA   = encaps(z.99, pk(skT.93))
+        certT = cert(x.171, sign(<x.171, z.95, 'terminal'>, ca_sk), z.95)
+        r1    = r1.91
+        skT   = skT.93
+        z     = z.95
+        z.1   = verify(cert_sig(z.101), <cert_pk(z.101), cert_id(z.101), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.99
+        z.4   = z.101
+        z.5   = z.102
+        z.6   = cert_id(z.101)
+    
+    16. cCA   = senc(<z.102, z.103>, kdf(<'TENC', r1.92>, z.100))
+        cTA   = encaps(z.100, pk(skT.94))
+        certT = cert(x.172, x.173, z.96)
+        r1    = r1.92
+        skT   = skT.94
+        z     = z.96
+        z.1   = verify(cert_sig(z.102), <cert_pk(z.102), cert_id(z.102), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.173, <x.172, z.96, 'terminal'>, pk(ca_sk))
+        z.3   = z.100
+        z.4   = z.102
+        z.5   = z.103
+        z.6   = cert_id(z.102)
+    
+    17. cCA   = senc(<z.131, z.132>,
+                     kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123)))
+        cTA   = cTA.115
+        certT = cert(x.225, sign(<x.225, z.125, 'terminal'>, ca_sk), z.125)
+        r1    = r1.121
+        skT   = skT.123
+        z     = z.125
+        z.1   = verify(cert_sig(z.131), <cert_pk(z.131), cert_id(z.131), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.115, skT.123)
+        z.4   = z.131
+        z.5   = z.132
+        z.6   = cert_id(z.131)
+    
+    18. cCA   = senc(<z.132, z.133>,
+                     kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124)))
+        cTA   = cTA.116
+        certT = cert(x.226, x.227, z.126)
+        r1    = r1.122
+        skT   = skT.124
+        z     = z.126
+        z.1   = verify(cert_sig(z.132), <cert_pk(z.132), cert_id(z.132), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.227, <x.226, z.126, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.116, skT.124)
+        z.4   = z.132
+        z.5   = z.133
+        z.6   = cert_id(z.132)
+    
+    19. cCA   = senc(<
+                      cert(x.167, sign(<x.167, z.106, 'chip'>, ca_sk), z.106), z.103>,
+                     kdf(<'TENC', r1.92>, z.100))
+        cTA   = encaps(z.100, pk(skT.94))
+        certT = cert(x.173, sign(<x.173, z.96, 'terminal'>, ca_sk), z.96)
+        r1    = r1.92
+        skT   = skT.94
+        z     = z.96
+        z.1   = true
+        z.2   = true
+        z.3   = z.100
+        z.4   = cert(x.167, sign(<x.167, z.106, 'chip'>, ca_sk), z.106)
+        z.5   = z.103
+        z.6   = z.106
+    
+    20. cCA   = senc(<cert(x.168, x.169, z.107), z.104>,
+                     kdf(<'TENC', r1.93>, z.101))
+        cTA   = encaps(z.101, pk(skT.95))
+        certT = cert(x.175, sign(<x.175, z.97, 'terminal'>, ca_sk), z.97)
+        r1    = r1.93
+        skT   = skT.95
+        z     = z.97
+        z.1   = verify(x.169, <x.168, z.107, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = z.101
+        z.4   = cert(x.168, x.169, z.107)
+        z.5   = z.104
+        z.6   = z.107
+    
+    21. cCA   = senc(<
+                      cert(x.168, sign(<x.168, z.107, 'chip'>, ca_sk), z.107), z.104>,
+                     kdf(<'TENC', r1.93>, z.101))
+        cTA   = encaps(z.101, pk(skT.95))
+        certT = cert(x.174, x.175, z.97)
+        r1    = r1.93
+        skT   = skT.95
+        z     = z.97
+        z.1   = true
+        z.2   = verify(x.175, <x.174, z.97, 'terminal'>, pk(ca_sk))
+        z.3   = z.101
+        z.4   = cert(x.168, sign(<x.168, z.107, 'chip'>, ca_sk), z.107)
+        z.5   = z.104
+        z.6   = z.107
+    
+    22. cCA   = senc(<cert(x.169, x.170, z.108), z.105>,
+                     kdf(<'TENC', r1.94>, z.102))
+        cTA   = encaps(z.102, pk(skT.96))
+        certT = cert(x.176, x.177, z.98)
+        r1    = r1.94
+        skT   = skT.96
+        z     = z.98
+        z.1   = verify(x.170, <x.169, z.108, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.177, <x.176, z.98, 'terminal'>, pk(ca_sk))
+        z.3   = z.102
+        z.4   = cert(x.169, x.170, z.108)
+        z.5   = z.105
+        z.6   = z.108
+    
+    23. cCA   = senc(<
+                      cert(x.206, sign(<x.206, z.125, 'chip'>, ca_sk), z.125), z.122>,
+                     kdf(<'TENC', r1.111>, z.119))
+        cTA   = encaps(z.119, pk(skT.113))
+        certT = certT.106
+        r1    = r1.111
+        skT   = skT.113
+        z     = cert_id(certT.106)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = z.119
+        z.4   = cert(x.206, sign(<x.206, z.125, 'chip'>, ca_sk), z.125)
+        z.5   = z.122
+        z.6   = z.125
+    
+    24. cCA   = senc(<cert(x.207, x.208, z.126), z.123>,
+                     kdf(<'TENC', r1.112>, z.120))
+        cTA   = encaps(z.120, pk(skT.114))
+        certT = certT.107
+        r1    = r1.112
+        skT   = skT.114
+        z     = cert_id(certT.107)
+        z.1   = verify(x.208, <x.207, z.126, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.107),
+                       <cert_pk(certT.107), cert_id(certT.107), 'terminal'>, pk(ca_sk))
+        z.3   = z.120
+        z.4   = cert(x.207, x.208, z.126)
+        z.5   = z.123
+        z.6   = z.126
+    
+    25. cCA   = senc(<
+                      cert(x.215, sign(<x.215, z.130, 'chip'>, ca_sk), z.130), z.127>,
+                     kdf(<'TENC', r1.116>, decaps(cTA.110, skT.118)))
+        cTA   = cTA.110
+        certT = certT.111
+        r1    = r1.116
+        skT   = skT.118
+        z     = cert_id(certT.111)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.111),
+                       <cert_pk(certT.111), cert_id(certT.111), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.110, skT.118)
+        z.4   = cert(x.215, sign(<x.215, z.130, 'chip'>, ca_sk), z.130)
+        z.5   = z.127
+        z.6   = z.130
+    
+    26. cCA   = senc(<cert(x.216, x.217, z.131), z.128>,
+                     kdf(<'TENC', r1.117>, decaps(cTA.111, skT.119)))
+        cTA   = cTA.111
+        certT = certT.112
+        r1    = r1.117
+        skT   = skT.119
+        z     = cert_id(certT.112)
+        z.1   = verify(x.217, <x.216, z.131, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.112),
+                       <cert_pk(certT.112), cert_id(certT.112), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.111, skT.119)
+        z.4   = cert(x.216, x.217, z.131)
+        z.5   = z.128
+        z.6   = z.131
+    
+    27. cCA   = senc(<
+                      cert(x.221, sign(<x.221, z.136, 'chip'>, ca_sk), z.136), z.133>,
+                     kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124)))
+        cTA   = cTA.116
+        certT = cert(x.227, sign(<x.227, z.126, 'terminal'>, ca_sk), z.126)
+        r1    = r1.122
+        skT   = skT.124
+        z     = z.126
+        z.1   = true
+        z.2   = true
+        z.3   = decaps(cTA.116, skT.124)
+        z.4   = cert(x.221, sign(<x.221, z.136, 'chip'>, ca_sk), z.136)
+        z.5   = z.133
+        z.6   = z.136
+    
+    28. cCA   = senc(<cert(x.222, x.223, z.137), z.134>,
+                     kdf(<'TENC', r1.123>, decaps(cTA.117, skT.125)))
+        cTA   = cTA.117
+        certT = cert(x.229, sign(<x.229, z.127, 'terminal'>, ca_sk), z.127)
+        r1    = r1.123
+        skT   = skT.125
+        z     = z.127
+        z.1   = verify(x.223, <x.222, z.137, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.117, skT.125)
+        z.4   = cert(x.222, x.223, z.137)
+        z.5   = z.134
+        z.6   = z.137
+    
+    29. cCA   = senc(<
+                      cert(x.222, sign(<x.222, z.137, 'chip'>, ca_sk), z.137), z.134>,
+                     kdf(<'TENC', r1.123>, decaps(cTA.117, skT.125)))
+        cTA   = cTA.117
+        certT = cert(x.228, x.229, z.127)
+        r1    = r1.123
+        skT   = skT.125
+        z     = z.127
+        z.1   = true
+        z.2   = verify(x.229, <x.228, z.127, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.117, skT.125)
+        z.4   = cert(x.222, sign(<x.222, z.137, 'chip'>, ca_sk), z.137)
+        z.5   = z.134
+        z.6   = z.137
+    
+    30. cCA   = senc(<cert(x.223, x.224, z.138), z.135>,
+                     kdf(<'TENC', r1.124>, decaps(cTA.118, skT.126)))
+        cTA   = cTA.118
+        certT = cert(x.230, x.231, z.128)
+        r1    = r1.124
+        skT   = skT.126
+        z     = z.128
+        z.1   = verify(x.224, <x.223, z.138, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.231, <x.230, z.128, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.118, skT.126)
+        z.4   = cert(x.223, x.224, z.138)
+        z.5   = z.135
+        z.6   = z.138
+  */
+
+restriction Equality:
+  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
+  // safety formula
+
+lemma session_exist:
+  exists-trace
+  "∃ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+    (#i < #j)"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  #i < #j"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z.1),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( mac(<'CA', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                kdf(<'TMAC', ~r1>, ~kTA))
+                       ) @ #vk.3 )
+                  case c_mac
+                  solve( !KU( ~r2 ) @ #vk.41 )
+                    case CA_INIT_C
+                    solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.14 )
+                      case TA_RESPONSE_T
+                      solve( !KU( senc(<
+                                        cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2>,
+                                       kdf(<'TENC', r1.1>, decaps(cTA, ~skT)))
+                             ) @ #vk.33 )
+                        case c_senc
+                        solve( !KU( kdf(<'TMAC', ~r1>, ~kTA) ) @ #vk.42 )
+                          case c_kdf
+                          solve( !KU( ~kTA ) @ #vk.52 )
+                            case TA_CHALLENGE_C
+                            solve( !KU( ~ltk.1 ) @ #vk.54 )
+                              case Corrupt_ltk
+                              solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.48 )
+                                case c_kdf
+                                solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.53 )
+                                  case TA_CHALLENGE_C
+                                  solve( !KU( kdf(<'TENC', r1.1>, decaps(cTA, ~skT)) ) @ #vk.54 )
+                                    case c_kdf
+                                    solve( !KU( decaps(cTA, ~skT) ) @ #vk.58 )
+                                      case c_decaps
+                                      solve( !KU( ~skT ) @ #vk.59 )
+                                        case Corrupt_ltk
+                                        solve( !KU( ~r1 ) @ #vk.55 )
+                                          case TA_CHALLENGE_C
+                                          solve( !KU( cert(pk(~ltk.1),
+                                                           sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T)
+                                                 ) @ #vk.33 )
+                                            case CA_Sign_ltk
+                                            solve( !KU( kdf(<'CNF', 
+                                                             cert(pk(~ltk.1),
+                                                                  sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
+                                                                  $T), 
+                                                             cert(pk(~ltk),
+                                                                  sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                             ~r2, encaps(~k, pk(~ltk))>,
+                                                            ~k)
+                                                   ) @ #vk.38 )
+                                              case CA_FINISH_C
+                                              solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.30 )
+                                                case CA_INIT_T
+                                                solve( !KU( cert(pk(~ltk),
+                                                                 sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                                                       ) @ #vk.56 )
+                                                  case CA_Sign_ltk
+                                                  SOLVED // trace found
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma two_session_exist:
+  exists-trace
+  "∃ C T k k2 sid sid2 #i #j #i2 #j2.
+    ((((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+         (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+        (#i < #j)) ∧
+       (Completed( k2, sid2, C, 'chip', T ) @ #i2)) ∧
+      (Completed( k2, sid2, T, 'terminal', C ) @ #j2)) ∧
+     (#i2 < #j2)) ∧
+    (¬(k = k2))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k k2 sid sid2 #i #j #i2 #j2.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j) ∧
+  (Completed( k2, sid2, C, 'chip', T ) @ #i2) ∧
+  (Completed( k2, sid2, T, 'terminal', C ) @ #j2)
+ ∧
+  (#i < #j) ∧ (#i2 < #j2) ∧ (¬(k = k2))"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z.1),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
+                case CA_FINISH_C
+                solve( CAInitC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1,
+                                <kTA.1, cTA>, kTMAC, kTENC, r2.1
+                       ) ▶₁ #i2 )
+                  case CA_INIT_C
+                  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
+                    case Generate_chip_key_pair
+                    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
+                      case CA_Sign_ltk
+                      solve( Completed( kdf(<'KEY', 
+                                             cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), 
+                                             ~r2.1, cip>,
+                                            z),
+                                        <cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, 
+                                         cip>,
+                                        $T, 'terminal', $C
+                             ) @ #j2 )
+                        case CA_FINISH_T
+                        solve( CAInitT( <$T, iid.3>, id_c.3, kTMAC, kTENC,
+                                        cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
+                                        <z, cip>
+                               ) ▶₁ #j2 )
+                          case CA_INIT_T
+                          solve( !Cert( $T, cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T),
+                                        'terminal'
+                                 ) ▶₂ #j2 )
+                            case CA_Sign_ltk
+                            solve( splitEqs(2) )
+                              case split_case_1
+                              solve( splitEqs(5) )
+                                case split_case_1
+                                solve( !KU( mac(<'CA', 
+                                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
+                                                      $T), 
+                                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                 ~r2, encaps(~k, pk(~ltk))>,
+                                                kdf(<'TMAC', ~r1>, ~kTA))
+                                       ) @ #vk.3 )
+                                  case c_mac
+                                  solve( !KU( ~r2 ) @ #vk.59 )
+                                    case CA_INIT_C
+                                    solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.18 )
+                                      case TA_RESPONSE_T
+                                      solve( !KU( senc(<
+                                                        cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk),
+                                                             $C), 
+                                                        ~r2>,
+                                                       kdf(<'TENC', r1.2>, decaps(cTA, ~skT)))
+                                             ) @ #vk.42 )
+                                        case c_senc
+                                        solve( !KU( mac(<'CA', 
+                                                         cert(pk(~ltk.2),
+                                                              sign(<pk(~ltk.2), $T, 'terminal'>, ca_sk), $T), 
+                                                         cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk),
+                                                              $C), 
+                                                         ~r2.1, encaps(~k.1, pk(~skC))>,
+                                                        kdf(<'TMAC', ~r1.1>, ~kTA.1))
+                                               ) @ #vk.52 )
+                                          case CA_INIT_T
+                                          solve( !KU( senc(<
+                                                            cert(pk(~skC),
+                                                                 sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), 
+                                                            ~r2.1>,
+                                                           kdf(<'TENC', ~r1.1>, ~kTA.1))
+                                                 ) @ #vk.57 )
+                                            case CA_INIT_C
+                                            solve( !KU( encaps(~kTA.1, pk(~skT.1)) ) @ #vk.60 )
+                                              case TA_CHALLENGE_C
+                                              solve( !KU( kdf(<'TMAC', ~r1>, ~kTA) ) @ #vk.61 )
+                                                case c_kdf
+                                                solve( !KU( ~kTA ) @ #vk.70 )
+                                                  case TA_CHALLENGE_C
+                                                  solve( !KU( ~ltk.1 ) @ #vk.72 )
+                                                    case Corrupt_ltk
+                                                    solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.66 )
+                                                      case c_kdf
+                                                      solve( !KU( encaps(~kTA, pk(~skT.2)) ) @ #vk.71 )
+                                                        case TA_CHALLENGE_C
+                                                        solve( !KU( kdf(<'TENC', r1.2>, decaps(cTA, ~skT.1))
+                                                               ) @ #vk.72 )
+                                                          case c_kdf
+                                                          solve( !KU( decaps(cTA, ~skT.1) ) @ #vk.76 )
+                                                            case c_decaps
+                                                            solve( !KU( ~skT.1 ) @ #vk.77 )
+                                                              case Corrupt_ltk
+                                                              solve( !KU( ~r1 ) @ #vk.73 )
+                                                                case TA_CHALLENGE_C
+                                                                solve( !KU( ~r1.1 ) @ #vk.70 )
+                                                                  case TA_CHALLENGE_C
+                                                                  solve( !KU( cert(pk(~ltk.1),
+                                                                                   sign(<pk(~ltk.1), $T, 
+                                                                                         'terminal'>,
+                                                                                        ca_sk),
+                                                                                   $T)
+                                                                         ) @ #vk.47 )
+                                                                    case CA_Sign_ltk
+                                                                    solve( !KU( kdf(<'CNF', 
+                                                                                     cert(pk(~ltk.1),
+                                                                                          sign(<pk(~ltk.1), 
+                                                                                                $T, 'terminal'
+                                                                                               >,
+                                                                                               ca_sk),
+                                                                                          $T), 
+                                                                                     cert(pk(~ltk),
+                                                                                          sign(<pk(~ltk), $C, 
+                                                                                                'chip'>,
+                                                                                               ca_sk),
+                                                                                          $C), 
+                                                                                     ~r2, encaps(~k, pk(~ltk))
+                                                                                    >,
+                                                                                    ~k)
+                                                                           ) @ #vk.50 )
+                                                                      case CA_FINISH_C
+                                                                      solve( !KU( encaps(~k, pk(~ltk))
+                                                                             ) @ #vk.40 )
+                                                                        case CA_INIT_T
+                                                                        solve( !KU( kdf(<'TCNF', ~r1.1>,
+                                                                                        ~kTA.1)
+                                                                               ) @ #vk.69 )
+                                                                          case TA_RESPONSE_T
+                                                                          solve( !KU( encaps(~kTA.1,
+                                                                                             pk(~skT.2))
+                                                                                 ) @ #vk.82 )
+                                                                            case TA_CHALLENGE_C
+                                                                            solve( !KU( cert(pk(~skT),
+                                                                                             sign(<pk(~skT), 
+                                                                                                   $T, 
+                                                                                                   'terminal'
+                                                                                                  >,
+                                                                                                  ca_sk),
+                                                                                             $T)
+                                                                                   ) @ #vk.71 )
+                                                                              case CA_Sign_ltk
+                                                                              solve( !KU( kdf(<'CNF', 
+                                                                                               cert(pk(~skT),
+                                                                                                    sign(<
+                                                                                                          pk(~skT), 
+                                                                                                          $T, 
+                                                                                                          'terminal'
+                                                                                                         >,
+                                                                                                         ca_sk),
+                                                                                                    $T), 
+                                                                                               cert(pk(~skC),
+                                                                                                    sign(<
+                                                                                                          pk(~skC), 
+                                                                                                          $C, 
+                                                                                                          'chip'
+                                                                                                         >,
+                                                                                                         ca_sk),
+                                                                                                    $C), 
+                                                                                               ~r2.1, 
+                                                                                               encaps(~k.1,
+                                                                                                      pk(~skC))
+                                                                                              >,
+                                                                                              ~k.1)
+                                                                                     ) @ #vk.72 )
+                                                                                case CA_FINISH_C
+                                                                                solve( !KU( encaps(~k.1,
+                                                                                                   pk(~skC))
+                                                                                       ) @ #vk.72 )
+                                                                                  case CA_INIT_T
+                                                                                  solve( !KU( cert(pk(~ltk),
+                                                                                                   sign(<
+                                                                                                         pk(~ltk), 
+                                                                                                         $C, 
+                                                                                                         'chip'
+                                                                                                        >,
+                                                                                                        ca_sk),
+                                                                                                   $C)
+                                                                                         ) @ #vk.75 )
+                                                                                    case CA_INIT_C
+                                                                                    solve( !KU( kdf(<'TENC', 
+                                                                                                     ~r1.3>,
+                                                                                                    ~kTA.2)
+                                                                                           ) @ #vk.82 )
+                                                                                      case c_kdf
+                                                                                      solve( !KU( ~kTA.2
+                                                                                             ) @ #vk.86 )
+                                                                                        case TA_CHALLENGE_C
+                                                                                        solve( !KU( kdf(<
+                                                                                                         'TCNF', 
+                                                                                                         ~r1.3
+                                                                                                        >,
+                                                                                                        ~kTA.2)
+                                                                                               ) @ #vk.85 )
+                                                                                          case TA_RESPONSE_T
+                                                                                          solve( !KU( cert(pk(sk),
+                                                                                                           sign(<
+                                                                                                                 pk(sk), 
+                                                                                                                 z, 
+                                                                                                                 'terminal'
+                                                                                                                >,
+                                                                                                                ca_sk),
+                                                                                                           z)
+                                                                                                 ) @ #vk.87 )
+                                                                                            case CA_Sign_ltk
+                                                                                            solve( !KU( ~ltk.5
+                                                                                                   ) @ #vk.91 )
+                                                                                              case Corrupt_ltk
+                                                                                              solve( !KU( encaps(~kTA.2,
+                                                                                                                 pk(~skT.2))
+                                                                                                     ) @ #vk.93 )
+                                                                                                case TA_CHALLENGE_C
+                                                                                                solve( !KU( ~r1.3
+                                                                                                       ) @ #vk.92 )
+                                                                                                  case TA_CHALLENGE_C
+                                                                                                  SOLVED // trace found
+                                                                                                qed
+                                                                                              qed
+                                                                                            qed
+                                                                                          qed
+                                                                                        qed
+                                                                                      qed
+                                                                                    qed
+                                                                                  qed
+                                                                                qed
+                                                                              qed
+                                                                            qed
+                                                                          qed
+                                                                        qed
+                                                                      qed
+                                                                    qed
+                                                                  qed
+                                                                qed
+                                                              qed
+                                                            qed
+                                                          qed
+                                                        qed
+                                                      qed
+                                                    qed
+                                                  qed
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>,
+                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                      <kTA, cTA>, kTMAC, kTENC, r2
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( splitEqs(1) )
+          case split_case_1
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case CA_FINISH_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.20 )
+              case CA_INIT_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+                               kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                     ) @ #vk.13 )
+                case c_senc
+                solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                       ) @ #vk.26 )
+                  case CA_INIT_C
+                  solve( !KU( ~ltk.1 ) @ #vk.30 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.30 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_cert
+                  solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.33 )
+                    case CA_INIT_C
+                    solve( !KU( ~ltk.1 ) @ #vk.31 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.31 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_sign
+                    by solve( !KU( ca_sk ) @ #vk.37 )
+                  qed
+                qed
+              qed
+            qed
+          qed
+        next
+          case split_case_2
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case CA_FINISH_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.20 )
+              case CA_INIT_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+                               kdf(<'TENC', r1>, z))
+                     ) @ #vk.13 )
+                case CA_INIT_C
+                solve( !KU( ~r2 ) @ #vk.28 )
+                  case CA_INIT_C
+                  solve( !KU( ~ltk.1 ) @ #vk.29 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_senc
+                solve( !KU( encaps(z, pk(~skT)) ) @ #vk.19 )
+                  case CA_INIT_T
+                  solve( splitEqs(6) )
+                    case split_case_1
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                           ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.45 )
+                      qed
+                    qed
+                  next
+                    case split_case_2
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                           ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.45 )
+                      qed
+                    qed
+                  qed
+                next
+                  case TA_CHALLENGE_C
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.27 )
+                    case CA_INIT_C
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.38 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.42 )
+                    qed
+                  qed
+                next
+                  case c_encaps
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.27 )
+                    case CA_INIT_C
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.35 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.39 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>,
+                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                      <kTA, cTA>, kTMAC, kTENC, r2
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.37 )
+                    case CA_INIT_T
+                    solve( !KU( ~r2 ) @ #vk.41 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk ) @ #vk.42 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case split_case_2
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.37 )
+                    case CA_INIT_T
+                    solve( !KU( ~r2 ) @ #vk.41 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk ) @ #vk.42 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( splitEqs(1) )
+          case split_case_1
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case CA_FINISH_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.20 )
+              case CA_INIT_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+                               kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                     ) @ #vk.13 )
+                case c_senc
+                solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                       ) @ #vk.26 )
+                  case CA_INIT_C
+                  solve( !KU( ~ltk.1 ) @ #vk.30 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.30 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_cert
+                  solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.33 )
+                    case CA_INIT_C
+                    solve( !KU( ~ltk.1 ) @ #vk.31 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.31 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_sign
+                    by solve( !KU( ca_sk ) @ #vk.37 )
+                  qed
+                qed
+              qed
+            qed
+          qed
+        next
+          case split_case_2
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case CA_FINISH_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.20 )
+              case CA_INIT_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+                               kdf(<'TENC', r1>, z))
+                     ) @ #vk.13 )
+                case CA_INIT_C
+                solve( !KU( ~r2 ) @ #vk.28 )
+                  case CA_INIT_C
+                  solve( !KU( ~ltk.1 ) @ #vk.29 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_senc
+                solve( !KU( encaps(z, pk(~skT)) ) @ #vk.19 )
+                  case CA_INIT_T
+                  solve( splitEqs(6) )
+                    case split_case_1
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                           ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.45 )
+                      qed
+                    qed
+                  next
+                    case split_case_2
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                           ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.45 )
+                      qed
+                    qed
+                  qed
+                next
+                  case TA_CHALLENGE_C
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.27 )
+                    case CA_INIT_C
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.38 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.42 )
+                    qed
+                  qed
+                next
+                  case c_encaps
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.27 )
+                    case CA_INIT_C
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.35 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.39 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_C
+      by contradiction /* from formulas */
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
+                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( splitEqs(1) )
+          case split_case_1
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case CA_FINISH_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.20 )
+              case CA_INIT_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
+                               kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                     ) @ #vk.13 )
+                case c_senc
+                solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                       ) @ #vk.26 )
+                  case CA_INIT_C
+                  solve( !KU( ~ltk.1 ) @ #vk.30 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.30 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_cert
+                  solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.33 )
+                    case CA_INIT_C
+                    solve( !KU( ~ltk.1 ) @ #vk.31 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.31 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_sign
+                    by solve( !KU( ca_sk ) @ #vk.37 )
+                  qed
+                qed
+              qed
+            qed
+          qed
+        next
+          case split_case_2
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case CA_FINISH_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.20 )
+              case CA_INIT_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
+                               kdf(<'TENC', r1>, z))
+                     ) @ #vk.13 )
+                case CA_INIT_C
+                solve( !KU( ~r2 ) @ #vk.28 )
+                  case CA_INIT_C
+                  solve( !KU( ~ltk.1 ) @ #vk.29 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_senc
+                solve( !KU( encaps(z, pk(~skT)) ) @ #vk.19 )
+                  case CA_INIT_T
+                  solve( splitEqs(6) )
+                    case split_case_1
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                           ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.45 )
+                      qed
+                    qed
+                  next
+                    case split_case_2
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                           ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 )
+                        case CA_INIT_C
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.45 )
+                      qed
+                    qed
+                  qed
+                next
+                  case TA_CHALLENGE_C
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                         ) @ #vk.27 )
+                    case CA_INIT_C
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.38 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.42 )
+                    qed
+                  qed
+                next
+                  case c_encaps
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                         ) @ #vk.27 )
+                    case CA_INIT_C
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.30 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.35 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.31 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.39 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma session_uniqueness:
+  all-traces
+  "∀ A B k sid sid2 role #i #j.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧
+     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
+    ((#i = #j) ∧ (sid = sid2))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ A B k sid sid2 role #i #j.
+  (Completed( k, sid, A, role, B ) @ #i) ∧
+  (Completed( k, sid2, A, role, B ) @ #j)
+ ∧
+  ((¬(#i = #j)) ∨ (¬(sid = sid2)))"
+*/
+simplify
+solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
+  case case_1
+  solve( (#i < #j)  ∥ (#j < #i) )
+    case case_1
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                  z.1),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case CA_FINISH_C
+              solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                              id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2
+                     ) ▶₁ #j )
+                case CA_INIT_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                                ~k),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+                   ) ▶₁ #j )
+              case CA_INIT_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    qed
+  next
+    case case_2
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_C
+      solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                  z.1),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case CA_FINISH_C
+              solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                              id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2
+                     ) ▶₁ #j )
+                case CA_INIT_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case CA_FINISH_T
+      solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                                ~k),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+                   ) ▶₁ #j )
+              case CA_INIT_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case case_2
+  solve( Completed( k, sid, A, role, B ) @ #i )
+    case CA_FINISH_C
+    solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+           ) ▶₁ #i )
+      case CA_INIT_C
+      solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+        case Generate_chip_key_pair
+        solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                z.1),
+                            sid2, $C, 'chip', B
+                 ) @ #j )
+            case CA_FINISH_C
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  next
+    case CA_FINISH_T
+    solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
+           ) ▶₁ #i )
+      case CA_INIT_T
+      solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                               cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                              ~k),
+                          sid2, $T, 'terminal', B
+               ) @ #j )
+          case CA_FINISH_T
+          by contradiction /* from formulas */
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma consistency:
+  all-traces
+  "∀ C T k k2 sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
+    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k k2 sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k2, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( k2,
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( splitEqs(2) )
+                  case split_case_1
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.3 )
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.41 )
+                      case CA_INIT_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.14 )
+                        case TA_RESPONSE_T
+                        solve( !KU( kdf(<'CNF', 
+                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                         encaps(~k, pk(~ltk))>,
+                                        ~k)
+                               ) @ #vk.21 )
+                          case c_kdf
+                          solve( !KU( ~k ) @ #vk.50 )
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.52 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.44 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.47 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk))>,
+                                            ~k)
+                                   ) @ #vk.23 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.49 )
+                                case CA_INIT_T
+                                solve( !KU( ~ltk ) @ #vk.51 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case split_case_2
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.3 )
+                    case CA_INIT_T
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk))>,
+                                    ~k)
+                           ) @ #vk.16 )
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.37 )
+                        case CA_INIT_T
+                        solve( !KU( ~r2 ) @ #vk.41 )
+                          case CA_INIT_C
+                          solve( !KU( ~ltk ) @ #vk.42 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.41 )
+                      case CA_INIT_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.14 )
+                        case TA_RESPONSE_T
+                        solve( !KU( kdf(<'CNF', 
+                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                         encaps(~k, pk(~ltk))>,
+                                        ~k)
+                               ) @ #vk.21 )
+                          case c_kdf
+                          solve( !KU( ~k ) @ #vk.50 )
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.52 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.44 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.47 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk))>,
+                                            ~k)
+                                   ) @ #vk.23 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.49 )
+                                case CA_INIT_T
+                                solve( !KU( ~ltk ) @ #vk.51 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma key_secrecy:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
+    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+     (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z.1),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.38 )
+                    case CA_INIT_T
+                    solve( !KU( ~r2 ) @ #vk.42 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk ) @ #vk.43 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.38 )
+                    case CA_INIT_T
+                    solve( !KU( ~r2 ) @ #vk.42 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk ) @ #vk.43 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma chip_hiding:
+  all-traces
+  "∀ C T iid #i.
+    (CompletedTA( C, iid, T ) @ #i) ⇒
+    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T iid #i.
+  (CompletedTA( C, iid, T ) @ #i)
+ ∧
+  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
+*/
+simplify
+solve( TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> ) ▶₁ #i )
+  case TA_CHALLENGE_C
+  solve( !KU( ~iid ) @ #vk.6 )
+    case CA_INIT_C
+    by contradiction /* cyclic */
+  qed
+qed
+
+lemma nonRepudiation_terminal:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( C ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( T, 'chip' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( C, 'chip', T ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( C ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( T, 'chip' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( C, 'chip', T ) @ #i )
+  case Verify_Transcript_C
+  solve( !Ltk( C, skC, 'chip' ) ▶₂ #i )
+    case Generate_chip_key_pair
+    solve( splitEqs(0) )
+      case split_case_2
+      solve( !KU( cert(x, sign(<x, T, 'terminal'>, ca_sk), T) ) @ #vk.1 )
+        case CA_Sign_ltk
+        solve( !KU( senc(<cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z>,
+                         kdf(<'TENC', r1>, kTA))
+               ) @ #vk.11 )
+          case c_senc
+          solve( !KU( mac(<'CA', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                           cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, encaps(z.1, pk(~ltk.1))
+                          >,
+                          kdf(<'TMAC', r1>, kTA))
+                 ) @ #vk.15 )
+            case c_mac
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                             cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, encaps(z.1, pk(~ltk.1))
+                            >,
+                            z.1)
+                   ) @ #vk.18 )
+              case c_kdf
+              solve( !KU( encaps(z.1, pk(~ltk.1)) ) @ #vk.19 )
+                case c_encaps
+                solve( !KU( cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1) ) @ #vk.25 )
+                  case CA_Sign_ltk
+                  solve( !KU( kdf(<'TCNF', r1>, kTA) ) @ #vk.21 )
+                    case c_kdf
+                    solve( !KU( kdf(<'TENC', r1>, kTA) ) @ #vk.26 )
+                      case c_kdf
+                      solve( !KU( kdf(<'TMAC', r1>, kTA) ) @ #vk.29 )
+                        case c_kdf
+                        solve( !KU( pk(~ltk.2) ) @ #vk.34 )
+                          case CA_Sign_ltk
+                          SOLVED // trace found
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_chip:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( T ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( C, 'terminal' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( T, 'terminal', C ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( T ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( C, 'terminal' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( T, 'terminal', C ) @ #i )
+  case Verify_Transcript_T
+  solve( !Ltk( T, skT, 'terminal' ) ▶₂ #i )
+    case Generate_terminal_key_pair
+    solve( splitEqs(0) )
+      case split_case_2
+      solve( !KU( cert(x, sign(<x, $A, 'terminal'>, ca_sk), $A) ) @ #vk.1 )
+        case CA_Sign_ltk
+        solve( !KU( senc(<cert(x, sign(<x, C, 'chip'>, ca_sk), C), z.1>,
+                         kdf(<'TENC', r1>, z))
+               ) @ #vk.11 )
+          case c_senc
+          solve( !KU( mac(<'CA', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                           cert(x, sign(<x, C, 'chip'>, ca_sk), C), z.1, cip>,
+                          kdf(<'TMAC', r1>, z))
+                 ) @ #vk.15 )
+            case c_mac
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                             cert(x, sign(<x, C, 'chip'>, ca_sk), C), z.1, cip>,
+                            kKDF)
+                   ) @ #vk.18 )
+              case c_kdf
+              solve( !KU( encaps(z, pk(~ltk.1)) ) @ #vk.16 )
+                case c_encaps
+                solve( !KU( cert(x, sign(<x, C, 'chip'>, ca_sk), C) ) @ #vk.25 )
+                  case CA_Sign_ltk
+                  solve( !KU( kdf(<'TCNF', r1>, z) ) @ #vk.19 )
+                    case c_kdf
+                    solve( !KU( kdf(<'TENC', r1>, z) ) @ #vk.26 )
+                      case c_kdf
+                      solve( !KU( kdf(<'TMAC', r1>, z) ) @ #vk.29 )
+                        case c_kdf
+                        solve( !KU( pk(~ltk.1) ) @ #vk.34 )
+                          case CA_Sign_ltk
+                          SOLVED // trace found
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma pfs:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+       (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+      (¬(∃ #m. (Corrupted( C ) @ #m) ∧ (#m < #j)))) ∧
+     (¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j)))) ⇒
+    ((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+         ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z.1),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_2
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.38 )
+                    case CA_INIT_T
+                    solve( !KU( ~r2 ) @ #vk.42 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk ) @ #vk.43 )
+                        case Corrupt_ltk
+                        solve( !KU( mac(<'CA', 
+                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                         encaps(~k, pk(~ltk))>,
+                                        kdf(<'TMAC', ~r1>, ~kTA))
+                               ) @ #vk.11 )
+                          case CA_INIT_T
+                          solve( !KU( senc(<
+                                            cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2>,
+                                           kdf(<'TENC', ~r1>, ~kTA))
+                                 ) @ #vk.35 )
+                            case CA_INIT_C
+                            solve( !KU( encaps(~kTA, pk(~skT)) ) @ #vk.40 )
+                              case TA_CHALLENGE_C
+                              solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.44 )
+                                case c_kdf
+                                solve( !KU( ~kTA ) @ #vk.46 )
+                                  case TA_CHALLENGE_C
+                                  solve( !KU( ~skT ) @ #vk.48 )
+                                    case Corrupt_ltk
+                                    solve( !KU( ~r1 ) @ #vk.43 )
+                                      case TA_CHALLENGE_C
+                                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.29 )
+                                        case TA_RESPONSE_T
+                                        solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.53 )
+                                          case TA_CHALLENGE_C
+                                          solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk),
+                                                           $T)
+                                                 ) @ #vk.33 )
+                                            case CA_Sign_ltk
+                                            solve( !KU( kdf(<'CNF', 
+                                                             cert(pk(~skT),
+                                                                  sign(<pk(~skT), $T, 'terminal'>, ca_sk),
+                                                                  $T), 
+                                                             cert(pk(~ltk),
+                                                                  sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                             ~r2, encaps(~k, pk(~ltk))>,
+                                                            ~k)
+                                                   ) @ #vk.36 )
+                                              case CA_FINISH_C
+                                              solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.25 )
+                                                case CA_INIT_T
+                                                solve( !KU( cert(pk(~ltk),
+                                                                 sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                                                       ) @ #vk.48 )
+                                                  case CA_Sign_ltk
+                                                  SOLVED // trace found
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+/* All wellformedness checks were successful. */
+
+/*
+Generated from:
+Tamarin version 1.8.0
+Maude version 3.3.1
+Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
+Compiled at: 2024-01-16 15:38:46.116852601 UTC
+*/
+
+end
+
+==============================================================================
+summary of summaries:
+
+analyzed: tmp.spthy
+
+  processing time: 376.55s
+  
+  session_exist (exists-trace): verified (27 steps)
+  two_session_exist (exists-trace): verified (51 steps)
+  weak_agreement_C (all-traces): verified (8 steps)
+  weak_agreement_T (all-traces): verified (74 steps)
+  agreement_C (all-traces): verified (22 steps)
+  agreement_T (all-traces): verified (74 steps)
+  aliveness (all-traces): verified (75 steps)
+  session_uniqueness (all-traces): verified (37 steps)
+  consistency (all-traces): verified (42 steps)
+  key_secrecy (all-traces): verified (21 steps)
+  chip_hiding (all-traces): verified (4 steps)
+  nonRepudiation_terminal (exists-trace): verified (15 steps)
+  nonRepudiation_chip (exists-trace): verified (15 steps)
+  pfs (all-traces): falsified - found trace (27 steps)
+
+==============================================================================
diff --git a/results/45991794.err.ALL_FastKemPQEAC_TAMARIN b/results/45991794.err.ALL_FastKemPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..e8b69d9cbe3f08bce37f20bdff07736861fc19fc
--- /dev/null
+++ b/results/45991794.err.ALL_FastKemPQEAC_TAMARIN
@@ -0,0 +1,28 @@
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+[Saturating Sources] Step 1/5
+[Saturating Sources] Step 2/5
+WARNING: you should run this program as super-user.
+WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
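Review bot: The last two lines of this stderr capture report that a program started by the job ran without super-user rights and that its output "may be incomplete or inaccurate", but nothing in the log says which program it was or where that output was stored. If it is the step that records the machine description published with these results (an assumption, since the job script is not part of this hunk), the recorded environment may be missing fields. A reader comparing timings would not learn that from the results themselves. I would keep the job unprivileged and state the limitation in the results documentation, for example `Machine description collected without root; some fields may be missing or inaccurate.` Redirecting that step's stderr to its own file would also keep the prover's stderr limited to Tamarin messages.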
diff --git a/results/45991794.out.ALL_FastKemPQEAC_TAMARIN b/results/45991794.out.ALL_FastKemPQEAC_TAMARIN
new file mode 100644
index 0000000000000000000000000000000000000000..8fda0364a53474736ac31acde640d50cd03d06cb
--- /dev/null
+++ b/results/45991794.out.ALL_FastKemPQEAC_TAMARIN
@@ -0,0 +1,4080 @@
+maude tool: 'maude'
+ checking version: 3.3.1. OK.
+ checking installation: OK.
+theory FastKemPQEAC begin
+
+// Function signature and definition of the equational theory E
+
+functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
+           cert_sig/1, decaps/2, encaps/2, fst/1, kdf/2, mac/2, pair/2, pk/1,
+           sdec/2, senc/2, sign/2, snd/1, true/0, verify/3
+equations:
+    cert_id(cert(pk, s, id)) = id,
+    cert_pk(cert(pk, s, id)) = pk,
+    cert_sig(cert(pk, s, id)) = s,
+    decaps(encaps(k, pk(sk)), sk) = k,
+    fst(<x.1, x.2>) = x.1,
+    sdec(senc(x.1, x.2), x.2) = x.1,
+    snd(<x.1, x.2>) = x.2,
+    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
+
+
+
+
+
+
+
+
+
+macros:
+    verify_cert( cert,
+                 role ) = verify(cert_sig(cert),pair(cert_pk(cert),pair(cert_id(cert),role)),pk(ca_sk))
+
+rule (modulo E) Publish_ca_pk:
+   [ ] --> [ Out( pk(ca_sk) ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_chip_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [ !Pk( $A, pk(~ltk), 'chip' ), !Ltk( $A, ~ltk, 'chip' ), Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Generate_terminal_key_pair:
+   [ Fr( ~ltk ) ]
+  -->
+   [
+   !Pk( $A, pk(~ltk), 'terminal' ), !Ltk( $A, ~ltk, 'terminal' ),
+   Out( pk(~ltk) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) CA_Sign_ltk:
+   [ !Pk( A, pk, role ) ]
+  --[ RegisteredRole( A, role ) ]->
+   [
+   !Cert( A, cert(pk, sign(<pk, A, role>, ca_sk), A), role ),
+   Out( cert(pk, sign(<pk, A, role>, ca_sk), A) )
+   ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Corrupt_ltk:
+   [ !Ltk( $A, ltk, role ) ] --[ Corrupted( $A ) ]-> [ Out( <ltk, role> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) Reveal_session:
+   [ !SessionReveal( sid, k ) ] --[ Revealed( sid ) ]-> [ Out( k ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_INIT_T:
+   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+  --[ Started( ) ]->
+   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+
+  /* has exactly the trivial AC variant */
+
+rule (modulo E) TA_CHALLENGE_C:
+   [
+   In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ),
+   Fr( ~iid ), !Cert( $C, certC, 'chip' )
+   ]
+  --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
+   [
+   Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), 
+         senc(<certC, ~r2>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'>
+   ),
+   Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ),
+   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2,
+                 kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA)
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_CHALLENGE_C:
+     [
+     In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ),
+     Fr( ~iid ), !Cert( $C, certC, 'chip' )
+     ]
+    --[ Eq( z.1, true ), Started( ) ]->
+     [
+     Out( <~id_c, ~r1, encaps(~kTA, z), 
+           senc(<certC, ~r2>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'>
+     ),
+     Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ),
+     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2,
+                   kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA)
+     )
+     ]
+    variants (modulo AC)
+    1. certT = certT.20
+       z     = cert_pk(certT.20)
+       z.1   = verify(cert_sig(certT.20),
+                      <cert_pk(certT.20), cert_id(certT.20), 'terminal'>, pk(ca_sk))
+    
+    2. certT = cert(z.70, sign(<z.70, x.127, 'terminal'>, ca_sk), x.127)
+       z     = z.70
+       z.1   = true
+    
+    3. certT = cert(z.71, x.128, x.129)
+       z     = z.71
+       z.1   = verify(x.128, <z.71, x.129, 'terminal'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_RESPONSE_T:
+   [
+   In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), TAInitT( <$T, iid> ),
+   !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
+   ]
+  --[
+  Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))),
+                  'chip'),
+      true
+  )
+  ]->
+   [
+   Out( <kdf(<'TCNF', r1>, decaps(cTA, ~skT)), 
+         encaps(~k,
+                cert_pk(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))))), 
+         mac(<'CA', certT, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))), 
+              snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))), 
+              encaps(~k, cert_pk(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT))))))
+             >,
+             kdf(<'TMAC', r1>, decaps(cTA, ~skT))), 
+         '3', 't'>
+   ),
+   TAResponseT( <$T, iid>, id_c,
+                fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))),
+                snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))),
+                <~k, 
+                 encaps(~k, cert_pk(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT))))))
+                >
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_RESPONSE_T:
+     [
+     In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), TAInitT( <$T, iid> ),
+     !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
+     ]
+    --[ Eq( z.4, true ) ]->
+     [
+     Out( <kdf(<'TCNF', r1>, z), encaps(~k, z.1), 
+           mac(<'CA', certT, z.2, z.3, encaps(~k, z.1)>, kdf(<'TMAC', r1>, z)), 
+           '3', 't'>
+     ),
+     TAResponseT( <$T, iid>, id_c, z.2, z.3, <~k, encaps(~k, z.1)> )
+     ]
+    variants (modulo AC)
+     1. ~skT  = ~skT.30
+        cCA   = cCA.31
+        cTA   = cTA.32
+        r1    = r1.36
+        z     = decaps(cTA.32, ~skT.30)
+        z.1   = cert_pk(fst(sdec(cCA.31,
+                                 kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30)))))
+        z.2   = fst(sdec(cCA.31, kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))
+        z.3   = snd(sdec(cCA.31, kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))
+        z.4   = verify(cert_sig(fst(sdec(cCA.31,
+                                         kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))),
+                       <
+                        cert_pk(fst(sdec(cCA.31,
+                                         kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))), 
+                        cert_id(fst(sdec(cCA.31,
+                                         kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))), 
+                        'chip'>,
+                       pk(ca_sk))
+    
+     2. ~skT  = ~skT.35
+        cCA   = cCA.36
+        cTA   = encaps(z.46, pk(~skT.35))
+        r1    = r1.41
+        z     = z.46
+        z.1   = cert_pk(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46))))
+        z.2   = fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))
+        z.3   = snd(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))
+        z.4   = verify(cert_sig(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))),
+                       <cert_pk(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))), 
+                        cert_id(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))), 'chip'>,
+                       pk(ca_sk))
+    
+     3. ~skT  = ~skT.39
+        cCA   = senc(<z.53, z.54>, kdf(<'TENC', r1.45>, z.50))
+        cTA   = encaps(z.50, pk(~skT.39))
+        r1    = r1.45
+        z     = z.50
+        z.1   = cert_pk(z.53)
+        z.2   = z.53
+        z.3   = z.54
+        z.4   = verify(cert_sig(z.53), <cert_pk(z.53), cert_id(z.53), 'chip'>,
+                       pk(ca_sk))
+    
+     4. ~skT  = ~skT.39
+        cCA   = senc(<z.53, z.54>, kdf(<'TENC', r1.45>, decaps(cTA.41, ~skT.39)))
+        cTA   = cTA.41
+        r1    = r1.45
+        z     = decaps(cTA.41, ~skT.39)
+        z.1   = cert_pk(z.53)
+        z.2   = z.53
+        z.3   = z.54
+        z.4   = verify(cert_sig(z.53), <cert_pk(z.53), cert_id(z.53), 'chip'>,
+                       pk(ca_sk))
+    
+     5. ~skT  = ~skT.165
+        cCA   = senc(x.326, kdf(<'TENC', r1.171>, z.176))
+        cTA   = encaps(z.176, pk(~skT.165))
+        r1    = r1.171
+        z     = z.176
+        z.1   = cert_pk(fst(x.326))
+        z.2   = fst(x.326)
+        z.3   = snd(x.326)
+        z.4   = verify(cert_sig(fst(x.326)),
+                       <cert_pk(fst(x.326)), cert_id(fst(x.326)), 'chip'>, pk(ca_sk))
+    
+     6. ~skT  = ~skT.165
+        cCA   = senc(x.326, kdf(<'TENC', r1.171>, decaps(cTA.167, ~skT.165)))
+        cTA   = cTA.167
+        r1    = r1.171
+        z     = decaps(cTA.167, ~skT.165)
+        z.1   = cert_pk(fst(x.326))
+        z.2   = fst(x.326)
+        z.3   = snd(x.326)
+        z.4   = verify(cert_sig(fst(x.326)),
+                       <cert_pk(fst(x.326)), cert_id(fst(x.326)), 'chip'>, pk(ca_sk))
+    
+     7. ~skT  = ~skT.166
+        cCA   = senc(<cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328), 
+                      z.181>,
+                     kdf(<'TENC', r1.172>, z.177))
+        cTA   = encaps(z.177, pk(~skT.166))
+        r1    = r1.172
+        z     = z.177
+        z.1   = z.178
+        z.2   = cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328)
+        z.3   = z.181
+        z.4   = true
+    
+     8. ~skT  = ~skT.166
+        cCA   = senc(<cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328), 
+                      z.181>,
+                     kdf(<'TENC', r1.172>, decaps(cTA.168, ~skT.166)))
+        cTA   = cTA.168
+        r1    = r1.172
+        z     = decaps(cTA.168, ~skT.166)
+        z.1   = z.178
+        z.2   = cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328)
+        z.3   = z.181
+        z.4   = true
+    
+     9. ~skT  = ~skT.167
+        cCA   = senc(<cert(z.179, x.329, x.330), z.182>,
+                     kdf(<'TENC', r1.173>, z.178))
+        cTA   = encaps(z.178, pk(~skT.167))
+        r1    = r1.173
+        z     = z.178
+        z.1   = z.179
+        z.2   = cert(z.179, x.329, x.330)
+        z.3   = z.182
+        z.4   = verify(x.329, <z.179, x.330, 'chip'>, pk(ca_sk))
+    
+    10. ~skT  = ~skT.167
+        cCA   = senc(<cert(z.179, x.329, x.330), z.182>,
+                     kdf(<'TENC', r1.173>, decaps(cTA.169, ~skT.167)))
+        cTA   = cTA.169
+        r1    = r1.173
+        z     = decaps(cTA.169, ~skT.167)
+        z.1   = z.179
+        z.2   = cert(z.179, x.329, x.330)
+        z.3   = z.182
+        z.4   = verify(x.329, <z.179, x.330, 'chip'>, pk(ca_sk))
+  */
+
+rule (modulo E) TA_COMPLETE_C:
+   [
+   In( <kTCNF_T, cip, s, '3', 't'> ),
+   TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF ),
+   !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+   ]
+  --[
+  Eq( kTCNF_T, kTCNF ), Eq( s, mac(<'CA', certT, certC, r2, cip>, kTMAC) ),
+  CompletedTA( $C, iid, cert_id(certT) ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)),
+             <certT, certC, r2, cip>, $C, 'chip', cert_id(certT)
+  ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)),
+             <certT, certC, r2, cip>, $C, 'chip', cert_id(certT)
+  )
+  ]->
+   [
+   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'>
+   ),
+   TACompleteC( <$C, iid>,
+                kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC))
+   )
+   ]
+
+  /*
+  rule (modulo AC) TA_COMPLETE_C:
+     [
+     In( <kTCNF_T, cip, s, '3', 't'> ),
+     TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF ),
+     !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+     ]
+    --[
+    Eq( kTCNF_T, kTCNF ), Eq( s, mac(<'CA', certT, certC, r2, cip>, kTMAC) ),
+    CompletedTA( $C, iid, z.1 ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip>, z),
+               <certT, certC, r2, cip>, $C, 'chip', z.1
+    ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip>, z),
+               <certT, certC, r2, cip>, $C, 'chip', z.1
+    )
+    ]->
+     [
+     Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ),
+     TACompleteC( <$C, iid>, kdf(<'KEY', certT, certC, r2, cip>, z) )
+     ]
+    variants (modulo AC)
+    1. ~skC  = ~skC.28
+       certT = certT.30
+       cip   = cip.31
+       z     = decaps(cip.31, ~skC.28)
+       z.1   = cert_id(certT.30)
+    
+    2. ~skC  = ~skC.41
+       certT = certT.43
+       cip   = encaps(z.57, pk(~skC.41))
+       z     = z.57
+       z.1   = cert_id(certT.43)
+    
+    3. ~skC  = ~skC.180
+       certT = cert(x.356, x.357, z.201)
+       cip   = cip.183
+       z     = decaps(cip.183, ~skC.180)
+       z.1   = z.201
+    
+    4. ~skC  = ~skC.182
+       certT = cert(x.360, x.361, z.203)
+       cip   = encaps(z.198, pk(~skC.182))
+       z     = z.198
+       z.1   = z.203
+  */
+
+rule (modulo E) CA_FINISH_T:
+   [
+   In( <kCNF_C, '4', 'c'> ),
+   TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+   !Cert( $T, certT, 'terminal' )
+   ]
+  --[
+  Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_C ),
+  Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
+             <certT, certC, r2, cip>, $T, 'terminal', cert_id(certC)
+  ),
+  Finished( <certT, certC, r2, cip> )
+  ]->
+   [
+   CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
+   !SessionReveal( <certT, certC, r2, cip>,
+                   kdf(<'KEY', certT, certC, r2, cip>, k)
+   )
+   ]
+
+  /*
+  rule (modulo AC) CA_FINISH_T:
+     [
+     In( <kCNF_C, '4', 'c'> ),
+     TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+     !Cert( $T, certT, 'terminal' )
+     ]
+    --[
+    Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_C ),
+    Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
+               <certT, certC, r2, cip>, $T, 'terminal', z
+    ),
+    Finished( <certT, certC, r2, cip> )
+    ]->
+     [
+     CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
+     !SessionReveal( <certT, certC, r2, cip>,
+                     kdf(<'KEY', certT, certC, r2, cip>, k)
+     )
+     ]
+    variants (modulo AC)
+    1. certC = certC.15
+       z     = cert_id(certC.15)
+    
+    2. certC = cert(x.41, x.42, z.28)
+       z     = z.28
+  */
+
+rule (modulo E) Verify_Transcript_C:
+   [
+   In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF> ), In( kTA ),
+   !Ltk( C, skC, 'chip' )
+   ]
+  --[
+  Eq( C, cert_id(fst(sdec(cCA, kdf(<'TENC', r1>, kTA)))) ),
+  Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 'chip'), true ),
+  Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( kTCNF, kdf(<'TCNF', r1>, kTA) ),
+  Eq( s,
+      mac(<'CA', certT, fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, kTA))), cip>,
+          kdf(<'TMAC', r1>, kTA))
+  ),
+  Eq( kCNF,
+      kdf(<'CNF', certT, fst(sdec(cCA, kdf(<'TENC', r1>, kTA))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, kTA))), cip>,
+          decaps(cip, skC))
+  ),
+  ValidTrans( C, 'chip', cert_id(certT) )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_C:
+     [
+     In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF> ), In( kTA ),
+     !Ltk( C, skC, 'chip' )
+     ]
+    --[
+    Eq( C, z ), Eq( z.1, true ), Eq( z.2, true ),
+    Eq( kTCNF, kdf(<'TCNF', r1>, kTA) ),
+    Eq( s, mac(<'CA', certT, z.3, z.4, cip>, kdf(<'TMAC', r1>, kTA)) ),
+    Eq( kCNF, kdf(<'CNF', certT, z.3, z.4, cip>, z.5) ),
+    ValidTrans( C, 'chip', z.6 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. cCA   = cCA.35
+        certT = certT.37
+        cip   = cip.38
+        kTA   = kTA.40
+        r1    = r1.42
+        skC   = skC.44
+        z     = cert_id(fst(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40)))),
+                       <cert_pk(fst(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40)))), 
+                        cert_id(fst(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.37),
+                       <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40)))
+        z.4   = snd(sdec(cCA.35, kdf(<'TENC', r1.42>, kTA.40)))
+        z.5   = decaps(cip.38, skC.44)
+        z.6   = cert_id(certT.37)
+    
+     2. cCA   = cCA.46
+        certT = certT.48
+        cip   = encaps(z.66, pk(skC.55))
+        kTA   = kTA.51
+        r1    = r1.53
+        skC   = skC.55
+        z     = cert_id(fst(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51)))),
+                       <cert_pk(fst(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51)))), 
+                        cert_id(fst(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.48),
+                       <cert_pk(certT.48), cert_id(certT.48), 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51)))
+        z.4   = snd(sdec(cCA.46, kdf(<'TENC', r1.53>, kTA.51)))
+        z.5   = z.66
+        z.6   = cert_id(certT.48)
+    
+     3. cCA   = cCA.114
+        certT = cert(x.224, sign(<x.224, z.135, 'terminal'>, ca_sk), z.135)
+        cip   = cip.117
+        kTA   = kTA.119
+        r1    = r1.121
+        skC   = skC.123
+        z     = cert_id(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.114,
+                                         kdf(<'TENC', r1.121>, kTA.119)))),
+                       <cert_pk(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))), 
+                        cert_id(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))
+        z.4   = snd(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))
+        z.5   = decaps(cip.117, skC.123)
+        z.6   = z.135
+    
+     4. cCA   = cCA.114
+        certT = cert(x.224, sign(<x.224, z.135, 'terminal'>, ca_sk), z.135)
+        cip   = encaps(z.134, pk(skC.123))
+        kTA   = kTA.119
+        r1    = r1.121
+        skC   = skC.123
+        z     = cert_id(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.114,
+                                         kdf(<'TENC', r1.121>, kTA.119)))),
+                       <cert_pk(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))), 
+                        cert_id(fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = fst(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))
+        z.4   = snd(sdec(cCA.114, kdf(<'TENC', r1.121>, kTA.119)))
+        z.5   = z.134
+        z.6   = z.135
+    
+     5. cCA   = cCA.115
+        certT = cert(x.225, x.226, z.136)
+        cip   = cip.118
+        kTA   = kTA.120
+        r1    = r1.122
+        skC   = skC.124
+        z     = cert_id(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.115,
+                                         kdf(<'TENC', r1.122>, kTA.120)))),
+                       <cert_pk(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))), 
+                        cert_id(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.226, <x.225, z.136, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))
+        z.4   = snd(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))
+        z.5   = decaps(cip.118, skC.124)
+        z.6   = z.136
+    
+     6. cCA   = cCA.115
+        certT = cert(x.225, x.226, z.136)
+        cip   = encaps(z.135, pk(skC.124))
+        kTA   = kTA.120
+        r1    = r1.122
+        skC   = skC.124
+        z     = cert_id(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120))))
+        z.1   = verify(cert_sig(fst(sdec(cCA.115,
+                                         kdf(<'TENC', r1.122>, kTA.120)))),
+                       <cert_pk(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))), 
+                        cert_id(fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.226, <x.225, z.136, 'terminal'>, pk(ca_sk))
+        z.3   = fst(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))
+        z.4   = snd(sdec(cCA.115, kdf(<'TENC', r1.122>, kTA.120)))
+        z.5   = z.135
+        z.6   = z.136
+    
+     7. cCA   = senc(x.183, kdf(<'TENC', r1.100>, kTA.98))
+        certT = cert(x.187, sign(<x.187, z.114, 'terminal'>, ca_sk), z.114)
+        cip   = encaps(z.113, pk(skC.102))
+        kTA   = kTA.98
+        r1    = r1.100
+        skC   = skC.102
+        z     = cert_id(fst(x.183))
+        z.1   = verify(cert_sig(fst(x.183)),
+                       <cert_pk(fst(x.183)), cert_id(fst(x.183)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.183)
+        z.4   = snd(x.183)
+        z.5   = z.113
+        z.6   = z.114
+    
+     8. cCA   = senc(x.184, kdf(<'TENC', r1.101>, kTA.99))
+        certT = cert(x.188, x.189, z.115)
+        cip   = encaps(z.114, pk(skC.103))
+        kTA   = kTA.99
+        r1    = r1.101
+        skC   = skC.103
+        z     = cert_id(fst(x.184))
+        z.1   = verify(cert_sig(fst(x.184)),
+                       <cert_pk(fst(x.184)), cert_id(fst(x.184)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.189, <x.188, z.115, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.184)
+        z.4   = snd(x.184)
+        z.5   = z.114
+        z.6   = z.115
+    
+     9. cCA   = senc(x.201, kdf(<'TENC', r1.110>, kTA.108))
+        certT = cert(x.205, sign(<x.205, z.124, 'terminal'>, ca_sk), z.124)
+        cip   = cip.106
+        kTA   = kTA.108
+        r1    = r1.110
+        skC   = skC.112
+        z     = cert_id(fst(x.201))
+        z.1   = verify(cert_sig(fst(x.201)),
+                       <cert_pk(fst(x.201)), cert_id(fst(x.201)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = fst(x.201)
+        z.4   = snd(x.201)
+        z.5   = decaps(cip.106, skC.112)
+        z.6   = z.124
+    
+    10. cCA   = senc(x.202, kdf(<'TENC', r1.111>, kTA.109))
+        certT = cert(x.206, x.207, z.125)
+        cip   = cip.107
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = cert_id(fst(x.202))
+        z.1   = verify(cert_sig(fst(x.202)),
+                       <cert_pk(fst(x.202)), cert_id(fst(x.202)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.207, <x.206, z.125, 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.202)
+        z.4   = snd(x.202)
+        z.5   = decaps(cip.107, skC.113)
+        z.6   = z.125
+    
+    11. cCA   = senc(x.206, kdf(<'TENC', r1.111>, kTA.109))
+        certT = certT.106
+        cip   = cip.107
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = cert_id(fst(x.206))
+        z.1   = verify(cert_sig(fst(x.206)),
+                       <cert_pk(fst(x.206)), cert_id(fst(x.206)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.206)
+        z.4   = snd(x.206)
+        z.5   = decaps(cip.107, skC.113)
+        z.6   = cert_id(certT.106)
+    
+    12. cCA   = senc(x.206, kdf(<'TENC', r1.111>, kTA.109))
+        certT = certT.106
+        cip   = encaps(z.124, pk(skC.113))
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = cert_id(fst(x.206))
+        z.1   = verify(cert_sig(fst(x.206)),
+                       <cert_pk(fst(x.206)), cert_id(fst(x.206)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = fst(x.206)
+        z.4   = snd(x.206)
+        z.5   = z.124
+        z.6   = cert_id(certT.106)
+    
+    13. cCA   = senc(<z.55, z.56>, kdf(<'TENC', r1.46>, kTA.44))
+        certT = certT.41
+        cip   = cip.42
+        kTA   = kTA.44
+        r1    = r1.46
+        skC   = skC.48
+        z     = cert_id(z.55)
+        z.1   = verify(cert_sig(z.55), <cert_pk(z.55), cert_id(z.55), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.41),
+                       <cert_pk(certT.41), cert_id(certT.41), 'terminal'>, pk(ca_sk))
+        z.3   = z.55
+        z.4   = z.56
+        z.5   = decaps(cip.42, skC.48)
+        z.6   = cert_id(certT.41)
+    
+    14. cCA   = senc(<z.58, z.59>, kdf(<'TENC', r1.49>, kTA.47))
+        certT = certT.44
+        cip   = encaps(z.62, pk(skC.51))
+        kTA   = kTA.47
+        r1    = r1.49
+        skC   = skC.51
+        z     = cert_id(z.58)
+        z.1   = verify(cert_sig(z.58), <cert_pk(z.58), cert_id(z.58), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.44),
+                       <cert_pk(certT.44), cert_id(certT.44), 'terminal'>, pk(ca_sk))
+        z.3   = z.58
+        z.4   = z.59
+        z.5   = z.62
+        z.6   = cert_id(certT.44)
+    
+    15. cCA   = senc(<z.110, z.111>, kdf(<'TENC', r1.101>, kTA.99))
+        certT = cert(x.189, sign(<x.189, z.115, 'terminal'>, ca_sk), z.115)
+        cip   = encaps(z.114, pk(skC.103))
+        kTA   = kTA.99
+        r1    = r1.101
+        skC   = skC.103
+        z     = cert_id(z.110)
+        z.1   = verify(cert_sig(z.110), <cert_pk(z.110), cert_id(z.110), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.110
+        z.4   = z.111
+        z.5   = z.114
+        z.6   = z.115
+    
+    16. cCA   = senc(<z.111, z.112>, kdf(<'TENC', r1.102>, kTA.100))
+        certT = cert(x.190, x.191, z.116)
+        cip   = encaps(z.115, pk(skC.104))
+        kTA   = kTA.100
+        r1    = r1.102
+        skC   = skC.104
+        z     = cert_id(z.111)
+        z.1   = verify(cert_sig(z.111), <cert_pk(z.111), cert_id(z.111), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.191, <x.190, z.116, 'terminal'>, pk(ca_sk))
+        z.3   = z.111
+        z.4   = z.112
+        z.5   = z.115
+        z.6   = z.116
+    
+    17. cCA   = senc(<z.120, z.121>, kdf(<'TENC', r1.111>, kTA.109))
+        certT = cert(x.207, sign(<x.207, z.125, 'terminal'>, ca_sk), z.125)
+        cip   = cip.107
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = cert_id(z.120)
+        z.1   = verify(cert_sig(z.120), <cert_pk(z.120), cert_id(z.120), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.120
+        z.4   = z.121
+        z.5   = decaps(cip.107, skC.113)
+        z.6   = z.125
+    
+    18. cCA   = senc(<z.121, z.122>, kdf(<'TENC', r1.112>, kTA.110))
+        certT = cert(x.208, x.209, z.126)
+        cip   = cip.108
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        z     = cert_id(z.121)
+        z.1   = verify(cert_sig(z.121), <cert_pk(z.121), cert_id(z.121), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.209, <x.208, z.126, 'terminal'>, pk(ca_sk))
+        z.3   = z.121
+        z.4   = z.122
+        z.5   = decaps(cip.108, skC.114)
+        z.6   = z.126
+    
+    19. cCA   = senc(<
+                      cert(x.185, sign(<x.185, z.106, 'chip'>, ca_sk), z.106), z.112>,
+                     kdf(<'TENC', r1.102>, kTA.100))
+        certT = cert(x.191, sign(<x.191, z.116, 'terminal'>, ca_sk), z.116)
+        cip   = encaps(z.115, pk(skC.104))
+        kTA   = kTA.100
+        r1    = r1.102
+        skC   = skC.104
+        z     = z.106
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.185, sign(<x.185, z.106, 'chip'>, ca_sk), z.106)
+        z.4   = z.112
+        z.5   = z.115
+        z.6   = z.116
+    
+    20. cCA   = senc(<cert(x.186, x.187, z.107), z.113>,
+                     kdf(<'TENC', r1.103>, kTA.101))
+        certT = cert(x.193, sign(<x.193, z.117, 'terminal'>, ca_sk), z.117)
+        cip   = encaps(z.116, pk(skC.105))
+        kTA   = kTA.101
+        r1    = r1.103
+        skC   = skC.105
+        z     = z.107
+        z.1   = verify(x.187, <x.186, z.107, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.186, x.187, z.107)
+        z.4   = z.113
+        z.5   = z.116
+        z.6   = z.117
+    
+    21. cCA   = senc(<
+                      cert(x.186, sign(<x.186, z.107, 'chip'>, ca_sk), z.107), z.113>,
+                     kdf(<'TENC', r1.103>, kTA.101))
+        certT = cert(x.192, x.193, z.117)
+        cip   = encaps(z.116, pk(skC.105))
+        kTA   = kTA.101
+        r1    = r1.103
+        skC   = skC.105
+        z     = z.107
+        z.1   = true
+        z.2   = verify(x.193, <x.192, z.117, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.186, sign(<x.186, z.107, 'chip'>, ca_sk), z.107)
+        z.4   = z.113
+        z.5   = z.116
+        z.6   = z.117
+    
+    22. cCA   = senc(<cert(x.187, x.188, z.108), z.114>,
+                     kdf(<'TENC', r1.104>, kTA.102))
+        certT = cert(x.194, x.195, z.118)
+        cip   = encaps(z.117, pk(skC.106))
+        kTA   = kTA.102
+        r1    = r1.104
+        skC   = skC.106
+        z     = z.108
+        z.1   = verify(x.188, <x.187, z.108, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.195, <x.194, z.118, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.187, x.188, z.108)
+        z.4   = z.114
+        z.5   = z.117
+        z.6   = z.118
+    
+    23. cCA   = senc(<
+                      cert(x.203, sign(<x.203, z.116, 'chip'>, ca_sk), z.116), z.122>,
+                     kdf(<'TENC', r1.112>, kTA.110))
+        certT = cert(x.209, sign(<x.209, z.126, 'terminal'>, ca_sk), z.126)
+        cip   = cip.108
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        z     = z.116
+        z.1   = true
+        z.2   = true
+        z.3   = cert(x.203, sign(<x.203, z.116, 'chip'>, ca_sk), z.116)
+        z.4   = z.122
+        z.5   = decaps(cip.108, skC.114)
+        z.6   = z.126
+    
+    24. cCA   = senc(<cert(x.204, x.205, z.117), z.123>,
+                     kdf(<'TENC', r1.113>, kTA.111))
+        certT = cert(x.211, sign(<x.211, z.127, 'terminal'>, ca_sk), z.127)
+        cip   = cip.109
+        kTA   = kTA.111
+        r1    = r1.113
+        skC   = skC.115
+        z     = z.117
+        z.1   = verify(x.205, <x.204, z.117, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = cert(x.204, x.205, z.117)
+        z.4   = z.123
+        z.5   = decaps(cip.109, skC.115)
+        z.6   = z.127
+    
+    25. cCA   = senc(<
+                      cert(x.204, sign(<x.204, z.117, 'chip'>, ca_sk), z.117), z.123>,
+                     kdf(<'TENC', r1.113>, kTA.111))
+        certT = cert(x.210, x.211, z.127)
+        cip   = cip.109
+        kTA   = kTA.111
+        r1    = r1.113
+        skC   = skC.115
+        z     = z.117
+        z.1   = true
+        z.2   = verify(x.211, <x.210, z.127, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.204, sign(<x.204, z.117, 'chip'>, ca_sk), z.117)
+        z.4   = z.123
+        z.5   = decaps(cip.109, skC.115)
+        z.6   = z.127
+    
+    26. cCA   = senc(<cert(x.205, x.206, z.118), z.124>,
+                     kdf(<'TENC', r1.114>, kTA.112))
+        certT = cert(x.212, x.213, z.128)
+        cip   = cip.110
+        kTA   = kTA.112
+        r1    = r1.114
+        skC   = skC.116
+        z     = z.118
+        z.1   = verify(x.206, <x.205, z.118, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.213, <x.212, z.128, 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.205, x.206, z.118)
+        z.4   = z.124
+        z.5   = decaps(cip.110, skC.116)
+        z.6   = z.128
+    
+    27. cCA   = senc(<
+                      cert(x.206, sign(<x.206, z.115, 'chip'>, ca_sk), z.115), z.121>,
+                     kdf(<'TENC', r1.111>, kTA.109))
+        certT = certT.106
+        cip   = cip.107
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = z.115
+        z.1   = true
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.206, sign(<x.206, z.115, 'chip'>, ca_sk), z.115)
+        z.4   = z.121
+        z.5   = decaps(cip.107, skC.113)
+        z.6   = cert_id(certT.106)
+    
+    28. cCA   = senc(<
+                      cert(x.206, sign(<x.206, z.115, 'chip'>, ca_sk), z.115), z.121>,
+                     kdf(<'TENC', r1.111>, kTA.109))
+        certT = certT.106
+        cip   = encaps(z.124, pk(skC.113))
+        kTA   = kTA.109
+        r1    = r1.111
+        skC   = skC.113
+        z     = z.115
+        z.1   = true
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.206, sign(<x.206, z.115, 'chip'>, ca_sk), z.115)
+        z.4   = z.121
+        z.5   = z.124
+        z.6   = cert_id(certT.106)
+    
+    29. cCA   = senc(<cert(x.207, x.208, z.116), z.122>,
+                     kdf(<'TENC', r1.112>, kTA.110))
+        certT = certT.107
+        cip   = cip.108
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        z     = z.116
+        z.1   = verify(x.208, <x.207, z.116, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.107),
+                       <cert_pk(certT.107), cert_id(certT.107), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.207, x.208, z.116)
+        z.4   = z.122
+        z.5   = decaps(cip.108, skC.114)
+        z.6   = cert_id(certT.107)
+    
+    30. cCA   = senc(<cert(x.207, x.208, z.116), z.122>,
+                     kdf(<'TENC', r1.112>, kTA.110))
+        certT = certT.107
+        cip   = encaps(z.125, pk(skC.114))
+        kTA   = kTA.110
+        r1    = r1.112
+        skC   = skC.114
+        z     = z.116
+        z.1   = verify(x.208, <x.207, z.116, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.107),
+                       <cert_pk(certT.107), cert_id(certT.107), 'terminal'>, pk(ca_sk))
+        z.3   = cert(x.207, x.208, z.116)
+        z.4   = z.122
+        z.5   = z.125
+        z.6   = cert_id(certT.107)
+  */
+
+rule (modulo E) Verify_Transcript_T:
+   [
+   In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF> ), In( kKDF ),
+   !Ltk( T, skT, 'terminal' )
+   ]
+  --[
+  Eq( T, cert_id(certT) ),
+  Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))),
+                  'chip'),
+      true
+  ),
+  Eq( verify_cert(certT, 'terminal'), true ),
+  Eq( kTCNF, kdf(<'TCNF', r1>, decaps(cTA, skT)) ),
+  Eq( s,
+      mac(<'CA', certT, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), cip>,
+          kdf(<'TMAC', r1>, decaps(cTA, skT)))
+  ),
+  Eq( kCNF,
+      kdf(<'CNF', certT, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), 
+           snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))), cip>,
+          kKDF)
+  ),
+  ValidTrans( T, 'terminal',
+              cert_id(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, skT)))))
+  )
+  ]->
+   [ ]
+
+  /*
+  rule (modulo AC) Verify_Transcript_T:
+     [
+     In( <certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF> ), In( kKDF ),
+     !Ltk( T, skT, 'terminal' )
+     ]
+    --[
+    Eq( T, z ), Eq( z.1, true ), Eq( z.2, true ),
+    Eq( kTCNF, kdf(<'TCNF', r1>, z.3) ),
+    Eq( s, mac(<'CA', certT, z.4, z.5, cip>, kdf(<'TMAC', r1>, z.3)) ),
+    Eq( kCNF, kdf(<'CNF', certT, z.4, z.5, cip>, kKDF) ),
+    ValidTrans( T, 'terminal', z.6 )
+    ]->
+     [ ]
+    variants (modulo AC)
+     1. cCA   = cCA.35
+        cTA   = cTA.36
+        certT = certT.37
+        r1    = r1.42
+        skT   = skT.44
+        z     = cert_id(certT.37)
+        z.1   = verify(cert_sig(fst(sdec(cCA.35,
+                                         kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44))))),
+                       <
+                        cert_pk(fst(sdec(cCA.35,
+                                         kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44))))), 
+                        cert_id(fst(sdec(cCA.35,
+                                         kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.37),
+                       <cert_pk(certT.37), cert_id(certT.37), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.36, skT.44)
+        z.4   = fst(sdec(cCA.35, kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44))))
+        z.5   = snd(sdec(cCA.35, kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44))))
+        z.6   = cert_id(fst(sdec(cCA.35,
+                                 kdf(<'TENC', r1.42>, decaps(cTA.36, skT.44)))))
+    
+     2. cCA   = cCA.41
+        cTA   = encaps(z.56, pk(skT.50))
+        certT = certT.43
+        r1    = r1.48
+        skT   = skT.50
+        z     = cert_id(certT.43)
+        z.1   = verify(cert_sig(fst(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56)))),
+                       <cert_pk(fst(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56)))), 
+                        cert_id(fst(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.43),
+                       <cert_pk(certT.43), cert_id(certT.43), 'terminal'>, pk(ca_sk))
+        z.3   = z.56
+        z.4   = fst(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56)))
+        z.5   = snd(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56)))
+        z.6   = cert_id(fst(sdec(cCA.41, kdf(<'TENC', r1.48>, z.56))))
+    
+     3. cCA   = cCA.114
+        cTA   = cTA.115
+        certT = cert(x.224, sign(<x.224, z.125, 'terminal'>, ca_sk), z.125)
+        r1    = r1.121
+        skT   = skT.123
+        z     = z.125
+        z.1   = verify(cert_sig(fst(sdec(cCA.114,
+                                         kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123))))),
+                       <
+                        cert_pk(fst(sdec(cCA.114,
+                                         kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123))))), 
+                        cert_id(fst(sdec(cCA.114,
+                                         kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.115, skT.123)
+        z.4   = fst(sdec(cCA.114,
+                         kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123))))
+        z.5   = snd(sdec(cCA.114,
+                         kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123))))
+        z.6   = cert_id(fst(sdec(cCA.114,
+                                 kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123)))))
+    
+     4. cCA   = cCA.115
+        cTA   = cTA.116
+        certT = cert(x.225, x.226, z.126)
+        r1    = r1.122
+        skT   = skT.124
+        z     = z.126
+        z.1   = verify(cert_sig(fst(sdec(cCA.115,
+                                         kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124))))),
+                       <
+                        cert_pk(fst(sdec(cCA.115,
+                                         kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124))))), 
+                        cert_id(fst(sdec(cCA.115,
+                                         kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124))))), 
+                        'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.226, <x.225, z.126, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.116, skT.124)
+        z.4   = fst(sdec(cCA.115,
+                         kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124))))
+        z.5   = snd(sdec(cCA.115,
+                         kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124))))
+        z.6   = cert_id(fst(sdec(cCA.115,
+                                 kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124)))))
+    
+     5. cCA   = cCA.116
+        cTA   = encaps(z.131, pk(skT.125))
+        certT = cert(x.228, sign(<x.228, z.127, 'terminal'>, ca_sk), z.127)
+        r1    = r1.123
+        skT   = skT.125
+        z     = z.127
+        z.1   = verify(cert_sig(fst(sdec(cCA.116,
+                                         kdf(<'TENC', r1.123>, z.131)))),
+                       <cert_pk(fst(sdec(cCA.116, kdf(<'TENC', r1.123>, z.131)))), 
+                        cert_id(fst(sdec(cCA.116, kdf(<'TENC', r1.123>, z.131)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.131
+        z.4   = fst(sdec(cCA.116, kdf(<'TENC', r1.123>, z.131)))
+        z.5   = snd(sdec(cCA.116, kdf(<'TENC', r1.123>, z.131)))
+        z.6   = cert_id(fst(sdec(cCA.116, kdf(<'TENC', r1.123>, z.131))))
+    
+     6. cCA   = cCA.117
+        cTA   = encaps(z.132, pk(skT.126))
+        certT = cert(x.229, x.230, z.128)
+        r1    = r1.124
+        skT   = skT.126
+        z     = z.128
+        z.1   = verify(cert_sig(fst(sdec(cCA.117,
+                                         kdf(<'TENC', r1.124>, z.132)))),
+                       <cert_pk(fst(sdec(cCA.117, kdf(<'TENC', r1.124>, z.132)))), 
+                        cert_id(fst(sdec(cCA.117, kdf(<'TENC', r1.124>, z.132)))), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.230, <x.229, z.128, 'terminal'>, pk(ca_sk))
+        z.3   = z.132
+        z.4   = fst(sdec(cCA.117, kdf(<'TENC', r1.124>, z.132)))
+        z.5   = snd(sdec(cCA.117, kdf(<'TENC', r1.124>, z.132)))
+        z.6   = cert_id(fst(sdec(cCA.117, kdf(<'TENC', r1.124>, z.132))))
+    
+     7. cCA   = senc(x.165, kdf(<'TENC', r1.90>, z.98))
+        cTA   = encaps(z.98, pk(skT.92))
+        certT = cert(x.169, sign(<x.169, z.94, 'terminal'>, ca_sk), z.94)
+        r1    = r1.90
+        skT   = skT.92
+        z     = z.94
+        z.1   = verify(cert_sig(fst(x.165)),
+                       <cert_pk(fst(x.165)), cert_id(fst(x.165)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = z.98
+        z.4   = fst(x.165)
+        z.5   = snd(x.165)
+        z.6   = cert_id(fst(x.165))
+    
+     8. cCA   = senc(x.166, kdf(<'TENC', r1.91>, z.99))
+        cTA   = encaps(z.99, pk(skT.93))
+        certT = cert(x.170, x.171, z.95)
+        r1    = r1.91
+        skT   = skT.93
+        z     = z.95
+        z.1   = verify(cert_sig(fst(x.166)),
+                       <cert_pk(fst(x.166)), cert_id(fst(x.166)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.171, <x.170, z.95, 'terminal'>, pk(ca_sk))
+        z.3   = z.99
+        z.4   = fst(x.166)
+        z.5   = snd(x.166)
+        z.6   = cert_id(fst(x.166))
+    
+     9. cCA   = senc(x.206, kdf(<'TENC', r1.111>, z.119))
+        cTA   = encaps(z.119, pk(skT.113))
+        certT = certT.106
+        r1    = r1.111
+        skT   = skT.113
+        z     = cert_id(certT.106)
+        z.1   = verify(cert_sig(fst(x.206)),
+                       <cert_pk(fst(x.206)), cert_id(fst(x.206)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = z.119
+        z.4   = fst(x.206)
+        z.5   = snd(x.206)
+        z.6   = cert_id(fst(x.206))
+    
+    10. cCA   = senc(x.215, kdf(<'TENC', r1.116>, decaps(cTA.110, skT.118)))
+        cTA   = cTA.110
+        certT = certT.111
+        r1    = r1.116
+        skT   = skT.118
+        z     = cert_id(certT.111)
+        z.1   = verify(cert_sig(fst(x.215)),
+                       <cert_pk(fst(x.215)), cert_id(fst(x.215)), 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.111),
+                       <cert_pk(certT.111), cert_id(certT.111), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.110, skT.118)
+        z.4   = fst(x.215)
+        z.5   = snd(x.215)
+        z.6   = cert_id(fst(x.215))
+    
+    11. cCA   = senc(x.219, kdf(<'TENC', r1.120>, decaps(cTA.114, skT.122)))
+        cTA   = cTA.114
+        certT = cert(x.223, sign(<x.223, z.124, 'terminal'>, ca_sk), z.124)
+        r1    = r1.120
+        skT   = skT.122
+        z     = z.124
+        z.1   = verify(cert_sig(fst(x.219)),
+                       <cert_pk(fst(x.219)), cert_id(fst(x.219)), 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.114, skT.122)
+        z.4   = fst(x.219)
+        z.5   = snd(x.219)
+        z.6   = cert_id(fst(x.219))
+    
+    12. cCA   = senc(x.220, kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123)))
+        cTA   = cTA.115
+        certT = cert(x.224, x.225, z.125)
+        r1    = r1.121
+        skT   = skT.123
+        z     = z.125
+        z.1   = verify(cert_sig(fst(x.220)),
+                       <cert_pk(fst(x.220)), cert_id(fst(x.220)), 'chip'>, pk(ca_sk))
+        z.2   = verify(x.225, <x.224, z.125, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.115, skT.123)
+        z.4   = fst(x.220)
+        z.5   = snd(x.220)
+        z.6   = cert_id(fst(x.220))
+    
+    13. cCA   = senc(<z.57, z.58>, kdf(<'TENC', r1.47>, z.55))
+        cTA   = encaps(z.55, pk(skT.49))
+        certT = certT.42
+        r1    = r1.47
+        skT   = skT.49
+        z     = cert_id(certT.42)
+        z.1   = verify(cert_sig(z.57), <cert_pk(z.57), cert_id(z.57), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.42),
+                       <cert_pk(certT.42), cert_id(certT.42), 'terminal'>, pk(ca_sk))
+        z.3   = z.55
+        z.4   = z.57
+        z.5   = z.58
+        z.6   = cert_id(z.57)
+    
+    14. cCA   = senc(<z.59, z.60>,
+                     kdf(<'TENC', r1.49>, decaps(cTA.43, skT.51)))
+        cTA   = cTA.43
+        certT = certT.44
+        r1    = r1.49
+        skT   = skT.51
+        z     = cert_id(certT.44)
+        z.1   = verify(cert_sig(z.59), <cert_pk(z.59), cert_id(z.59), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(cert_sig(certT.44),
+                       <cert_pk(certT.44), cert_id(certT.44), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.43, skT.51)
+        z.4   = z.59
+        z.5   = z.60
+        z.6   = cert_id(z.59)
+    
+    15. cCA   = senc(<z.101, z.102>, kdf(<'TENC', r1.91>, z.99))
+        cTA   = encaps(z.99, pk(skT.93))
+        certT = cert(x.171, sign(<x.171, z.95, 'terminal'>, ca_sk), z.95)
+        r1    = r1.91
+        skT   = skT.93
+        z     = z.95
+        z.1   = verify(cert_sig(z.101), <cert_pk(z.101), cert_id(z.101), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = z.99
+        z.4   = z.101
+        z.5   = z.102
+        z.6   = cert_id(z.101)
+    
+    16. cCA   = senc(<z.102, z.103>, kdf(<'TENC', r1.92>, z.100))
+        cTA   = encaps(z.100, pk(skT.94))
+        certT = cert(x.172, x.173, z.96)
+        r1    = r1.92
+        skT   = skT.94
+        z     = z.96
+        z.1   = verify(cert_sig(z.102), <cert_pk(z.102), cert_id(z.102), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.173, <x.172, z.96, 'terminal'>, pk(ca_sk))
+        z.3   = z.100
+        z.4   = z.102
+        z.5   = z.103
+        z.6   = cert_id(z.102)
+    
+    17. cCA   = senc(<z.131, z.132>,
+                     kdf(<'TENC', r1.121>, decaps(cTA.115, skT.123)))
+        cTA   = cTA.115
+        certT = cert(x.225, sign(<x.225, z.125, 'terminal'>, ca_sk), z.125)
+        r1    = r1.121
+        skT   = skT.123
+        z     = z.125
+        z.1   = verify(cert_sig(z.131), <cert_pk(z.131), cert_id(z.131), 'chip'>,
+                       pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.115, skT.123)
+        z.4   = z.131
+        z.5   = z.132
+        z.6   = cert_id(z.131)
+    
+    18. cCA   = senc(<z.132, z.133>,
+                     kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124)))
+        cTA   = cTA.116
+        certT = cert(x.226, x.227, z.126)
+        r1    = r1.122
+        skT   = skT.124
+        z     = z.126
+        z.1   = verify(cert_sig(z.132), <cert_pk(z.132), cert_id(z.132), 'chip'>,
+                       pk(ca_sk))
+        z.2   = verify(x.227, <x.226, z.126, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.116, skT.124)
+        z.4   = z.132
+        z.5   = z.133
+        z.6   = cert_id(z.132)
+    
+    19. cCA   = senc(<
+                      cert(x.167, sign(<x.167, z.106, 'chip'>, ca_sk), z.106), z.103>,
+                     kdf(<'TENC', r1.92>, z.100))
+        cTA   = encaps(z.100, pk(skT.94))
+        certT = cert(x.173, sign(<x.173, z.96, 'terminal'>, ca_sk), z.96)
+        r1    = r1.92
+        skT   = skT.94
+        z     = z.96
+        z.1   = true
+        z.2   = true
+        z.3   = z.100
+        z.4   = cert(x.167, sign(<x.167, z.106, 'chip'>, ca_sk), z.106)
+        z.5   = z.103
+        z.6   = z.106
+    
+    20. cCA   = senc(<cert(x.168, x.169, z.107), z.104>,
+                     kdf(<'TENC', r1.93>, z.101))
+        cTA   = encaps(z.101, pk(skT.95))
+        certT = cert(x.175, sign(<x.175, z.97, 'terminal'>, ca_sk), z.97)
+        r1    = r1.93
+        skT   = skT.95
+        z     = z.97
+        z.1   = verify(x.169, <x.168, z.107, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = z.101
+        z.4   = cert(x.168, x.169, z.107)
+        z.5   = z.104
+        z.6   = z.107
+    
+    21. cCA   = senc(<
+                      cert(x.168, sign(<x.168, z.107, 'chip'>, ca_sk), z.107), z.104>,
+                     kdf(<'TENC', r1.93>, z.101))
+        cTA   = encaps(z.101, pk(skT.95))
+        certT = cert(x.174, x.175, z.97)
+        r1    = r1.93
+        skT   = skT.95
+        z     = z.97
+        z.1   = true
+        z.2   = verify(x.175, <x.174, z.97, 'terminal'>, pk(ca_sk))
+        z.3   = z.101
+        z.4   = cert(x.168, sign(<x.168, z.107, 'chip'>, ca_sk), z.107)
+        z.5   = z.104
+        z.6   = z.107
+    
+    22. cCA   = senc(<cert(x.169, x.170, z.108), z.105>,
+                     kdf(<'TENC', r1.94>, z.102))
+        cTA   = encaps(z.102, pk(skT.96))
+        certT = cert(x.176, x.177, z.98)
+        r1    = r1.94
+        skT   = skT.96
+        z     = z.98
+        z.1   = verify(x.170, <x.169, z.108, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.177, <x.176, z.98, 'terminal'>, pk(ca_sk))
+        z.3   = z.102
+        z.4   = cert(x.169, x.170, z.108)
+        z.5   = z.105
+        z.6   = z.108
+    
+    23. cCA   = senc(<
+                      cert(x.206, sign(<x.206, z.125, 'chip'>, ca_sk), z.125), z.122>,
+                     kdf(<'TENC', r1.111>, z.119))
+        cTA   = encaps(z.119, pk(skT.113))
+        certT = certT.106
+        r1    = r1.111
+        skT   = skT.113
+        z     = cert_id(certT.106)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.106),
+                       <cert_pk(certT.106), cert_id(certT.106), 'terminal'>, pk(ca_sk))
+        z.3   = z.119
+        z.4   = cert(x.206, sign(<x.206, z.125, 'chip'>, ca_sk), z.125)
+        z.5   = z.122
+        z.6   = z.125
+    
+    24. cCA   = senc(<cert(x.207, x.208, z.126), z.123>,
+                     kdf(<'TENC', r1.112>, z.120))
+        cTA   = encaps(z.120, pk(skT.114))
+        certT = certT.107
+        r1    = r1.112
+        skT   = skT.114
+        z     = cert_id(certT.107)
+        z.1   = verify(x.208, <x.207, z.126, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.107),
+                       <cert_pk(certT.107), cert_id(certT.107), 'terminal'>, pk(ca_sk))
+        z.3   = z.120
+        z.4   = cert(x.207, x.208, z.126)
+        z.5   = z.123
+        z.6   = z.126
+    
+    25. cCA   = senc(<
+                      cert(x.215, sign(<x.215, z.130, 'chip'>, ca_sk), z.130), z.127>,
+                     kdf(<'TENC', r1.116>, decaps(cTA.110, skT.118)))
+        cTA   = cTA.110
+        certT = certT.111
+        r1    = r1.116
+        skT   = skT.118
+        z     = cert_id(certT.111)
+        z.1   = true
+        z.2   = verify(cert_sig(certT.111),
+                       <cert_pk(certT.111), cert_id(certT.111), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.110, skT.118)
+        z.4   = cert(x.215, sign(<x.215, z.130, 'chip'>, ca_sk), z.130)
+        z.5   = z.127
+        z.6   = z.130
+    
+    26. cCA   = senc(<cert(x.216, x.217, z.131), z.128>,
+                     kdf(<'TENC', r1.117>, decaps(cTA.111, skT.119)))
+        cTA   = cTA.111
+        certT = certT.112
+        r1    = r1.117
+        skT   = skT.119
+        z     = cert_id(certT.112)
+        z.1   = verify(x.217, <x.216, z.131, 'chip'>, pk(ca_sk))
+        z.2   = verify(cert_sig(certT.112),
+                       <cert_pk(certT.112), cert_id(certT.112), 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.111, skT.119)
+        z.4   = cert(x.216, x.217, z.131)
+        z.5   = z.128
+        z.6   = z.131
+    
+    27. cCA   = senc(<
+                      cert(x.221, sign(<x.221, z.136, 'chip'>, ca_sk), z.136), z.133>,
+                     kdf(<'TENC', r1.122>, decaps(cTA.116, skT.124)))
+        cTA   = cTA.116
+        certT = cert(x.227, sign(<x.227, z.126, 'terminal'>, ca_sk), z.126)
+        r1    = r1.122
+        skT   = skT.124
+        z     = z.126
+        z.1   = true
+        z.2   = true
+        z.3   = decaps(cTA.116, skT.124)
+        z.4   = cert(x.221, sign(<x.221, z.136, 'chip'>, ca_sk), z.136)
+        z.5   = z.133
+        z.6   = z.136
+    
+    28. cCA   = senc(<cert(x.222, x.223, z.137), z.134>,
+                     kdf(<'TENC', r1.123>, decaps(cTA.117, skT.125)))
+        cTA   = cTA.117
+        certT = cert(x.229, sign(<x.229, z.127, 'terminal'>, ca_sk), z.127)
+        r1    = r1.123
+        skT   = skT.125
+        z     = z.127
+        z.1   = verify(x.223, <x.222, z.137, 'chip'>, pk(ca_sk))
+        z.2   = true
+        z.3   = decaps(cTA.117, skT.125)
+        z.4   = cert(x.222, x.223, z.137)
+        z.5   = z.134
+        z.6   = z.137
+    
+    29. cCA   = senc(<
+                      cert(x.222, sign(<x.222, z.137, 'chip'>, ca_sk), z.137), z.134>,
+                     kdf(<'TENC', r1.123>, decaps(cTA.117, skT.125)))
+        cTA   = cTA.117
+        certT = cert(x.228, x.229, z.127)
+        r1    = r1.123
+        skT   = skT.125
+        z     = z.127
+        z.1   = true
+        z.2   = verify(x.229, <x.228, z.127, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.117, skT.125)
+        z.4   = cert(x.222, sign(<x.222, z.137, 'chip'>, ca_sk), z.137)
+        z.5   = z.134
+        z.6   = z.137
+    
+    30. cCA   = senc(<cert(x.223, x.224, z.138), z.135>,
+                     kdf(<'TENC', r1.124>, decaps(cTA.118, skT.126)))
+        cTA   = cTA.118
+        certT = cert(x.230, x.231, z.128)
+        r1    = r1.124
+        skT   = skT.126
+        z     = z.128
+        z.1   = verify(x.224, <x.223, z.138, 'chip'>, pk(ca_sk))
+        z.2   = verify(x.231, <x.230, z.128, 'terminal'>, pk(ca_sk))
+        z.3   = decaps(cTA.118, skT.126)
+        z.4   = cert(x.223, x.224, z.138)
+        z.5   = z.135
+        z.6   = z.138
+  */
+
+restriction Equality:
+  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
+  // safety formula
+
+lemma session_exist:
+  exists-trace
+  "∃ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+    (#i < #j)"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  #i < #j"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C_case_1
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z.1),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( mac(<'CA', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                kdf(<'TMAC', ~r1>, ~kTA))
+                       ) @ #vk.5 )
+                  case TA_RESPONSE_T
+                  solve( !KU( senc(<
+                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2>,
+                                   kdf(<'TENC', ~r1>, ~kTA))
+                         ) @ #vk.26 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( encaps(~kTA, pk(~skT)) ) @ #vk.26 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~r1 ) @ #vk.26 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                               ) @ #vk.16 )
+                          case CA_Sign_ltk
+                          solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.11 )
+                            case TA_RESPONSE_T
+                            solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.33 )
+                              case TA_CHALLENGE_C
+                              solve( !KU( senc(<cert(z, sign(<z, x, 'chip'>, ca_sk), x), z.1>,
+                                               kdf(<'TENC', ~r1>, ~kTA))
+                                     ) @ #vk.33 )
+                                case TA_CHALLENGE_C
+                                solve( !KU( kdf(<'CNF', 
+                                                 cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
+                                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                 ~r2, encaps(~k, pk(~ltk))>,
+                                                ~k)
+                                       ) @ #vk.22 )
+                                  case TA_COMPLETE_C
+                                  solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.16 )
+                                    case TA_RESPONSE_T
+                                    SOLVED // trace found
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma two_session_exist:
+  exists-trace
+  "∃ C T k k2 sid sid2 #i #j #i2 #j2.
+    ((((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+         (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+        (#i < #j)) ∧
+       (Completed( k2, sid2, C, 'chip', T ) @ #i2)) ∧
+      (Completed( k2, sid2, T, 'terminal', C ) @ #j2)) ∧
+     (#i2 < #j2)) ∧
+    (¬(k = k2))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T k k2 sid sid2 #i #j #i2 #j2.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j) ∧
+  (Completed( k2, sid2, C, 'chip', T ) @ #i2) ∧
+  (Completed( k2, sid2, T, 'terminal', C ) @ #j2)
+ ∧
+  (#i < #j) ∧ (#i2 < #j2) ∧ (¬(k = k2))"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C_case_1
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z.1),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
+                case TA_COMPLETE_C_case_1
+                solve( TAChallengeC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1, r2.1,
+                                     kTMAC, kTCNF
+                       ) ▶₁ #i2 )
+                  case TA_CHALLENGE_C
+                  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
+                    case Generate_chip_key_pair
+                    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
+                      case CA_Sign_ltk
+                      solve( Completed( kdf(<'KEY', 
+                                             cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), 
+                                             ~r2.1, cip>,
+                                            z),
+                                        <cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, 
+                                         cip>,
+                                        $T, 'terminal', $C
+                             ) @ #j2 )
+                        case CA_FINISH_T
+                        solve( TAResponseT( <$T, iid.3>, id_c.3,
+                                            cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C),
+                                            ~r2.1, <z, cip>
+                               ) ▶₁ #j2 )
+                          case TA_RESPONSE_T
+                          solve( !Cert( $T, cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T),
+                                        'terminal'
+                                 ) ▶₂ #j2 )
+                            case CA_Sign_ltk
+                            solve( splitEqs(2) )
+                              case split_case_1
+                              solve( splitEqs(5) )
+                                case split_case_1
+                                solve( !KU( mac(<'CA', 
+                                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
+                                                      $T), 
+                                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                 ~r2, encaps(~k, pk(~ltk))>,
+                                                kdf(<'TMAC', ~r1>, ~kTA))
+                                       ) @ #vk.5 )
+                                  case c_mac
+                                  solve( !KU( ~r2 ) @ #vk.53 )
+                                    case TA_CHALLENGE_C
+                                    solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.4 )
+                                      case TA_RESPONSE_T
+                                      solve( !KU( senc(<
+                                                        cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk),
+                                                             $C), 
+                                                        ~r2>,
+                                                       kdf(<'TENC', r1.2>, decaps(cTA, ~skT)))
+                                             ) @ #vk.41 )
+                                        case c_senc
+                                        solve( !KU( mac(<'CA', 
+                                                         cert(pk(~ltk.2),
+                                                              sign(<pk(~ltk.2), $T, 'terminal'>, ca_sk), $T), 
+                                                         cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk),
+                                                              $C), 
+                                                         ~r2.1, encaps(~k.1, pk(~skC))>,
+                                                        kdf(<'TMAC', ~r1.1>, ~kTA.1))
+                                               ) @ #vk.47 )
+                                          case TA_RESPONSE_T
+                                          solve( !KU( senc(<
+                                                            cert(pk(~skC),
+                                                                 sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), 
+                                                            ~r2.1>,
+                                                           kdf(<'TENC', ~r1.1>, ~kTA.1))
+                                                 ) @ #vk.54 )
+                                            case TA_CHALLENGE_C
+                                            solve( !KU( encaps(~kTA.1, pk(~skT.1)) ) @ #vk.55 )
+                                              case TA_CHALLENGE_C
+                                              solve( !KU( kdf(<'TMAC', ~r1>, ~kTA) ) @ #vk.56 )
+                                                case c_kdf
+                                                solve( !KU( ~kTA ) @ #vk.66 )
+                                                  case TA_CHALLENGE_C
+                                                  solve( !KU( ~ltk.1 ) @ #vk.68 )
+                                                    case Corrupt_ltk
+                                                    solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.61 )
+                                                      case c_kdf
+                                                      solve( !KU( encaps(~kTA, pk(~skT.2)) ) @ #vk.66 )
+                                                        case TA_CHALLENGE_C
+                                                        solve( !KU( senc(<
+                                                                          cert(z, sign(<z, x, 'chip'>, ca_sk),
+                                                                               x), 
+                                                                          z.1>,
+                                                                         kdf(<'TENC', ~r1>, ~kTA))
+                                                               ) @ #vk.67 )
+                                                          case TA_CHALLENGE_C
+                                                          solve( !KU( kdf(<'TENC', r1.2>, decaps(cTA, ~skT.1))
+                                                                 ) @ #vk.68 )
+                                                            case c_kdf
+                                                            solve( !KU( decaps(cTA, ~skT.1) ) @ #vk.72 )
+                                                              case c_decaps
+                                                              solve( !KU( ~skT.1 ) @ #vk.73 )
+                                                                case Corrupt_ltk
+                                                                solve( !KU( ~r1 ) @ #vk.69 )
+                                                                  case TA_CHALLENGE_C
+                                                                  solve( !KU( ~r1.1 ) @ #vk.66 )
+                                                                    case TA_CHALLENGE_C
+                                                                    solve( !KU( cert(pk(~ltk.1),
+                                                                                     sign(<pk(~ltk.1), $T, 
+                                                                                           'terminal'>,
+                                                                                          ca_sk),
+                                                                                     $T)
+                                                                           ) @ #vk.50 )
+                                                                      case CA_Sign_ltk
+                                                                      solve( !KU( kdf(<'CNF', 
+                                                                                       cert(pk(~ltk.1),
+                                                                                            sign(<pk(~ltk.1), 
+                                                                                                  $T, 
+                                                                                                  'terminal'>,
+                                                                                                 ca_sk),
+                                                                                            $T), 
+                                                                                       cert(pk(~ltk),
+                                                                                            sign(<pk(~ltk), 
+                                                                                                  $C, 'chip'>,
+                                                                                                 ca_sk),
+                                                                                            $C), 
+                                                                                       ~r2, 
+                                                                                       encaps(~k, pk(~ltk))>,
+                                                                                      ~k)
+                                                                             ) @ #vk.53 )
+                                                                        case TA_COMPLETE_C
+                                                                        solve( !KU( encaps(~k, pk(~ltk))
+                                                                               ) @ #vk.46 )
+                                                                          case TA_RESPONSE_T
+                                                                          solve( !KU( cert(pk(~skT),
+                                                                                           sign(<pk(~skT), 
+                                                                                                 $T, 
+                                                                                                 'terminal'>,
+                                                                                                ca_sk),
+                                                                                           $T)
+                                                                                 ) @ #vk.66 )
+                                                                            case CA_Sign_ltk
+                                                                            solve( !KU( kdf(<'TCNF', ~r1.1>,
+                                                                                            ~kTA.1)
+                                                                                   ) @ #vk.65 )
+                                                                              case TA_RESPONSE_T
+                                                                              solve( !KU( encaps(~kTA.1,
+                                                                                                 pk(~skT.2))
+                                                                                     ) @ #vk.79 )
+                                                                                case TA_CHALLENGE_C
+                                                                                solve( !KU( senc(<
+                                                                                                  cert(z,
+                                                                                                       sign(<
+                                                                                                             z, 
+                                                                                                             x, 
+                                                                                                             'chip'
+                                                                                                            >,
+                                                                                                            ca_sk),
+                                                                                                       x), 
+                                                                                                  z.1>,
+                                                                                                 kdf(<'TENC', 
+                                                                                                      ~r1.1>,
+                                                                                                     ~kTA.1))
+                                                                                       ) @ #vk.79 )
+                                                                                  case TA_CHALLENGE_C
+                                                                                  solve( !KU( kdf(<'CNF', 
+                                                                                                   cert(pk(~skT),
+                                                                                                        sign(<
+                                                                                                              pk(~skT), 
+                                                                                                              $T, 
+                                                                                                              'terminal'
+                                                                                                             >,
+                                                                                                             ca_sk),
+                                                                                                        $T), 
+                                                                                                   cert(pk(~skC),
+                                                                                                        sign(<
+                                                                                                              pk(~skC), 
+                                                                                                              $C, 
+                                                                                                              'chip'
+                                                                                                             >,
+                                                                                                             ca_sk),
+                                                                                                        $C), 
+                                                                                                   ~r2.1, 
+                                                                                                   encaps(~k.1,
+                                                                                                          pk(~skC))
+                                                                                                  >,
+                                                                                                  ~k.1)
+                                                                                         ) @ #vk.68 )
+                                                                                    case TA_COMPLETE_C
+                                                                                    solve( !KU( encaps(~k.1,
+                                                                                                       pk(~skC))
+                                                                                           ) @ #vk.68 )
+                                                                                      case TA_RESPONSE_T
+                                                                                      solve( !KU( cert(pk(~ltk),
+                                                                                                       sign(<
+                                                                                                             pk(~ltk), 
+                                                                                                             $C, 
+                                                                                                             'chip'
+                                                                                                            >,
+                                                                                                            ca_sk),
+                                                                                                       $C)
+                                                                                             ) @ #vk.71 )
+                                                                                        case CA_Sign_ltk
+                                                                                        SOLVED // trace found
+                                                                                      qed
+                                                                                    qed
+                                                                                  qed
+                                                                                qed
+                                                                              qed
+                                                                            qed
+                                                                          qed
+                                                                        qed
+                                                                      qed
+                                                                    qed
+                                                                  qed
+                                                                qed
+                                                              qed
+                                                            qed
+                                                          qed
+                                                        qed
+                                                      qed
+                                                    qed
+                                                  qed
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case TA_COMPLETE_C_case_1
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           r2, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_2
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           r2, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( TAResponseT( <$T.1, iid>, id_c,
+                          cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( splitEqs(1) )
+          case split_case_1
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case TA_COMPLETE_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.16 )
+              case TA_RESPONSE_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+                               kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                     ) @ #vk.14 )
+                case c_senc
+                solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                       ) @ #vk.22 )
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.26 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~ltk.1 ) @ #vk.26 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_cert
+                  solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.29 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.27 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.27 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_sign
+                    by solve( !KU( ca_sk ) @ #vk.33 )
+                  qed
+                qed
+              qed
+            qed
+          qed
+        next
+          case split_case_2
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case TA_COMPLETE_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.16 )
+              case TA_RESPONSE_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+                               kdf(<'TENC', r1>, z))
+                     ) @ #vk.14 )
+                case TA_CHALLENGE_C
+                solve( !KU( ~r2 ) @ #vk.24 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~ltk.1 ) @ #vk.25 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_senc
+                solve( !KU( encaps(z, pk(~skT)) ) @ #vk.15 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.23 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.34 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.38 )
+                    qed
+                  qed
+                next
+                  case TA_RESPONSE_T
+                  solve( splitEqs(6) )
+                    case split_case_1
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                           ) @ #vk.25 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case TA_CHALLENGE_C
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.41 )
+                      qed
+                    qed
+                  next
+                    case split_case_2
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                           ) @ #vk.25 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case TA_CHALLENGE_C
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.41 )
+                      qed
+                    qed
+                  qed
+                next
+                  case c_encaps
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.23 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.31 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.35 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      C, 'chip', T.1
+           ) @ #i )
+      case TA_COMPLETE_C_case_1
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           r2, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.31 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.36 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case split_case_2
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.31 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.36 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_2
+      solve( TAChallengeC( <$C, iid>,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           r2, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.31 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.36 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case split_case_2
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.31 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.36 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( TAResponseT( <$T.1, iid>, id_c,
+                          cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( splitEqs(1) )
+          case split_case_1
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case TA_COMPLETE_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.16 )
+              case TA_RESPONSE_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+                               kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                     ) @ #vk.14 )
+                case c_senc
+                solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                       ) @ #vk.22 )
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.26 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~ltk.1 ) @ #vk.26 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_cert
+                  solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.29 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.27 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.27 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_sign
+                    by solve( !KU( ca_sk ) @ #vk.33 )
+                  qed
+                qed
+              qed
+            qed
+          qed
+        next
+          case split_case_2
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case TA_COMPLETE_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.16 )
+              case TA_RESPONSE_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+                               kdf(<'TENC', r1>, z))
+                     ) @ #vk.14 )
+                case TA_CHALLENGE_C
+                solve( !KU( ~r2 ) @ #vk.24 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~ltk.1 ) @ #vk.25 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_senc
+                solve( !KU( encaps(z, pk(~skT)) ) @ #vk.15 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.23 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.34 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.38 )
+                    qed
+                  qed
+                next
+                  case TA_RESPONSE_T
+                  solve( splitEqs(6) )
+                    case split_case_1
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                           ) @ #vk.25 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case TA_CHALLENGE_C
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.41 )
+                      qed
+                    qed
+                  next
+                    case split_case_2
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                           ) @ #vk.25 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case TA_CHALLENGE_C
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.41 )
+                      qed
+                    qed
+                  qed
+                next
+                  case c_encaps
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                         ) @ #vk.23 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.31 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.35 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_T
+      solve( TAResponseT( <$T.1, iid>, id_c,
+                          cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( splitEqs(1) )
+          case split_case_1
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case TA_COMPLETE_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.16 )
+              case TA_RESPONSE_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
+                               kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                     ) @ #vk.14 )
+                case c_senc
+                solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                       ) @ #vk.22 )
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.26 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~ltk.1 ) @ #vk.26 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_cert
+                  solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.29 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.27 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.27 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_sign
+                    by solve( !KU( ca_sk ) @ #vk.33 )
+                  qed
+                qed
+              qed
+            qed
+          qed
+        next
+          case split_case_2
+          solve( !KU( kdf(<'CNF', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                          ~k)
+                 ) @ #vk.1 )
+            case TA_COMPLETE_C
+            by contradiction /* from formulas */
+          next
+            case c_kdf
+            solve( !KU( ~k ) @ #vk.16 )
+              case TA_RESPONSE_T
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
+                               kdf(<'TENC', r1>, z))
+                     ) @ #vk.14 )
+                case TA_CHALLENGE_C
+                solve( !KU( ~r2 ) @ #vk.24 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~ltk.1 ) @ #vk.25 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_senc
+                solve( !KU( encaps(z, pk(~skT)) ) @ #vk.15 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                         ) @ #vk.23 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.34 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.38 )
+                    qed
+                  qed
+                next
+                  case TA_RESPONSE_T
+                  solve( splitEqs(6) )
+                    case split_case_1
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                           ) @ #vk.25 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case TA_CHALLENGE_C
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.41 )
+                      qed
+                    qed
+                  next
+                    case split_case_2
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                           ) @ #vk.25 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.29 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_cert
+                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
+                        case CA_Sign_ltk
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case TA_CHALLENGE_C
+                        solve( !KU( ~ltk.1 ) @ #vk.31 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      next
+                        case c_sign
+                        by solve( !KU( ca_sk ) @ #vk.41 )
+                      qed
+                    qed
+                  qed
+                next
+                  case c_encaps
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                         ) @ #vk.23 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.26 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.31 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.27 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.35 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_1
+      by contradiction /* from formulas */
+    next
+      case TA_COMPLETE_C_case_2
+      by contradiction /* from formulas */
+    qed
+  qed
+qed
+
+lemma session_uniqueness:
+  all-traces
+  "∀ A B k sid sid2 role #i #j.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧
+     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
+    ((#i = #j) ∧ (sid = sid2))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ A B k sid sid2 role #i #j.
+  (Completed( k, sid, A, role, B ) @ #i) ∧
+  (Completed( k, sid2, A, role, B ) @ #j)
+ ∧
+  ((¬(#i = #j)) ∨ (¬(sid = sid2)))"
+*/
+simplify
+solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
+  case case_1
+  solve( (#i < #j)  ∥ (#j < #i) )
+    case case_1
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_T
+      solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                                ~k),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( TAResponseT( <$T, iid.1>, id_c.1,
+                                cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+                   ) ▶₁ #j )
+              case TA_RESPONSE_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_1
+      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                  z.1),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C_case_1
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
+                                   kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            next
+              case TA_COMPLETE_C_case_2
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
+                                   kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_2
+      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                  z.1),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C_case_1
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
+                                   kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            next
+              case TA_COMPLETE_C_case_2
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
+                                   kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  next
+    case case_2
+    solve( Completed( k, sid, A, role, B ) @ #i )
+      case CA_FINISH_T
+      solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                                ~k),
+                            sid2, $T, 'terminal', B
+                 ) @ #j )
+            case CA_FINISH_T
+            solve( TAResponseT( <$T, iid.1>, id_c.1,
+                                cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+                   ) ▶₁ #j )
+              case TA_RESPONSE_T
+              by contradiction /* cyclic */
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_1
+      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                  z.1),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C_case_1
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
+                                   kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            next
+              case TA_COMPLETE_C_case_2
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
+                                   kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_2
+      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( Completed( kdf(<'KEY', 
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                  z.1),
+                              sid2, $C, 'chip', B
+                   ) @ #j )
+              case TA_COMPLETE_C_case_1
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
+                                   kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            next
+              case TA_COMPLETE_C_case_2
+              solve( TAChallengeC( <$C, iid.1>,
+                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
+                                   kTCNF
+                     ) ▶₁ #j )
+                case TA_CHALLENGE_C
+                by contradiction /* cyclic */
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case case_2
+  solve( Completed( k, sid, A, role, B ) @ #i )
+    case CA_FINISH_T
+    solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+      case TA_RESPONSE_T
+      solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                               cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                              ~k),
+                          sid2, $T, 'terminal', B
+               ) @ #j )
+          case CA_FINISH_T
+          by contradiction /* from formulas */
+        qed
+      qed
+    qed
+  next
+    case TA_COMPLETE_C_case_1
+    solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+           ) ▶₁ #i )
+      case TA_CHALLENGE_C
+      solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+        case Generate_chip_key_pair
+        solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                z.1),
+                            sid2, $C, 'chip', B
+                 ) @ #j )
+            case TA_COMPLETE_C_case_1
+            by contradiction /* from formulas */
+          next
+            case TA_COMPLETE_C_case_2
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  next
+    case TA_COMPLETE_C_case_2
+    solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+           ) ▶₁ #i )
+      case TA_CHALLENGE_C
+      solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+        case Generate_chip_key_pair
+        solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+          case CA_Sign_ltk
+          solve( Completed( kdf(<'KEY', 
+                                 cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                                z.1),
+                            sid2, $C, 'chip', B
+                 ) @ #j )
+            case TA_COMPLETE_C_case_1
+            by contradiction /* from formulas */
+          next
+            case TA_COMPLETE_C_case_2
+            by contradiction /* from formulas */
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma consistency:
+  all-traces
+  "∀ C T k k2 sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
+    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k k2 sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k2, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C_case_1
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( k2,
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( splitEqs(2) )
+                  case split_case_1
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.5 )
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.4 )
+                        case TA_RESPONSE_T
+                        solve( !KU( kdf(<'CNF', 
+                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                         encaps(~k, pk(~ltk))>,
+                                        ~k)
+                               ) @ #vk.19 )
+                          case c_kdf
+                          solve( !KU( ~k ) @ #vk.46 )
+                            case TA_RESPONSE_T
+                            solve( !KU( ~ltk ) @ #vk.48 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.38 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.41 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk))>,
+                                            ~k)
+                                   ) @ #vk.21 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.43 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.45 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case split_case_2
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.5 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk))>,
+                                    ~k)
+                           ) @ #vk.14 )
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.31 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~r2 ) @ #vk.35 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.4 )
+                        case TA_RESPONSE_T
+                        solve( !KU( kdf(<'CNF', 
+                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                         encaps(~k, pk(~ltk))>,
+                                        ~k)
+                               ) @ #vk.19 )
+                          case c_kdf
+                          solve( !KU( ~k ) @ #vk.46 )
+                            case TA_RESPONSE_T
+                            solve( !KU( ~ltk ) @ #vk.48 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.38 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.41 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk))>,
+                                            ~k)
+                                   ) @ #vk.21 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.43 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.45 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case TA_COMPLETE_C_case_2
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( k2,
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(0) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( splitEqs(2) )
+                  case split_case_1
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.5 )
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.4 )
+                        case TA_RESPONSE_T
+                        solve( !KU( kdf(<'CNF', 
+                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                         encaps(~k, pk(~ltk))>,
+                                        ~k)
+                               ) @ #vk.19 )
+                          case c_kdf
+                          solve( !KU( ~k ) @ #vk.46 )
+                            case TA_RESPONSE_T
+                            solve( !KU( ~ltk ) @ #vk.48 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.38 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.41 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk))>,
+                                            ~k)
+                                   ) @ #vk.21 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.43 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.45 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case split_case_2
+                  solve( !KU( mac(<'CA', 
+                                   cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                   cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                   encaps(~k, pk(~ltk))>,
+                                  kdf(<'TMAC', ~r1>, ~kTA))
+                         ) @ #vk.5 )
+                    case TA_RESPONSE_T
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk))>,
+                                    ~k)
+                           ) @ #vk.14 )
+                      case c_kdf
+                      solve( !KU( ~k ) @ #vk.31 )
+                        case TA_RESPONSE_T
+                        solve( !KU( ~r2 ) @ #vk.35 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk ) @ #vk.36 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        qed
+                      qed
+                    qed
+                  next
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.4 )
+                        case TA_RESPONSE_T
+                        solve( !KU( kdf(<'CNF', 
+                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                         encaps(~k, pk(~ltk))>,
+                                        ~k)
+                               ) @ #vk.19 )
+                          case c_kdf
+                          solve( !KU( ~k ) @ #vk.46 )
+                            case TA_RESPONSE_T
+                            solve( !KU( ~ltk ) @ #vk.48 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_kdf
+                        solve( !KU( ~kTA ) @ #vk.38 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~ltk.1 ) @ #vk.41 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'CNF', 
+                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                             encaps(~k, pk(~ltk))>,
+                                            ~k)
+                                   ) @ #vk.21 )
+                              case c_kdf
+                              solve( !KU( ~k ) @ #vk.43 )
+                                case TA_RESPONSE_T
+                                solve( !KU( ~ltk ) @ #vk.45 )
+                                  case Corrupt_ltk
+                                  by contradiction /* from formulas */
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma key_secrecy:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+     (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
+    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+     (∃ #m. Corrupted( C ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C_case_1
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z.1),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.32 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.36 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.37 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.32 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.36 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.37 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+next
+  case TA_COMPLETE_C_case_2
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z.1),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.32 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.36 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.37 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk )
+                  case Reveal_session
+                  by contradiction /* from formulas */
+                next
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.32 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.36 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.37 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma chip_hiding:
+  all-traces
+  "∀ C T iid #i.
+    (CompletedTA( C, iid, T ) @ #i) ⇒
+    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T iid #i.
+  (CompletedTA( C, iid, T ) @ #i)
+ ∧
+  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
+*/
+simplify
+solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+       ) ▶₁ #i )
+  case TA_CHALLENGE_C
+  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+    case Generate_chip_key_pair
+    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+      case CA_Sign_ltk
+      solve( !KU( ~iid ) @ #vk.11 )
+        case TA_CHALLENGE_C
+        solve( splitEqs(0) )
+          case split_case_1
+          solve( !KU( mac(<'CA', cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          kdf(<'TMAC', ~r1>, ~kTA))
+                 ) @ #vk.6 )
+            case TA_RESPONSE_T
+            solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.14 )
+              case c_kdf
+              solve( !KU( ~kTA ) @ #vk.27 )
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.29 )
+                  case Corrupt_ltk
+                  solve( !KU( encaps(~kTA, pk(~skT)) ) @ #vk.23 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( senc(<
+                                      cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2>,
+                                     kdf(<'TENC', ~r1>, ~kTA))
+                           ) @ #vk.25 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~r1 ) @ #vk.23 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                               ) @ #vk.21 )
+                          case CA_Sign_ltk
+                          solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 )
+                            case TA_RESPONSE_T
+                            solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.35 )
+                              case TA_CHALLENGE_C
+                              solve( !KU( senc(<cert(z, sign(<z, x, 'chip'>, ca_sk), x), z.1>,
+                                               kdf(<'TENC', ~r1>, ~kTA))
+                                     ) @ #vk.35 )
+                                case TA_CHALLENGE_C
+                                solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.20 )
+                                  case TA_RESPONSE_T
+                                  SOLVED // trace found
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_terminal:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( C ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( T, 'chip' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( C, 'chip', T ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( C ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( T, 'chip' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( C, 'chip', T ) @ #i )
+  case Verify_Transcript_C
+  solve( !Ltk( C, skC, 'chip' ) ▶₂ #i )
+    case Generate_chip_key_pair
+    solve( splitEqs(0) )
+      case split_case_2
+      solve( !KU( cert(x, sign(<x, T, 'terminal'>, ca_sk), T) ) @ #vk.1 )
+        case CA_Sign_ltk
+        solve( !KU( senc(<cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z>,
+                         kdf(<'TENC', r1>, kTA))
+               ) @ #vk.11 )
+          case c_senc
+          solve( !KU( mac(<'CA', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                           cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, encaps(z.1, pk(~ltk.1))
+                          >,
+                          kdf(<'TMAC', r1>, kTA))
+                 ) @ #vk.15 )
+            case c_mac
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                             cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, encaps(z.1, pk(~ltk.1))
+                            >,
+                            z.1)
+                   ) @ #vk.18 )
+              case c_kdf
+              solve( !KU( encaps(z.1, pk(~ltk.1)) ) @ #vk.19 )
+                case c_encaps
+                solve( !KU( cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1) ) @ #vk.25 )
+                  case CA_Sign_ltk
+                  solve( !KU( kdf(<'TCNF', r1>, kTA) ) @ #vk.21 )
+                    case c_kdf
+                    solve( !KU( kdf(<'TENC', r1>, kTA) ) @ #vk.26 )
+                      case c_kdf
+                      solve( !KU( kdf(<'TMAC', r1>, kTA) ) @ #vk.29 )
+                        case c_kdf
+                        solve( !KU( pk(~ltk.2) ) @ #vk.34 )
+                          case CA_Sign_ltk
+                          SOLVED // trace found
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma nonRepudiation_chip:
+  exists-trace
+  "∃ C T #i.
+    (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
+     (¬(∃ #k. Corrupted( T ) @ #k))) ∧
+    (¬(∃ #k. RegisteredRole( C, 'terminal' ) @ #k))"
+/*
+guarded formula characterizing all satisfying traces:
+"∃ C T #i.
+  (ValidTrans( T, 'terminal', C ) @ #i)
+ ∧
+  (∀ #k. (Started( ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (Corrupted( T ) @ #k) ⇒ ⊥) ∧
+  (∀ #k. (RegisteredRole( C, 'terminal' ) @ #k) ⇒ ⊥)"
+*/
+simplify
+solve( ValidTrans( T, 'terminal', C ) @ #i )
+  case Verify_Transcript_T
+  solve( !Ltk( T, skT, 'terminal' ) ▶₂ #i )
+    case Generate_terminal_key_pair
+    solve( splitEqs(0) )
+      case split_case_2
+      solve( !KU( cert(x, sign(<x, $A, 'terminal'>, ca_sk), $A) ) @ #vk.1 )
+        case CA_Sign_ltk
+        solve( !KU( senc(<cert(x, sign(<x, C, 'chip'>, ca_sk), C), z.1>,
+                         kdf(<'TENC', r1>, z))
+               ) @ #vk.11 )
+          case c_senc
+          solve( !KU( mac(<'CA', 
+                           cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                           cert(x, sign(<x, C, 'chip'>, ca_sk), C), z.1, cip>,
+                          kdf(<'TMAC', r1>, z))
+                 ) @ #vk.15 )
+            case c_mac
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                             cert(x, sign(<x, C, 'chip'>, ca_sk), C), z.1, cip>,
+                            kKDF)
+                   ) @ #vk.18 )
+              case c_kdf
+              solve( !KU( encaps(z, pk(~ltk.1)) ) @ #vk.16 )
+                case c_encaps
+                solve( !KU( cert(x, sign(<x, C, 'chip'>, ca_sk), C) ) @ #vk.25 )
+                  case CA_Sign_ltk
+                  solve( !KU( kdf(<'TCNF', r1>, z) ) @ #vk.19 )
+                    case c_kdf
+                    solve( !KU( kdf(<'TENC', r1>, z) ) @ #vk.26 )
+                      case c_kdf
+                      solve( !KU( kdf(<'TMAC', r1>, z) ) @ #vk.29 )
+                        case c_kdf
+                        solve( !KU( pk(~ltk.1) ) @ #vk.34 )
+                          case CA_Sign_ltk
+                          SOLVED // trace found
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma pfs:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+       (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+      (¬(∃ #m. (Corrupted( C ) @ #m) ∧ (#m < #j)))) ∧
+     (¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j)))) ⇒
+    ((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case TA_COMPLETE_C_case_1
+  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
+         ) ▶₁ #i )
+    case TA_CHALLENGE_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf(<'KEY', 
+                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                              z.1),
+                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( TAResponseT( <$T, iid.1>, id_c.1,
+                              cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
+                 ) ▶₁ #j )
+            case TA_RESPONSE_T
+            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( splitEqs(2) )
+                case split_case_1
+                solve( !KU( kdf(<'KEY', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.32 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.36 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.37 )
+                        case Corrupt_ltk
+                        solve( !KU( mac(<'CA', 
+                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                         encaps(~k, pk(~ltk))>,
+                                        kdf(<'TMAC', ~r1>, ~kTA))
+                               ) @ #vk.13 )
+                          case TA_RESPONSE_T
+                          solve( !KU( senc(<
+                                            cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2>,
+                                           kdf(<'TENC', ~r1>, ~kTA))
+                                 ) @ #vk.34 )
+                            case TA_CHALLENGE_C
+                            solve( !KU( encaps(~kTA, pk(~skT)) ) @ #vk.34 )
+                              case TA_CHALLENGE_C
+                              solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.38 )
+                                case c_kdf
+                                solve( !KU( ~kTA ) @ #vk.40 )
+                                  case TA_CHALLENGE_C
+                                  solve( !KU( ~skT ) @ #vk.42 )
+                                    case Corrupt_ltk
+                                    solve( !KU( ~r1 ) @ #vk.37 )
+                                      case TA_CHALLENGE_C
+                                      solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
+                                             ) @ #vk.29 )
+                                        case CA_Sign_ltk
+                                        solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.25 )
+                                          case TA_RESPONSE_T
+                                          solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.48 )
+                                            case TA_CHALLENGE_C
+                                            solve( !KU( senc(<cert(z, sign(<z, x, 'chip'>, ca_sk), x), z.1>,
+                                                             kdf(<'TENC', ~r1>, ~kTA))
+                                                   ) @ #vk.48 )
+                                              case TA_CHALLENGE_C
+                                              solve( !KU( kdf(<'CNF', 
+                                                               cert(pk(~skT),
+                                                                    sign(<pk(~skT), $T, 'terminal'>, ca_sk),
+                                                                    $T), 
+                                                               cert(pk(~ltk),
+                                                                    sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                               ~r2, encaps(~k, pk(~ltk))>,
+                                                              ~k)
+                                                     ) @ #vk.34 )
+                                                case TA_COMPLETE_C
+                                                solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.24 )
+                                                  case TA_RESPONSE_T
+                                                  solve( !KU( cert(pk(~ltk),
+                                                                   sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
+                                                         ) @ #vk.42 )
+                                                    case CA_Sign_ltk
+                                                    SOLVED // trace found
+                                                  qed
+                                                qed
+                                              qed
+                                            qed
+                                          qed
+                                        qed
+                                      qed
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            qed
+                          qed
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+/* All wellformedness checks were successful. */
+
+/*
+Generated from:
+Tamarin version 1.8.0
+Maude version 3.3.1
+Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
+Compiled at: 2024-01-16 15:38:46.116852601 UTC
+*/
+
+end
+
+==============================================================================
+summary of summaries:
+
+analyzed: tmp.spthy
+
+  processing time: 1594.74s
+  
+  session_exist (exists-trace): verified (20 steps)
+  two_session_exist (exists-trace): verified (46 steps)
+  weak_agreement_C (all-traces): verified (12 steps)
+  weak_agreement_T (all-traces): verified (74 steps)
+  agreement_C (all-traces): verified (40 steps)
+  agreement_T (all-traces): verified (74 steps)
+  aliveness (all-traces): verified (76 steps)
+  session_uniqueness (all-traces): verified (64 steps)
+  consistency (all-traces): verified (82 steps)
+  key_secrecy (all-traces): verified (40 steps)
+  chip_hiding (all-traces): falsified - found trace (19 steps)
+  nonRepudiation_terminal (exists-trace): verified (15 steps)
+  nonRepudiation_chip (exists-trace): verified (15 steps)
+  pfs (all-traces): falsified - found trace (28 steps)
+
+==============================================================================
diff --git a/results/Basic/eac_tamarin.out.45221786 b/results/Basic/eac_tamarin.out.45221786
deleted file mode 100644
index fbcf283d06803d970736be3365645fa6879e6675..0000000000000000000000000000000000000000
--- a/results/Basic/eac_tamarin.out.45221786
+++ /dev/null
@@ -1,5578 +0,0 @@
-maude tool: 'maude'
- checking version: 3.3.1. OK.
- checking installation: OK.
-theory BasicEAC begin
-
-// Function signature and definition of the equational theory E
-
-builtins: diffie-hellman
-functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
-           cert_sig/1, fst/1, kdf_enc/2, kdf_mac/2, mac/2, pair/2, pk/1, sign/2,
-           snd/1, true/0, verify/3
-equations:
-    cert_id(cert(pk, s, id)) = id,
-    cert_pk(cert(pk, s, id)) = pk,
-    cert_sig(cert(pk, s, id)) = s,
-    fst(<x.1, x.2>) = x.1,
-    snd(<x.1, x.2>) = x.2,
-    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
-
-
-
-
-
-
-
-
-
-macros:
-    verify_cert( cert ) = verify(cert_sig(cert),pair(cert_pk(cert),cert_id(cert)),pk(ca_sk))
-
-rule (modulo E) Publish_ca_pk:
-   [ ] --> [ Out( pk(ca_sk) ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Generate_static_ltk:
-   [ Fr( ~ltk ) ]
-  -->
-   [ !Pk( $A, pk(~ltk) ), !Ltk( $A, ~ltk ), Out( pk(~ltk) ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Generate_static_dh:
-   [ Fr( ~ltk ) ]
-  -->
-   [ !PkDH( $A, 'g'^~ltk ), !LtkDH( $A, ~ltk ), Out( 'g'^~ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_Sign_ltk:
-   [ !Pk( A, pk ) ]
-  -->
-   [
-   !Cert( A, cert(pk, sign(<pk, A>, ca_sk), A) ),
-   Out( cert(pk, sign(<pk, A>, ca_sk), A) )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_Sign_dh:
-   [ !PkDH( A, pk ) ]
-  -->
-   [
-   !CertDH( A, cert(pk, sign(<pk, A>, ca_sk), A) ),
-   Out( cert(pk, sign(<pk, A>, ca_sk), A) )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_ltk:
-   [ !Ltk( $A, ltk ) ] --[ Corrupted( $A ) ]-> [ Out( ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_dh:
-   [ !LtkDH( $A, ltk ) ] --[ Corrupted( $A ) ]-> [ Out( ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_session:
-   [ !SessionReveal( uid, k ) ] --[ Revealed( uid ) ]-> [ Out( k ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT ), Fr( ~skTe ), Fr( ~iid ) ]
-  -->
-   [
-   Out( <certT, 'g'^~skTe, 'TA_INIT', '1', 't'> ),
-   TAInitT( <$T, ~iid>, ~skTe )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) TA_CHALLENGE_C:
-   [
-   In( <certT, pkTe, 'TA_INIT', '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ),
-   Fr( ~iid )
-   ]
-  --[ Eq( verify_cert(certT), true ) ]->
-   [
-   Out( <~id_c, ~r1, 'TA_CHALLENGE', '2', 'c'> ),
-   TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
-   ]
-
-  /*
-  rule (modulo AC) TA_CHALLENGE_C:
-     [
-     In( <certT, pkTe, 'TA_INIT', '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ),
-     Fr( ~iid )
-     ]
-    --[ Eq( z, true ) ]->
-     [
-     Out( <~id_c, ~r1, 'TA_CHALLENGE', '2', 'c'> ),
-     TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
-     ]
-    variants (modulo AC)
-    1. certT = certT.15
-       z     = verify(cert_sig(certT.15),
-                      <cert_pk(certT.15), cert_id(certT.15)>, pk(ca_sk))
-    
-    2. certT = cert(x.16, sign(<x.16, x.17>, ca_sk), x.17)
-       z     = true
-    
-    3. certT = cert(x.17, x.18, x.19)
-       z     = verify(x.18, <x.17, x.19>, pk(ca_sk))
-  */
-
-rule (modulo E) TA_RESPONSE_T:
-   [
-   In( <id_c, r1, 'TA_CHALLENGE', '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
-   !Ltk( $T, ~skT )
-   ]
-  -->
-   [
-   Out( <sign(<id_c, r1, 'g'^skTe>, ~skT), 'TA_RESPONSE', '3', 't'> ),
-   TAResponseT( <$T, iid>, skTe, id_c )
-   ]
-
-  /*
-  rule (modulo AC) TA_RESPONSE_T:
-     [
-     In( <id_c, r1, 'TA_CHALLENGE', '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
-     !Ltk( $T, ~skT )
-     ]
-    -->
-     [
-     Out( <sign(<id_c, r1, z>, ~skT), 'TA_RESPONSE', '3', 't'> ),
-     TAResponseT( <$T, iid>, skTe, id_c )
-     ]
-    variants (modulo AC)
-    1. skTe  = skTe.12
-       z     = 'g'^skTe.12
-    
-    2. skTe  = one
-       z     = 'g'
-  */
-
-rule (modulo E) TA_COMPLETE_C:
-   [
-   In( <s, 'TA_RESPONSE', '3', 't'> ),
-   TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 )
-   ]
-  --[ Eq( verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true ) ]->
-   [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
-
-  /*
-  rule (modulo AC) TA_COMPLETE_C:
-     [
-     In( <s, 'TA_RESPONSE', '3', 't'> ),
-     TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 )
-     ]
-    --[ Eq( z, true ) ]->
-     [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
-    variants (modulo AC)
-    1. certT = certT.18
-       id_c  = id_c.19
-       pkTe  = pkTe.21
-       r1    = r1.22
-       s     = s.23
-       z     = verify(s.23, <id_c.19, r1.22, pkTe.21>, cert_pk(certT.18))
-    
-    2. certT = cert(x.60, x.61, x.62)
-       id_c  = id_c.33
-       pkTe  = pkTe.35
-       r1    = r1.36
-       s     = s.37
-       z     = verify(s.37, <id_c.33, r1.36, pkTe.35>, x.60)
-    
-    3. certT = cert(pk(x.60), x.61, x.62)
-       id_c  = id_c.33
-       pkTe  = pkTe.35
-       r1    = r1.36
-       s     = sign(<id_c.33, r1.36, pkTe.35>, x.60)
-       z     = true
-  */
-
-rule (modulo E) CA_INIT_C:
-   [
-   !CertDH( $C, certC ), Fr( ~r2 ),
-   TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 )
-   ]
-  -->
-   [
-   Out( <certC, 'CA_INIT', '4', 'c'> ),
-   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, ~r2 )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_INIT_T:
-   [
-   In( <certC, 'CA_INIT', '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c )
-   ]
-  --[ Eq( verify_cert(certC), true ) ]->
-   [
-   Out( <'g'^skTe, 'CA_COMMIT', '5', 't'> ),
-   CAInitT( <$T, iid>, skTe, id_c, certC )
-   ]
-
-  /*
-  rule (modulo AC) CA_INIT_T:
-     [
-     In( <certC, 'CA_INIT', '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c )
-     ]
-    --[ Eq( z.1, true ) ]->
-     [
-     Out( <z, 'CA_COMMIT', '5', 't'> ),
-     CAInitT( <$T, iid>, skTe, id_c, certC )
-     ]
-    variants (modulo AC)
-    1. certC = certC.15
-       skTe  = one
-       z     = 'g'
-       z.1   = verify(cert_sig(certC.15),
-                      <cert_pk(certC.15), cert_id(certC.15)>, pk(ca_sk))
-    
-    2. certC = certC.18
-       skTe  = skTe.21
-       z     = 'g'^skTe.21
-       z.1   = verify(cert_sig(certC.18),
-                      <cert_pk(certC.18), cert_id(certC.18)>, pk(ca_sk))
-    
-    3. certC = cert(x.16, sign(<x.16, x.17>, ca_sk), x.17)
-       skTe  = one
-       z     = 'g'
-       z.1   = true
-    
-    4. certC = cert(x.17, x.18, x.19)
-       skTe  = one
-       z     = 'g'
-       z.1   = verify(x.18, <x.17, x.19>, pk(ca_sk))
-    
-    5. certC = cert(x.115, sign(<x.115, x.116>, ca_sk), x.116)
-       skTe  = skTe.61
-       z     = 'g'^skTe.61
-       z.1   = true
-    
-    6. certC = cert(x.116, x.117, x.118)
-       skTe  = skTe.62
-       z     = 'g'^skTe.62
-       z.1   = verify(x.117, <x.116, x.118>, pk(ca_sk))
-  */
-
-rule (modulo E) CA_FINISH_C:
-   [
-   In( <pkTe_t, 'CA_COMMIT', '5', 't'> ),
-   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ), !LtkDH( $C, ~skC ),
-   !PkDH( $C, pkC )
-   ]
-  --[
-  Eq( pkTe_t, pkTe ),
-  Completed( <kdf_enc(pkTe^~skC, r2), kdf_mac(pkTe^~skC, r2)>,
-             <pkTe, pkC, id_c, r2>, $C, 'chip', cert_id(certT)
-  )
-  ]->
-   [
-   Out( <r2, mac(kdf_mac(pkTe^~skC, r2), pkTe), 'CA_RESPONSE', '6', 'c'> ),
-   CAFinishC( $C, cert_id(certT), kdf_enc(pkTe^~skC, r2) ), Out( iid )
-   ]
-
-  /*
-  rule (modulo AC) CA_FINISH_C:
-     [
-     In( <pkTe_t, 'CA_COMMIT', '5', 't'> ),
-     CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ), !LtkDH( $C, ~skC ),
-     !PkDH( $C, pkC )
-     ]
-    --[
-    Eq( pkTe_t, pkTe ),
-    Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, <pkTe, pkC, id_c, r2>, $C,
-               'chip', z.1
-    )
-    ]->
-     [
-     Out( <r2, mac(kdf_mac(z, r2), pkTe), 'CA_RESPONSE', '6', 'c'> ),
-     CAFinishC( $C, z.1, kdf_enc(z, r2) ), Out( iid )
-     ]
-    variants (modulo AC)
-     1. ~skC  = ~skC.25
-        certT = certT.26
-        pkTe  = pkTe.30
-        z     = pkTe.30^~skC.25
-        z.1   = cert_id(certT.26)
-    
-     2. ~skC  = ~skC.32
-        certT = certT.33
-        pkTe  = z.44^inv(~skC.32)
-        z     = z.44
-        z.1   = cert_id(certT.33)
-    
-     3. ~skC  = ~skC.129
-        certT = certT.130
-        pkTe  = x.254^x.255
-        z     = x.254^(~skC.129*x.255)
-        z.1   = cert_id(certT.130)
-    
-     4. ~skC  = ~skC.129
-        certT = cert(x.254, x.255, z.145)
-        pkTe  = pkTe.134
-        z     = pkTe.134^~skC.129
-        z.1   = z.145
-    
-     5. ~skC  = ~skC.130
-        certT = cert(x.256, x.257, z.146)
-        pkTe  = z.142^inv(~skC.130)
-        z     = z.142
-        z.1   = z.146
-    
-     6. ~skC  = ~skC.134
-        certT = certT.135
-        pkTe  = x.264^inv((~skC.134*x.265))
-        z     = x.264^inv(x.265)
-        z.1   = cert_id(certT.135)
-    
-     7. ~skC  = ~skC.134
-        certT = certT.135
-        pkTe  = x.264^(x.265*inv(~skC.134))
-        z     = x.264^x.265
-        z.1   = cert_id(certT.135)
-    
-     8. ~skC  = ~skC.135
-        certT = certT.136
-        pkTe  = x.265^(x.266*inv((~skC.135*x.267)))
-        z     = x.265^(x.266*inv(x.267))
-        z.1   = cert_id(certT.136)
-    
-     9. ~skC  = ~skC.135
-        certT = cert(x.260, x.261, z.151)
-        pkTe  = x.266^x.267
-        z     = x.266^(~skC.135*x.267)
-        z.1   = z.151
-    
-    10. ~skC  = ~skC.136
-        certT = cert(x.262, x.263, z.152)
-        pkTe  = x.268^inv((~skC.136*x.269))
-        z     = x.268^inv(x.269)
-        z.1   = z.152
-    
-    11. ~skC  = ~skC.136
-        certT = cert(x.262, x.263, z.152)
-        pkTe  = x.268^(x.269*inv(~skC.136))
-        z     = x.268^x.269
-        z.1   = z.152
-    
-    12. ~skC  = ~skC.137
-        certT = cert(x.263, x.264, z.153)
-        pkTe  = x.269^(x.270*inv((~skC.137*x.271)))
-        z     = x.269^(x.270*inv(x.271))
-        z.1   = z.153
-    
-    13. certT = certT.20
-        pkTe  = DH_neutral
-        z     = DH_neutral
-        z.1   = cert_id(certT.20)
-    
-    14. certT = cert(x.46, x.47, z.33)
-        pkTe  = DH_neutral
-        z     = DH_neutral
-        z.1   = z.33
-  */
-
-rule (modulo E) CA_FINISH_T:
-   [
-   In( <r2, tag, 'CA_RESPONSE', '6', 'c'> ),
-   CAInitT( <$T, iid>, skTe, id_c, certC )
-   ]
-  --[
-  Eq( mac(kdf_mac(cert_pk(certC)^skTe, r2), 'g'^skTe), tag ),
-  Completed( <kdf_enc(cert_pk(certC)^skTe, r2), 
-              kdf_mac(cert_pk(certC)^skTe, r2)>,
-             <'g'^skTe, cert_pk(certC), id_c, r2>, $T, 'terminal', cert_id(certC)
-  ),
-  Finished( <'g'^skTe, cert_pk(certC), id_c, r2> )
-  ]->
-   [
-   CAFinishT( cert_id(certC), $T, kdf_enc(cert_pk(certC)^skTe, r2) ),
-   !SessionReveal( <$T, iid>, skTe ), Out( iid )
-   ]
-
-  /*
-  rule (modulo AC) CA_FINISH_T:
-     [
-     In( <r2, tag, 'CA_RESPONSE', '6', 'c'> ),
-     CAInitT( <$T, iid>, skTe, id_c, certC )
-     ]
-    --[
-    Eq( mac(kdf_mac(z.1, r2), z.2), tag ),
-    Completed( <kdf_enc(z.1, r2), kdf_mac(z.1, r2)>, <z.2, z.3, id_c, r2>,
-               $T, 'terminal', z
-    ),
-    Finished( <z.2, z.3, id_c, r2> )
-    ]->
-     [
-     CAFinishT( z, $T, kdf_enc(z.1, r2) ), !SessionReveal( <$T, iid>, skTe ),
-     Out( iid )
-     ]
-    variants (modulo AC)
-     1. certC = certC.16
-        skTe  = one
-        z     = cert_id(certC.16)
-        z.1   = cert_pk(certC.16)
-        z.2   = 'g'
-        z.3   = cert_pk(certC.16)
-    
-     2. certC = certC.20
-        skTe  = skTe.24
-        z     = cert_id(certC.20)
-        z.1   = cert_pk(certC.20)^skTe.24
-        z.2   = 'g'^skTe.24
-        z.3   = cert_pk(certC.20)
-    
-     3. certC = cert(z.33, x.52, z.32)
-        skTe  = one
-        z     = z.32
-        z.1   = z.33
-        z.2   = 'g'
-        z.3   = z.33
-    
-     4. certC = cert(z.55, x.87, z.52)
-        skTe  = skTe.47
-        z     = z.52
-        z.1   = z.55^skTe.47
-        z.2   = 'g'^skTe.47
-        z.3   = z.55
-    
-     5. certC = cert(DH_neutral, x.85, z.51)
-        skTe  = skTe.46
-        z     = z.51
-        z.1   = DH_neutral
-        z.2   = 'g'^skTe.46
-        z.3   = DH_neutral
-    
-     6. certC = cert(z.34^x.53, x.54, z.33)
-        skTe  = inv(x.53)
-        z     = z.33
-        z.1   = z.34
-        z.2   = 'g'^inv(x.53)
-        z.3   = z.34^x.53
-    
-     7. certC = cert(z.35^(x.54*inv(x.55)), x.56, z.34)
-        skTe  = (x.55*inv(x.54))
-        z     = z.34
-        z.1   = z.35
-        z.2   = 'g'^(x.55*inv(x.54))
-        z.3   = z.35^(x.54*inv(x.55))
-    
-     8. certC = cert(x.53^(x.54*x.55), x.56, z.34)
-        skTe  = inv(x.54)
-        z     = z.34
-        z.1   = x.53^x.55
-        z.2   = 'g'^inv(x.54)
-        z.3   = x.53^(x.54*x.55)
-    
-     9. certC = cert(x.54^(x.55*x.56*inv(x.57)), x.58, z.35)
-        skTe  = (x.57*inv(x.56))
-        z     = z.35
-        z.1   = x.54^x.55
-        z.2   = 'g'^(x.57*inv(x.56))
-        z.3   = x.54^(x.55*x.56*inv(x.57))
-    
-    10. certC = cert(x.54^(x.55*inv((x.56*x.57))), x.58, z.35)
-        skTe  = (x.57*inv(x.55))
-        z     = z.35
-        z.1   = x.54^inv(x.56)
-        z.2   = 'g'^(x.57*inv(x.55))
-        z.3   = x.54^(x.55*inv((x.56*x.57)))
-    
-    11. certC = cert(z.54^inv(skTe.48), x.89, z.53)
-        skTe  = skTe.48
-        z     = z.53
-        z.1   = z.54
-        z.2   = 'g'^skTe.48
-        z.3   = z.54^inv(skTe.48)
-    
-    12. certC = cert(x.55^(x.56*x.57*inv((x.58*x.59))), x.60, z.36)
-        skTe  = (x.59*inv(x.57))
-        z     = z.36
-        z.1   = x.55^(x.56*inv(x.58))
-        z.2   = 'g'^(x.59*inv(x.57))
-        z.3   = x.55^(x.56*x.57*inv((x.58*x.59)))
-    
-    13. certC = cert(x.57^x.58, x.59, z.38)
-        skTe  = inv((x.58*x.64))
-        z     = z.38
-        z.1   = x.57^inv(x.64)
-        z.2   = 'g'^inv((x.58*x.64))
-        z.3   = x.57^x.58
-    
-    14. certC = cert(x.57^x.58, x.59, z.38)
-        skTe  = (x.64*inv(x.58))
-        z     = z.38
-        z.1   = x.57^x.64
-        z.2   = 'g'^(x.64*inv(x.58))
-        z.3   = x.57^x.58
-    
-    15. certC = cert(x.57^inv(x.58), x.59, z.38)
-        skTe  = inv(x.64)
-        z     = z.38
-        z.1   = x.57^inv((x.58*x.64))
-        z.2   = 'g'^inv(x.64)
-        z.3   = x.57^inv(x.58)
-    
-    16. certC = cert(x.57^inv(x.58), x.59, z.38)
-        skTe  = (x.58*x.64)
-        z     = z.38
-        z.1   = x.57^x.64
-        z.2   = 'g'^(x.58*x.64)
-        z.3   = x.57^inv(x.58)
-    
-    17. certC = cert(x.58^x.59, x.60, z.39)
-        skTe  = (x.65*inv((x.59*x.66)))
-        z     = z.39
-        z.1   = x.58^(x.65*inv(x.66))
-        z.2   = 'g'^(x.65*inv((x.59*x.66)))
-        z.3   = x.58^x.59
-    
-    18. certC = cert(x.58^inv(x.59), x.60, z.39)
-        skTe  = (x.65*inv(x.66))
-        z     = z.39
-        z.1   = x.58^(x.65*inv((x.59*x.66)))
-        z.2   = 'g'^(x.65*inv(x.66))
-        z.3   = x.58^inv(x.59)
-    
-    19. certC = cert(x.58^inv((x.59*x.60)), x.61, z.39)
-        skTe  = (x.59*x.66)
-        z     = z.39
-        z.1   = x.58^(x.66*inv(x.60))
-        z.2   = 'g'^(x.59*x.66)
-        z.3   = x.58^inv((x.59*x.60))
-    
-    20. certC = cert(x.58^inv((x.59*x.60)), x.61, z.39)
-        skTe  = (x.59*inv(x.66))
-        z     = z.39
-        z.1   = x.58^inv((x.60*x.66))
-        z.2   = 'g'^(x.59*inv(x.66))
-        z.3   = x.58^inv((x.59*x.60))
-    
-    21. certC = cert(x.58^(x.59*x.60), x.61, z.39)
-        skTe  = inv((x.59*x.66))
-        z     = z.39
-        z.1   = x.58^(x.60*inv(x.66))
-        z.2   = 'g'^inv((x.59*x.66))
-        z.3   = x.58^(x.59*x.60)
-    
-    22. certC = cert(x.58^(x.59*x.60), x.61, z.39)
-        skTe  = (x.66*inv(x.59))
-        z     = z.39
-        z.1   = x.58^(x.60*x.66)
-        z.2   = 'g'^(x.66*inv(x.59))
-        z.3   = x.58^(x.59*x.60)
-    
-    23. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = inv(x.66)
-        z     = z.39
-        z.1   = x.58^(x.59*inv((x.60*x.66)))
-        z.2   = 'g'^inv(x.66)
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    24. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = inv((x.59*x.66))
-        z     = z.39
-        z.1   = x.58^inv((x.60*x.66))
-        z.2   = 'g'^inv((x.59*x.66))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    25. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*x.66)
-        z     = z.39
-        z.1   = x.58^(x.59*x.66)
-        z.2   = 'g'^(x.60*x.66)
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    26. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*x.66*inv(x.59))
-        z     = z.39
-        z.1   = x.58^x.66
-        z.2   = 'g'^(x.60*x.66*inv(x.59))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    27. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*inv((x.59*x.66)))
-        z     = z.39
-        z.1   = x.58^inv(x.66)
-        z.2   = 'g'^(x.60*inv((x.59*x.66)))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    28. certC = cert(x.59^inv((x.60*x.61)), x.62, z.40)
-        skTe  = (x.60*x.67*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.60*x.67*inv(x.68))
-        z.3   = x.59^inv((x.60*x.61))
-    
-    29. certC = cert(x.59^(x.60*x.61), x.62, z.40)
-        skTe  = (x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.61*x.67*inv(x.68))
-        z.2   = 'g'^(x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*x.61)
-    
-    30. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = inv((x.61*x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*inv((x.62*x.68)))
-        z.2   = 'g'^inv((x.61*x.68))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    31. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = (x.62*x.68*inv(x.60))
-        z     = z.40
-        z.1   = x.59^(x.61*x.68)
-        z.2   = 'g'^(x.62*x.68*inv(x.60))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    32. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = (x.62*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.61*inv(x.68))
-        z.2   = 'g'^(x.62*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    33. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.61*x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.67*inv(x.68))
-        z.2   = 'g'^(x.61*x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    34. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.67*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.67*inv(x.68))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    35. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    36. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*x.68)
-        z     = z.40
-        z.1   = x.59^(x.60*x.68*inv(x.62))
-        z.2   = 'g'^(x.61*x.68)
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    37. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*x.68*inv(x.60))
-        z     = z.40
-        z.1   = x.59^(x.68*inv(x.62))
-        z.2   = 'g'^(x.61*x.68*inv(x.60))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    38. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*inv((x.62*x.68)))
-        z.2   = 'g'^(x.61*inv(x.68))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    39. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^inv((x.62*x.68))
-        z.2   = 'g'^(x.61*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    40. certC = cert(x.60^(x.61*x.62*inv(x.63)), x.64, z.41)
-        skTe  = (x.63*x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*x.69*inv(x.70))
-        z.2   = 'g'^(x.63*x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv(x.63))
-    
-    41. certC = cert(x.60^(x.61*x.62*inv(x.63)), x.64, z.41)
-        skTe  = (x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv(x.63))
-    
-    42. certC = cert(x.60^(x.61*x.62*inv((x.63*x.64))), x.65, z.41)
-        skTe  = (x.63*x.70*inv(x.61))
-        z     = z.41
-        z.1   = x.60^(x.62*x.70*inv(x.64))
-        z.2   = 'g'^(x.63*x.70*inv(x.61))
-        z.3   = x.60^(x.61*x.62*inv((x.63*x.64)))
-    
-    43. certC = cert(x.60^(x.61*x.62*inv((x.63*x.64))), x.65, z.41)
-        skTe  = (x.63*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*inv((x.64*x.70)))
-        z.2   = 'g'^(x.63*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv((x.63*x.64)))
-    
-    44. certC = cert(x.60^(x.61*inv((x.62*x.63))), x.64, z.41)
-        skTe  = (x.62*x.69*inv(x.70))
-        z     = z.41
-        z.1   = x.60^(x.61*x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.62*x.69*inv(x.70))
-        z.3   = x.60^(x.61*inv((x.62*x.63)))
-    
-    45. certC = cert(x.60^(x.61*inv((x.62*x.63))), x.64, z.41)
-        skTe  = (x.62*x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.62*x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*inv((x.62*x.63)))
-    
-    46. certC = cert(x.61^(x.62*x.63*inv((x.64*x.65))), x.66, z.42)
-        skTe  = (x.64*x.71*inv((x.62*x.72)))
-        z     = z.42
-        z.1   = x.61^(x.63*x.71*inv((x.65*x.72)))
-        z.2   = 'g'^(x.64*x.71*inv((x.62*x.72)))
-        z.3   = x.61^(x.62*x.63*inv((x.64*x.65)))
-    
-    47. certC = cert(x.87^x.88, x.89, z.53)
-        skTe  = skTe.48
-        z     = z.53
-        z.1   = x.87^(skTe.48*x.88)
-        z.2   = 'g'^skTe.48
-        z.3   = x.87^x.88
-    
-    48. certC = cert(x.88^inv((skTe.49*x.89)), x.91, z.54)
-        skTe  = skTe.49
-        z     = z.54
-        z.1   = x.88^inv(x.89)
-        z.2   = 'g'^skTe.49
-        z.3   = x.88^inv((skTe.49*x.89))
-    
-    49. certC = cert(x.88^(x.89*inv(skTe.49)), x.91, z.54)
-        skTe  = skTe.49
-        z     = z.54
-        z.1   = x.88^x.89
-        z.2   = 'g'^skTe.49
-        z.3   = x.88^(x.89*inv(skTe.49))
-    
-    50. certC = cert(x.89^(x.90*inv((skTe.50*x.91))), x.93, z.55)
-        skTe  = skTe.50
-        z     = z.55
-        z.1   = x.89^(x.90*inv(x.91))
-        z.2   = 'g'^skTe.50
-        z.3   = x.89^(x.90*inv((skTe.50*x.91)))
-  */
-
-restriction Equality:
-  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
-  // safety formula
-
-lemma aliveness:
-  all-traces
-  "∀ k sid A role B #i #t.
-    (((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ∧
-     (¬(∃ #k.1. Corrupted( B ) @ #k.1))) ⇒
-    (∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j)"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid A role B #i #t.
-  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥) ∧
-  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
-  case CA_INIT_T
-  solve( Completed( k, <'g'^~skTe, z.1, id_c, r2>, A, role, B ) @ #i )
-    case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, certT, 'g'^~skTe, id_c, r1, r2 ) ▶₁ #i )
-      case CA_INIT_C
-      solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-        case Generate_static_dh
-        solve( !PkDH( $C, z ) ▶₃ #i )
-          case Generate_static_dh
-          solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, x) ) @ #vk.37 )
-            case TA_RESPONSE_T
-            solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), ~r2), 'g'^~skTe) ) @ #vk.4 )
-              case CA_FINISH_C
-              solve( !KU( cert('g'^~ltk, sign(<'g'^~ltk, z>, ca_sk), z) ) @ #vk.18 )
-                case CA_INIT_C
-                solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.45 )
-                  case TA_RESPONSE_T
-                  solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.45 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.54 )
-                      case CA_Sign_ltk
-                      by contradiction /* from formulas */
-                    next
-                      case TA_INIT_T
-                      by contradiction /* from formulas */
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.57 )
-                    qed
-                  qed
-                next
-                  case c_sign
-                  solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.44 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.55 )
-                      case CA_Sign_ltk
-                      by contradiction /* from formulas */
-                    next
-                      case TA_INIT_T
-                      by contradiction /* from formulas */
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.58 )
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_dh
-                solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.40 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.44 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.47 )
-                  qed
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<'g'^~ltk, z>, ca_sk) ) @ #vk.44 )
-                  case CA_INIT_C
-                  solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.48 )
-                    case TA_RESPONSE_T
-                    solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.46 )
-                      case CA_Sign_ltk
-                      by contradiction /* from formulas */
-                    next
-                      case TA_INIT_T
-                      by contradiction /* from formulas */
-                    next
-                      case c_cert
-                      solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.57 )
-                        case CA_Sign_ltk
-                        by contradiction /* from formulas */
-                      next
-                        case TA_INIT_T
-                        by contradiction /* from formulas */
-                      next
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.60 )
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.45 )
-                      case CA_Sign_ltk
-                      by contradiction /* from formulas */
-                    next
-                      case TA_INIT_T
-                      by contradiction /* from formulas */
-                    next
-                      case c_cert
-                      solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.58 )
-                        case CA_Sign_ltk
-                        by contradiction /* from formulas */
-                      next
-                        case TA_INIT_T
-                        by contradiction /* from formulas */
-                      next
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.61 )
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_dh
-                  solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.41 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.47 )
-                      case CA_Sign_ltk
-                      by contradiction /* from formulas */
-                    next
-                      case TA_INIT_T
-                      by contradiction /* from formulas */
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.50 )
-                    qed
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.47 )
-                qed
-              qed
-            next
-              case c_mac
-              solve( !KU( kdf_mac('g'^(~ltk*~skTe), ~r2) ) @ #vk.43 )
-                case c_kdf_mac
-                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
-                  case CA_INIT_C
-                  solve( !KU( ~skTe ) @ #vk.48 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case CA_INIT_T
-                  by contradiction /* cyclic */
-                next
-                  case CA_Sign_dh
-                  solve( !KU( ~skTe ) @ #vk.45 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case Generate_static_dh
-                  solve( !KU( ~skTe ) @ #vk.45 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.45 )
-                    case Reveal_dh
-                    solve( !KU( cert('g'^~ltk, sign(<'g'^~ltk, z>, ca_sk), z) ) @ #vk.23 )
-                      case CA_INIT_C
-                      solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.48 )
-                        case TA_RESPONSE_T
-                        solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.48 )
-                          case CA_Sign_ltk
-                          by contradiction /* from formulas */
-                        next
-                          case TA_INIT_T
-                          by contradiction /* from formulas */
-                        next
-                          case c_cert
-                          solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.57 )
-                            case CA_Sign_ltk
-                            by contradiction /* from formulas */
-                          next
-                            case TA_INIT_T
-                            by contradiction /* from formulas */
-                          next
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.60 )
-                          qed
-                        qed
-                      next
-                        case c_sign
-                        solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.47 )
-                          case CA_Sign_ltk
-                          by contradiction /* from formulas */
-                        next
-                          case TA_INIT_T
-                          by contradiction /* from formulas */
-                        next
-                          case c_cert
-                          solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.58 )
-                            case CA_Sign_ltk
-                            by contradiction /* from formulas */
-                          next
-                            case TA_INIT_T
-                            by contradiction /* from formulas */
-                          next
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.61 )
-                          qed
-                        qed
-                      qed
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.43 )
-                        case CA_Sign_ltk
-                        by contradiction /* from formulas */
-                      next
-                        case TA_INIT_T
-                        by contradiction /* from formulas */
-                      next
-                        case c_cert
-                        solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.47 )
-                          case CA_Sign_ltk
-                          by contradiction /* from formulas */
-                        next
-                          case TA_INIT_T
-                          by contradiction /* from formulas */
-                        next
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.50 )
-                        qed
-                      qed
-                    next
-                      case c_cert
-                      solve( !KU( sign(<'g'^~ltk, z>, ca_sk) ) @ #vk.47 )
-                        case CA_INIT_C
-                        solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.51 )
-                          case TA_RESPONSE_T
-                          solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.49 )
-                            case CA_Sign_ltk
-                            by contradiction /* from formulas */
-                          next
-                            case TA_INIT_T
-                            by contradiction /* from formulas */
-                          next
-                            case c_cert
-                            solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.60 )
-                              case CA_Sign_ltk
-                              by contradiction /* from formulas */
-                            next
-                              case TA_INIT_T
-                              by contradiction /* from formulas */
-                            next
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.63 )
-                            qed
-                          qed
-                        next
-                          case c_sign
-                          solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.48 )
-                            case CA_Sign_ltk
-                            by contradiction /* from formulas */
-                          next
-                            case TA_INIT_T
-                            by contradiction /* from formulas */
-                          next
-                            case c_cert
-                            solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.61 )
-                              case CA_Sign_ltk
-                              by contradiction /* from formulas */
-                            next
-                              case TA_INIT_T
-                              by contradiction /* from formulas */
-                            next
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.64 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.44 )
-                          case CA_Sign_ltk
-                          by contradiction /* from formulas */
-                        next
-                          case TA_INIT_T
-                          by contradiction /* from formulas */
-                        next
-                          case c_cert
-                          solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.50 )
-                            case CA_Sign_ltk
-                            by contradiction /* from formulas */
-                          next
-                            case TA_INIT_T
-                            by contradiction /* from formulas */
-                          next
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.53 )
-                          qed
-                        qed
-                      next
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.50 )
-                      qed
-                    qed
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~ltk ) @ #vk.47 )
-                    case Reveal_dh
-                    solve( !KU( ~skTe ) @ #vk.48 )
-                      case Reveal_session
-                      by contradiction /* cyclic */
-                    qed
-                  qed
-                qed
-              qed
-            qed
-          next
-            case c_sign
-            solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), ~r2), 'g'^~skTe) ) @ #vk.4 )
-              case CA_FINISH_C
-              solve( !KU( cert('g'^~ltk, sign(<'g'^~ltk, z>, ca_sk), z) ) @ #vk.18 )
-                case CA_INIT_C
-                solve( !KU( sign(<~id_c.1, ~r1.2, pkTe>, x.1) ) @ #vk.49 )
-                  case TA_RESPONSE_T
-                  solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.47 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk ) @ #vk.51 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.51 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.58 )
-                      case CA_Sign_ltk
-                      solve( !KU( ~ltk ) @ #vk.52 )
-                        case Reveal_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.52 )
-                        case Reveal_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.61 )
-                    qed
-                  qed
-                next
-                  case c_sign
-                  solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.46 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk ) @ #vk.49 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.49 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.59 )
-                      case CA_Sign_ltk
-                      solve( !KU( ~ltk ) @ #vk.50 )
-                        case Reveal_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.50 )
-                        case Reveal_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.62 )
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_dh
-                solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.42 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.45 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.45 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.48 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk ) @ #vk.46 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.46 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.51 )
-                  qed
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<'g'^~ltk, z>, ca_sk) ) @ #vk.48 )
-                  case CA_INIT_C
-                  solve( !KU( sign(<~id_c.1, ~r1.2, pkTe>, x.1) ) @ #vk.52 )
-                    case TA_RESPONSE_T
-                    solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.48 )
-                      case CA_Sign_ltk
-                      solve( !KU( ~ltk ) @ #vk.52 )
-                        case Reveal_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.52 )
-                        case Reveal_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case c_cert
-                      solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.61 )
-                        case CA_Sign_ltk
-                        solve( !KU( ~ltk ) @ #vk.53 )
-                          case Reveal_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.53 )
-                          case Reveal_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      next
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.64 )
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.47 )
-                      case CA_Sign_ltk
-                      solve( !KU( ~ltk ) @ #vk.50 )
-                        case Reveal_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.50 )
-                        case Reveal_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case c_cert
-                      solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.62 )
-                        case CA_Sign_ltk
-                        solve( !KU( ~ltk ) @ #vk.51 )
-                          case Reveal_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.51 )
-                          case Reveal_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      next
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.65 )
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_dh
-                  solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.43 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk ) @ #vk.46 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.46 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.51 )
-                      case CA_Sign_ltk
-                      solve( !KU( ~ltk ) @ #vk.47 )
-                        case Reveal_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.47 )
-                        case Reveal_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.54 )
-                    qed
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.51 )
-                qed
-              qed
-            next
-              case c_mac
-              solve( !KU( kdf_mac('g'^(~ltk*~skTe), ~r2) ) @ #vk.47 )
-                case c_kdf_mac
-                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.48 )
-                  case CA_INIT_C
-                  solve( !KU( ~skTe ) @ #vk.52 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case CA_INIT_T
-                  by contradiction /* cyclic */
-                next
-                  case CA_Sign_dh
-                  solve( !KU( ~skTe ) @ #vk.49 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case Generate_static_dh
-                  solve( !KU( ~skTe ) @ #vk.49 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.49 )
-                    case Reveal_dh
-                    solve( !KU( cert('g'^~ltk, sign(<'g'^~ltk, z>, ca_sk), z) ) @ #vk.23 )
-                      case CA_INIT_C
-                      solve( !KU( sign(<~id_c.1, ~r1.2, pkTe>, x.1) ) @ #vk.52 )
-                        case TA_RESPONSE_T
-                        solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.50 )
-                          case CA_Sign_ltk
-                          solve( !KU( ~ltk ) @ #vk.54 )
-                            case Reveal_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.54 )
-                            case Reveal_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        next
-                          case c_cert
-                          solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.61 )
-                            case CA_Sign_ltk
-                            solve( !KU( ~ltk ) @ #vk.55 )
-                              case Reveal_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~ltk ) @ #vk.55 )
-                              case Reveal_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          next
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.64 )
-                          qed
-                        qed
-                      next
-                        case c_sign
-                        solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.49 )
-                          case CA_Sign_ltk
-                          solve( !KU( ~ltk ) @ #vk.52 )
-                            case Reveal_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.52 )
-                            case Reveal_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        next
-                          case c_cert
-                          solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.62 )
-                            case CA_Sign_ltk
-                            solve( !KU( ~ltk ) @ #vk.53 )
-                              case Reveal_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~ltk ) @ #vk.53 )
-                              case Reveal_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          next
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.65 )
-                          qed
-                        qed
-                      qed
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.45 )
-                        case CA_Sign_ltk
-                        solve( !KU( ~ltk ) @ #vk.48 )
-                          case Reveal_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.48 )
-                          case Reveal_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      next
-                        case c_cert
-                        solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.51 )
-                          case CA_Sign_ltk
-                          solve( !KU( ~ltk ) @ #vk.49 )
-                            case Reveal_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.49 )
-                            case Reveal_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        next
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.54 )
-                        qed
-                      qed
-                    next
-                      case c_cert
-                      solve( !KU( sign(<'g'^~ltk, z>, ca_sk) ) @ #vk.51 )
-                        case CA_INIT_C
-                        solve( !KU( sign(<~id_c.1, ~r1.2, pkTe>, x.1) ) @ #vk.55 )
-                          case TA_RESPONSE_T
-                          solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.51 )
-                            case CA_Sign_ltk
-                            solve( !KU( ~ltk ) @ #vk.55 )
-                              case Reveal_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~ltk ) @ #vk.55 )
-                              case Reveal_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          next
-                            case c_cert
-                            solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.64 )
-                              case CA_Sign_ltk
-                              solve( !KU( ~ltk ) @ #vk.56 )
-                                case Reveal_ltk
-                                by contradiction /* from formulas */
-                              qed
-                            next
-                              case TA_INIT_T
-                              solve( !KU( ~ltk ) @ #vk.56 )
-                                case Reveal_ltk
-                                by contradiction /* from formulas */
-                              qed
-                            next
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.67 )
-                            qed
-                          qed
-                        next
-                          case c_sign
-                          solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.50 )
-                            case CA_Sign_ltk
-                            solve( !KU( ~ltk ) @ #vk.53 )
-                              case Reveal_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~ltk ) @ #vk.53 )
-                              case Reveal_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          next
-                            case c_cert
-                            solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.65 )
-                              case CA_Sign_ltk
-                              solve( !KU( ~ltk ) @ #vk.54 )
-                                case Reveal_ltk
-                                by contradiction /* from formulas */
-                              qed
-                            next
-                              case TA_INIT_T
-                              solve( !KU( ~ltk ) @ #vk.54 )
-                                case Reveal_ltk
-                                by contradiction /* from formulas */
-                              qed
-                            next
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.68 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.46 )
-                          case CA_Sign_ltk
-                          solve( !KU( ~ltk ) @ #vk.49 )
-                            case Reveal_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.49 )
-                            case Reveal_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        next
-                          case c_cert
-                          solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.54 )
-                            case CA_Sign_ltk
-                            solve( !KU( ~ltk ) @ #vk.50 )
-                              case Reveal_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~ltk ) @ #vk.50 )
-                              case Reveal_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          next
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.57 )
-                          qed
-                        qed
-                      next
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.54 )
-                      qed
-                    qed
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~ltk ) @ #vk.51 )
-                    case Reveal_dh
-                    solve( !KU( ~skTe ) @ #vk.52 )
-                      case Reveal_session
-                      by contradiction /* cyclic */
-                    qed
-                  qed
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  next
-    case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, ~skTe, id_c, certC ) ▶₁ #i )
-      case CA_INIT_T
-      solve( !KU( mac(kdf_mac(z, r2), 'g'^~skTe) ) @ #vk.3 )
-        case CA_FINISH_C
-        solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.37 )
-          case TA_RESPONSE_T
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.17 )
-            case CA_INIT_C
-            by contradiction /* from formulas */
-          next
-            case CA_Sign_dh
-            by contradiction /* from formulas */
-          next
-            case c_cert
-            solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.44 )
-              case CA_INIT_C
-              by contradiction /* from formulas */
-            next
-              case CA_Sign_dh
-              by contradiction /* from formulas */
-            next
-              case c_sign
-              by solve( !KU( ca_sk ) @ #vk.47 )
-            qed
-          qed
-        next
-          case c_sign
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.17 )
-            case CA_INIT_C
-            by contradiction /* from formulas */
-          next
-            case CA_Sign_dh
-            by contradiction /* from formulas */
-          next
-            case c_cert
-            solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.49 )
-              case CA_INIT_C
-              by contradiction /* from formulas */
-            next
-              case CA_Sign_dh
-              by contradiction /* from formulas */
-            next
-              case c_sign
-              by solve( !KU( ca_sk ) @ #vk.52 )
-            qed
-          qed
-        qed
-      next
-        case c_mac
-        solve( !KU( cert(z.1, sign(<z.1, B>, ca_sk), B) ) @ #vk.16 )
-          case CA_INIT_C
-          solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.23 )
-            case c_kdf_mac
-            solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.26 )
-              case TA_RESPONSE_T
-              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.41 )
-                case CA_INIT_C
-                solve( !KU( ~skTe ) @ #vk.45 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case CA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.45 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case Generate_static_dh
-                solve( !KU( ~skTe ) @ #vk.45 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.45 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_exp
-                solve( !KU( ~ltk ) @ #vk.47 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.41 )
-                case CA_INIT_C
-                solve( !KU( ~skTe ) @ #vk.46 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case CA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case Generate_static_dh
-                solve( !KU( ~skTe ) @ #vk.46 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_exp
-                solve( !KU( ~ltk ) @ #vk.48 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              qed
-            qed
-          qed
-        next
-          case CA_Sign_dh
-          solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.23 )
-            case c_kdf_mac
-            solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.25 )
-              case CA_INIT_T
-              solve( !KU( ~ltk ) @ #vk.26 )
-                case Reveal_dh
-                by contradiction /* from formulas */
-              qed
-            next
-              case CA_Sign_dh
-              solve( !KU( ~skTe ) @ #vk.26 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            next
-              case Generate_static_dh
-              solve( !KU( ~skTe ) @ #vk.26 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            next
-              case TA_INIT_T
-              solve( !KU( ~ltk ) @ #vk.26 )
-                case Reveal_dh
-                by contradiction /* from formulas */
-              qed
-            next
-              case c_exp
-              solve( !KU( ~ltk ) @ #vk.28 )
-                case Reveal_dh
-                by contradiction /* from formulas */
-              qed
-            qed
-          qed
-        next
-          case CA_Sign_ltk
-          solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.23 )
-            case c_kdf_mac
-            solve( !KU( pk(~ltk)^~skTe ) @ #vk.25 )
-              case c_exp
-              solve( !KU( ~skTe ) @ #vk.27 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            qed
-          qed
-        next
-          case TA_INIT_T
-          solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.23 )
-            case c_kdf_mac
-            solve( !KU( pk(~ltk)^~skTe ) @ #vk.25 )
-              case c_exp
-              solve( !KU( ~skTe ) @ #vk.27 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            qed
-          qed
-        next
-          case c_cert
-          solve( !KU( sign(<z.1, B>, ca_sk) ) @ #vk.26 )
-            case CA_INIT_C
-            solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.24 )
-              case c_kdf_mac
-              solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.29 )
-                case TA_RESPONSE_T
-                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
-                  case CA_INIT_C
-                  solve( !KU( ~skTe ) @ #vk.48 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case CA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.48 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case Generate_static_dh
-                  solve( !KU( ~skTe ) @ #vk.48 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.48 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
-                  case CA_INIT_C
-                  solve( !KU( ~skTe ) @ #vk.49 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case CA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.49 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case Generate_static_dh
-                  solve( !KU( ~skTe ) @ #vk.49 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.49 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~ltk ) @ #vk.51 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                qed
-              qed
-            qed
-          next
-            case CA_Sign_dh
-            solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.24 )
-              case c_kdf_mac
-              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.28 )
-                case CA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.29 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case CA_Sign_dh
-                solve( !KU( ~skTe ) @ #vk.29 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case Generate_static_dh
-                solve( !KU( ~skTe ) @ #vk.29 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.29 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_exp
-                solve( !KU( ~ltk ) @ #vk.31 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              qed
-            qed
-          next
-            case CA_Sign_ltk
-            solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.24 )
-              case c_kdf_mac
-              solve( !KU( pk(~ltk)^~skTe ) @ #vk.28 )
-                case c_exp
-                solve( !KU( ~skTe ) @ #vk.29 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              qed
-            qed
-          next
-            case TA_INIT_T
-            solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.24 )
-              case c_kdf_mac
-              solve( !KU( pk(~ltk)^~skTe ) @ #vk.28 )
-                case c_exp
-                solve( !KU( ~skTe ) @ #vk.29 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              qed
-            qed
-          next
-            case c_sign
-            by solve( !KU( ca_sk ) @ #vk.29 )
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma session_uniqueness:
-  all-traces
-  "∀ A B k sid sid2 role #i #j.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧
-     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
-    (#i = #j)"
-/*
-guarded formula characterizing all counter-examples:
-"∃ A B k sid sid2 role #i #j.
-  (Completed( k, sid, A, role, B ) @ #i) ∧
-  (Completed( k, sid2, A, role, B ) @ #j)
- ∧
-  ¬(#i = #j)"
-*/
-simplify
-solve( (#i < #j)  ∥ (#j < #i) )
-  case case_1
-  solve( Completed( k, sid, A, role, B ) @ #i )
-    case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
-      case CA_INIT_C
-      solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-        case Generate_static_dh
-        solve( !PkDH( $C, pkC ) ▶₃ #i )
-          case Generate_static_dh
-          solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B
-                 ) @ #j )
-            case CA_FINISH_C
-            solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
-              case CA_INIT_C
-              by contradiction /* cyclic */
-            qed
-          qed
-        qed
-      qed
-    qed
-  next
-    case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i )
-      case CA_INIT_T
-      solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal',
-                        B
-             ) @ #j )
-        case CA_FINISH_T
-        solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j )
-          case CA_INIT_T
-          solve( !KU( mac(kdf_mac(z, r2), 'g'^~skTe) ) @ #vk.4 )
-            case CA_FINISH_C
-            solve( splitEqs(1) )
-              case split_case_1
-              by contradiction /* cyclic */
-            next
-              case split_case_2
-              solve( !KU( sign(<~id_c.2, ~r1.2, 'g'^~skTe>, x) ) @ #vk.46 )
-                case TA_RESPONSE_T
-                solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.22 )
-                  case CA_INIT_C
-                  solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.54 )
-                    case TA_RESPONSE_T
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.62 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.64 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.65 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.67 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.70 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_INIT_T
-                          by contradiction /* cyclic */
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.65 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.67 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.70 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.65 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.40 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.67 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.70 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.67 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.68 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.73 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.63 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.65 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.66 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.71 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_INIT_T
-                          by contradiction /* cyclic */
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.66 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.71 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.66 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.71 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.68 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.69 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.74 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_dh
-                  solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.30 )
-                    case c_mac
-                    solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.52 )
-                      case c_kdf_mac
-                      solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.54 )
-                        case CA_INIT_T
-                        by contradiction /* cyclic */
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( ~skTe ) @ #vk.55 )
-                          case Reveal_session
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.55 )
-                          case Reveal_session
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~skC ) @ #vk.55 )
-                          case Reveal_dh
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.36 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~skC ) @ #vk.57 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.63 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.53 )
-                    case CA_INIT_C
-                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.57 )
-                      case TA_RESPONSE_T
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.33 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.65 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.67 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.68 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.72 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.68 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.72 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.68 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.41 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.72 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.70 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.71 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.41 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.75 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.66 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.68 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.69 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.73 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.69 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.73 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.69 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.39 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.73 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.71 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.72 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.39 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.74 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.76 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.55 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.57 )
-                          case CA_INIT_T
-                          by contradiction /* cyclic */
-                        next
-                          case CA_Sign_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.58 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.60 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.61 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.37 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.63 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.65 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.56 )
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.22 )
-                  case CA_INIT_C
-                  solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.59 )
-                    case TA_RESPONSE_T
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.67 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.69 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.70 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.75 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.70 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.40 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.75 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.70 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.75 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.70 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.40 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.75 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.72 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.73 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.68 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.70 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.71 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.76 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.71 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.76 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.71 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.76 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.71 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.76 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.73 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.74 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.79 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_dh
-                  solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.30 )
-                    case c_mac
-                    solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.57 )
-                      case c_kdf_mac
-                      solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.59 )
-                        case CA_INIT_T
-                        solve( !KU( ~skC ) @ #vk.60 )
-                          case Reveal_dh
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.36 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.65 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( ~skTe ) @ #vk.60 )
-                          case Reveal_session
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.65 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.60 )
-                          case Reveal_session
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.65 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~skC ) @ #vk.60 )
-                          case Reveal_dh
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.36 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.65 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~skC ) @ #vk.62 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.63 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.68 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.58 )
-                    case CA_INIT_C
-                    solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.62 )
-                      case TA_RESPONSE_T
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.33 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.70 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.72 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.73 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.77 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.73 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.41 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.77 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.73 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.77 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.73 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.41 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.77 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.75 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.76 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.41 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.78 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.80 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.71 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.73 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.74 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.74 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.39 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.74 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.74 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.39 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.76 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.77 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.39 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.79 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.81 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.60 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.62 )
-                          case CA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.63 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_Sign_dh
-                          solve( !KU( ~skTe ) @ #vk.63 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.63 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.63 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.65 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.66 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.37 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.70 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.61 )
-                  qed
-                qed
-              qed
-            qed
-          next
-            case c_mac
-            solve( !KU( cert(z.1, sign(<z.1, B>, ca_sk), B) ) @ #vk.21 )
-              case CA_INIT_C
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* cyclic */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.35 )
-                    case TA_RESPONSE_T
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.50 )
-                      case CA_INIT_C
-                      solve( !KU( ~skTe ) @ #vk.54 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case CA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.54 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.36 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.37 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.54 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.54 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.36 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.37 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.56 )
-                        case Reveal_dh
-                        solve( !KU( ~skTe ) @ #vk.57 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.50 )
-                      case CA_INIT_C
-                      solve( !KU( ~skTe ) @ #vk.55 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case CA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.55 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.34 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.35 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.58 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.61 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.55 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.55 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.34 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.35 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.58 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.61 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.57 )
-                        case Reveal_dh
-                        solve( !KU( ~skTe ) @ #vk.58 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_dh
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* cyclic */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.34 )
-                    case CA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.35 )
-                      case Reveal_dh
-                      solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                               ) @ #vk.33 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.38 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.41 )
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( ~skTe ) @ #vk.35 )
-                      case Reveal_session
-                      by contradiction /* cyclic */
-                    qed
-                  next
-                    case Generate_static_dh
-                    solve( !KU( ~skTe ) @ #vk.35 )
-                      case Reveal_session
-                      by contradiction /* cyclic */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.35 )
-                      case Reveal_dh
-                      solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                               ) @ #vk.33 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.38 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.41 )
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_exp
-                    solve( !KU( ~ltk ) @ #vk.37 )
-                      case Reveal_dh
-                      solve( !KU( ~skTe ) @ #vk.38 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_ltk
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* cyclic */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.29 )
-                    case c_mac
-                    solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                     sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                           ) @ #vk.30 )
-                      case c_cert
-                      solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.37 )
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.40 )
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case TA_INIT_T
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* cyclic */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.29 )
-                    case c_mac
-                    solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                     sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk), $T.1)
-                           ) @ #vk.30 )
-                      case c_cert
-                      solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk)
-                             ) @ #vk.37 )
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.40 )
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case c_cert
-              solve( !KU( sign(<z.1, B>, ca_sk) ) @ #vk.35 )
-                case CA_INIT_C
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.38 )
-                      case TA_RESPONSE_T
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.53 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.57 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.57 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.37 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.57 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.57 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.37 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.59 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.60 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.53 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.58 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.58 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.35 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.61 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.63 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.58 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.58 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.35 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.61 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.63 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.60 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.61 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_dh
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.37 )
-                      case CA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.38 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.33 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.41 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.43 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( ~skTe ) @ #vk.38 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.38 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.38 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.33 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.41 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.43 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.40 )
-                        case Reveal_dh
-                        solve( !KU( ~skTe ) @ #vk.41 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_ltk
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.30 )
-                      case c_mac
-                      solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                       sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                             ) @ #vk.31 )
-                        case c_cert
-                        solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.40 )
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.42 )
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case TA_INIT_T
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.30 )
-                      case c_mac
-                      solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                       sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk), $T.1)
-                             ) @ #vk.31 )
-                        case c_cert
-                        solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk)
-                               ) @ #vk.40 )
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.42 )
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.38 )
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-next
-  case case_2
-  solve( Completed( k, sid, A, role, B ) @ #i )
-    case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
-      case CA_INIT_C
-      solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-        case Generate_static_dh
-        solve( !PkDH( $C, pkC ) ▶₃ #i )
-          case Generate_static_dh
-          solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B
-                 ) @ #j )
-            case CA_FINISH_C
-            solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
-              case CA_INIT_C
-              by contradiction /* cyclic */
-            qed
-          qed
-        qed
-      qed
-    qed
-  next
-    case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i )
-      case CA_INIT_T
-      solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal',
-                        B
-             ) @ #j )
-        case CA_FINISH_T
-        solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j )
-          case CA_INIT_T
-          solve( !KU( mac(kdf_mac(z, r2), 'g'^~skTe) ) @ #vk.4 )
-            case CA_FINISH_C
-            solve( splitEqs(1) )
-              case split_case_1
-              by contradiction /* cyclic */
-            next
-              case split_case_2
-              solve( !KU( sign(<~id_c.2, ~r1.2, 'g'^~skTe>, x) ) @ #vk.46 )
-                case TA_RESPONSE_T
-                solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.22 )
-                  case CA_INIT_C
-                  solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.54 )
-                    case TA_RESPONSE_T
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.62 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.64 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.65 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case CA_INIT_T
-                          by contradiction /* cyclic */
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.65 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.65 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.40 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.67 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.70 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.67 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.68 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.63 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.65 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.66 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case CA_INIT_T
-                          by contradiction /* cyclic */
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.66 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.66 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.71 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.68 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.69 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_dh
-                  solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.30 )
-                    case c_mac
-                    solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.52 )
-                      case c_kdf_mac
-                      solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.54 )
-                        case CA_INIT_T
-                        by contradiction /* cyclic */
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( ~skTe ) @ #vk.55 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.55 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~skC ) @ #vk.55 )
-                          case Reveal_dh
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.36 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~skC ) @ #vk.57 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.53 )
-                    case CA_INIT_C
-                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.57 )
-                      case TA_RESPONSE_T
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.33 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.65 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.67 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.68 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.68 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.68 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.41 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.72 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.70 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.71 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.66 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.68 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.69 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.69 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.69 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.39 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.73 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.71 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.72 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.55 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.57 )
-                          case CA_INIT_T
-                          by contradiction /* cyclic */
-                        next
-                          case CA_Sign_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.58 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.60 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.61 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.56 )
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.22 )
-                  case CA_INIT_C
-                  solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.59 )
-                    case TA_RESPONSE_T
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.67 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.69 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.70 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case CA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.70 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.40 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.75 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.70 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.70 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.40 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.75 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.72 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.73 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.68 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.70 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.71 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case CA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.71 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.76 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.71 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.71 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.76 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.73 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.74 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_dh
-                  solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.30 )
-                    case c_mac
-                    solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.57 )
-                      case c_kdf_mac
-                      solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.59 )
-                        case CA_INIT_T
-                        solve( !KU( ~skC ) @ #vk.60 )
-                          case Reveal_dh
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.36 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.65 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( ~skTe ) @ #vk.60 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.60 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~skC ) @ #vk.60 )
-                          case Reveal_dh
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.36 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.65 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~skC ) @ #vk.62 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.63 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.58 )
-                    case CA_INIT_C
-                    solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.62 )
-                      case TA_RESPONSE_T
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.33 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.70 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.72 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.73 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.73 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.41 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.77 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.73 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.73 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.41 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.77 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.75 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.76 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.71 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.73 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.74 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.74 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.39 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.74 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.74 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.39 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.76 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.77 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.60 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.62 )
-                          case CA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.63 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_Sign_dh
-                          solve( !KU( ~skTe ) @ #vk.63 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.63 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.63 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.65 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.66 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.61 )
-                  qed
-                qed
-              qed
-            qed
-          next
-            case c_mac
-            solve( !KU( cert(z.1, sign(<z.1, B>, ca_sk), B) ) @ #vk.21 )
-              case CA_INIT_C
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* cyclic */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.35 )
-                    case TA_RESPONSE_T
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.50 )
-                      case CA_INIT_C
-                      solve( !KU( ~skTe ) @ #vk.54 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case CA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.54 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.36 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.37 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.54 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.54 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.36 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.37 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.56 )
-                        case Reveal_dh
-                        solve( !KU( ~skTe ) @ #vk.57 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.50 )
-                      case CA_INIT_C
-                      solve( !KU( ~skTe ) @ #vk.55 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case CA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.55 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.34 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.35 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.58 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.61 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.55 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.55 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.34 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.35 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.58 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.61 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.57 )
-                        case Reveal_dh
-                        solve( !KU( ~skTe ) @ #vk.58 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_dh
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* cyclic */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.34 )
-                    case CA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.35 )
-                      case Reveal_dh
-                      solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                               ) @ #vk.33 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.38 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.41 )
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( ~skTe ) @ #vk.35 )
-                      case Reveal_session
-                      by contradiction /* cyclic */
-                    qed
-                  next
-                    case Generate_static_dh
-                    solve( !KU( ~skTe ) @ #vk.35 )
-                      case Reveal_session
-                      by contradiction /* cyclic */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.35 )
-                      case Reveal_dh
-                      solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                               ) @ #vk.33 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.38 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.41 )
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_exp
-                    solve( !KU( ~ltk ) @ #vk.37 )
-                      case Reveal_dh
-                      solve( !KU( ~skTe ) @ #vk.38 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_ltk
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* cyclic */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.29 )
-                    case c_mac
-                    solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                     sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                           ) @ #vk.30 )
-                      case c_cert
-                      solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.37 )
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.40 )
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case TA_INIT_T
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* cyclic */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.29 )
-                    case c_mac
-                    solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                     sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk), $T.1)
-                           ) @ #vk.30 )
-                      case c_cert
-                      solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk)
-                             ) @ #vk.37 )
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.40 )
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case c_cert
-              solve( !KU( sign(<z.1, B>, ca_sk) ) @ #vk.35 )
-                case CA_INIT_C
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.38 )
-                      case TA_RESPONSE_T
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.53 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.57 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.57 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.37 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.57 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.57 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.37 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.59 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.60 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.53 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.58 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.58 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.35 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.61 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.63 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.58 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.58 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.35 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.61 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.63 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.60 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.61 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_dh
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.37 )
-                      case CA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.38 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.33 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.41 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.43 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( ~skTe ) @ #vk.38 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.38 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.38 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.33 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.41 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.43 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.40 )
-                        case Reveal_dh
-                        solve( !KU( ~skTe ) @ #vk.41 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_ltk
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.30 )
-                      case c_mac
-                      solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                       sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                             ) @ #vk.31 )
-                        case c_cert
-                        solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.40 )
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.42 )
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case TA_INIT_T
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.30 )
-                      case c_mac
-                      solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                       sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk), $T.1)
-                             ) @ #vk.31 )
-                        case c_cert
-                        solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk)
-                               ) @ #vk.40 )
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.42 )
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.38 )
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma consistency:
-  all-traces
-  "∀ C T k k2 sid #i #j.
-    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
-       (Completed( k2, sid, T, 'terminal', C ) @ #j)) ∧
-      (¬(∃ #k.1. Corrupted( C ) @ #k.1))) ∧
-     (¬(∃ #k.1. Corrupted( T ) @ #k.1))) ⇒
-    (k = k2)"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T k k2 sid #i #j.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
-  (Completed( k2, sid, T, 'terminal', C ) @ #j)
- ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥) ∧
-  (¬(k = k2))"
-*/
-simplify
-solve( Completed( k, sid, C, 'chip', T ) @ #i )
-  case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
-    case CA_INIT_C
-    solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-      case Generate_static_dh
-      solve( !PkDH( $C, pkC ) ▶₃ #i )
-        case Generate_static_dh
-        solve( Completed( k2, <pkTe, 'g'^~ltk, ~id_c, ~r2>, T, 'terminal', $C
-               ) @ #j )
-          case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, skTe, ~id_c, cert('g'^~ltk, x.1, $C)
-                 ) ▶₁ #j )
-            case CA_INIT_T
-            solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, x) ) @ #vk.14 )
-              case TA_RESPONSE_T
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T>, ca_sk), $T) ) @ #vk.17 )
-                case CA_Sign_ltk
-                solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), ~r2), 'g'^~skTe) ) @ #vk.23 )
-                  case CA_FINISH_C
-                  by contradiction /* from formulas */
-                next
-                  case c_mac
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), ~r2) ) @ #vk.43 )
-                    case c_kdf_mac
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
-                      case CA_INIT_C
-                      solve( !KU( ~skTe ) @ #vk.48 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case CA_INIT_T
-                      by contradiction /* cyclic */
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( ~skTe ) @ #vk.45 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.45 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.45 )
-                        case Reveal_dh
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.47 )
-                        case Reveal_dh
-                        by contradiction /* from formulas */
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), ~r2), 'g'^~skTe) ) @ #vk.23 )
-                  case CA_FINISH_C
-                  by contradiction /* from formulas */
-                next
-                  case c_mac
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), ~r2) ) @ #vk.43 )
-                    case c_kdf_mac
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
-                      case CA_INIT_C
-                      solve( !KU( ~skTe ) @ #vk.48 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case CA_INIT_T
-                      by contradiction /* cyclic */
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( ~skTe ) @ #vk.45 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.45 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.45 )
-                        case Reveal_dh
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.47 )
-                        case Reveal_dh
-                        by contradiction /* from formulas */
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(~skT), $T>, ca_sk) ) @ #vk.44 )
-                  case CA_Sign_ltk
-                  solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), ~r2), 'g'^~skTe) ) @ #vk.24 )
-                    case CA_FINISH_C
-                    by contradiction /* from formulas */
-                  next
-                    case c_mac
-                    solve( !KU( kdf_mac('g'^(~ltk*~skTe), ~r2) ) @ #vk.46 )
-                      case c_kdf_mac
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.51 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        by contradiction /* cyclic */
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( ~skTe ) @ #vk.48 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.48 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.48 )
-                          case Reveal_dh
-                          by contradiction /* from formulas */
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.50 )
-                          case Reveal_dh
-                          by contradiction /* from formulas */
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), ~r2), 'g'^~skTe) ) @ #vk.24 )
-                    case CA_FINISH_C
-                    by contradiction /* from formulas */
-                  next
-                    case c_mac
-                    solve( !KU( kdf_mac('g'^(~ltk*~skTe), ~r2) ) @ #vk.46 )
-                      case c_kdf_mac
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.51 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        by contradiction /* cyclic */
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( ~skTe ) @ #vk.48 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.48 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.48 )
-                          case Reveal_dh
-                          by contradiction /* from formulas */
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.50 )
-                          case Reveal_dh
-                          by contradiction /* from formulas */
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.47 )
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( cert(pk(x), sign(<pk(x), $T>, ca_sk), $T) ) @ #vk.18 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.45 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.45 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(x), $T>, ca_sk) ) @ #vk.48 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.46 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.46 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.51 )
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma key_secrecy [reuse]:
-  all-traces
-  "∀ C T role k sid #j.
-    (((((Completed( k, sid, C, role, T ) @ #j) ∧
-        (¬(∃ #m. Corrupted( T ) @ #m))) ∧
-       (¬(∃ #m. Corrupted( C ) @ #m))) ∧
-      (¬(∃ iid #m. Revealed( <T, iid> ) @ #m))) ∧
-     (¬(∃ iid #m. Revealed( <C, iid> ) @ #m))) ⇒
-    (¬(∃ #m. K( k ) @ #m))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T role k sid #j.
-  (Completed( k, sid, C, role, T ) @ #j)
- ∧
-  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
-  (∀ iid #m. (Revealed( <T, iid> ) @ #m) ⇒ ⊥) ∧
-  (∀ iid #m. (Revealed( <C, iid> ) @ #m) ⇒ ⊥) ∧
-  (∃ #m. (K( k ) @ #m))"
-*/
-simplify
-solve( Completed( k, sid, C, role, T ) @ #j )
-  case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #j )
-    case CA_INIT_C
-    solve( !LtkDH( $C, ~skC ) ▶₂ #j )
-      case Generate_static_dh
-      solve( !PkDH( $C, pkC ) ▶₃ #j )
-        case Generate_static_dh
-        solve( !KU( kdf_enc(z, ~r2) ) @ #vk.15 )
-          case c_kdf_enc
-          solve( !KU( kdf_mac(z, ~r2) ) @ #vk.16 )
-            case c_kdf_mac
-            solve( !KU( sign(<~id_c, ~r1, pkTe>, x) ) @ #vk.17 )
-              case TA_RESPONSE_T
-              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.23 )
-                case CA_INIT_C
-                solve( !KU( ~skTe ) @ #vk.37 )
-                  case Reveal_session
-                  solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.40 )
-                    case TA_RESPONSE_T
-                    solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.26 )
-                      case CA_Sign_ltk
-                      by contradiction /* from formulas */
-                    next
-                      case TA_INIT_T
-                      by contradiction /* from formulas */
-                    next
-                      case c_cert
-                      solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.60 )
-                        case CA_Sign_ltk
-                        by contradiction /* from formulas */
-                      next
-                        case TA_INIT_T
-                        by contradiction /* from formulas */
-                      next
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.63 )
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.26 )
-                      case CA_Sign_ltk
-                      by contradiction /* from formulas */
-                    next
-                      case TA_INIT_T
-                      by contradiction /* from formulas */
-                    next
-                      case c_cert
-                      solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.61 )
-                        case CA_Sign_ltk
-                        by contradiction /* from formulas */
-                      next
-                        case TA_INIT_T
-                        by contradiction /* from formulas */
-                      next
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.64 )
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case CA_INIT_T
-                by contradiction /* cyclic */
-              next
-                case CA_Sign_dh
-                solve( !KU( ~skTe ) @ #vk.34 )
-                  case Reveal_session
-                  solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.22 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.50 )
-                      case CA_Sign_ltk
-                      by contradiction /* from formulas */
-                    next
-                      case TA_INIT_T
-                      by contradiction /* from formulas */
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.53 )
-                    qed
-                  qed
-                qed
-              next
-                case Generate_static_dh
-                solve( !KU( ~skTe ) @ #vk.34 )
-                  case Reveal_session
-                  solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.22 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.50 )
-                      case CA_Sign_ltk
-                      by contradiction /* from formulas */
-                    next
-                      case TA_INIT_T
-                      by contradiction /* from formulas */
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.53 )
-                    qed
-                  qed
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~skC ) @ #vk.34 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_exp
-                solve( !KU( ~skC ) @ #vk.36 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.21 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.27 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.27 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.31 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.28 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.28 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.34 )
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-next
-  case CA_FINISH_T
-  solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #j )
-    case CA_INIT_T
-    solve( !KU( mac(kdf_mac(z, r2), 'g'^~skTe) ) @ #vk.4 )
-      case CA_FINISH_C
-      solve( !KU( kdf_enc('g'^(~skC*~skTe), ~r2) ) @ #vk.14 )
-        case c_kdf_enc
-        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.17 )
-          case c_kdf_mac
-          solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.40 )
-            case TA_RESPONSE_T
-            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.46 )
-              case CA_INIT_C
-              solve( !KU( ~skTe ) @ #vk.50 )
-                case Reveal_session
-                by contradiction /* from formulas */
-              qed
-            next
-              case CA_INIT_T
-              by contradiction /* cyclic */
-            next
-              case CA_Sign_dh
-              solve( !KU( ~skTe ) @ #vk.47 )
-                case Reveal_session
-                by contradiction /* from formulas */
-              qed
-            next
-              case Generate_static_dh
-              solve( !KU( ~skTe ) @ #vk.47 )
-                case Reveal_session
-                by contradiction /* from formulas */
-              qed
-            next
-              case TA_INIT_T
-              solve( !KU( ~skC ) @ #vk.47 )
-                case Reveal_dh
-                solve( !KU( cert('g'^~skC, sign(<'g'^~skC, T.1>, ca_sk), T.1)
-                       ) @ #vk.25 )
-                  case CA_INIT_C
-                  by contradiction /* from formulas */
-                next
-                  case CA_Sign_dh
-                  by contradiction /* from formulas */
-                next
-                  case c_cert
-                  solve( !KU( sign(<'g'^~skC, T.1>, ca_sk) ) @ #vk.49 )
-                    case CA_INIT_C
-                    by contradiction /* from formulas */
-                  next
-                    case CA_Sign_dh
-                    by contradiction /* from formulas */
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.52 )
-                  qed
-                qed
-              qed
-            next
-              case c_exp
-              solve( !KU( ~skC ) @ #vk.49 )
-                case Reveal_dh
-                solve( !KU( ~skTe ) @ #vk.50 )
-                  case Reveal_session
-                  by contradiction /* from formulas */
-                qed
-              qed
-            qed
-          next
-            case c_sign
-            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.47 )
-              case CA_INIT_C
-              solve( !KU( ~skTe ) @ #vk.55 )
-                case Reveal_session
-                by contradiction /* from formulas */
-              qed
-            next
-              case CA_INIT_T
-              solve( !KU( ~skC ) @ #vk.52 )
-                case Reveal_dh
-                solve( !KU( cert('g'^~skC, sign(<'g'^~skC, T.1>, ca_sk), T.1)
-                       ) @ #vk.25 )
-                  case CA_INIT_C
-                  by contradiction /* from formulas */
-                next
-                  case CA_Sign_dh
-                  by contradiction /* from formulas */
-                next
-                  case c_cert
-                  solve( !KU( sign(<'g'^~skC, T.1>, ca_sk) ) @ #vk.54 )
-                    case CA_INIT_C
-                    by contradiction /* from formulas */
-                  next
-                    case CA_Sign_dh
-                    by contradiction /* from formulas */
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.57 )
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_dh
-              solve( !KU( ~skTe ) @ #vk.52 )
-                case Reveal_session
-                by contradiction /* from formulas */
-              qed
-            next
-              case Generate_static_dh
-              solve( !KU( ~skTe ) @ #vk.52 )
-                case Reveal_session
-                by contradiction /* from formulas */
-              qed
-            next
-              case TA_INIT_T
-              solve( !KU( ~skC ) @ #vk.52 )
-                case Reveal_dh
-                solve( !KU( cert('g'^~skC, sign(<'g'^~skC, T.1>, ca_sk), T.1)
-                       ) @ #vk.25 )
-                  case CA_INIT_C
-                  by contradiction /* from formulas */
-                next
-                  case CA_Sign_dh
-                  by contradiction /* from formulas */
-                next
-                  case c_cert
-                  solve( !KU( sign(<'g'^~skC, T.1>, ca_sk) ) @ #vk.54 )
-                    case CA_INIT_C
-                    by contradiction /* from formulas */
-                  next
-                    case CA_Sign_dh
-                    by contradiction /* from formulas */
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.57 )
-                  qed
-                qed
-              qed
-            next
-              case c_exp
-              solve( !KU( ~skC ) @ #vk.54 )
-                case Reveal_dh
-                solve( !KU( ~skTe ) @ #vk.55 )
-                  case Reveal_session
-                  by contradiction /* from formulas */
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    next
-      case c_mac
-      solve( !KU( cert(z.1, sign(<z.1, T.1>, ca_sk), T.1) ) @ #vk.17 )
-        case CA_INIT_C
-        solve( !KU( kdf_enc('g'^(~ltk*~skTe), r2) ) @ #vk.17 )
-          case c_kdf_enc
-          solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.19 )
-            case c_kdf_mac
-            solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.28 )
-              case TA_RESPONSE_T
-              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.43 )
-                case CA_INIT_C
-                solve( !KU( ~skTe ) @ #vk.47 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case CA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.47 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case Generate_static_dh
-                solve( !KU( ~skTe ) @ #vk.47 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.47 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_exp
-                solve( !KU( ~ltk ) @ #vk.49 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.43 )
-                case CA_INIT_C
-                solve( !KU( ~skTe ) @ #vk.48 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case CA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.48 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case Generate_static_dh
-                solve( !KU( ~skTe ) @ #vk.48 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.48 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_exp
-                solve( !KU( ~ltk ) @ #vk.50 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              qed
-            qed
-          qed
-        qed
-      next
-        case CA_Sign_dh
-        solve( !KU( kdf_enc('g'^(~ltk*~skTe), r2) ) @ #vk.17 )
-          case c_kdf_enc
-          solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.19 )
-            case c_kdf_mac
-            solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.27 )
-              case CA_INIT_T
-              solve( !KU( ~ltk ) @ #vk.28 )
-                case Reveal_dh
-                by contradiction /* from formulas */
-              qed
-            next
-              case CA_Sign_dh
-              solve( !KU( ~skTe ) @ #vk.28 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            next
-              case Generate_static_dh
-              solve( !KU( ~skTe ) @ #vk.28 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            next
-              case TA_INIT_T
-              solve( !KU( ~ltk ) @ #vk.28 )
-                case Reveal_dh
-                by contradiction /* from formulas */
-              qed
-            next
-              case c_exp
-              solve( !KU( ~ltk ) @ #vk.30 )
-                case Reveal_dh
-                by contradiction /* from formulas */
-              qed
-            qed
-          qed
-        qed
-      next
-        case CA_Sign_ltk
-        solve( !KU( kdf_enc(pk(~ltk)^~skTe, r2) ) @ #vk.17 )
-          case c_kdf_enc
-          solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.19 )
-            case c_kdf_mac
-            solve( !KU( pk(~ltk)^~skTe ) @ #vk.27 )
-              case c_exp
-              solve( !KU( ~skTe ) @ #vk.29 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            qed
-          qed
-        qed
-      next
-        case TA_INIT_T
-        solve( !KU( kdf_enc(pk(~ltk)^~skTe, r2) ) @ #vk.17 )
-          case c_kdf_enc
-          solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.19 )
-            case c_kdf_mac
-            solve( !KU( pk(~ltk)^~skTe ) @ #vk.27 )
-              case c_exp
-              solve( !KU( ~skTe ) @ #vk.29 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            qed
-          qed
-        qed
-      next
-        case c_cert
-        solve( !KU( sign(<z.1, T.1>, ca_sk) ) @ #vk.28 )
-          case CA_INIT_C
-          solve( !KU( kdf_enc('g'^(~ltk*~skTe), r2) ) @ #vk.19 )
-            case c_kdf_enc
-            solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.20 )
-              case c_kdf_mac
-              solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.31 )
-                case TA_RESPONSE_T
-                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.46 )
-                  case CA_INIT_C
-                  solve( !KU( ~skTe ) @ #vk.50 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case CA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case Generate_static_dh
-                  solve( !KU( ~skTe ) @ #vk.50 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.46 )
-                  case CA_INIT_C
-                  solve( !KU( ~skTe ) @ #vk.51 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case CA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.51 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case Generate_static_dh
-                  solve( !KU( ~skTe ) @ #vk.51 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.51 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~ltk ) @ #vk.53 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                qed
-              qed
-            qed
-          qed
-        next
-          case CA_Sign_dh
-          solve( !KU( kdf_enc('g'^(~ltk*~skTe), r2) ) @ #vk.19 )
-            case c_kdf_enc
-            solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.20 )
-              case c_kdf_mac
-              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.30 )
-                case CA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.31 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case CA_Sign_dh
-                solve( !KU( ~skTe ) @ #vk.31 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case Generate_static_dh
-                solve( !KU( ~skTe ) @ #vk.31 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.31 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_exp
-                solve( !KU( ~ltk ) @ #vk.33 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              qed
-            qed
-          qed
-        next
-          case CA_Sign_ltk
-          solve( !KU( kdf_enc(pk(~ltk)^~skTe, r2) ) @ #vk.19 )
-            case c_kdf_enc
-            solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.20 )
-              case c_kdf_mac
-              solve( !KU( pk(~ltk)^~skTe ) @ #vk.30 )
-                case c_exp
-                solve( !KU( ~skTe ) @ #vk.31 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              qed
-            qed
-          qed
-        next
-          case TA_INIT_T
-          solve( !KU( kdf_enc(pk(~ltk)^~skTe, r2) ) @ #vk.19 )
-            case c_kdf_enc
-            solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.20 )
-              case c_kdf_mac
-              solve( !KU( pk(~ltk)^~skTe ) @ #vk.30 )
-                case c_exp
-                solve( !KU( ~skTe ) @ #vk.31 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              qed
-            qed
-          qed
-        next
-          case c_sign
-          by solve( !KU( ca_sk ) @ #vk.31 )
-        qed
-      qed
-    qed
-  qed
-qed
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-/* All wellformedness checks were successful. */
-
-/*
-Generated from:
-Tamarin version 1.8.0
-Maude version 3.3.1
-Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
-Compiled at: 2024-01-16 15:38:46.116852601 UTC
-*/
-
-end
-
-==============================================================================
-summary of summaries:
-
-analyzed: BasicEAC.spthy
-
-  processing time: 64.87s
-  
-  aliveness (all-traces): verified (379 steps)
-  session_uniqueness (all-traces): verified (824 steps)
-  consistency (all-traces): verified (82 steps)
-  key_secrecy (all-traces): verified (206 steps)
-
-==============================================================================
diff --git a/results/Basic/session_exist.out.45215033 b/results/Basic/session_exist.out.45215033
deleted file mode 100644
index 1f46cf1cc4c50d37a2f21d1484447bba1c8b129d..0000000000000000000000000000000000000000
--- a/results/Basic/session_exist.out.45215033
+++ /dev/null
@@ -1,963 +0,0 @@
-Execute session_exist
-maude tool: 'maude'
- checking version: 3.3.1. OK.
- checking installation: OK.
-theory BasicEAC begin
-
-// Function signature and definition of the equational theory E
-
-builtins: diffie-hellman
-functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
-           cert_sig/1, fst/1, kdf_enc/2, kdf_mac/2, mac/2, pair/2, pk/1, sign/2,
-           snd/1, true/0, verify/3
-equations:
-    cert_id(cert(pk, s, id)) = id,
-    cert_pk(cert(pk, s, id)) = pk,
-    cert_sig(cert(pk, s, id)) = s,
-    fst(<x.1, x.2>) = x.1,
-    snd(<x.1, x.2>) = x.2,
-    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
-
-
-
-
-
-
-
-
-
-macros:
-    verify_cert( cert ) = verify(cert_sig(cert),pair(cert_pk(cert),cert_id(cert)),pk(ca_sk))
-
-rule (modulo E) Generate_static_ltk:
-   [ Fr( ~ltk ) ]
-  -->
-   [ !Pk( $A, pk(~ltk) ), !Ltk( $A, ~ltk ), Out( pk(~ltk) ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Generate_static_dh:
-   [ Fr( ~ltk ) ]
-  -->
-   [ !PkDH( $A, 'g'^~ltk ), !LtkDH( $A, ~ltk ), Out( 'g'^~ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_Sign_ltk:
-   [ !Pk( A, pk ) ]
-  --[ Certified( A ) ]->
-   [
-   !Cert( A, cert(pk, sign(<pk, A>, ca_sk), A) ),
-   Out( cert(pk, sign(<pk, A>, ca_sk), A) )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_Sign_dh:
-   [ !PkDH( A, pk ) ]
-  --[ Certified( A ) ]->
-   [
-   !CertDH( A, cert(pk, sign(<pk, A>, ca_sk), A) ),
-   Out( cert(pk, sign(<pk, A>, ca_sk), A) )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_ltk:
-   [ !Ltk( $A, ltk ) ] --[ Corrupted( $A ) ]-> [ Out( ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_ltk2:
-   [ !LtkDH( $A, ltk ) ] --[ Corrupted( $A ) ]-> [ Out( ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_session:
-   [ !SessionReveal( uid, k ) ] --[ Revealed( uid ) ]-> [ Out( k ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT ), Fr( ~skTe ), Fr( ~iid ) ]
-  -->
-   [
-   Out( <certT, 'g'^~skTe, 'TA_INIT', '1', 't'> ),
-   TAInitT( <$T, ~iid>, ~skTe )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) TA_CHALLENGE_C:
-   [
-   In( <certT, pkTe, 'TA_INIT', '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ),
-   Fr( ~iid )
-   ]
-  --[ Eq( verify_cert(certT), true ) ]->
-   [
-   Out( <~id_c, ~r1, 'TA_CHALLENGE', '2', 'c'> ),
-   TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
-   ]
-
-  /*
-  rule (modulo AC) TA_CHALLENGE_C:
-     [
-     In( <certT, pkTe, 'TA_INIT', '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ),
-     Fr( ~iid )
-     ]
-    --[ Eq( z, true ) ]->
-     [
-     Out( <~id_c, ~r1, 'TA_CHALLENGE', '2', 'c'> ),
-     TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
-     ]
-    variants (modulo AC)
-    1. certT = certT.15
-       z     = verify(cert_sig(certT.15),
-                      <cert_pk(certT.15), cert_id(certT.15)>, pk(ca_sk))
-    
-    2. certT = cert(x.16, sign(<x.16, x.17>, ca_sk), x.17)
-       z     = true
-    
-    3. certT = cert(x.17, x.18, x.19)
-       z     = verify(x.18, <x.17, x.19>, pk(ca_sk))
-  */
-
-rule (modulo E) TA_RESPONSE_T:
-   [
-   In( <id_c, r1, 'TA_CHALLENGE', '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
-   !Ltk( $T, ~skT )
-   ]
-  -->
-   [
-   Out( <sign(<id_c, r1, 'g'^skTe>, ~skT), 'TA_RESPONSE', '3', 't'> ),
-   TAResponseT( <$T, iid>, skTe, id_c )
-   ]
-
-  /*
-  rule (modulo AC) TA_RESPONSE_T:
-     [
-     In( <id_c, r1, 'TA_CHALLENGE', '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
-     !Ltk( $T, ~skT )
-     ]
-    -->
-     [
-     Out( <sign(<id_c, r1, z>, ~skT), 'TA_RESPONSE', '3', 't'> ),
-     TAResponseT( <$T, iid>, skTe, id_c )
-     ]
-    variants (modulo AC)
-    1. skTe  = skTe.12
-       z     = 'g'^skTe.12
-    
-    2. skTe  = one
-       z     = 'g'
-  */
-
-rule (modulo E) TA_COMPLETE_C:
-   [
-   In( <s, 'TA_RESPONSE', '3', 't'> ),
-   TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 )
-   ]
-  --[ Eq( verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true ) ]->
-   [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
-
-  /*
-  rule (modulo AC) TA_COMPLETE_C:
-     [
-     In( <s, 'TA_RESPONSE', '3', 't'> ),
-     TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 )
-     ]
-    --[ Eq( z, true ) ]->
-     [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
-    variants (modulo AC)
-    1. certT = certT.18
-       id_c  = id_c.19
-       pkTe  = pkTe.21
-       r1    = r1.22
-       s     = s.23
-       z     = verify(s.23, <id_c.19, r1.22, pkTe.21>, cert_pk(certT.18))
-    
-    2. certT = cert(x.60, x.61, x.62)
-       id_c  = id_c.33
-       pkTe  = pkTe.35
-       r1    = r1.36
-       s     = s.37
-       z     = verify(s.37, <id_c.33, r1.36, pkTe.35>, x.60)
-    
-    3. certT = cert(pk(x.60), x.61, x.62)
-       id_c  = id_c.33
-       pkTe  = pkTe.35
-       r1    = r1.36
-       s     = sign(<id_c.33, r1.36, pkTe.35>, x.60)
-       z     = true
-  */
-
-rule (modulo E) CA_INIT_C:
-   [
-   !CertDH( $C, certC ), Fr( ~r2 ),
-   TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 )
-   ]
-  -->
-   [
-   Out( <certC, 'CA_INIT', '4', 'c'> ),
-   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, ~r2 )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_INIT_T:
-   [
-   In( <certC, 'CA_INIT', '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c )
-   ]
-  --[ Eq( verify_cert(certC), true ) ]->
-   [
-   Out( <'g'^skTe, 'CA_COMMIT', '5', 't'> ),
-   CAInitT( <$T, iid>, skTe, id_c, certC )
-   ]
-
-  /*
-  rule (modulo AC) CA_INIT_T:
-     [
-     In( <certC, 'CA_INIT', '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c )
-     ]
-    --[ Eq( z.1, true ) ]->
-     [
-     Out( <z, 'CA_COMMIT', '5', 't'> ),
-     CAInitT( <$T, iid>, skTe, id_c, certC )
-     ]
-    variants (modulo AC)
-    1. certC = certC.15
-       skTe  = one
-       z     = 'g'
-       z.1   = verify(cert_sig(certC.15),
-                      <cert_pk(certC.15), cert_id(certC.15)>, pk(ca_sk))
-    
-    2. certC = certC.18
-       skTe  = skTe.21
-       z     = 'g'^skTe.21
-       z.1   = verify(cert_sig(certC.18),
-                      <cert_pk(certC.18), cert_id(certC.18)>, pk(ca_sk))
-    
-    3. certC = cert(x.16, sign(<x.16, x.17>, ca_sk), x.17)
-       skTe  = one
-       z     = 'g'
-       z.1   = true
-    
-    4. certC = cert(x.17, x.18, x.19)
-       skTe  = one
-       z     = 'g'
-       z.1   = verify(x.18, <x.17, x.19>, pk(ca_sk))
-    
-    5. certC = cert(x.115, sign(<x.115, x.116>, ca_sk), x.116)
-       skTe  = skTe.61
-       z     = 'g'^skTe.61
-       z.1   = true
-    
-    6. certC = cert(x.116, x.117, x.118)
-       skTe  = skTe.62
-       z     = 'g'^skTe.62
-       z.1   = verify(x.117, <x.116, x.118>, pk(ca_sk))
-  */
-
-rule (modulo E) CA_FINISH_C:
-   [
-   In( <pkTe_t, 'CA_COMMIT', '5', 't'> ),
-   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ), !LtkDH( $C, ~skC ),
-   !PkDH( $C, pkC )
-   ]
-  --[
-  Eq( pkTe_t, pkTe ),
-  Completed( <kdf_enc(pkTe^~skC, r2), kdf_mac(pkTe^~skC, r2)>,
-             <pkTe, pkC, id_c, r2>, $C, 'chip', cert_id(certT)
-  )
-  ]->
-   [
-   Out( <r2, mac(kdf_mac(pkTe^~skC, r2), pkTe), 'CA_RESPONSE', '6', 'c'> ),
-   CAFinishC( $C, cert_id(certT), kdf_enc(pkTe^~skC, r2) ), Out( iid )
-   ]
-
-  /*
-  rule (modulo AC) CA_FINISH_C:
-     [
-     In( <pkTe_t, 'CA_COMMIT', '5', 't'> ),
-     CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ), !LtkDH( $C, ~skC ),
-     !PkDH( $C, pkC )
-     ]
-    --[
-    Eq( pkTe_t, pkTe ),
-    Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, <pkTe, pkC, id_c, r2>, $C,
-               'chip', z.1
-    )
-    ]->
-     [
-     Out( <r2, mac(kdf_mac(z, r2), pkTe), 'CA_RESPONSE', '6', 'c'> ),
-     CAFinishC( $C, z.1, kdf_enc(z, r2) ), Out( iid )
-     ]
-    variants (modulo AC)
-     1. ~skC  = ~skC.25
-        certT = certT.26
-        pkTe  = pkTe.30
-        z     = pkTe.30^~skC.25
-        z.1   = cert_id(certT.26)
-    
-     2. ~skC  = ~skC.32
-        certT = certT.33
-        pkTe  = z.44^inv(~skC.32)
-        z     = z.44
-        z.1   = cert_id(certT.33)
-    
-     3. ~skC  = ~skC.129
-        certT = certT.130
-        pkTe  = x.254^x.255
-        z     = x.254^(~skC.129*x.255)
-        z.1   = cert_id(certT.130)
-    
-     4. ~skC  = ~skC.129
-        certT = cert(x.254, x.255, z.145)
-        pkTe  = pkTe.134
-        z     = pkTe.134^~skC.129
-        z.1   = z.145
-    
-     5. ~skC  = ~skC.130
-        certT = cert(x.256, x.257, z.146)
-        pkTe  = z.142^inv(~skC.130)
-        z     = z.142
-        z.1   = z.146
-    
-     6. ~skC  = ~skC.134
-        certT = certT.135
-        pkTe  = x.264^inv((~skC.134*x.265))
-        z     = x.264^inv(x.265)
-        z.1   = cert_id(certT.135)
-    
-     7. ~skC  = ~skC.134
-        certT = certT.135
-        pkTe  = x.264^(x.265*inv(~skC.134))
-        z     = x.264^x.265
-        z.1   = cert_id(certT.135)
-    
-     8. ~skC  = ~skC.135
-        certT = certT.136
-        pkTe  = x.265^(x.266*inv((~skC.135*x.267)))
-        z     = x.265^(x.266*inv(x.267))
-        z.1   = cert_id(certT.136)
-    
-     9. ~skC  = ~skC.135
-        certT = cert(x.260, x.261, z.151)
-        pkTe  = x.266^x.267
-        z     = x.266^(~skC.135*x.267)
-        z.1   = z.151
-    
-    10. ~skC  = ~skC.136
-        certT = cert(x.262, x.263, z.152)
-        pkTe  = x.268^inv((~skC.136*x.269))
-        z     = x.268^inv(x.269)
-        z.1   = z.152
-    
-    11. ~skC  = ~skC.136
-        certT = cert(x.262, x.263, z.152)
-        pkTe  = x.268^(x.269*inv(~skC.136))
-        z     = x.268^x.269
-        z.1   = z.152
-    
-    12. ~skC  = ~skC.137
-        certT = cert(x.263, x.264, z.153)
-        pkTe  = x.269^(x.270*inv((~skC.137*x.271)))
-        z     = x.269^(x.270*inv(x.271))
-        z.1   = z.153
-    
-    13. certT = certT.20
-        pkTe  = DH_neutral
-        z     = DH_neutral
-        z.1   = cert_id(certT.20)
-    
-    14. certT = cert(x.46, x.47, z.33)
-        pkTe  = DH_neutral
-        z     = DH_neutral
-        z.1   = z.33
-  */
-
-rule (modulo E) CA_FINISH_T:
-   [
-   In( <r2, tag, 'CA_RESPONSE', '6', 'c'> ),
-   CAInitT( <$T, iid>, skTe, id_c, certC )
-   ]
-  --[
-  Eq( mac(kdf_mac(cert_pk(certC)^skTe, r2), 'g'^skTe), tag ),
-  Completed( <kdf_enc(cert_pk(certC)^skTe, r2), 
-              kdf_mac(cert_pk(certC)^skTe, r2)>,
-             <'g'^skTe, cert_pk(certC), id_c, r2>, $T, 'terminal', cert_id(certC)
-  )
-  ]->
-   [
-   CAFinishT( cert_id(certC), $T, kdf_enc(cert_pk(certC)^skTe, r2) ),
-   !SessionReveal( <$T, iid>, skTe ), Out( iid )
-   ]
-
-  /*
-  rule (modulo AC) CA_FINISH_T:
-     [
-     In( <r2, tag, 'CA_RESPONSE', '6', 'c'> ),
-     CAInitT( <$T, iid>, skTe, id_c, certC )
-     ]
-    --[
-    Eq( mac(kdf_mac(z.1, r2), z.2), tag ),
-    Completed( <kdf_enc(z.1, r2), kdf_mac(z.1, r2)>, <z.2, z.3, id_c, r2>,
-               $T, 'terminal', z
-    )
-    ]->
-     [
-     CAFinishT( z, $T, kdf_enc(z.1, r2) ), !SessionReveal( <$T, iid>, skTe ),
-     Out( iid )
-     ]
-    variants (modulo AC)
-     1. certC = certC.16
-        skTe  = one
-        z     = cert_id(certC.16)
-        z.1   = cert_pk(certC.16)
-        z.2   = 'g'
-        z.3   = cert_pk(certC.16)
-    
-     2. certC = certC.20
-        skTe  = skTe.24
-        z     = cert_id(certC.20)
-        z.1   = cert_pk(certC.20)^skTe.24
-        z.2   = 'g'^skTe.24
-        z.3   = cert_pk(certC.20)
-    
-     3. certC = cert(z.33, x.52, z.32)
-        skTe  = one
-        z     = z.32
-        z.1   = z.33
-        z.2   = 'g'
-        z.3   = z.33
-    
-     4. certC = cert(z.55, x.87, z.52)
-        skTe  = skTe.47
-        z     = z.52
-        z.1   = z.55^skTe.47
-        z.2   = 'g'^skTe.47
-        z.3   = z.55
-    
-     5. certC = cert(DH_neutral, x.85, z.51)
-        skTe  = skTe.46
-        z     = z.51
-        z.1   = DH_neutral
-        z.2   = 'g'^skTe.46
-        z.3   = DH_neutral
-    
-     6. certC = cert(z.34^x.53, x.54, z.33)
-        skTe  = inv(x.53)
-        z     = z.33
-        z.1   = z.34
-        z.2   = 'g'^inv(x.53)
-        z.3   = z.34^x.53
-    
-     7. certC = cert(z.35^(x.54*inv(x.55)), x.56, z.34)
-        skTe  = (x.55*inv(x.54))
-        z     = z.34
-        z.1   = z.35
-        z.2   = 'g'^(x.55*inv(x.54))
-        z.3   = z.35^(x.54*inv(x.55))
-    
-     8. certC = cert(x.53^(x.54*x.55), x.56, z.34)
-        skTe  = inv(x.54)
-        z     = z.34
-        z.1   = x.53^x.55
-        z.2   = 'g'^inv(x.54)
-        z.3   = x.53^(x.54*x.55)
-    
-     9. certC = cert(x.54^(x.55*x.56*inv(x.57)), x.58, z.35)
-        skTe  = (x.57*inv(x.56))
-        z     = z.35
-        z.1   = x.54^x.55
-        z.2   = 'g'^(x.57*inv(x.56))
-        z.3   = x.54^(x.55*x.56*inv(x.57))
-    
-    10. certC = cert(x.54^(x.55*inv((x.56*x.57))), x.58, z.35)
-        skTe  = (x.57*inv(x.55))
-        z     = z.35
-        z.1   = x.54^inv(x.56)
-        z.2   = 'g'^(x.57*inv(x.55))
-        z.3   = x.54^(x.55*inv((x.56*x.57)))
-    
-    11. certC = cert(z.54^inv(skTe.48), x.89, z.53)
-        skTe  = skTe.48
-        z     = z.53
-        z.1   = z.54
-        z.2   = 'g'^skTe.48
-        z.3   = z.54^inv(skTe.48)
-    
-    12. certC = cert(x.55^(x.56*x.57*inv((x.58*x.59))), x.60, z.36)
-        skTe  = (x.59*inv(x.57))
-        z     = z.36
-        z.1   = x.55^(x.56*inv(x.58))
-        z.2   = 'g'^(x.59*inv(x.57))
-        z.3   = x.55^(x.56*x.57*inv((x.58*x.59)))
-    
-    13. certC = cert(x.57^x.58, x.59, z.38)
-        skTe  = inv((x.58*x.64))
-        z     = z.38
-        z.1   = x.57^inv(x.64)
-        z.2   = 'g'^inv((x.58*x.64))
-        z.3   = x.57^x.58
-    
-    14. certC = cert(x.57^x.58, x.59, z.38)
-        skTe  = (x.64*inv(x.58))
-        z     = z.38
-        z.1   = x.57^x.64
-        z.2   = 'g'^(x.64*inv(x.58))
-        z.3   = x.57^x.58
-    
-    15. certC = cert(x.57^inv(x.58), x.59, z.38)
-        skTe  = inv(x.64)
-        z     = z.38
-        z.1   = x.57^inv((x.58*x.64))
-        z.2   = 'g'^inv(x.64)
-        z.3   = x.57^inv(x.58)
-    
-    16. certC = cert(x.57^inv(x.58), x.59, z.38)
-        skTe  = (x.58*x.64)
-        z     = z.38
-        z.1   = x.57^x.64
-        z.2   = 'g'^(x.58*x.64)
-        z.3   = x.57^inv(x.58)
-    
-    17. certC = cert(x.58^x.59, x.60, z.39)
-        skTe  = (x.65*inv((x.59*x.66)))
-        z     = z.39
-        z.1   = x.58^(x.65*inv(x.66))
-        z.2   = 'g'^(x.65*inv((x.59*x.66)))
-        z.3   = x.58^x.59
-    
-    18. certC = cert(x.58^inv(x.59), x.60, z.39)
-        skTe  = (x.65*inv(x.66))
-        z     = z.39
-        z.1   = x.58^(x.65*inv((x.59*x.66)))
-        z.2   = 'g'^(x.65*inv(x.66))
-        z.3   = x.58^inv(x.59)
-    
-    19. certC = cert(x.58^inv((x.59*x.60)), x.61, z.39)
-        skTe  = (x.59*x.66)
-        z     = z.39
-        z.1   = x.58^(x.66*inv(x.60))
-        z.2   = 'g'^(x.59*x.66)
-        z.3   = x.58^inv((x.59*x.60))
-    
-    20. certC = cert(x.58^inv((x.59*x.60)), x.61, z.39)
-        skTe  = (x.59*inv(x.66))
-        z     = z.39
-        z.1   = x.58^inv((x.60*x.66))
-        z.2   = 'g'^(x.59*inv(x.66))
-        z.3   = x.58^inv((x.59*x.60))
-    
-    21. certC = cert(x.58^(x.59*x.60), x.61, z.39)
-        skTe  = inv((x.59*x.66))
-        z     = z.39
-        z.1   = x.58^(x.60*inv(x.66))
-        z.2   = 'g'^inv((x.59*x.66))
-        z.3   = x.58^(x.59*x.60)
-    
-    22. certC = cert(x.58^(x.59*x.60), x.61, z.39)
-        skTe  = (x.66*inv(x.59))
-        z     = z.39
-        z.1   = x.58^(x.60*x.66)
-        z.2   = 'g'^(x.66*inv(x.59))
-        z.3   = x.58^(x.59*x.60)
-    
-    23. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = inv(x.66)
-        z     = z.39
-        z.1   = x.58^(x.59*inv((x.60*x.66)))
-        z.2   = 'g'^inv(x.66)
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    24. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = inv((x.59*x.66))
-        z     = z.39
-        z.1   = x.58^inv((x.60*x.66))
-        z.2   = 'g'^inv((x.59*x.66))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    25. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*x.66)
-        z     = z.39
-        z.1   = x.58^(x.59*x.66)
-        z.2   = 'g'^(x.60*x.66)
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    26. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*x.66*inv(x.59))
-        z     = z.39
-        z.1   = x.58^x.66
-        z.2   = 'g'^(x.60*x.66*inv(x.59))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    27. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*inv((x.59*x.66)))
-        z     = z.39
-        z.1   = x.58^inv(x.66)
-        z.2   = 'g'^(x.60*inv((x.59*x.66)))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    28. certC = cert(x.59^inv((x.60*x.61)), x.62, z.40)
-        skTe  = (x.60*x.67*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.60*x.67*inv(x.68))
-        z.3   = x.59^inv((x.60*x.61))
-    
-    29. certC = cert(x.59^(x.60*x.61), x.62, z.40)
-        skTe  = (x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.61*x.67*inv(x.68))
-        z.2   = 'g'^(x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*x.61)
-    
-    30. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = inv((x.61*x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*inv((x.62*x.68)))
-        z.2   = 'g'^inv((x.61*x.68))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    31. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = (x.62*x.68*inv(x.60))
-        z     = z.40
-        z.1   = x.59^(x.61*x.68)
-        z.2   = 'g'^(x.62*x.68*inv(x.60))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    32. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = (x.62*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.61*inv(x.68))
-        z.2   = 'g'^(x.62*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    33. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.61*x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.67*inv(x.68))
-        z.2   = 'g'^(x.61*x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    34. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.67*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.67*inv(x.68))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    35. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    36. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*x.68)
-        z     = z.40
-        z.1   = x.59^(x.60*x.68*inv(x.62))
-        z.2   = 'g'^(x.61*x.68)
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    37. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*x.68*inv(x.60))
-        z     = z.40
-        z.1   = x.59^(x.68*inv(x.62))
-        z.2   = 'g'^(x.61*x.68*inv(x.60))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    38. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*inv((x.62*x.68)))
-        z.2   = 'g'^(x.61*inv(x.68))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    39. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^inv((x.62*x.68))
-        z.2   = 'g'^(x.61*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    40. certC = cert(x.60^(x.61*x.62*inv(x.63)), x.64, z.41)
-        skTe  = (x.63*x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*x.69*inv(x.70))
-        z.2   = 'g'^(x.63*x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv(x.63))
-    
-    41. certC = cert(x.60^(x.61*x.62*inv(x.63)), x.64, z.41)
-        skTe  = (x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv(x.63))
-    
-    42. certC = cert(x.60^(x.61*x.62*inv((x.63*x.64))), x.65, z.41)
-        skTe  = (x.63*x.70*inv(x.61))
-        z     = z.41
-        z.1   = x.60^(x.62*x.70*inv(x.64))
-        z.2   = 'g'^(x.63*x.70*inv(x.61))
-        z.3   = x.60^(x.61*x.62*inv((x.63*x.64)))
-    
-    43. certC = cert(x.60^(x.61*x.62*inv((x.63*x.64))), x.65, z.41)
-        skTe  = (x.63*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*inv((x.64*x.70)))
-        z.2   = 'g'^(x.63*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv((x.63*x.64)))
-    
-    44. certC = cert(x.60^(x.61*inv((x.62*x.63))), x.64, z.41)
-        skTe  = (x.62*x.69*inv(x.70))
-        z     = z.41
-        z.1   = x.60^(x.61*x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.62*x.69*inv(x.70))
-        z.3   = x.60^(x.61*inv((x.62*x.63)))
-    
-    45. certC = cert(x.60^(x.61*inv((x.62*x.63))), x.64, z.41)
-        skTe  = (x.62*x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.62*x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*inv((x.62*x.63)))
-    
-    46. certC = cert(x.61^(x.62*x.63*inv((x.64*x.65))), x.66, z.42)
-        skTe  = (x.64*x.71*inv((x.62*x.72)))
-        z     = z.42
-        z.1   = x.61^(x.63*x.71*inv((x.65*x.72)))
-        z.2   = 'g'^(x.64*x.71*inv((x.62*x.72)))
-        z.3   = x.61^(x.62*x.63*inv((x.64*x.65)))
-    
-    47. certC = cert(x.87^x.88, x.89, z.53)
-        skTe  = skTe.48
-        z     = z.53
-        z.1   = x.87^(skTe.48*x.88)
-        z.2   = 'g'^skTe.48
-        z.3   = x.87^x.88
-    
-    48. certC = cert(x.88^inv((skTe.49*x.89)), x.91, z.54)
-        skTe  = skTe.49
-        z     = z.54
-        z.1   = x.88^inv(x.89)
-        z.2   = 'g'^skTe.49
-        z.3   = x.88^inv((skTe.49*x.89))
-    
-    49. certC = cert(x.88^(x.89*inv(skTe.49)), x.91, z.54)
-        skTe  = skTe.49
-        z     = z.54
-        z.1   = x.88^x.89
-        z.2   = 'g'^skTe.49
-        z.3   = x.88^(x.89*inv(skTe.49))
-    
-    50. certC = cert(x.89^(x.90*inv((skTe.50*x.91))), x.93, z.55)
-        skTe  = skTe.50
-        z     = z.55
-        z.1   = x.89^(x.90*inv(x.91))
-        z.2   = 'g'^skTe.50
-        z.3   = x.89^(x.90*inv((skTe.50*x.91)))
-  */
-
-restriction Equality:
-  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
-  // safety formula
-
-lemma session_exist:
-  exists-trace
-  "∃ C T k sid #i #j.
-    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
-     (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
-    (#i < #j)"
-/*
-guarded formula characterizing all satisfying traces:
-"∃ C T k sid #i #j.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
-  (Completed( k, sid, T, 'terminal', C ) @ #j)
- ∧
-  #i < #j"
-*/
-simplify
-solve( Completed( k, sid, C, 'chip', T ) @ #i )
-  case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
-    case CA_INIT_C
-    solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-      case Generate_static_dh
-      solve( !PkDH( $C, pkC ) ▶₃ #i )
-        case Generate_static_dh
-        solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>,
-                          <pkTe, 'g'^~ltk, ~id_c, ~r2>, T, 'terminal', $C
-               ) @ #j )
-          case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, skTe, ~id_c, cert('g'^~ltk, x.1, $C)
-                 ) ▶₁ #j )
-            case CA_INIT_T
-            solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, x) ) @ #vk.14 )
-              case TA_RESPONSE_T
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T>, ca_sk), $T) ) @ #vk.17 )
-                case CA_Sign_ltk
-                solve( !KU( cert('g'^~skC, sign(<'g'^~skC, $C>, ca_sk), $C) ) @ #vk.35 )
-                  case CA_Sign_dh
-                  solve( !KU( ~r2 ) @ #vk.22 )
-                    case CA_FINISH_C
-                    solve( !KU( ~id_c ) @ #vk.39 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( ~r1 ) @ #vk.40 )
-                        case TA_CHALLENGE_C
-                        solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe) ) @ #vk.28 )
-                          case CA_FINISH_C
-                          solve( !KU( 'g'^~skTe ) @ #vk.14 )
-                            case TA_INIT_T
-                            SOLVED // trace found
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma two_session_exist:
-  exists-trace
-  "∃ C T k k2 sid sid2 #i #j #i2 #j2.
-    ((((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
-         (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
-        (#i < #j)) ∧
-       (Completed( k2, sid2, C, 'chip', T ) @ #i2)) ∧
-      (Completed( k2, sid2, T, 'terminal', C ) @ #j2)) ∧
-     (#i2 < #j2)) ∧
-    (¬(k = k2))"
-/*
-guarded formula characterizing all satisfying traces:
-"∃ C T k k2 sid sid2 #i #j #i2 #j2.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
-  (Completed( k, sid, T, 'terminal', C ) @ #j) ∧
-  (Completed( k2, sid2, C, 'chip', T ) @ #i2) ∧
-  (Completed( k2, sid2, T, 'terminal', C ) @ #j2)
- ∧
-  (#i < #j) ∧ (#i2 < #j2) ∧ (¬(k = k2))"
-*/
-by sorry
-
-lemma session_uniqueness:
-  all-traces
-  "∀ A B k sid sid2 role #i #j.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧
-     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
-    (#i = #j)"
-/*
-guarded formula characterizing all counter-examples:
-"∃ A B k sid sid2 role #i #j.
-  (Completed( k, sid, A, role, B ) @ #i) ∧
-  (Completed( k, sid2, A, role, B ) @ #j)
- ∧
-  ¬(#i = #j)"
-*/
-by sorry
-
-lemma consistency:
-  all-traces
-  "∀ C T k k2 sid #i #j.
-    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
-       (Completed( k2, sid, T, 'terminal', C ) @ #j)) ∧
-      (¬(∃ #k.1. Corrupted( C ) @ #k.1))) ∧
-     (¬(∃ #k.1. Corrupted( T ) @ #k.1))) ⇒
-    (k = k2)"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T k k2 sid #i #j.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
-  (Completed( k2, sid, T, 'terminal', C ) @ #j)
- ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥) ∧
-  (¬(k = k2))"
-*/
-by sorry
-
-lemma key_secrecy [reuse]:
-  all-traces
-  "∀ C T role k sid #j.
-    ((((Completed( k, sid, C, role, T ) @ #j) ∧
-       (¬(∃ #m. Corrupted( T ) @ #m))) ∧
-      (¬(∃ #m. Corrupted( C ) @ #m))) ∧
-     (¬(∃ #m. Revealed( T ) @ #m))) ⇒
-    (¬(∃ #m. K( k ) @ #m))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T role k sid #j.
-  (Completed( k, sid, C, role, T ) @ #j)
- ∧
-  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Revealed( T ) @ #m) ⇒ ⊥) ∧
-  (∃ #m. (K( k ) @ #m))"
-*/
-by sorry
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-/* All wellformedness checks were successful. */
-
-/*
-Generated from:
-Tamarin version 1.8.0
-Maude version 3.3.1
-Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
-Compiled at: 2024-01-16 15:38:46.116852601 UTC
-*/
-
-end
-
-==============================================================================
-summary of summaries:
-
-analyzed: BasicEAC.spthy
-
-  processing time: 12.35s
-  
-  session_exist (exists-trace): verified (16 steps)
-  two_session_exist (exists-trace): analysis incomplete (1 steps)
-  session_uniqueness (all-traces): analysis incomplete (1 steps)
-  consistency (all-traces): analysis incomplete (1 steps)
-  key_secrecy (all-traces): analysis incomplete (1 steps)
-
-==============================================================================
diff --git a/results/Basic/two_session_exist.out.45214997 b/results/Basic/two_session_exist.out.45214997
deleted file mode 100644
index 67b64707e2ad6984e747ec7baea9010fc5a99423..0000000000000000000000000000000000000000
--- a/results/Basic/two_session_exist.out.45214997
+++ /dev/null
@@ -1,1014 +0,0 @@
-Execute two_session_exist
-maude tool: 'maude'
- checking version: 3.3.1. OK.
- checking installation: OK.
-theory BasicEAC begin
-
-// Function signature and definition of the equational theory E
-
-builtins: diffie-hellman
-functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
-           cert_sig/1, fst/1, kdf_enc/2, kdf_mac/2, mac/2, pair/2, pk/1, sign/2,
-           snd/1, true/0, verify/3
-equations:
-    cert_id(cert(pk, s, id)) = id,
-    cert_pk(cert(pk, s, id)) = pk,
-    cert_sig(cert(pk, s, id)) = s,
-    fst(<x.1, x.2>) = x.1,
-    snd(<x.1, x.2>) = x.2,
-    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
-
-
-
-
-
-
-
-
-
-macros:
-    verify_cert( cert ) = verify(cert_sig(cert),pair(cert_pk(cert),cert_id(cert)),pk(ca_sk))
-
-rule (modulo E) Generate_static_ltk:
-   [ Fr( ~ltk ) ]
-  -->
-   [ !Pk( $A, pk(~ltk) ), !Ltk( $A, ~ltk ), Out( pk(~ltk) ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Generate_static_dh:
-   [ Fr( ~ltk ) ]
-  -->
-   [ !PkDH( $A, 'g'^~ltk ), !LtkDH( $A, ~ltk ), Out( 'g'^~ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_Sign_ltk:
-   [ !Pk( A, pk ) ]
-  --[ Certified( A ) ]->
-   [
-   !Cert( A, cert(pk, sign(<pk, A>, ca_sk), A) ),
-   Out( cert(pk, sign(<pk, A>, ca_sk), A) )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_Sign_dh:
-   [ !PkDH( A, pk ) ]
-  --[ Certified( A ) ]->
-   [
-   !CertDH( A, cert(pk, sign(<pk, A>, ca_sk), A) ),
-   Out( cert(pk, sign(<pk, A>, ca_sk), A) )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_ltk:
-   [ !Ltk( $A, ltk ) ] --[ Corrupted( $A ) ]-> [ Out( ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_ltk2:
-   [ !LtkDH( $A, ltk ) ] --[ Corrupted( $A ) ]-> [ Out( ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_session:
-   [ !SessionReveal( uid, k ) ] --[ Revealed( uid ) ]-> [ Out( k ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT ), Fr( ~skTe ), Fr( ~iid ) ]
-  -->
-   [
-   Out( <certT, 'g'^~skTe, 'TA_INIT', '1', 't'> ),
-   TAInitT( <$T, ~iid>, ~skTe )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) TA_CHALLENGE_C:
-   [
-   In( <certT, pkTe, 'TA_INIT', '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ),
-   Fr( ~iid )
-   ]
-  --[ Eq( verify_cert(certT), true ) ]->
-   [
-   Out( <~id_c, ~r1, 'TA_CHALLENGE', '2', 'c'> ),
-   TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
-   ]
-
-  /*
-  rule (modulo AC) TA_CHALLENGE_C:
-     [
-     In( <certT, pkTe, 'TA_INIT', '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ),
-     Fr( ~iid )
-     ]
-    --[ Eq( z, true ) ]->
-     [
-     Out( <~id_c, ~r1, 'TA_CHALLENGE', '2', 'c'> ),
-     TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
-     ]
-    variants (modulo AC)
-    1. certT = certT.15
-       z     = verify(cert_sig(certT.15),
-                      <cert_pk(certT.15), cert_id(certT.15)>, pk(ca_sk))
-    
-    2. certT = cert(x.16, sign(<x.16, x.17>, ca_sk), x.17)
-       z     = true
-    
-    3. certT = cert(x.17, x.18, x.19)
-       z     = verify(x.18, <x.17, x.19>, pk(ca_sk))
-  */
-
-rule (modulo E) TA_RESPONSE_T:
-   [
-   In( <id_c, r1, 'TA_CHALLENGE', '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
-   !Ltk( $T, ~skT )
-   ]
-  -->
-   [
-   Out( <sign(<id_c, r1, 'g'^skTe>, ~skT), 'TA_RESPONSE', '3', 't'> ),
-   TAResponseT( <$T, iid>, skTe, id_c )
-   ]
-
-  /*
-  rule (modulo AC) TA_RESPONSE_T:
-     [
-     In( <id_c, r1, 'TA_CHALLENGE', '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
-     !Ltk( $T, ~skT )
-     ]
-    -->
-     [
-     Out( <sign(<id_c, r1, z>, ~skT), 'TA_RESPONSE', '3', 't'> ),
-     TAResponseT( <$T, iid>, skTe, id_c )
-     ]
-    variants (modulo AC)
-    1. skTe  = skTe.12
-       z     = 'g'^skTe.12
-    
-    2. skTe  = one
-       z     = 'g'
-  */
-
-rule (modulo E) TA_COMPLETE_C:
-   [
-   In( <s, 'TA_RESPONSE', '3', 't'> ),
-   TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 )
-   ]
-  --[ Eq( verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true ) ]->
-   [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
-
-  /*
-  rule (modulo AC) TA_COMPLETE_C:
-     [
-     In( <s, 'TA_RESPONSE', '3', 't'> ),
-     TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 )
-     ]
-    --[ Eq( z, true ) ]->
-     [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
-    variants (modulo AC)
-    1. certT = certT.18
-       id_c  = id_c.19
-       pkTe  = pkTe.21
-       r1    = r1.22
-       s     = s.23
-       z     = verify(s.23, <id_c.19, r1.22, pkTe.21>, cert_pk(certT.18))
-    
-    2. certT = cert(x.60, x.61, x.62)
-       id_c  = id_c.33
-       pkTe  = pkTe.35
-       r1    = r1.36
-       s     = s.37
-       z     = verify(s.37, <id_c.33, r1.36, pkTe.35>, x.60)
-    
-    3. certT = cert(pk(x.60), x.61, x.62)
-       id_c  = id_c.33
-       pkTe  = pkTe.35
-       r1    = r1.36
-       s     = sign(<id_c.33, r1.36, pkTe.35>, x.60)
-       z     = true
-  */
-
-rule (modulo E) CA_INIT_C:
-   [
-   !CertDH( $C, certC ), Fr( ~r2 ),
-   TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 )
-   ]
-  -->
-   [
-   Out( <certC, 'CA_INIT', '4', 'c'> ),
-   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, ~r2 )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_INIT_T:
-   [
-   In( <certC, 'CA_INIT', '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c )
-   ]
-  --[ Eq( verify_cert(certC), true ) ]->
-   [
-   Out( <'g'^skTe, 'CA_COMMIT', '5', 't'> ),
-   CAInitT( <$T, iid>, skTe, id_c, certC )
-   ]
-
-  /*
-  rule (modulo AC) CA_INIT_T:
-     [
-     In( <certC, 'CA_INIT', '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c )
-     ]
-    --[ Eq( z.1, true ) ]->
-     [
-     Out( <z, 'CA_COMMIT', '5', 't'> ),
-     CAInitT( <$T, iid>, skTe, id_c, certC )
-     ]
-    variants (modulo AC)
-    1. certC = certC.15
-       skTe  = one
-       z     = 'g'
-       z.1   = verify(cert_sig(certC.15),
-                      <cert_pk(certC.15), cert_id(certC.15)>, pk(ca_sk))
-    
-    2. certC = certC.18
-       skTe  = skTe.21
-       z     = 'g'^skTe.21
-       z.1   = verify(cert_sig(certC.18),
-                      <cert_pk(certC.18), cert_id(certC.18)>, pk(ca_sk))
-    
-    3. certC = cert(x.16, sign(<x.16, x.17>, ca_sk), x.17)
-       skTe  = one
-       z     = 'g'
-       z.1   = true
-    
-    4. certC = cert(x.17, x.18, x.19)
-       skTe  = one
-       z     = 'g'
-       z.1   = verify(x.18, <x.17, x.19>, pk(ca_sk))
-    
-    5. certC = cert(x.115, sign(<x.115, x.116>, ca_sk), x.116)
-       skTe  = skTe.61
-       z     = 'g'^skTe.61
-       z.1   = true
-    
-    6. certC = cert(x.116, x.117, x.118)
-       skTe  = skTe.62
-       z     = 'g'^skTe.62
-       z.1   = verify(x.117, <x.116, x.118>, pk(ca_sk))
-  */
-
-rule (modulo E) CA_FINISH_C:
-   [
-   In( <pkTe_t, 'CA_COMMIT', '5', 't'> ),
-   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ), !LtkDH( $C, ~skC ),
-   !PkDH( $C, pkC )
-   ]
-  --[
-  Eq( pkTe_t, pkTe ),
-  Completed( <kdf_enc(pkTe^~skC, r2), kdf_mac(pkTe^~skC, r2)>,
-             <pkTe, pkC, id_c, r2>, $C, 'chip', cert_id(certT)
-  )
-  ]->
-   [
-   Out( <r2, mac(kdf_mac(pkTe^~skC, r2), pkTe), 'CA_RESPONSE', '6', 'c'> ),
-   CAFinishC( $C, cert_id(certT), kdf_enc(pkTe^~skC, r2) ), Out( iid )
-   ]
-
-  /*
-  rule (modulo AC) CA_FINISH_C:
-     [
-     In( <pkTe_t, 'CA_COMMIT', '5', 't'> ),
-     CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ), !LtkDH( $C, ~skC ),
-     !PkDH( $C, pkC )
-     ]
-    --[
-    Eq( pkTe_t, pkTe ),
-    Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, <pkTe, pkC, id_c, r2>, $C,
-               'chip', z.1
-    )
-    ]->
-     [
-     Out( <r2, mac(kdf_mac(z, r2), pkTe), 'CA_RESPONSE', '6', 'c'> ),
-     CAFinishC( $C, z.1, kdf_enc(z, r2) ), Out( iid )
-     ]
-    variants (modulo AC)
-     1. ~skC  = ~skC.25
-        certT = certT.26
-        pkTe  = pkTe.30
-        z     = pkTe.30^~skC.25
-        z.1   = cert_id(certT.26)
-    
-     2. ~skC  = ~skC.32
-        certT = certT.33
-        pkTe  = z.44^inv(~skC.32)
-        z     = z.44
-        z.1   = cert_id(certT.33)
-    
-     3. ~skC  = ~skC.129
-        certT = certT.130
-        pkTe  = x.254^x.255
-        z     = x.254^(~skC.129*x.255)
-        z.1   = cert_id(certT.130)
-    
-     4. ~skC  = ~skC.129
-        certT = cert(x.254, x.255, z.145)
-        pkTe  = pkTe.134
-        z     = pkTe.134^~skC.129
-        z.1   = z.145
-    
-     5. ~skC  = ~skC.130
-        certT = cert(x.256, x.257, z.146)
-        pkTe  = z.142^inv(~skC.130)
-        z     = z.142
-        z.1   = z.146
-    
-     6. ~skC  = ~skC.134
-        certT = certT.135
-        pkTe  = x.264^inv((~skC.134*x.265))
-        z     = x.264^inv(x.265)
-        z.1   = cert_id(certT.135)
-    
-     7. ~skC  = ~skC.134
-        certT = certT.135
-        pkTe  = x.264^(x.265*inv(~skC.134))
-        z     = x.264^x.265
-        z.1   = cert_id(certT.135)
-    
-     8. ~skC  = ~skC.135
-        certT = certT.136
-        pkTe  = x.265^(x.266*inv((~skC.135*x.267)))
-        z     = x.265^(x.266*inv(x.267))
-        z.1   = cert_id(certT.136)
-    
-     9. ~skC  = ~skC.135
-        certT = cert(x.260, x.261, z.151)
-        pkTe  = x.266^x.267
-        z     = x.266^(~skC.135*x.267)
-        z.1   = z.151
-    
-    10. ~skC  = ~skC.136
-        certT = cert(x.262, x.263, z.152)
-        pkTe  = x.268^inv((~skC.136*x.269))
-        z     = x.268^inv(x.269)
-        z.1   = z.152
-    
-    11. ~skC  = ~skC.136
-        certT = cert(x.262, x.263, z.152)
-        pkTe  = x.268^(x.269*inv(~skC.136))
-        z     = x.268^x.269
-        z.1   = z.152
-    
-    12. ~skC  = ~skC.137
-        certT = cert(x.263, x.264, z.153)
-        pkTe  = x.269^(x.270*inv((~skC.137*x.271)))
-        z     = x.269^(x.270*inv(x.271))
-        z.1   = z.153
-    
-    13. certT = certT.20
-        pkTe  = DH_neutral
-        z     = DH_neutral
-        z.1   = cert_id(certT.20)
-    
-    14. certT = cert(x.46, x.47, z.33)
-        pkTe  = DH_neutral
-        z     = DH_neutral
-        z.1   = z.33
-  */
-
-rule (modulo E) CA_FINISH_T:
-   [
-   In( <r2, tag, 'CA_RESPONSE', '6', 'c'> ),
-   CAInitT( <$T, iid>, skTe, id_c, certC )
-   ]
-  --[
-  Eq( mac(kdf_mac(cert_pk(certC)^skTe, r2), 'g'^skTe), tag ),
-  Completed( <kdf_enc(cert_pk(certC)^skTe, r2), 
-              kdf_mac(cert_pk(certC)^skTe, r2)>,
-             <'g'^skTe, cert_pk(certC), id_c, r2>, $T, 'terminal', cert_id(certC)
-  )
-  ]->
-   [
-   CAFinishT( cert_id(certC), $T, kdf_enc(cert_pk(certC)^skTe, r2) ),
-   !SessionReveal( <$T, iid>, skTe ), Out( iid )
-   ]
-
-  /*
-  rule (modulo AC) CA_FINISH_T:
-     [
-     In( <r2, tag, 'CA_RESPONSE', '6', 'c'> ),
-     CAInitT( <$T, iid>, skTe, id_c, certC )
-     ]
-    --[
-    Eq( mac(kdf_mac(z.1, r2), z.2), tag ),
-    Completed( <kdf_enc(z.1, r2), kdf_mac(z.1, r2)>, <z.2, z.3, id_c, r2>,
-               $T, 'terminal', z
-    )
-    ]->
-     [
-     CAFinishT( z, $T, kdf_enc(z.1, r2) ), !SessionReveal( <$T, iid>, skTe ),
-     Out( iid )
-     ]
-    variants (modulo AC)
-     1. certC = certC.16
-        skTe  = one
-        z     = cert_id(certC.16)
-        z.1   = cert_pk(certC.16)
-        z.2   = 'g'
-        z.3   = cert_pk(certC.16)
-    
-     2. certC = certC.20
-        skTe  = skTe.24
-        z     = cert_id(certC.20)
-        z.1   = cert_pk(certC.20)^skTe.24
-        z.2   = 'g'^skTe.24
-        z.3   = cert_pk(certC.20)
-    
-     3. certC = cert(z.33, x.52, z.32)
-        skTe  = one
-        z     = z.32
-        z.1   = z.33
-        z.2   = 'g'
-        z.3   = z.33
-    
-     4. certC = cert(z.55, x.87, z.52)
-        skTe  = skTe.47
-        z     = z.52
-        z.1   = z.55^skTe.47
-        z.2   = 'g'^skTe.47
-        z.3   = z.55
-    
-     5. certC = cert(DH_neutral, x.85, z.51)
-        skTe  = skTe.46
-        z     = z.51
-        z.1   = DH_neutral
-        z.2   = 'g'^skTe.46
-        z.3   = DH_neutral
-    
-     6. certC = cert(z.34^x.53, x.54, z.33)
-        skTe  = inv(x.53)
-        z     = z.33
-        z.1   = z.34
-        z.2   = 'g'^inv(x.53)
-        z.3   = z.34^x.53
-    
-     7. certC = cert(z.35^(x.54*inv(x.55)), x.56, z.34)
-        skTe  = (x.55*inv(x.54))
-        z     = z.34
-        z.1   = z.35
-        z.2   = 'g'^(x.55*inv(x.54))
-        z.3   = z.35^(x.54*inv(x.55))
-    
-     8. certC = cert(x.53^(x.54*x.55), x.56, z.34)
-        skTe  = inv(x.54)
-        z     = z.34
-        z.1   = x.53^x.55
-        z.2   = 'g'^inv(x.54)
-        z.3   = x.53^(x.54*x.55)
-    
-     9. certC = cert(x.54^(x.55*x.56*inv(x.57)), x.58, z.35)
-        skTe  = (x.57*inv(x.56))
-        z     = z.35
-        z.1   = x.54^x.55
-        z.2   = 'g'^(x.57*inv(x.56))
-        z.3   = x.54^(x.55*x.56*inv(x.57))
-    
-    10. certC = cert(x.54^(x.55*inv((x.56*x.57))), x.58, z.35)
-        skTe  = (x.57*inv(x.55))
-        z     = z.35
-        z.1   = x.54^inv(x.56)
-        z.2   = 'g'^(x.57*inv(x.55))
-        z.3   = x.54^(x.55*inv((x.56*x.57)))
-    
-    11. certC = cert(z.54^inv(skTe.48), x.89, z.53)
-        skTe  = skTe.48
-        z     = z.53
-        z.1   = z.54
-        z.2   = 'g'^skTe.48
-        z.3   = z.54^inv(skTe.48)
-    
-    12. certC = cert(x.55^(x.56*x.57*inv((x.58*x.59))), x.60, z.36)
-        skTe  = (x.59*inv(x.57))
-        z     = z.36
-        z.1   = x.55^(x.56*inv(x.58))
-        z.2   = 'g'^(x.59*inv(x.57))
-        z.3   = x.55^(x.56*x.57*inv((x.58*x.59)))
-    
-    13. certC = cert(x.57^x.58, x.59, z.38)
-        skTe  = inv((x.58*x.64))
-        z     = z.38
-        z.1   = x.57^inv(x.64)
-        z.2   = 'g'^inv((x.58*x.64))
-        z.3   = x.57^x.58
-    
-    14. certC = cert(x.57^x.58, x.59, z.38)
-        skTe  = (x.64*inv(x.58))
-        z     = z.38
-        z.1   = x.57^x.64
-        z.2   = 'g'^(x.64*inv(x.58))
-        z.3   = x.57^x.58
-    
-    15. certC = cert(x.57^inv(x.58), x.59, z.38)
-        skTe  = inv(x.64)
-        z     = z.38
-        z.1   = x.57^inv((x.58*x.64))
-        z.2   = 'g'^inv(x.64)
-        z.3   = x.57^inv(x.58)
-    
-    16. certC = cert(x.57^inv(x.58), x.59, z.38)
-        skTe  = (x.58*x.64)
-        z     = z.38
-        z.1   = x.57^x.64
-        z.2   = 'g'^(x.58*x.64)
-        z.3   = x.57^inv(x.58)
-    
-    17. certC = cert(x.58^x.59, x.60, z.39)
-        skTe  = (x.65*inv((x.59*x.66)))
-        z     = z.39
-        z.1   = x.58^(x.65*inv(x.66))
-        z.2   = 'g'^(x.65*inv((x.59*x.66)))
-        z.3   = x.58^x.59
-    
-    18. certC = cert(x.58^inv(x.59), x.60, z.39)
-        skTe  = (x.65*inv(x.66))
-        z     = z.39
-        z.1   = x.58^(x.65*inv((x.59*x.66)))
-        z.2   = 'g'^(x.65*inv(x.66))
-        z.3   = x.58^inv(x.59)
-    
-    19. certC = cert(x.58^inv((x.59*x.60)), x.61, z.39)
-        skTe  = (x.59*x.66)
-        z     = z.39
-        z.1   = x.58^(x.66*inv(x.60))
-        z.2   = 'g'^(x.59*x.66)
-        z.3   = x.58^inv((x.59*x.60))
-    
-    20. certC = cert(x.58^inv((x.59*x.60)), x.61, z.39)
-        skTe  = (x.59*inv(x.66))
-        z     = z.39
-        z.1   = x.58^inv((x.60*x.66))
-        z.2   = 'g'^(x.59*inv(x.66))
-        z.3   = x.58^inv((x.59*x.60))
-    
-    21. certC = cert(x.58^(x.59*x.60), x.61, z.39)
-        skTe  = inv((x.59*x.66))
-        z     = z.39
-        z.1   = x.58^(x.60*inv(x.66))
-        z.2   = 'g'^inv((x.59*x.66))
-        z.3   = x.58^(x.59*x.60)
-    
-    22. certC = cert(x.58^(x.59*x.60), x.61, z.39)
-        skTe  = (x.66*inv(x.59))
-        z     = z.39
-        z.1   = x.58^(x.60*x.66)
-        z.2   = 'g'^(x.66*inv(x.59))
-        z.3   = x.58^(x.59*x.60)
-    
-    23. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = inv(x.66)
-        z     = z.39
-        z.1   = x.58^(x.59*inv((x.60*x.66)))
-        z.2   = 'g'^inv(x.66)
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    24. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = inv((x.59*x.66))
-        z     = z.39
-        z.1   = x.58^inv((x.60*x.66))
-        z.2   = 'g'^inv((x.59*x.66))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    25. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*x.66)
-        z     = z.39
-        z.1   = x.58^(x.59*x.66)
-        z.2   = 'g'^(x.60*x.66)
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    26. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*x.66*inv(x.59))
-        z     = z.39
-        z.1   = x.58^x.66
-        z.2   = 'g'^(x.60*x.66*inv(x.59))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    27. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*inv((x.59*x.66)))
-        z     = z.39
-        z.1   = x.58^inv(x.66)
-        z.2   = 'g'^(x.60*inv((x.59*x.66)))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    28. certC = cert(x.59^inv((x.60*x.61)), x.62, z.40)
-        skTe  = (x.60*x.67*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.60*x.67*inv(x.68))
-        z.3   = x.59^inv((x.60*x.61))
-    
-    29. certC = cert(x.59^(x.60*x.61), x.62, z.40)
-        skTe  = (x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.61*x.67*inv(x.68))
-        z.2   = 'g'^(x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*x.61)
-    
-    30. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = inv((x.61*x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*inv((x.62*x.68)))
-        z.2   = 'g'^inv((x.61*x.68))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    31. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = (x.62*x.68*inv(x.60))
-        z     = z.40
-        z.1   = x.59^(x.61*x.68)
-        z.2   = 'g'^(x.62*x.68*inv(x.60))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    32. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = (x.62*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.61*inv(x.68))
-        z.2   = 'g'^(x.62*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    33. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.61*x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.67*inv(x.68))
-        z.2   = 'g'^(x.61*x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    34. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.67*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.67*inv(x.68))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    35. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    36. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*x.68)
-        z     = z.40
-        z.1   = x.59^(x.60*x.68*inv(x.62))
-        z.2   = 'g'^(x.61*x.68)
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    37. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*x.68*inv(x.60))
-        z     = z.40
-        z.1   = x.59^(x.68*inv(x.62))
-        z.2   = 'g'^(x.61*x.68*inv(x.60))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    38. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*inv((x.62*x.68)))
-        z.2   = 'g'^(x.61*inv(x.68))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    39. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^inv((x.62*x.68))
-        z.2   = 'g'^(x.61*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    40. certC = cert(x.60^(x.61*x.62*inv(x.63)), x.64, z.41)
-        skTe  = (x.63*x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*x.69*inv(x.70))
-        z.2   = 'g'^(x.63*x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv(x.63))
-    
-    41. certC = cert(x.60^(x.61*x.62*inv(x.63)), x.64, z.41)
-        skTe  = (x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv(x.63))
-    
-    42. certC = cert(x.60^(x.61*x.62*inv((x.63*x.64))), x.65, z.41)
-        skTe  = (x.63*x.70*inv(x.61))
-        z     = z.41
-        z.1   = x.60^(x.62*x.70*inv(x.64))
-        z.2   = 'g'^(x.63*x.70*inv(x.61))
-        z.3   = x.60^(x.61*x.62*inv((x.63*x.64)))
-    
-    43. certC = cert(x.60^(x.61*x.62*inv((x.63*x.64))), x.65, z.41)
-        skTe  = (x.63*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*inv((x.64*x.70)))
-        z.2   = 'g'^(x.63*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv((x.63*x.64)))
-    
-    44. certC = cert(x.60^(x.61*inv((x.62*x.63))), x.64, z.41)
-        skTe  = (x.62*x.69*inv(x.70))
-        z     = z.41
-        z.1   = x.60^(x.61*x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.62*x.69*inv(x.70))
-        z.3   = x.60^(x.61*inv((x.62*x.63)))
-    
-    45. certC = cert(x.60^(x.61*inv((x.62*x.63))), x.64, z.41)
-        skTe  = (x.62*x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.62*x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*inv((x.62*x.63)))
-    
-    46. certC = cert(x.61^(x.62*x.63*inv((x.64*x.65))), x.66, z.42)
-        skTe  = (x.64*x.71*inv((x.62*x.72)))
-        z     = z.42
-        z.1   = x.61^(x.63*x.71*inv((x.65*x.72)))
-        z.2   = 'g'^(x.64*x.71*inv((x.62*x.72)))
-        z.3   = x.61^(x.62*x.63*inv((x.64*x.65)))
-    
-    47. certC = cert(x.87^x.88, x.89, z.53)
-        skTe  = skTe.48
-        z     = z.53
-        z.1   = x.87^(skTe.48*x.88)
-        z.2   = 'g'^skTe.48
-        z.3   = x.87^x.88
-    
-    48. certC = cert(x.88^inv((skTe.49*x.89)), x.91, z.54)
-        skTe  = skTe.49
-        z     = z.54
-        z.1   = x.88^inv(x.89)
-        z.2   = 'g'^skTe.49
-        z.3   = x.88^inv((skTe.49*x.89))
-    
-    49. certC = cert(x.88^(x.89*inv(skTe.49)), x.91, z.54)
-        skTe  = skTe.49
-        z     = z.54
-        z.1   = x.88^x.89
-        z.2   = 'g'^skTe.49
-        z.3   = x.88^(x.89*inv(skTe.49))
-    
-    50. certC = cert(x.89^(x.90*inv((skTe.50*x.91))), x.93, z.55)
-        skTe  = skTe.50
-        z     = z.55
-        z.1   = x.89^(x.90*inv(x.91))
-        z.2   = 'g'^skTe.50
-        z.3   = x.89^(x.90*inv((skTe.50*x.91)))
-  */
-
-restriction Equality:
-  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
-  // safety formula
-
-lemma session_exist:
-  exists-trace
-  "∃ C T k sid #i #j.
-    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
-     (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
-    (#i < #j)"
-/*
-guarded formula characterizing all satisfying traces:
-"∃ C T k sid #i #j.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
-  (Completed( k, sid, T, 'terminal', C ) @ #j)
- ∧
-  #i < #j"
-*/
-by sorry
-
-lemma two_session_exist:
-  exists-trace
-  "∃ C T k k2 sid sid2 #i #j #i2 #j2.
-    ((((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
-         (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
-        (#i < #j)) ∧
-       (Completed( k2, sid2, C, 'chip', T ) @ #i2)) ∧
-      (Completed( k2, sid2, T, 'terminal', C ) @ #j2)) ∧
-     (#i2 < #j2)) ∧
-    (¬(k = k2))"
-/*
-guarded formula characterizing all satisfying traces:
-"∃ C T k k2 sid sid2 #i #j #i2 #j2.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
-  (Completed( k, sid, T, 'terminal', C ) @ #j) ∧
-  (Completed( k2, sid2, C, 'chip', T ) @ #i2) ∧
-  (Completed( k2, sid2, T, 'terminal', C ) @ #j2)
- ∧
-  (#i < #j) ∧ (#i2 < #j2) ∧ (¬(k = k2))"
-*/
-simplify
-solve( Completed( k, sid, C, 'chip', T ) @ #i )
-  case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
-    case CA_INIT_C
-    solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-      case Generate_static_dh
-      solve( !PkDH( $C, pkC ) ▶₃ #i )
-        case Generate_static_dh
-        solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>,
-                          <pkTe, 'g'^~ltk, ~id_c, ~r2>, T, 'terminal', $C
-               ) @ #j )
-          case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, skTe, ~id_c, cert('g'^~ltk, x.1, $C)
-                 ) ▶₁ #j )
-            case CA_INIT_T
-            solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
-              case CA_FINISH_C
-              solve( CAInitC( <$C, iid.1>, cert(x.1, x.2, $T), pkTe, id_c.1, r1.1, r2.1
-                     ) ▶₁ #i2 )
-                case CA_INIT_C
-                solve( !LtkDH( $C, ~skC.1 ) ▶₂ #i2 )
-                  case Generate_static_dh
-                  solve( !PkDH( $C, pkC ) ▶₃ #i2 )
-                    case Generate_static_dh
-                    solve( Completed( <kdf_enc(z, ~r2.1), kdf_mac(z, ~r2.1)>,
-                                      <pkTe, 'g'^~ltk, ~id_c.1, ~r2.1>, $T, 'terminal', $C
-                           ) @ #j2 )
-                      case CA_FINISH_T
-                      solve( CAInitT( <$T, iid.3>, skTe.1, ~id_c.1, cert('g'^~ltk, x.2, $C)
-                             ) ▶₁ #j2 )
-                        case CA_INIT_T
-                        solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, x) ) @ #vk.18 )
-                          case TA_RESPONSE_T
-                          solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe.1>, x) ) @ #vk.53 )
-                            case TA_RESPONSE_T
-                            solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T>, ca_sk), $T) ) @ #vk.22 )
-                              case CA_Sign_ltk
-                              solve( !KU( cert('g'^~skC, sign(<'g'^~skC, $C>, ca_sk), $C) ) @ #vk.46 )
-                                case CA_Sign_dh
-                                solve( !KU( cert(pk(~skT.1), sign(<pk(~skT.1), $T>, ca_sk), $T)
-                                       ) @ #vk.54 )
-                                  case CA_Sign_ltk
-                                  solve( !KU( cert('g'^~skC.1, sign(<'g'^~skC.1, $C>, ca_sk), $C)
-                                         ) @ #vk.57 )
-                                    case CA_Sign_dh
-                                    solve( !KU( ~r2 ) @ #vk.30 )
-                                      case CA_FINISH_C
-                                      solve( !KU( ~id_c ) @ #vk.51 )
-                                        case TA_CHALLENGE_C
-                                        solve( !KU( ~r2.1 ) @ #vk.56 )
-                                          case CA_FINISH_C
-                                          solve( !KU( ~id_c.1 ) @ #vk.58 )
-                                            case TA_CHALLENGE_C
-                                            solve( !KU( ~r1 ) @ #vk.54 )
-                                              case TA_CHALLENGE_C
-                                              solve( !KU( ~r1.1 ) @ #vk.59 )
-                                                case TA_CHALLENGE_C
-                                                solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe)
-                                                       ) @ #vk.42 )
-                                                  case CA_FINISH_C
-                                                  solve( !KU( 'g'^~skTe ) @ #vk.26 )
-                                                    case TA_INIT_T
-                                                    solve( !KU( mac(kdf_mac('g'^(~skC.1*~skTe.1), ~r2.1),
-                                                                    'g'^~skTe.1)
-                                                           ) @ #vk.59 )
-                                                      case CA_FINISH_C
-                                                      solve( !KU( 'g'^~skTe.1 ) @ #vk.59 )
-                                                        case TA_INIT_T
-                                                        SOLVED // trace found
-                                                      qed
-                                                    qed
-                                                  qed
-                                                qed
-                                              qed
-                                            qed
-                                          qed
-                                        qed
-                                      qed
-                                    qed
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma session_uniqueness:
-  all-traces
-  "∀ A B k sid sid2 role #i #j.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧
-     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
-    (#i = #j)"
-/*
-guarded formula characterizing all counter-examples:
-"∃ A B k sid sid2 role #i #j.
-  (Completed( k, sid, A, role, B ) @ #i) ∧
-  (Completed( k, sid2, A, role, B ) @ #j)
- ∧
-  ¬(#i = #j)"
-*/
-by sorry
-
-lemma consistency:
-  all-traces
-  "∀ C T k k2 sid #i #j.
-    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
-       (Completed( k2, sid, T, 'terminal', C ) @ #j)) ∧
-      (¬(∃ #k.1. Corrupted( C ) @ #k.1))) ∧
-     (¬(∃ #k.1. Corrupted( T ) @ #k.1))) ⇒
-    (k = k2)"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T k k2 sid #i #j.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
-  (Completed( k2, sid, T, 'terminal', C ) @ #j)
- ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥) ∧
-  (¬(k = k2))"
-*/
-by sorry
-
-lemma key_secrecy [reuse]:
-  all-traces
-  "∀ C T role k sid #j.
-    ((((Completed( k, sid, C, role, T ) @ #j) ∧
-       (¬(∃ #m. Corrupted( T ) @ #m))) ∧
-      (¬(∃ #m. Corrupted( C ) @ #m))) ∧
-     (¬(∃ #m. Revealed( T ) @ #m))) ⇒
-    (¬(∃ #m. K( k ) @ #m))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T role k sid #j.
-  (Completed( k, sid, C, role, T ) @ #j)
- ∧
-  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Revealed( T ) @ #m) ⇒ ⊥) ∧
-  (∃ #m. (K( k ) @ #m))"
-*/
-by sorry
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-/* All wellformedness checks were successful. */
-
-/*
-Generated from:
-Tamarin version 1.8.0
-Maude version 3.3.1
-Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
-Compiled at: 2024-01-16 15:38:46.116852601 UTC
-*/
-
-end
-
-==============================================================================
-summary of summaries:
-
-analyzed: BasicEAC.spthy
-
-  processing time: 1585.12s
-  
-  session_exist (exists-trace): analysis incomplete (1 steps)
-  two_session_exist (exists-trace): verified (30 steps)
-  session_uniqueness (all-traces): analysis incomplete (1 steps)
-  consistency (all-traces): analysis incomplete (1 steps)
-  key_secrecy (all-traces): analysis incomplete (1 steps)
-
-==============================================================================
diff --git a/results/cpu.45369362 b/results/cpu.45369362
deleted file mode 100644
index dfe137bca96ce750fa4d6cb480d33a24d8086aa9..0000000000000000000000000000000000000000
--- a/results/cpu.45369362
+++ /dev/null
@@ -1,104 +0,0 @@
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
-model name	: Intel(R) Xeon(R) Platinum 8470Q
diff --git a/results/eac_tamarin.out.45369362 b/results/eac_tamarin.out.45369362
deleted file mode 100644
index a19df44e0dc9711abf86cb05e89c4387a056b2e0..0000000000000000000000000000000000000000
--- a/results/eac_tamarin.out.45369362
+++ /dev/null
@@ -1,6750 +0,0 @@
-maude tool: 'maude'
- checking version: 3.3.1. OK.
- checking installation: OK.
-theory BasicEAC begin
-
-// Function signature and definition of the equational theory E
-
-builtins: diffie-hellman
-functions: ca_sk/0[private,destructor], cert/3, cert_id/1, cert_pk/1,
-           cert_sig/1, fst/1, kdf_enc/2, kdf_mac/2, mac/2, pair/2, pk/1, sign/2,
-           snd/1, true/0, verify/3
-equations:
-    cert_id(cert(pk, s, id)) = id,
-    cert_pk(cert(pk, s, id)) = pk,
-    cert_sig(cert(pk, s, id)) = s,
-    fst(<x.1, x.2>) = x.1,
-    snd(<x.1, x.2>) = x.2,
-    verify(sign(x.1, x.2), x.1, pk(x.2)) = true
-
-
-
-
-
-
-
-
-
-macros:
-    verify_cert( cert ) = verify(cert_sig(cert),pair(cert_pk(cert),cert_id(cert)),pk(ca_sk))
-
-rule (modulo E) Publish_ca_pk:
-   [ ] --> [ Out( pk(ca_sk) ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Generate_static_ltk:
-   [ Fr( ~ltk ) ]
-  -->
-   [ !Pk( $A, pk(~ltk) ), !Ltk( $A, ~ltk ), Out( pk(~ltk) ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Generate_static_dh:
-   [ Fr( ~ltk ) ]
-  -->
-   [ !PkDH( $A, 'g'^~ltk ), !LtkDH( $A, ~ltk ), Out( 'g'^~ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_Sign_ltk:
-   [ !Pk( A, pk ) ]
-  -->
-   [
-   !Cert( A, cert(pk, sign(<pk, A>, ca_sk), A) ),
-   Out( cert(pk, sign(<pk, A>, ca_sk), A) )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_Sign_dh:
-   [ !PkDH( A, pk ) ]
-  -->
-   [
-   !CertDH( A, cert(pk, sign(<pk, A>, ca_sk), A) ),
-   Out( cert(pk, sign(<pk, A>, ca_sk), A) )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_ltk:
-   [ !Ltk( $A, ltk ) ] --[ Corrupted( $A ) ]-> [ Out( ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_dh:
-   [ !LtkDH( $A, ltk ) ] --[ Corrupted( $A ) ]-> [ Out( ltk ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) Reveal_session:
-   [ !SessionReveal( uid, k ) ] --[ Revealed( uid ) ]-> [ Out( k ) ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT ), Fr( ~skTe ), Fr( ~iid ) ]
-  -->
-   [
-   Out( <certT, 'g'^~skTe, 'TA_INIT', '1', 't'> ),
-   TAInitT( <$T, ~iid>, ~skTe )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) TA_CHALLENGE_C:
-   [
-   In( <certT, pkTe, 'TA_INIT', '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ),
-   Fr( ~iid )
-   ]
-  --[ Eq( verify_cert(certT), true ) ]->
-   [
-   Out( <~id_c, ~r1, 'TA_CHALLENGE', '2', 'c'> ),
-   TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
-   ]
-
-  /*
-  rule (modulo AC) TA_CHALLENGE_C:
-     [
-     In( <certT, pkTe, 'TA_INIT', '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ),
-     Fr( ~iid )
-     ]
-    --[ Eq( z, true ) ]->
-     [
-     Out( <~id_c, ~r1, 'TA_CHALLENGE', '2', 'c'> ),
-     TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
-     ]
-    variants (modulo AC)
-    1. certT = certT.15
-       z     = verify(cert_sig(certT.15),
-                      <cert_pk(certT.15), cert_id(certT.15)>, pk(ca_sk))
-    
-    2. certT = cert(x.16, sign(<x.16, x.17>, ca_sk), x.17)
-       z     = true
-    
-    3. certT = cert(x.17, x.18, x.19)
-       z     = verify(x.18, <x.17, x.19>, pk(ca_sk))
-  */
-
-rule (modulo E) TA_RESPONSE_T:
-   [
-   In( <id_c, r1, 'TA_CHALLENGE', '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
-   !Ltk( $T, ~skT )
-   ]
-  -->
-   [
-   Out( <sign(<id_c, r1, 'g'^skTe>, ~skT), 'TA_RESPONSE', '3', 't'> ),
-   TAResponseT( <$T, iid>, skTe, id_c )
-   ]
-
-  /*
-  rule (modulo AC) TA_RESPONSE_T:
-     [
-     In( <id_c, r1, 'TA_CHALLENGE', '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
-     !Ltk( $T, ~skT )
-     ]
-    -->
-     [
-     Out( <sign(<id_c, r1, z>, ~skT), 'TA_RESPONSE', '3', 't'> ),
-     TAResponseT( <$T, iid>, skTe, id_c )
-     ]
-    variants (modulo AC)
-    1. skTe  = skTe.12
-       z     = 'g'^skTe.12
-    
-    2. skTe  = one
-       z     = 'g'
-  */
-
-rule (modulo E) TA_COMPLETE_C:
-   [
-   In( <s, 'TA_RESPONSE', '3', 't'> ),
-   TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 )
-   ]
-  --[ Eq( verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true ) ]->
-   [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
-
-  /*
-  rule (modulo AC) TA_COMPLETE_C:
-     [
-     In( <s, 'TA_RESPONSE', '3', 't'> ),
-     TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 )
-     ]
-    --[ Eq( z, true ) ]->
-     [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
-    variants (modulo AC)
-    1. certT = certT.18
-       id_c  = id_c.19
-       pkTe  = pkTe.21
-       r1    = r1.22
-       s     = s.23
-       z     = verify(s.23, <id_c.19, r1.22, pkTe.21>, cert_pk(certT.18))
-    
-    2. certT = cert(x.60, x.61, x.62)
-       id_c  = id_c.33
-       pkTe  = pkTe.35
-       r1    = r1.36
-       s     = s.37
-       z     = verify(s.37, <id_c.33, r1.36, pkTe.35>, x.60)
-    
-    3. certT = cert(pk(x.60), x.61, x.62)
-       id_c  = id_c.33
-       pkTe  = pkTe.35
-       r1    = r1.36
-       s     = sign(<id_c.33, r1.36, pkTe.35>, x.60)
-       z     = true
-  */
-
-rule (modulo E) CA_INIT_C:
-   [
-   !CertDH( $C, certC ), Fr( ~r2 ),
-   TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 )
-   ]
-  -->
-   [
-   Out( <certC, 'CA_INIT', '4', 'c'> ),
-   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, ~r2 )
-   ]
-
-  /* has exactly the trivial AC variant */
-
-rule (modulo E) CA_INIT_T:
-   [
-   In( <certC, 'CA_INIT', '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c )
-   ]
-  --[ Eq( verify_cert(certC), true ) ]->
-   [
-   Out( <'g'^skTe, 'CA_COMMIT', '5', 't'> ),
-   CAInitT( <$T, iid>, skTe, id_c, certC )
-   ]
-
-  /*
-  rule (modulo AC) CA_INIT_T:
-     [
-     In( <certC, 'CA_INIT', '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c )
-     ]
-    --[ Eq( z.1, true ) ]->
-     [
-     Out( <z, 'CA_COMMIT', '5', 't'> ),
-     CAInitT( <$T, iid>, skTe, id_c, certC )
-     ]
-    variants (modulo AC)
-    1. certC = certC.15
-       skTe  = one
-       z     = 'g'
-       z.1   = verify(cert_sig(certC.15),
-                      <cert_pk(certC.15), cert_id(certC.15)>, pk(ca_sk))
-    
-    2. certC = certC.18
-       skTe  = skTe.21
-       z     = 'g'^skTe.21
-       z.1   = verify(cert_sig(certC.18),
-                      <cert_pk(certC.18), cert_id(certC.18)>, pk(ca_sk))
-    
-    3. certC = cert(x.16, sign(<x.16, x.17>, ca_sk), x.17)
-       skTe  = one
-       z     = 'g'
-       z.1   = true
-    
-    4. certC = cert(x.17, x.18, x.19)
-       skTe  = one
-       z     = 'g'
-       z.1   = verify(x.18, <x.17, x.19>, pk(ca_sk))
-    
-    5. certC = cert(x.115, sign(<x.115, x.116>, ca_sk), x.116)
-       skTe  = skTe.61
-       z     = 'g'^skTe.61
-       z.1   = true
-    
-    6. certC = cert(x.116, x.117, x.118)
-       skTe  = skTe.62
-       z     = 'g'^skTe.62
-       z.1   = verify(x.117, <x.116, x.118>, pk(ca_sk))
-  */
-
-rule (modulo E) CA_FINISH_C:
-   [
-   In( <pkTe_t, 'CA_COMMIT', '5', 't'> ),
-   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ), !LtkDH( $C, ~skC )
-   ]
-  --[
-  Eq( pkTe_t, pkTe ),
-  Completed( <kdf_enc(pkTe^~skC, r2), kdf_mac(pkTe^~skC, r2)>,
-             <pkTe, 'g'^~skC, id_c, r2>, $C, 'chip', cert_id(certT)
-  )
-  ]->
-   [
-   Out( <r2, mac(kdf_mac(pkTe^~skC, r2), pkTe), 'CA_RESPONSE', '6', 'c'> ),
-   CAFinishC( $C, cert_id(certT), kdf_enc(pkTe^~skC, r2) ), Out( iid )
-   ]
-
-  /*
-  rule (modulo AC) CA_FINISH_C:
-     [
-     In( <pkTe_t, 'CA_COMMIT', '5', 't'> ),
-     CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ), !LtkDH( $C, ~skC )
-     ]
-    --[
-    Eq( pkTe_t, pkTe ),
-    Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, <pkTe, 'g'^~skC, id_c, r2>,
-               $C, 'chip', z.1
-    )
-    ]->
-     [
-     Out( <r2, mac(kdf_mac(z, r2), pkTe), 'CA_RESPONSE', '6', 'c'> ),
-     CAFinishC( $C, z.1, kdf_enc(z, r2) ), Out( iid )
-     ]
-    variants (modulo AC)
-     1. ~skC  = ~skC.23
-        certT = certT.24
-        pkTe  = pkTe.27
-        z     = pkTe.27^~skC.23
-        z.1   = cert_id(certT.24)
-    
-     2. ~skC  = ~skC.30
-        certT = certT.31
-        pkTe  = z.41^inv(~skC.30)
-        z     = z.41
-        z.1   = cert_id(certT.31)
-    
-     3. ~skC  = ~skC.216
-        certT = certT.217
-        pkTe  = x.428^x.429
-        z     = x.428^(~skC.216*x.429)
-        z.1   = cert_id(certT.217)
-    
-     4. ~skC  = ~skC.216
-        certT = cert(x.428, x.429, z.231)
-        pkTe  = pkTe.220
-        z     = pkTe.220^~skC.216
-        z.1   = z.231
-    
-     5. ~skC  = ~skC.217
-        certT = cert(x.430, x.431, z.232)
-        pkTe  = z.228^inv(~skC.217)
-        z     = z.228
-        z.1   = z.232
-    
-     6. ~skC  = ~skC.220
-        certT = certT.221
-        pkTe  = x.436^inv((~skC.220*x.437))
-        z     = x.436^inv(x.437)
-        z.1   = cert_id(certT.221)
-    
-     7. ~skC  = ~skC.220
-        certT = certT.221
-        pkTe  = x.436^(x.437*inv(~skC.220))
-        z     = x.436^x.437
-        z.1   = cert_id(certT.221)
-    
-     8. ~skC  = ~skC.221
-        certT = certT.222
-        pkTe  = x.437^(x.438*inv((~skC.221*x.439)))
-        z     = x.437^(x.438*inv(x.439))
-        z.1   = cert_id(certT.222)
-    
-     9. ~skC  = ~skC.221
-        certT = cert(x.433, x.434, z.236)
-        pkTe  = x.438^x.439
-        z     = x.438^(~skC.221*x.439)
-        z.1   = z.236
-    
-    10. ~skC  = ~skC.222
-        certT = cert(x.435, x.436, z.237)
-        pkTe  = x.440^inv((~skC.222*x.441))
-        z     = x.440^inv(x.441)
-        z.1   = z.237
-    
-    11. ~skC  = ~skC.222
-        certT = cert(x.435, x.436, z.237)
-        pkTe  = x.440^(x.441*inv(~skC.222))
-        z     = x.440^x.441
-        z.1   = z.237
-    
-    12. ~skC  = ~skC.223
-        certT = cert(x.436, x.437, z.238)
-        pkTe  = x.441^(x.442*inv((~skC.223*x.443)))
-        z     = x.441^(x.442*inv(x.443))
-        z.1   = z.238
-    
-    13. certT = certT.19
-        pkTe  = DH_neutral
-        z     = DH_neutral
-        z.1   = cert_id(certT.19)
-    
-    14. certT = cert(x.233, x.234, z.126)
-        pkTe  = DH_neutral
-        z     = DH_neutral
-        z.1   = z.126
-  */
-
-rule (modulo E) CA_FINISH_T:
-   [
-   In( <r2, tag, 'CA_RESPONSE', '6', 'c'> ),
-   CAInitT( <$T, iid>, skTe, id_c, certC )
-   ]
-  --[
-  Eq( mac(kdf_mac(cert_pk(certC)^skTe, r2), 'g'^skTe), tag ),
-  Completed( <kdf_enc(cert_pk(certC)^skTe, r2), 
-              kdf_mac(cert_pk(certC)^skTe, r2)>,
-             <'g'^skTe, cert_pk(certC), id_c, r2>, $T, 'terminal', cert_id(certC)
-  ),
-  Finished( <'g'^skTe, cert_pk(certC), id_c, r2> )
-  ]->
-   [
-   CAFinishT( cert_id(certC), $T, kdf_enc(cert_pk(certC)^skTe, r2) ),
-   !SessionReveal( <$T, iid>, skTe ), Out( iid )
-   ]
-
-  /*
-  rule (modulo AC) CA_FINISH_T:
-     [
-     In( <r2, tag, 'CA_RESPONSE', '6', 'c'> ),
-     CAInitT( <$T, iid>, skTe, id_c, certC )
-     ]
-    --[
-    Eq( mac(kdf_mac(z.1, r2), z.2), tag ),
-    Completed( <kdf_enc(z.1, r2), kdf_mac(z.1, r2)>, <z.2, z.3, id_c, r2>,
-               $T, 'terminal', z
-    ),
-    Finished( <z.2, z.3, id_c, r2> )
-    ]->
-     [
-     CAFinishT( z, $T, kdf_enc(z.1, r2) ), !SessionReveal( <$T, iid>, skTe ),
-     Out( iid )
-     ]
-    variants (modulo AC)
-     1. certC = certC.16
-        skTe  = one
-        z     = cert_id(certC.16)
-        z.1   = cert_pk(certC.16)
-        z.2   = 'g'
-        z.3   = cert_pk(certC.16)
-    
-     2. certC = certC.20
-        skTe  = skTe.24
-        z     = cert_id(certC.20)
-        z.1   = cert_pk(certC.20)^skTe.24
-        z.2   = 'g'^skTe.24
-        z.3   = cert_pk(certC.20)
-    
-     3. certC = cert(z.33, x.52, z.32)
-        skTe  = one
-        z     = z.32
-        z.1   = z.33
-        z.2   = 'g'
-        z.3   = z.33
-    
-     4. certC = cert(z.55, x.87, z.52)
-        skTe  = skTe.47
-        z     = z.52
-        z.1   = z.55^skTe.47
-        z.2   = 'g'^skTe.47
-        z.3   = z.55
-    
-     5. certC = cert(DH_neutral, x.85, z.51)
-        skTe  = skTe.46
-        z     = z.51
-        z.1   = DH_neutral
-        z.2   = 'g'^skTe.46
-        z.3   = DH_neutral
-    
-     6. certC = cert(z.34^x.53, x.54, z.33)
-        skTe  = inv(x.53)
-        z     = z.33
-        z.1   = z.34
-        z.2   = 'g'^inv(x.53)
-        z.3   = z.34^x.53
-    
-     7. certC = cert(z.35^(x.54*inv(x.55)), x.56, z.34)
-        skTe  = (x.55*inv(x.54))
-        z     = z.34
-        z.1   = z.35
-        z.2   = 'g'^(x.55*inv(x.54))
-        z.3   = z.35^(x.54*inv(x.55))
-    
-     8. certC = cert(x.53^(x.54*x.55), x.56, z.34)
-        skTe  = inv(x.54)
-        z     = z.34
-        z.1   = x.53^x.55
-        z.2   = 'g'^inv(x.54)
-        z.3   = x.53^(x.54*x.55)
-    
-     9. certC = cert(x.54^(x.55*x.56*inv(x.57)), x.58, z.35)
-        skTe  = (x.57*inv(x.56))
-        z     = z.35
-        z.1   = x.54^x.55
-        z.2   = 'g'^(x.57*inv(x.56))
-        z.3   = x.54^(x.55*x.56*inv(x.57))
-    
-    10. certC = cert(x.54^(x.55*inv((x.56*x.57))), x.58, z.35)
-        skTe  = (x.57*inv(x.55))
-        z     = z.35
-        z.1   = x.54^inv(x.56)
-        z.2   = 'g'^(x.57*inv(x.55))
-        z.3   = x.54^(x.55*inv((x.56*x.57)))
-    
-    11. certC = cert(z.54^inv(skTe.48), x.89, z.53)
-        skTe  = skTe.48
-        z     = z.53
-        z.1   = z.54
-        z.2   = 'g'^skTe.48
-        z.3   = z.54^inv(skTe.48)
-    
-    12. certC = cert(x.55^(x.56*x.57*inv((x.58*x.59))), x.60, z.36)
-        skTe  = (x.59*inv(x.57))
-        z     = z.36
-        z.1   = x.55^(x.56*inv(x.58))
-        z.2   = 'g'^(x.59*inv(x.57))
-        z.3   = x.55^(x.56*x.57*inv((x.58*x.59)))
-    
-    13. certC = cert(x.57^x.58, x.59, z.38)
-        skTe  = inv((x.58*x.64))
-        z     = z.38
-        z.1   = x.57^inv(x.64)
-        z.2   = 'g'^inv((x.58*x.64))
-        z.3   = x.57^x.58
-    
-    14. certC = cert(x.57^x.58, x.59, z.38)
-        skTe  = (x.64*inv(x.58))
-        z     = z.38
-        z.1   = x.57^x.64
-        z.2   = 'g'^(x.64*inv(x.58))
-        z.3   = x.57^x.58
-    
-    15. certC = cert(x.57^inv(x.58), x.59, z.38)
-        skTe  = inv(x.64)
-        z     = z.38
-        z.1   = x.57^inv((x.58*x.64))
-        z.2   = 'g'^inv(x.64)
-        z.3   = x.57^inv(x.58)
-    
-    16. certC = cert(x.57^inv(x.58), x.59, z.38)
-        skTe  = (x.58*x.64)
-        z     = z.38
-        z.1   = x.57^x.64
-        z.2   = 'g'^(x.58*x.64)
-        z.3   = x.57^inv(x.58)
-    
-    17. certC = cert(x.58^x.59, x.60, z.39)
-        skTe  = (x.65*inv((x.59*x.66)))
-        z     = z.39
-        z.1   = x.58^(x.65*inv(x.66))
-        z.2   = 'g'^(x.65*inv((x.59*x.66)))
-        z.3   = x.58^x.59
-    
-    18. certC = cert(x.58^inv(x.59), x.60, z.39)
-        skTe  = (x.65*inv(x.66))
-        z     = z.39
-        z.1   = x.58^(x.65*inv((x.59*x.66)))
-        z.2   = 'g'^(x.65*inv(x.66))
-        z.3   = x.58^inv(x.59)
-    
-    19. certC = cert(x.58^inv((x.59*x.60)), x.61, z.39)
-        skTe  = (x.59*x.66)
-        z     = z.39
-        z.1   = x.58^(x.66*inv(x.60))
-        z.2   = 'g'^(x.59*x.66)
-        z.3   = x.58^inv((x.59*x.60))
-    
-    20. certC = cert(x.58^inv((x.59*x.60)), x.61, z.39)
-        skTe  = (x.59*inv(x.66))
-        z     = z.39
-        z.1   = x.58^inv((x.60*x.66))
-        z.2   = 'g'^(x.59*inv(x.66))
-        z.3   = x.58^inv((x.59*x.60))
-    
-    21. certC = cert(x.58^(x.59*x.60), x.61, z.39)
-        skTe  = inv((x.59*x.66))
-        z     = z.39
-        z.1   = x.58^(x.60*inv(x.66))
-        z.2   = 'g'^inv((x.59*x.66))
-        z.3   = x.58^(x.59*x.60)
-    
-    22. certC = cert(x.58^(x.59*x.60), x.61, z.39)
-        skTe  = (x.66*inv(x.59))
-        z     = z.39
-        z.1   = x.58^(x.60*x.66)
-        z.2   = 'g'^(x.66*inv(x.59))
-        z.3   = x.58^(x.59*x.60)
-    
-    23. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = inv(x.66)
-        z     = z.39
-        z.1   = x.58^(x.59*inv((x.60*x.66)))
-        z.2   = 'g'^inv(x.66)
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    24. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = inv((x.59*x.66))
-        z     = z.39
-        z.1   = x.58^inv((x.60*x.66))
-        z.2   = 'g'^inv((x.59*x.66))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    25. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*x.66)
-        z     = z.39
-        z.1   = x.58^(x.59*x.66)
-        z.2   = 'g'^(x.60*x.66)
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    26. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*x.66*inv(x.59))
-        z     = z.39
-        z.1   = x.58^x.66
-        z.2   = 'g'^(x.60*x.66*inv(x.59))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    27. certC = cert(x.58^(x.59*inv(x.60)), x.61, z.39)
-        skTe  = (x.60*inv((x.59*x.66)))
-        z     = z.39
-        z.1   = x.58^inv(x.66)
-        z.2   = 'g'^(x.60*inv((x.59*x.66)))
-        z.3   = x.58^(x.59*inv(x.60))
-    
-    28. certC = cert(x.59^inv((x.60*x.61)), x.62, z.40)
-        skTe  = (x.60*x.67*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.60*x.67*inv(x.68))
-        z.3   = x.59^inv((x.60*x.61))
-    
-    29. certC = cert(x.59^(x.60*x.61), x.62, z.40)
-        skTe  = (x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.61*x.67*inv(x.68))
-        z.2   = 'g'^(x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*x.61)
-    
-    30. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = inv((x.61*x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*inv((x.62*x.68)))
-        z.2   = 'g'^inv((x.61*x.68))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    31. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = (x.62*x.68*inv(x.60))
-        z     = z.40
-        z.1   = x.59^(x.61*x.68)
-        z.2   = 'g'^(x.62*x.68*inv(x.60))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    32. certC = cert(x.59^(x.60*x.61*inv(x.62)), x.63, z.40)
-        skTe  = (x.62*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.61*inv(x.68))
-        z.2   = 'g'^(x.62*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*x.61*inv(x.62))
-    
-    33. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.61*x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.67*inv(x.68))
-        z.2   = 'g'^(x.61*x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    34. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.67*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.67*inv(x.68))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    35. certC = cert(x.59^(x.60*inv(x.61)), x.62, z.40)
-        skTe  = (x.67*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^(x.67*inv((x.61*x.68)))
-        z.2   = 'g'^(x.67*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv(x.61))
-    
-    36. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*x.68)
-        z     = z.40
-        z.1   = x.59^(x.60*x.68*inv(x.62))
-        z.2   = 'g'^(x.61*x.68)
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    37. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*x.68*inv(x.60))
-        z     = z.40
-        z.1   = x.59^(x.68*inv(x.62))
-        z.2   = 'g'^(x.61*x.68*inv(x.60))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    38. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*inv(x.68))
-        z     = z.40
-        z.1   = x.59^(x.60*inv((x.62*x.68)))
-        z.2   = 'g'^(x.61*inv(x.68))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    39. certC = cert(x.59^(x.60*inv((x.61*x.62))), x.63, z.40)
-        skTe  = (x.61*inv((x.60*x.68)))
-        z     = z.40
-        z.1   = x.59^inv((x.62*x.68))
-        z.2   = 'g'^(x.61*inv((x.60*x.68)))
-        z.3   = x.59^(x.60*inv((x.61*x.62)))
-    
-    40. certC = cert(x.60^(x.61*x.62*inv(x.63)), x.64, z.41)
-        skTe  = (x.63*x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*x.69*inv(x.70))
-        z.2   = 'g'^(x.63*x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv(x.63))
-    
-    41. certC = cert(x.60^(x.61*x.62*inv(x.63)), x.64, z.41)
-        skTe  = (x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv(x.63))
-    
-    42. certC = cert(x.60^(x.61*x.62*inv((x.63*x.64))), x.65, z.41)
-        skTe  = (x.63*x.70*inv(x.61))
-        z     = z.41
-        z.1   = x.60^(x.62*x.70*inv(x.64))
-        z.2   = 'g'^(x.63*x.70*inv(x.61))
-        z.3   = x.60^(x.61*x.62*inv((x.63*x.64)))
-    
-    43. certC = cert(x.60^(x.61*x.62*inv((x.63*x.64))), x.65, z.41)
-        skTe  = (x.63*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.62*inv((x.64*x.70)))
-        z.2   = 'g'^(x.63*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*x.62*inv((x.63*x.64)))
-    
-    44. certC = cert(x.60^(x.61*inv((x.62*x.63))), x.64, z.41)
-        skTe  = (x.62*x.69*inv(x.70))
-        z     = z.41
-        z.1   = x.60^(x.61*x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.62*x.69*inv(x.70))
-        z.3   = x.60^(x.61*inv((x.62*x.63)))
-    
-    45. certC = cert(x.60^(x.61*inv((x.62*x.63))), x.64, z.41)
-        skTe  = (x.62*x.69*inv((x.61*x.70)))
-        z     = z.41
-        z.1   = x.60^(x.69*inv((x.63*x.70)))
-        z.2   = 'g'^(x.62*x.69*inv((x.61*x.70)))
-        z.3   = x.60^(x.61*inv((x.62*x.63)))
-    
-    46. certC = cert(x.61^(x.62*x.63*inv((x.64*x.65))), x.66, z.42)
-        skTe  = (x.64*x.71*inv((x.62*x.72)))
-        z     = z.42
-        z.1   = x.61^(x.63*x.71*inv((x.65*x.72)))
-        z.2   = 'g'^(x.64*x.71*inv((x.62*x.72)))
-        z.3   = x.61^(x.62*x.63*inv((x.64*x.65)))
-    
-    47. certC = cert(x.87^x.88, x.89, z.53)
-        skTe  = skTe.48
-        z     = z.53
-        z.1   = x.87^(skTe.48*x.88)
-        z.2   = 'g'^skTe.48
-        z.3   = x.87^x.88
-    
-    48. certC = cert(x.88^inv((skTe.49*x.89)), x.91, z.54)
-        skTe  = skTe.49
-        z     = z.54
-        z.1   = x.88^inv(x.89)
-        z.2   = 'g'^skTe.49
-        z.3   = x.88^inv((skTe.49*x.89))
-    
-    49. certC = cert(x.88^(x.89*inv(skTe.49)), x.91, z.54)
-        skTe  = skTe.49
-        z     = z.54
-        z.1   = x.88^x.89
-        z.2   = 'g'^skTe.49
-        z.3   = x.88^(x.89*inv(skTe.49))
-    
-    50. certC = cert(x.89^(x.90*inv((skTe.50*x.91))), x.93, z.55)
-        skTe  = skTe.50
-        z     = z.55
-        z.1   = x.89^(x.90*inv(x.91))
-        z.2   = 'g'^skTe.50
-        z.3   = x.89^(x.90*inv((skTe.50*x.91)))
-  */
-
-restriction Equality:
-  "∀ x y #i. (Eq( x, y ) @ #i) ⇒ (x = y)"
-  // safety formula
-
-lemma weak_agreement_C:
-  all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
-  case CA_INIT_T
-  solve( Completed( k, <'g'^~skTe, z.1, id_c, r2>, C, 'chip', T.1 ) @ #i )
-    case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, certT, 'g'^~skTe, id_c, r1, r2 ) ▶₁ #i )
-      case CA_INIT_C
-      solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-        case Generate_static_dh
-        solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, x) ) @ #vk.37 )
-          case TA_RESPONSE_T
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, z>, ca_sk), z) ) @ #vk.17 )
-            case CA_INIT_C
-            solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.45 )
-              case TA_RESPONSE_T
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.45 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_cert
-                solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.54 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.57 )
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.44 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_cert
-                solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.55 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.58 )
-                qed
-              qed
-            qed
-          next
-            case CA_Sign_dh
-            solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.40 )
-              case CA_Sign_ltk
-              by contradiction /* from formulas */
-            next
-              case TA_INIT_T
-              by contradiction /* from formulas */
-            next
-              case c_cert
-              solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.44 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.47 )
-              qed
-            qed
-          next
-            case c_cert
-            solve( !KU( sign(<'g'^~skC, z>, ca_sk) ) @ #vk.44 )
-              case CA_INIT_C
-              solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.48 )
-                case TA_RESPONSE_T
-                solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.46 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.57 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.60 )
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.45 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.58 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.61 )
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_dh
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.41 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_cert
-                solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.47 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.50 )
-                qed
-              qed
-            next
-              case c_sign
-              by solve( !KU( ca_sk ) @ #vk.47 )
-            qed
-          qed
-        next
-          case c_sign
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, z>, ca_sk), z) ) @ #vk.17 )
-            case CA_INIT_C
-            solve( !KU( sign(<~id_c.1, ~r1.2, pkTe>, x.1) ) @ #vk.49 )
-              case TA_RESPONSE_T
-              solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.47 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.51 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.51 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.58 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.61 )
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.46 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.49 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.49 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.59 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.62 )
-                qed
-              qed
-            qed
-          next
-            case CA_Sign_dh
-            solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.42 )
-              case CA_Sign_ltk
-              solve( !KU( ~ltk ) @ #vk.45 )
-                case Reveal_ltk
-                by contradiction /* from formulas */
-              qed
-            next
-              case TA_INIT_T
-              solve( !KU( ~ltk ) @ #vk.45 )
-                case Reveal_ltk
-                by contradiction /* from formulas */
-              qed
-            next
-              case c_cert
-              solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.48 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.51 )
-              qed
-            qed
-          next
-            case c_cert
-            solve( !KU( sign(<'g'^~skC, z>, ca_sk) ) @ #vk.48 )
-              case CA_INIT_C
-              solve( !KU( sign(<~id_c.1, ~r1.2, pkTe>, x.1) ) @ #vk.52 )
-                case TA_RESPONSE_T
-                solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.48 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.61 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk ) @ #vk.53 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.53 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.64 )
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.47 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.62 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk ) @ #vk.51 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.51 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.65 )
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_dh
-              solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.43 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.51 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.47 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.47 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.54 )
-                qed
-              qed
-            next
-              case c_sign
-              by solve( !KU( ca_sk ) @ #vk.51 )
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma weak_agreement_T:
-  all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
-  case CA_INIT_T
-  solve( Completed( k, <'g'^~skTe, z.1, id_c, r2>, T.1, 'terminal', C
-         ) @ #i )
-    case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, ~skTe, id_c, certC ) ▶₁ #i )
-      case CA_INIT_T
-      solve( !KU( mac(kdf_mac(z, r2), 'g'^~skTe) ) @ #vk.3 )
-        case CA_FINISH_C
-        solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.37 )
-          case c_sign
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, C>, ca_sk), C) ) @ #vk.17 )
-            case CA_Sign_dh
-            solve( !KU( cert(pk(x), sign(<pk(x), z>, ca_sk), z) ) @ #vk.42 )
-              case CA_Sign_ltk
-              solve( !KU( ~ltk ) @ #vk.45 )
-                case Reveal_ltk
-                solve( !KU( ~r2 ) @ #vk.10 )
-                  case CA_FINISH_C
-                  solve( !KU( ~id_c.1 ) @ #vk.46 )
-                    case TA_CHALLENGE_C
-                    solve( !KU( ~r1 ) @ #vk.47 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( 'g'^~skTe ) @ #vk.32 )
-                        case CA_INIT_T
-                        SOLVED // trace found
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma agreement_C:
-  all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
-  case CA_INIT_T
-  solve( Completed( k, <'g'^~skTe, z.1, id_c, r2>, C, 'chip', T.1 ) @ #i )
-    case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, certT, 'g'^~skTe, id_c, r1, r2 ) ▶₁ #i )
-      case CA_INIT_C
-      solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-        case Generate_static_dh
-        solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, x) ) @ #vk.37 )
-          case TA_RESPONSE_T
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, z>, ca_sk), z) ) @ #vk.17 )
-            case CA_INIT_C
-            solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.45 )
-              case TA_RESPONSE_T
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.45 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_cert
-                solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.54 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.57 )
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.44 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_cert
-                solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.55 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.58 )
-                qed
-              qed
-            qed
-          next
-            case CA_Sign_dh
-            solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.40 )
-              case CA_Sign_ltk
-              by contradiction /* from formulas */
-            next
-              case TA_INIT_T
-              by contradiction /* from formulas */
-            next
-              case c_cert
-              solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.44 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.47 )
-              qed
-            qed
-          next
-            case c_cert
-            solve( !KU( sign(<'g'^~skC, z>, ca_sk) ) @ #vk.44 )
-              case CA_INIT_C
-              solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.48 )
-                case TA_RESPONSE_T
-                solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.46 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.57 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.60 )
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.45 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.58 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.61 )
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_dh
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), T>, ca_sk), T) ) @ #vk.41 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_cert
-                solve( !KU( sign(<pk(~skT), T>, ca_sk) ) @ #vk.47 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.50 )
-                qed
-              qed
-            next
-              case c_sign
-              by solve( !KU( ca_sk ) @ #vk.47 )
-            qed
-          qed
-        next
-          case c_sign
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, z>, ca_sk), z) ) @ #vk.17 )
-            case CA_INIT_C
-            solve( !KU( sign(<~id_c.1, ~r1.2, pkTe>, x.1) ) @ #vk.49 )
-              case TA_RESPONSE_T
-              solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.47 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.51 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.51 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.58 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.61 )
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.46 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.49 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.49 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.59 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.62 )
-                qed
-              qed
-            qed
-          next
-            case CA_Sign_dh
-            solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.42 )
-              case CA_Sign_ltk
-              solve( !KU( ~ltk ) @ #vk.45 )
-                case Reveal_ltk
-                by contradiction /* from formulas */
-              qed
-            next
-              case TA_INIT_T
-              solve( !KU( ~ltk ) @ #vk.45 )
-                case Reveal_ltk
-                by contradiction /* from formulas */
-              qed
-            next
-              case c_cert
-              solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.48 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.51 )
-              qed
-            qed
-          next
-            case c_cert
-            solve( !KU( sign(<'g'^~skC, z>, ca_sk) ) @ #vk.48 )
-              case CA_INIT_C
-              solve( !KU( sign(<~id_c.1, ~r1.2, pkTe>, x.1) ) @ #vk.52 )
-                case TA_RESPONSE_T
-                solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.48 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.61 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk ) @ #vk.53 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.53 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.64 )
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.47 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.62 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk ) @ #vk.51 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.51 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.65 )
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_dh
-              solve( !KU( cert(pk(x), sign(<pk(x), T>, ca_sk), T) ) @ #vk.43 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(x), T>, ca_sk) ) @ #vk.51 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.47 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.47 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.54 )
-                qed
-              qed
-            next
-              case c_sign
-              by solve( !KU( ca_sk ) @ #vk.51 )
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma agreement_T:
-  all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
-  case CA_INIT_T
-  solve( Completed( k, <'g'^~skTe, z.1, id_c, r2>, T.1, 'terminal', C
-         ) @ #i )
-    case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, ~skTe, id_c, certC ) ▶₁ #i )
-      case CA_INIT_T
-      solve( !KU( mac(kdf_mac(z, r2), 'g'^~skTe) ) @ #vk.3 )
-        case CA_FINISH_C
-        solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.37 )
-          case c_sign
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, C>, ca_sk), C) ) @ #vk.17 )
-            case CA_Sign_dh
-            solve( !KU( cert(pk(x), sign(<pk(x), z>, ca_sk), z) ) @ #vk.42 )
-              case CA_Sign_ltk
-              solve( !KU( ~ltk ) @ #vk.45 )
-                case Reveal_ltk
-                solve( !KU( ~r2 ) @ #vk.10 )
-                  case CA_FINISH_C
-                  solve( !KU( ~id_c.1 ) @ #vk.46 )
-                    case TA_CHALLENGE_C
-                    solve( !KU( ~r1 ) @ #vk.47 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( 'g'^~skTe ) @ #vk.32 )
-                        case CA_INIT_T
-                        SOLVED // trace found
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma aliveness:
-  all-traces
-  "∀ k sid A role B #i #t.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
-     (∃ #k.1. Corrupted( B ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid A role B #i #t.
-  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
-  case CA_INIT_T
-  solve( Completed( k, <'g'^~skTe, z.1, id_c, r2>, A, role, B ) @ #i )
-    case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, certT, 'g'^~skTe, id_c, r1, r2 ) ▶₁ #i )
-      case CA_INIT_C
-      solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-        case Generate_static_dh
-        solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, x) ) @ #vk.37 )
-          case TA_RESPONSE_T
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, z>, ca_sk), z) ) @ #vk.17 )
-            case CA_INIT_C
-            solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.45 )
-              case TA_RESPONSE_T
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.45 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_cert
-                solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.54 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.57 )
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.44 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_cert
-                solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.55 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.58 )
-                qed
-              qed
-            qed
-          next
-            case CA_Sign_dh
-            solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.40 )
-              case CA_Sign_ltk
-              by contradiction /* from formulas */
-            next
-              case TA_INIT_T
-              by contradiction /* from formulas */
-            next
-              case c_cert
-              solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.44 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.47 )
-              qed
-            qed
-          next
-            case c_cert
-            solve( !KU( sign(<'g'^~skC, z>, ca_sk) ) @ #vk.44 )
-              case CA_INIT_C
-              solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.48 )
-                case TA_RESPONSE_T
-                solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.46 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.57 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.60 )
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.45 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.58 )
-                    case CA_Sign_ltk
-                    by contradiction /* from formulas */
-                  next
-                    case TA_INIT_T
-                    by contradiction /* from formulas */
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.61 )
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_dh
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), B>, ca_sk), B) ) @ #vk.41 )
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case TA_INIT_T
-                by contradiction /* from formulas */
-              next
-                case c_cert
-                solve( !KU( sign(<pk(~skT), B>, ca_sk) ) @ #vk.47 )
-                  case CA_Sign_ltk
-                  by contradiction /* from formulas */
-                next
-                  case TA_INIT_T
-                  by contradiction /* from formulas */
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.50 )
-                qed
-              qed
-            next
-              case c_sign
-              by solve( !KU( ca_sk ) @ #vk.47 )
-            qed
-          qed
-        next
-          case c_sign
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, z>, ca_sk), z) ) @ #vk.17 )
-            case CA_INIT_C
-            solve( !KU( sign(<~id_c.1, ~r1.2, pkTe>, x.1) ) @ #vk.49 )
-              case TA_RESPONSE_T
-              solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.47 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.51 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.51 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.58 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.61 )
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.46 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.49 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.49 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.59 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.62 )
-                qed
-              qed
-            qed
-          next
-            case CA_Sign_dh
-            solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.42 )
-              case CA_Sign_ltk
-              solve( !KU( ~ltk ) @ #vk.45 )
-                case Reveal_ltk
-                by contradiction /* from formulas */
-              qed
-            next
-              case TA_INIT_T
-              solve( !KU( ~ltk ) @ #vk.45 )
-                case Reveal_ltk
-                by contradiction /* from formulas */
-              qed
-            next
-              case c_cert
-              solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.48 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.51 )
-              qed
-            qed
-          next
-            case c_cert
-            solve( !KU( sign(<'g'^~skC, z>, ca_sk) ) @ #vk.48 )
-              case CA_INIT_C
-              solve( !KU( sign(<~id_c.1, ~r1.2, pkTe>, x.1) ) @ #vk.52 )
-                case TA_RESPONSE_T
-                solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.48 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.52 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.61 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk ) @ #vk.53 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.53 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.64 )
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.47 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.62 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk ) @ #vk.51 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.51 )
-                      case Reveal_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.65 )
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_dh
-              solve( !KU( cert(pk(x), sign(<pk(x), B>, ca_sk), B) ) @ #vk.43 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(x), B>, ca_sk) ) @ #vk.51 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk ) @ #vk.47 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.47 )
-                    case Reveal_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.54 )
-                qed
-              qed
-            next
-              case c_sign
-              by solve( !KU( ca_sk ) @ #vk.51 )
-            qed
-          qed
-        qed
-      qed
-    qed
-  next
-    case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, ~skTe, id_c, certC ) ▶₁ #i )
-      case CA_INIT_T
-      solve( !KU( mac(kdf_mac(z, r2), 'g'^~skTe) ) @ #vk.3 )
-        case CA_FINISH_C
-        solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.37 )
-          case TA_RESPONSE_T
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.17 )
-            case CA_INIT_C
-            by contradiction /* from formulas */
-          next
-            case CA_Sign_dh
-            by contradiction /* from formulas */
-          next
-            case c_cert
-            solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.44 )
-              case CA_INIT_C
-              by contradiction /* from formulas */
-            next
-              case CA_Sign_dh
-              by contradiction /* from formulas */
-            next
-              case c_sign
-              by solve( !KU( ca_sk ) @ #vk.47 )
-            qed
-          qed
-        next
-          case c_sign
-          solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.17 )
-            case CA_INIT_C
-            by contradiction /* from formulas */
-          next
-            case CA_Sign_dh
-            by contradiction /* from formulas */
-          next
-            case c_cert
-            solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.49 )
-              case CA_INIT_C
-              by contradiction /* from formulas */
-            next
-              case CA_Sign_dh
-              by contradiction /* from formulas */
-            next
-              case c_sign
-              by solve( !KU( ca_sk ) @ #vk.52 )
-            qed
-          qed
-        qed
-      next
-        case c_mac
-        solve( !KU( cert(z.1, sign(<z.1, B>, ca_sk), B) ) @ #vk.16 )
-          case CA_INIT_C
-          solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.23 )
-            case c_kdf_mac
-            solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.26 )
-              case TA_RESPONSE_T
-              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.41 )
-                case CA_INIT_C
-                solve( !KU( ~skTe ) @ #vk.45 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case CA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.45 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case Generate_static_dh
-                solve( !KU( ~skTe ) @ #vk.45 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.45 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_exp
-                solve( !KU( ~ltk ) @ #vk.47 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.41 )
-                case CA_INIT_C
-                solve( !KU( ~skTe ) @ #vk.46 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case CA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case Generate_static_dh
-                solve( !KU( ~skTe ) @ #vk.46 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.46 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_exp
-                solve( !KU( ~ltk ) @ #vk.48 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              qed
-            qed
-          qed
-        next
-          case CA_Sign_dh
-          solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.23 )
-            case c_kdf_mac
-            solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.25 )
-              case CA_INIT_T
-              solve( !KU( ~ltk ) @ #vk.26 )
-                case Reveal_dh
-                by contradiction /* from formulas */
-              qed
-            next
-              case CA_Sign_dh
-              solve( !KU( ~skTe ) @ #vk.26 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            next
-              case Generate_static_dh
-              solve( !KU( ~skTe ) @ #vk.26 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            next
-              case TA_INIT_T
-              solve( !KU( ~ltk ) @ #vk.26 )
-                case Reveal_dh
-                by contradiction /* from formulas */
-              qed
-            next
-              case c_exp
-              solve( !KU( ~ltk ) @ #vk.28 )
-                case Reveal_dh
-                by contradiction /* from formulas */
-              qed
-            qed
-          qed
-        next
-          case CA_Sign_ltk
-          solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.23 )
-            case c_kdf_mac
-            solve( !KU( pk(~ltk)^~skTe ) @ #vk.25 )
-              case c_exp
-              solve( !KU( ~skTe ) @ #vk.27 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            qed
-          qed
-        next
-          case TA_INIT_T
-          solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.23 )
-            case c_kdf_mac
-            solve( !KU( pk(~ltk)^~skTe ) @ #vk.25 )
-              case c_exp
-              solve( !KU( ~skTe ) @ #vk.27 )
-                case Reveal_session
-                by contradiction /* cyclic */
-              qed
-            qed
-          qed
-        next
-          case c_cert
-          solve( !KU( sign(<z.1, B>, ca_sk) ) @ #vk.26 )
-            case CA_INIT_C
-            solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.24 )
-              case c_kdf_mac
-              solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.29 )
-                case TA_RESPONSE_T
-                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
-                  case CA_INIT_C
-                  solve( !KU( ~skTe ) @ #vk.48 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case CA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.48 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case Generate_static_dh
-                  solve( !KU( ~skTe ) @ #vk.48 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.48 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~ltk ) @ #vk.50 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
-                  case CA_INIT_C
-                  solve( !KU( ~skTe ) @ #vk.49 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case CA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.49 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case Generate_static_dh
-                  solve( !KU( ~skTe ) @ #vk.49 )
-                    case Reveal_session
-                    by contradiction /* cyclic */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.49 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~ltk ) @ #vk.51 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                qed
-              qed
-            qed
-          next
-            case CA_Sign_dh
-            solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.24 )
-              case c_kdf_mac
-              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.28 )
-                case CA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.29 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case CA_Sign_dh
-                solve( !KU( ~skTe ) @ #vk.29 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case Generate_static_dh
-                solve( !KU( ~skTe ) @ #vk.29 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.29 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_exp
-                solve( !KU( ~ltk ) @ #vk.31 )
-                  case Reveal_dh
-                  by contradiction /* from formulas */
-                qed
-              qed
-            qed
-          next
-            case CA_Sign_ltk
-            solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.24 )
-              case c_kdf_mac
-              solve( !KU( pk(~ltk)^~skTe ) @ #vk.28 )
-                case c_exp
-                solve( !KU( ~skTe ) @ #vk.29 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              qed
-            qed
-          next
-            case TA_INIT_T
-            solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.24 )
-              case c_kdf_mac
-              solve( !KU( pk(~ltk)^~skTe ) @ #vk.28 )
-                case c_exp
-                solve( !KU( ~skTe ) @ #vk.29 )
-                  case Reveal_session
-                  by contradiction /* cyclic */
-                qed
-              qed
-            qed
-          next
-            case c_sign
-            by solve( !KU( ca_sk ) @ #vk.29 )
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma session_uniqueness:
-  all-traces
-  "∀ A B k sid sid2 role #i #j.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧
-     (Completed( k, sid2, A, role, B ) @ #j)) ⇒
-    ((#i = #j) ∧ (sid = sid2))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ A B k sid sid2 role #i #j.
-  (Completed( k, sid, A, role, B ) @ #i) ∧
-  (Completed( k, sid2, A, role, B ) @ #j)
- ∧
-  ((¬(#i = #j)) ∨ (¬(sid = sid2)))"
-*/
-simplify
-solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
-  case case_1
-  solve( (#i < #j)  ∥ (#j < #i) )
-    case case_1
-    solve( Completed( k, sid, A, role, B ) @ #i )
-      case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
-        case CA_INIT_C
-        solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-          case Generate_static_dh
-          solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B
-                 ) @ #j )
-            case CA_FINISH_C
-            solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
-              case CA_INIT_C
-              by contradiction /* cyclic */
-            qed
-          qed
-        qed
-      qed
-    next
-      case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i )
-        case CA_INIT_T
-        solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal',
-                          B
-               ) @ #j )
-          case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j )
-            case CA_INIT_T
-            solve( !KU( mac(kdf_mac(z, r2), 'g'^~skTe) ) @ #vk.4 )
-              case CA_FINISH_C
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* cyclic */
-              next
-                case split_case_2
-                solve( !KU( sign(<~id_c.2, ~r1.2, 'g'^~skTe>, x) ) @ #vk.46 )
-                  case TA_RESPONSE_T
-                  solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.22 )
-                    case CA_INIT_C
-                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.54 )
-                      case TA_RESPONSE_T
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.62 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.64 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.65 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.67 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.70 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.65 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.67 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.70 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.65 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.67 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.70 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.67 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.68 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.40 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.73 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.63 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.65 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.66 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.71 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.66 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.71 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.66 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.71 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.68 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.69 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.38 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.74 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.30 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.52 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.54 )
-                          case CA_INIT_T
-                          by contradiction /* cyclic */
-                        next
-                          case CA_Sign_dh
-                          solve( !KU( ~skTe ) @ #vk.55 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.34 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.60 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.55 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.34 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.60 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.55 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.60 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.57 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.58 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.63 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_cert
-                    solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.53 )
-                      case CA_INIT_C
-                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.57 )
-                        case TA_RESPONSE_T
-                        solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.33 )
-                          case c_mac
-                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.65 )
-                            case c_kdf_mac
-                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.67 )
-                              case CA_INIT_C
-                              solve( !KU( ~skTe ) @ #vk.68 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.40 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.72 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case CA_INIT_T
-                              by contradiction /* cyclic */
-                            next
-                              case Generate_static_dh
-                              solve( !KU( ~skTe ) @ #vk.68 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.40 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.72 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case TA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.68 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.41 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.72 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case c_exp
-                              solve( !KU( ~skC ) @ #vk.70 )
-                                case Reveal_dh
-                                solve( !KU( ~skTe ) @ #vk.71 )
-                                  case Reveal_session
-                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                         ) @ #vk.41 )
-                                    case c_cert
-                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                      case c_sign
-                                      by solve( !KU( ca_sk ) @ #vk.75 )
-                                    qed
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_sign
-                        solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                          case c_mac
-                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.66 )
-                            case c_kdf_mac
-                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.68 )
-                              case CA_INIT_C
-                              solve( !KU( ~skTe ) @ #vk.69 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.38 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.73 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case CA_INIT_T
-                              by contradiction /* cyclic */
-                            next
-                              case Generate_static_dh
-                              solve( !KU( ~skTe ) @ #vk.69 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.38 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.73 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case TA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.69 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.39 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.73 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case c_exp
-                              solve( !KU( ~skC ) @ #vk.71 )
-                                case Reveal_dh
-                                solve( !KU( ~skTe ) @ #vk.72 )
-                                  case Reveal_session
-                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                         ) @ #vk.39 )
-                                    case c_cert
-                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.74 )
-                                      case c_sign
-                                      by solve( !KU( ca_sk ) @ #vk.76 )
-                                    qed
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.55 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.57 )
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case CA_Sign_dh
-                            solve( !KU( ~skTe ) @ #vk.58 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.62 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.58 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.62 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.58 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.37 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.62 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.60 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.61 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.37 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.63 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.65 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.56 )
-                    qed
-                  qed
-                next
-                  case c_sign
-                  solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.22 )
-                    case CA_INIT_C
-                    solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.59 )
-                      case TA_RESPONSE_T
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.67 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.69 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.70 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.75 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.70 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.75 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.70 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.75 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.70 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.75 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.72 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.73 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.40 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.78 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.68 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.70 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.71 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.76 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.71 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.76 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.71 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.76 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.71 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.76 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.73 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.74 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.38 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.79 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.30 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.57 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.59 )
-                          case CA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.60 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.65 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_Sign_dh
-                          solve( !KU( ~skTe ) @ #vk.60 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.34 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.65 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.60 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.34 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.65 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.60 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.65 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.62 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.63 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.68 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_cert
-                    solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.58 )
-                      case CA_INIT_C
-                      solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.62 )
-                        case TA_RESPONSE_T
-                        solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.33 )
-                          case c_mac
-                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.70 )
-                            case c_kdf_mac
-                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.72 )
-                              case CA_INIT_C
-                              solve( !KU( ~skTe ) @ #vk.73 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.40 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.77 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case CA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.73 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.41 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.77 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case Generate_static_dh
-                              solve( !KU( ~skTe ) @ #vk.73 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.40 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.77 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case TA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.73 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.41 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.77 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case c_exp
-                              solve( !KU( ~skC ) @ #vk.75 )
-                                case Reveal_dh
-                                solve( !KU( ~skTe ) @ #vk.76 )
-                                  case Reveal_session
-                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                         ) @ #vk.41 )
-                                    case c_cert
-                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.78 )
-                                      case c_sign
-                                      by solve( !KU( ca_sk ) @ #vk.80 )
-                                    qed
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_sign
-                        solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                          case c_mac
-                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.71 )
-                            case c_kdf_mac
-                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.73 )
-                              case CA_INIT_C
-                              solve( !KU( ~skTe ) @ #vk.74 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.38 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.78 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case CA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.74 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.39 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.78 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case Generate_static_dh
-                              solve( !KU( ~skTe ) @ #vk.74 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.38 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.78 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case TA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.74 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.39 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.78 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case c_exp
-                              solve( !KU( ~skC ) @ #vk.76 )
-                                case Reveal_dh
-                                solve( !KU( ~skTe ) @ #vk.77 )
-                                  case Reveal_session
-                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                         ) @ #vk.39 )
-                                    case c_cert
-                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.79 )
-                                      case c_sign
-                                      by solve( !KU( ca_sk ) @ #vk.81 )
-                                    qed
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.60 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.62 )
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.63 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.37 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.67 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_Sign_dh
-                            solve( !KU( ~skTe ) @ #vk.63 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.67 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.63 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.67 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.63 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.37 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.67 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.65 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.66 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.37 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.70 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.61 )
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case c_mac
-              solve( !KU( cert(z.1, sign(<z.1, B>, ca_sk), B) ) @ #vk.21 )
-                case CA_INIT_C
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
-                    case c_kdf_mac
-                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.35 )
-                      case TA_RESPONSE_T
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.50 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.54 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.54 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.36 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.60 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.54 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.54 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.36 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.60 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.56 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.57 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.50 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.55 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.55 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.34 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.35 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.58 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.61 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.55 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.55 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.34 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.35 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.58 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.61 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.57 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_dh
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
-                    case c_kdf_mac
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.34 )
-                      case CA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.35 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.32 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                 ) @ #vk.33 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.38 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.41 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( ~skTe ) @ #vk.35 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.35 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.35 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.32 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                 ) @ #vk.33 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.38 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.41 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.37 )
-                        case Reveal_dh
-                        solve( !KU( ~skTe ) @ #vk.38 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_ltk
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.32 )
-                    case c_kdf_mac
-                    solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.29 )
-                      case c_mac
-                      solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                       sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                             ) @ #vk.30 )
-                        case c_cert
-                        solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.37 )
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.40 )
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case TA_INIT_T
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.32 )
-                    case c_kdf_mac
-                    solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.29 )
-                      case c_mac
-                      solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                       sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk), $T.1)
-                             ) @ #vk.30 )
-                        case c_cert
-                        solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk)
-                               ) @ #vk.37 )
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.40 )
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<z.1, B>, ca_sk) ) @ #vk.35 )
-                  case CA_INIT_C
-                  solve( splitEqs(1) )
-                    case split_case_1
-                    by contradiction /* cyclic */
-                  next
-                    case split_case_2
-                    solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.33 )
-                      case c_kdf_mac
-                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.38 )
-                        case TA_RESPONSE_T
-                        solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.53 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.57 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case CA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.57 )
-                            case Reveal_dh
-                            solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.37 )
-                              case c_mac
-                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.62 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.57 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.57 )
-                            case Reveal_dh
-                            solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.37 )
-                              case c_mac
-                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.62 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~ltk ) @ #vk.59 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.60 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_sign
-                        solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.53 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case CA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.58 )
-                            case Reveal_dh
-                            solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.35 )
-                              case c_mac
-                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.61 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.63 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.58 )
-                            case Reveal_dh
-                            solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.35 )
-                              case c_mac
-                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.61 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.63 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~ltk ) @ #vk.60 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.61 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_dh
-                  solve( splitEqs(1) )
-                    case split_case_1
-                    by contradiction /* cyclic */
-                  next
-                    case split_case_2
-                    solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.33 )
-                      case c_kdf_mac
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.37 )
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.38 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.33 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                   ) @ #vk.34 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.41 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.43 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( ~skTe ) @ #vk.38 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.38 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.38 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.33 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                   ) @ #vk.34 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.41 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.43 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.40 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.41 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_ltk
-                  solve( splitEqs(1) )
-                    case split_case_1
-                    by contradiction /* cyclic */
-                  next
-                    case split_case_2
-                    solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.33 )
-                      case c_kdf_mac
-                      solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.30 )
-                        case c_mac
-                        solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                         sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                               ) @ #vk.31 )
-                          case c_cert
-                          solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.40 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.42 )
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( splitEqs(1) )
-                    case split_case_1
-                    by contradiction /* cyclic */
-                  next
-                    case split_case_2
-                    solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.33 )
-                      case c_kdf_mac
-                      solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.30 )
-                        case c_mac
-                        solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                         sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk), $T.1)
-                               ) @ #vk.31 )
-                          case c_cert
-                          solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk)
-                                 ) @ #vk.40 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.42 )
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.38 )
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  next
-    case case_2
-    solve( Completed( k, sid, A, role, B ) @ #i )
-      case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
-        case CA_INIT_C
-        solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-          case Generate_static_dh
-          solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B
-                 ) @ #j )
-            case CA_FINISH_C
-            solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
-              case CA_INIT_C
-              by contradiction /* cyclic */
-            qed
-          qed
-        qed
-      qed
-    next
-      case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i )
-        case CA_INIT_T
-        solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal',
-                          B
-               ) @ #j )
-          case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j )
-            case CA_INIT_T
-            solve( !KU( mac(kdf_mac(z, r2), 'g'^~skTe) ) @ #vk.4 )
-              case CA_FINISH_C
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* cyclic */
-              next
-                case split_case_2
-                solve( !KU( sign(<~id_c.2, ~r1.2, 'g'^~skTe>, x) ) @ #vk.46 )
-                  case TA_RESPONSE_T
-                  solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.22 )
-                    case CA_INIT_C
-                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.54 )
-                      case TA_RESPONSE_T
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.62 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.64 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.65 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.65 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.65 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.67 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.70 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.67 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.68 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.63 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.65 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.66 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.66 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.66 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.71 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.68 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.69 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.30 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.52 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.54 )
-                          case CA_INIT_T
-                          by contradiction /* cyclic */
-                        next
-                          case CA_Sign_dh
-                          solve( !KU( ~skTe ) @ #vk.55 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.55 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.55 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.60 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.57 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.58 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_cert
-                    solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.53 )
-                      case CA_INIT_C
-                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.57 )
-                        case TA_RESPONSE_T
-                        solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.33 )
-                          case c_mac
-                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.65 )
-                            case c_kdf_mac
-                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.67 )
-                              case CA_INIT_C
-                              solve( !KU( ~skTe ) @ #vk.68 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            next
-                              case CA_INIT_T
-                              by contradiction /* cyclic */
-                            next
-                              case Generate_static_dh
-                              solve( !KU( ~skTe ) @ #vk.68 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            next
-                              case TA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.68 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.41 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.72 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case c_exp
-                              solve( !KU( ~skC ) @ #vk.70 )
-                                case Reveal_dh
-                                solve( !KU( ~skTe ) @ #vk.71 )
-                                  case Reveal_session
-                                  by contradiction /* cyclic */
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_sign
-                        solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                          case c_mac
-                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.66 )
-                            case c_kdf_mac
-                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.68 )
-                              case CA_INIT_C
-                              solve( !KU( ~skTe ) @ #vk.69 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            next
-                              case CA_INIT_T
-                              by contradiction /* cyclic */
-                            next
-                              case Generate_static_dh
-                              solve( !KU( ~skTe ) @ #vk.69 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            next
-                              case TA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.69 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.39 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.73 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case c_exp
-                              solve( !KU( ~skC ) @ #vk.71 )
-                                case Reveal_dh
-                                solve( !KU( ~skTe ) @ #vk.72 )
-                                  case Reveal_session
-                                  by contradiction /* cyclic */
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.55 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.57 )
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case CA_Sign_dh
-                            solve( !KU( ~skTe ) @ #vk.58 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.58 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.58 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.37 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.62 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.60 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.61 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.56 )
-                    qed
-                  qed
-                next
-                  case c_sign
-                  solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.22 )
-                    case CA_INIT_C
-                    solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.59 )
-                      case TA_RESPONSE_T
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.67 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.69 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.70 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.70 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.75 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.70 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.70 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.75 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.72 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.73 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.68 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.70 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.71 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.71 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.76 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.71 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.71 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.76 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.73 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.74 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.30 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.57 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.59 )
-                          case CA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.60 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.65 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_Sign_dh
-                          solve( !KU( ~skTe ) @ #vk.60 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.60 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.60 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.65 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.62 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.63 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_cert
-                    solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.58 )
-                      case CA_INIT_C
-                      solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.62 )
-                        case TA_RESPONSE_T
-                        solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.33 )
-                          case c_mac
-                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.70 )
-                            case c_kdf_mac
-                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.72 )
-                              case CA_INIT_C
-                              solve( !KU( ~skTe ) @ #vk.73 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            next
-                              case CA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.73 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.41 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.77 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case Generate_static_dh
-                              solve( !KU( ~skTe ) @ #vk.73 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            next
-                              case TA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.73 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.41 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.77 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case c_exp
-                              solve( !KU( ~skC ) @ #vk.75 )
-                                case Reveal_dh
-                                solve( !KU( ~skTe ) @ #vk.76 )
-                                  case Reveal_session
-                                  by contradiction /* cyclic */
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_sign
-                        solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                          case c_mac
-                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.71 )
-                            case c_kdf_mac
-                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.73 )
-                              case CA_INIT_C
-                              solve( !KU( ~skTe ) @ #vk.74 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            next
-                              case CA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.74 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.39 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.78 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case Generate_static_dh
-                              solve( !KU( ~skTe ) @ #vk.74 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            next
-                              case TA_INIT_T
-                              solve( !KU( ~skC ) @ #vk.74 )
-                                case Reveal_dh
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.39 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.78 )
-                                  qed
-                                qed
-                              qed
-                            next
-                              case c_exp
-                              solve( !KU( ~skC ) @ #vk.76 )
-                                case Reveal_dh
-                                solve( !KU( ~skTe ) @ #vk.77 )
-                                  case Reveal_session
-                                  by contradiction /* cyclic */
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.60 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.62 )
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.63 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.37 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.67 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_Sign_dh
-                            solve( !KU( ~skTe ) @ #vk.63 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.63 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.63 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.37 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.67 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.65 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.66 )
-                                case Reveal_session
-                                by contradiction /* cyclic */
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.61 )
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case c_mac
-              solve( !KU( cert(z.1, sign(<z.1, B>, ca_sk), B) ) @ #vk.21 )
-                case CA_INIT_C
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
-                    case c_kdf_mac
-                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.35 )
-                      case TA_RESPONSE_T
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.50 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.54 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.54 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.36 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.60 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.54 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.54 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.36 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.60 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.56 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.57 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.50 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.55 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.55 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.34 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.35 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.58 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.61 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.55 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.55 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.34 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.35 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.58 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.61 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.57 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_dh
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
-                    case c_kdf_mac
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.34 )
-                      case CA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.35 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.32 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                 ) @ #vk.33 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.38 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.41 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( ~skTe ) @ #vk.35 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.35 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.35 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.32 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                 ) @ #vk.33 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.38 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.41 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.37 )
-                        case Reveal_dh
-                        solve( !KU( ~skTe ) @ #vk.38 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_ltk
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.32 )
-                    case c_kdf_mac
-                    solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.29 )
-                      case c_mac
-                      solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                       sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                             ) @ #vk.30 )
-                        case c_cert
-                        solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.37 )
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.40 )
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case TA_INIT_T
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.32 )
-                    case c_kdf_mac
-                    solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.29 )
-                      case c_mac
-                      solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                       sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk), $T.1)
-                             ) @ #vk.30 )
-                        case c_cert
-                        solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk)
-                               ) @ #vk.37 )
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.40 )
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<z.1, B>, ca_sk) ) @ #vk.35 )
-                  case CA_INIT_C
-                  solve( splitEqs(1) )
-                    case split_case_1
-                    by contradiction /* cyclic */
-                  next
-                    case split_case_2
-                    solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.33 )
-                      case c_kdf_mac
-                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.38 )
-                        case TA_RESPONSE_T
-                        solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.53 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.57 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case CA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.57 )
-                            case Reveal_dh
-                            solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.37 )
-                              case c_mac
-                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.62 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.57 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.57 )
-                            case Reveal_dh
-                            solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.37 )
-                              case c_mac
-                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.62 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~ltk ) @ #vk.59 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.60 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_sign
-                        solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.53 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case CA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.58 )
-                            case Reveal_dh
-                            solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.35 )
-                              case c_mac
-                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.61 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.63 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.58 )
-                            case Reveal_dh
-                            solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.35 )
-                              case c_mac
-                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.36 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.61 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.63 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~ltk ) @ #vk.60 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.61 )
-                              case Reveal_session
-                              by contradiction /* cyclic */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_dh
-                  solve( splitEqs(1) )
-                    case split_case_1
-                    by contradiction /* cyclic */
-                  next
-                    case split_case_2
-                    solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.33 )
-                      case c_kdf_mac
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.37 )
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.38 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.33 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                   ) @ #vk.34 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.41 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.43 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( ~skTe ) @ #vk.38 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.38 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.38 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.33 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                   ) @ #vk.34 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.41 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.43 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.40 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.41 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_ltk
-                  solve( splitEqs(1) )
-                    case split_case_1
-                    by contradiction /* cyclic */
-                  next
-                    case split_case_2
-                    solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.33 )
-                      case c_kdf_mac
-                      solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.30 )
-                        case c_mac
-                        solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                         sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                               ) @ #vk.31 )
-                          case c_cert
-                          solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.40 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.42 )
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( splitEqs(1) )
-                    case split_case_1
-                    by contradiction /* cyclic */
-                  next
-                    case split_case_2
-                    solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.33 )
-                      case c_kdf_mac
-                      solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.30 )
-                        case c_mac
-                        solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                         sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk), $T.1)
-                               ) @ #vk.31 )
-                          case c_cert
-                          solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk)
-                                 ) @ #vk.40 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.42 )
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.38 )
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-next
-  case case_2
-  solve( Completed( k, sid, A, role, B ) @ #i )
-    case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
-      case CA_INIT_C
-      solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-        case Generate_static_dh
-        solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B
-               ) @ #j )
-          case CA_FINISH_C
-          solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
-            case CA_INIT_C
-            by contradiction /* from formulas */
-          qed
-        qed
-      qed
-    qed
-  next
-    case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i )
-      case CA_INIT_T
-      solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal',
-                        B
-             ) @ #j )
-        case CA_FINISH_T
-        solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j )
-          case CA_INIT_T
-          solve( !KU( mac(kdf_mac(z, r2), 'g'^~skTe) ) @ #vk.4 )
-            case CA_FINISH_C
-            solve( splitEqs(1) )
-              case split_case_1
-              by contradiction /* from formulas */
-            next
-              case split_case_2
-              solve( !KU( sign(<~id_c.2, ~r1.2, 'g'^~skTe>, x) ) @ #vk.46 )
-                case TA_RESPONSE_T
-                solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.22 )
-                  case CA_INIT_C
-                  solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.54 )
-                    case TA_RESPONSE_T
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.62 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.64 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.65 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.67 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.70 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_INIT_T
-                          by contradiction /* cyclic */
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.65 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.67 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.70 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.65 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.40 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.67 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.70 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.67 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.68 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.73 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.63 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.65 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.66 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.71 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_INIT_T
-                          by contradiction /* cyclic */
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.66 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.71 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.66 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.71 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.68 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.69 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.74 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_dh
-                  solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.30 )
-                    case c_mac
-                    solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.52 )
-                      case c_kdf_mac
-                      solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.54 )
-                        case CA_INIT_T
-                        by contradiction /* cyclic */
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( ~skTe ) @ #vk.55 )
-                          case Reveal_session
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.55 )
-                          case Reveal_session
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~skC ) @ #vk.55 )
-                          case Reveal_dh
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.36 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~skC ) @ #vk.57 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.63 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.53 )
-                    case CA_INIT_C
-                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.57 )
-                      case TA_RESPONSE_T
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.33 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.65 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.67 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.68 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.72 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.68 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.72 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.68 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.41 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.70 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.72 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.70 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.71 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.41 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.75 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.66 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.68 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.69 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.73 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.69 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.73 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.69 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.39 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.71 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.73 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.71 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.72 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.39 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.74 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.76 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.55 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.57 )
-                          case CA_INIT_T
-                          by contradiction /* cyclic */
-                        next
-                          case CA_Sign_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.58 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.58 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.60 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.61 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.37 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.63 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.65 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.56 )
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B>, ca_sk), B) ) @ #vk.22 )
-                  case CA_INIT_C
-                  solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.59 )
-                    case TA_RESPONSE_T
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.67 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.69 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.70 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.75 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.70 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.40 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.75 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.70 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.75 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.70 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.40 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.72 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.75 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.72 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.73 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.68 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.70 )
-                          case CA_INIT_C
-                          solve( !KU( ~skTe ) @ #vk.71 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.76 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.71 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.76 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.71 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.76 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.71 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.73 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.76 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.73 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.74 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.79 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case CA_Sign_dh
-                  solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.30 )
-                    case c_mac
-                    solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.57 )
-                      case c_kdf_mac
-                      solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.59 )
-                        case CA_INIT_T
-                        solve( !KU( ~skC ) @ #vk.60 )
-                          case Reveal_dh
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.36 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.65 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case CA_Sign_dh
-                        solve( !KU( ~skTe ) @ #vk.60 )
-                          case Reveal_session
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.65 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.60 )
-                          case Reveal_session
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.65 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~skC ) @ #vk.60 )
-                          case Reveal_dh
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.36 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.62 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.65 )
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~skC ) @ #vk.62 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.63 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.68 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                next
-                  case c_cert
-                  solve( !KU( sign(<'g'^~skC, B>, ca_sk) ) @ #vk.58 )
-                    case CA_INIT_C
-                    solve( !KU( sign(<~id_c.3, ~r1.3, pkTe>, x.1) ) @ #vk.62 )
-                      case TA_RESPONSE_T
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.33 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.70 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.72 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.73 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.77 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.73 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.41 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.77 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.73 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.40 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.77 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.73 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.41 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.75 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.77 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.75 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.76 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.41 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.78 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.80 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.71 )
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.73 )
-                            case CA_INIT_C
-                            solve( !KU( ~skTe ) @ #vk.74 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case CA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.74 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.39 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case Generate_static_dh
-                            solve( !KU( ~skTe ) @ #vk.74 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.38 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~skC ) @ #vk.74 )
-                              case Reveal_dh
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.39 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.76 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.78 )
-                                qed
-                              qed
-                            qed
-                          next
-                            case c_exp
-                            solve( !KU( ~skC ) @ #vk.76 )
-                              case Reveal_dh
-                              solve( !KU( ~skTe ) @ #vk.77 )
-                                case Reveal_session
-                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                       ) @ #vk.39 )
-                                  case c_cert
-                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.79 )
-                                    case c_sign
-                                    by solve( !KU( ca_sk ) @ #vk.81 )
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( mac(kdf_mac('g'^(~skC*~skTe), ~r2), 'g'^~skTe.1) ) @ #vk.31 )
-                      case c_mac
-                      solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.60 )
-                        case c_kdf_mac
-                        solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.62 )
-                          case CA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.63 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case CA_Sign_dh
-                          solve( !KU( ~skTe ) @ #vk.63 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case Generate_static_dh
-                          solve( !KU( ~skTe ) @ #vk.63 )
-                            case Reveal_session
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case TA_INIT_T
-                          solve( !KU( ~skC ) @ #vk.63 )
-                            case Reveal_dh
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.37 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
-                              qed
-                            qed
-                          qed
-                        next
-                          case c_exp
-                          solve( !KU( ~skC ) @ #vk.65 )
-                            case Reveal_dh
-                            solve( !KU( ~skTe ) @ #vk.66 )
-                              case Reveal_session
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                     ) @ #vk.37 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.68 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.70 )
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    by solve( !KU( ca_sk ) @ #vk.61 )
-                  qed
-                qed
-              qed
-            qed
-          next
-            case c_mac
-            solve( !KU( cert(z.1, sign(<z.1, B>, ca_sk), B) ) @ #vk.21 )
-              case CA_INIT_C
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.35 )
-                    case TA_RESPONSE_T
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.50 )
-                      case CA_INIT_C
-                      solve( !KU( ~skTe ) @ #vk.54 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case CA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.54 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.36 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.37 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.54 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.54 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.36 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.37 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.60 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.56 )
-                        case Reveal_dh
-                        solve( !KU( ~skTe ) @ #vk.57 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.50 )
-                      case CA_INIT_C
-                      solve( !KU( ~skTe ) @ #vk.55 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case CA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.55 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.34 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.35 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.58 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.61 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.55 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.55 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.34 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                 ) @ #vk.35 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.58 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.61 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.57 )
-                        case Reveal_dh
-                        solve( !KU( ~skTe ) @ #vk.58 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_dh
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.34 )
-                    case CA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.35 )
-                      case Reveal_dh
-                      solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                               ) @ #vk.33 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.38 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.41 )
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case CA_Sign_dh
-                    solve( !KU( ~skTe ) @ #vk.35 )
-                      case Reveal_session
-                      by contradiction /* cyclic */
-                    qed
-                  next
-                    case Generate_static_dh
-                    solve( !KU( ~skTe ) @ #vk.35 )
-                      case Reveal_session
-                      by contradiction /* cyclic */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.35 )
-                      case Reveal_dh
-                      solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.32 )
-                        case c_mac
-                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                               ) @ #vk.33 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.38 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.41 )
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_exp
-                    solve( !KU( ~ltk ) @ #vk.37 )
-                      case Reveal_dh
-                      solve( !KU( ~skTe ) @ #vk.38 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case CA_Sign_ltk
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.29 )
-                    case c_mac
-                    solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                     sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                           ) @ #vk.30 )
-                      case c_cert
-                      solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.37 )
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.40 )
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case TA_INIT_T
-              solve( splitEqs(1) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.32 )
-                  case c_kdf_mac
-                  solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.29 )
-                    case c_mac
-                    solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                     sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk), $T.1)
-                           ) @ #vk.30 )
-                      case c_cert
-                      solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk)
-                             ) @ #vk.37 )
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.40 )
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case c_cert
-              solve( !KU( sign(<z.1, B>, ca_sk) ) @ #vk.35 )
-                case CA_INIT_C
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* from formulas */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.38 )
-                      case TA_RESPONSE_T
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.53 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.57 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.57 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.37 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.57 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.57 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.37 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.38 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.59 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.60 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.53 )
-                        case CA_INIT_C
-                        solve( !KU( ~skTe ) @ #vk.58 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.58 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.35 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.61 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.63 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case Generate_static_dh
-                        solve( !KU( ~skTe ) @ #vk.58 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.58 )
-                          case Reveal_dh
-                          solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.35 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk), $C)
-                                   ) @ #vk.36 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C>, ca_sk) ) @ #vk.61 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.63 )
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
-                        case c_exp
-                        solve( !KU( ~ltk ) @ #vk.60 )
-                          case Reveal_dh
-                          solve( !KU( ~skTe ) @ #vk.61 )
-                            case Reveal_session
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_dh
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* from formulas */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.37 )
-                      case CA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.38 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.33 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.41 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.43 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case CA_Sign_dh
-                      solve( !KU( ~skTe ) @ #vk.38 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case Generate_static_dh
-                      solve( !KU( ~skTe ) @ #vk.38 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk ) @ #vk.38 )
-                        case Reveal_dh
-                        solve( !KU( mac(kdf_mac('g'^(~ltk*~skTe), r2), 'g'^~skTe.1) ) @ #vk.33 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                                 ) @ #vk.34 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.41 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.43 )
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_exp
-                      solve( !KU( ~ltk ) @ #vk.40 )
-                        case Reveal_dh
-                        solve( !KU( ~skTe ) @ #vk.41 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case CA_Sign_ltk
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* from formulas */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.30 )
-                      case c_mac
-                      solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                       sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk), $A)
-                             ) @ #vk.31 )
-                        case c_cert
-                        solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $A>, ca_sk) ) @ #vk.40 )
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.42 )
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case TA_INIT_T
-                solve( splitEqs(1) )
-                  case split_case_1
-                  by contradiction /* from formulas */
-                next
-                  case split_case_2
-                  solve( !KU( kdf_mac(pk(~ltk)^~skTe, r2) ) @ #vk.33 )
-                    case c_kdf_mac
-                    solve( !KU( mac(kdf_mac(pk(~ltk)^~skTe, r2), 'g'^~skTe.1) ) @ #vk.30 )
-                      case c_mac
-                      solve( !KU( cert(pk(~ltk)^(~skTe*inv(~skTe.1)),
-                                       sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk), $T.1)
-                             ) @ #vk.31 )
-                        case c_cert
-                        solve( !KU( sign(<pk(~ltk)^(~skTe*inv(~skTe.1)), $T.1>, ca_sk)
-                               ) @ #vk.40 )
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.42 )
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.38 )
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma consistency:
-  all-traces
-  "∀ C T k k2 sid #i #j.
-    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
-     (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
-    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T k k2 sid #i #j.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
-  (Completed( k2, sid, T, 'terminal', C ) @ #j)
- ∧
-  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
-*/
-simplify
-solve( Completed( k, sid, C, 'chip', T ) @ #i )
-  case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
-    case CA_INIT_C
-    solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-      case Generate_static_dh
-      solve( Completed( k2, <pkTe, 'g'^~skC, ~id_c, ~r2>, T, 'terminal', $C
-             ) @ #j )
-        case CA_FINISH_T
-        solve( CAInitT( <$T, iid.1>, skTe, ~id_c, cert('g'^~skC, x.1, $C)
-               ) ▶₁ #j )
-          case CA_INIT_T
-          by contradiction /* from formulas */
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma key_secrecy:
-  all-traces
-  "∀ C T k sid #i #j.
-    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
-     (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
-    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ iid #m. Revealed( <T, iid> ) @ #m)) ∨
-     (∃ #m. Corrupted( C ) @ #m))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T k sid #i #j.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
-  (Completed( k, sid, T, 'terminal', C ) @ #j)
- ∧
-  (∃ #m. (K( k ) @ #m)) ∧
-  (∀ iid #m. (Revealed( <T, iid> ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
-*/
-simplify
-solve( Completed( k, sid, C, 'chip', T ) @ #i )
-  case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
-    case CA_INIT_C
-    solve( !LtkDH( $C, ~skC ) ▶₂ #i )
-      case Generate_static_dh
-      solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>,
-                        <pkTe, 'g'^~skC, ~id_c, ~r2>, T, 'terminal', $C
-             ) @ #j )
-        case CA_FINISH_T
-        solve( CAInitT( <$T, iid.1>, skTe, ~id_c, cert('g'^~skC, x.1, $C)
-               ) ▶₁ #j )
-          case CA_INIT_T
-          solve( !KU( kdf_enc('g'^(~skC*~skTe), ~r2) ) @ #vk.15 )
-            case c_kdf_enc
-            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.16 )
-              case c_kdf_mac
-              solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, x) ) @ #vk.17 )
-                case TA_RESPONSE_T
-                solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.46 )
-                  case CA_INIT_C
-                  solve( !KU( ~skTe ) @ #vk.50 )
-                    case Reveal_session
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case CA_INIT_T
-                  by contradiction /* cyclic */
-                next
-                  case CA_Sign_dh
-                  solve( !KU( ~skTe ) @ #vk.47 )
-                    case Reveal_session
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case Generate_static_dh
-                  solve( !KU( ~skTe ) @ #vk.47 )
-                    case Reveal_session
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~skC ) @ #vk.47 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~skC ) @ #vk.49 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.48 )
-                  case CA_INIT_C
-                  solve( !KU( ~skTe ) @ #vk.54 )
-                    case Reveal_session
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case CA_INIT_T
-                  by contradiction /* cyclic */
-                next
-                  case CA_Sign_dh
-                  solve( !KU( ~skTe ) @ #vk.51 )
-                    case Reveal_session
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case Generate_static_dh
-                  solve( !KU( ~skTe ) @ #vk.51 )
-                    case Reveal_session
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~skC ) @ #vk.51 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~skC ) @ #vk.53 )
-                    case Reveal_dh
-                    by contradiction /* from formulas */
-                  qed
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-/* All wellformedness checks were successful. */
-
-/*
-Generated from:
-Tamarin version 1.8.0
-Maude version 3.3.1
-Git revision: f172d7f00b1485446a1e7a42dc14623c2189cc42, branch: master
-Compiled at: 2024-01-16 15:38:46.116852601 UTC
-*/
-
-end
-
-==============================================================================
-summary of summaries:
-
-analyzed: BasicEAC.spthy
-
-  processing time: 46.12s
-  
-  weak_agreement_C (all-traces): verified (124 steps)
-  weak_agreement_T (all-traces): falsified - found trace (14 steps)
-  agreement_C (all-traces): verified (124 steps)
-  agreement_T (all-traces): falsified - found trace (14 steps)
-  aliveness (all-traces): verified (232 steps)
-  session_uniqueness (all-traces): verified (1269 steps)
-  consistency (all-traces): verified (7 steps)
-  key_secrecy (all-traces): verified (33 steps)
-
-==============================================================================
diff --git a/results/processor.45369362 b/results/processor.45369362
deleted file mode 100644
index 03663c845bf67063d17a944190d92d00da32869d..0000000000000000000000000000000000000000
--- a/results/processor.45369362
+++ /dev/null
@@ -1,20 +0,0 @@
-  *-cpu:0
-       product: Intel(R) Xeon(R) Platinum 8470Q
-       vendor: Intel Corp.
-       physical id: 2
-       bus info: cpu@0
-       version: 6.143.8
-       size: 3753MHz
-       width: 64 bits
-       capabilities: fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp x86-64 constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 cat_l2 cdp_l3 invpcid_single intel_ppin cdp_l2 ssbd mba ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid cqm rdt_a avx512f avx512dq rdseed adx smap avx512ifma clflushopt clwb intel_pt avx512cd sha_ni avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local split_lock_detect avx_vnni avx512_bf16 wbnoinvd dtherm ida arat pln pts avx512vbmi umip pku ospke waitpkg avx512_vbmi2 gfni vaes vpclmulqdq avx512_vnni avx512_bitalg tme avx512_vpopcntdq la57 rdpid bus_lock_detect cldemote movdiri movdir64b enqcmd fsrm md_clear serialize tsxldtrk pconfig arch_lbr amx_bf16 avx512_fp16 amx_tile amx_int8 flush_l1d arch_capabilities cpufreq
-       configuration: microcode=721421489
-  *-cpu:1
-       product: Intel(R) Xeon(R) Platinum 8470Q
-       vendor: Intel Corp.
-       physical id: 3
-       bus info: cpu@1
-       version: 6.143.8
-       size: 3764MHz
-       width: 64 bits
-       capabilities: fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp x86-64 constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 cat_l2 cdp_l3 invpcid_single intel_ppin cdp_l2 ssbd mba ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid cqm rdt_a avx512f avx512dq rdseed adx smap avx512ifma clflushopt clwb intel_pt avx512cd sha_ni avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local split_lock_detect avx_vnni avx512_bf16 wbnoinvd dtherm ida arat pln pts avx512vbmi umip pku ospke waitpkg avx512_vbmi2 gfni vaes vpclmulqdq avx512_vnni avx512_bitalg tme avx512_vpopcntdq la57 rdpid bus_lock_detect cldemote movdiri movdir64b enqcmd fsrm md_clear serialize tsxldtrk pconfig arch_lbr amx_bf16 avx512_fp16 amx_tile amx_int8 flush_l1d arch_capabilities cpufreq
-       configuration: microcode=721421489