Skip to content
Snippets Groups Projects
Commit a10c424d authored by Müller, Jonas's avatar Müller, Jonas
Browse files

Update SigPQEAC results

parent 2e2142c3
No related branches found
No related tags found
No related merge requests found
......@@ -24,5 +24,11 @@
[Saturating Sources] Step 2/5
[Saturating Sources] Step 1/5
[Saturating Sources] Step 2/5
WARNING: you should run this program as super-user.
WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
[Saturating Sources] Step 1/5
[Saturating Sources] Step 2/5
[Saturating Sources] Step 1/5
[Saturating Sources] Step 2/5
[Saturating Sources] Step 1/5
[Saturating Sources] Step 2/5
/var/spool/slurmd/job45992234/slurm_script: line 29: output/hw/45992234.cpu: No such file or directory
/var/spool/slurmd/job45992234/slurm_script: line 30: output/hw/45992234.processor: No such file or directory
maude tool: 'maude'
checking version: 3.3.1. OK.
checking installation: OK.
theory FastSigPQEAC begin
theory SigPQEAC begin
// Function signature and definition of the equational theory E
......@@ -78,288 +78,253 @@ rule (modulo E) TA_INIT_T:
/* has exactly the trivial AC variant */
rule (modulo E) TA_CHALLENGE_C:
[
In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ),
!Cert( $C, certC, 'chip' )
]
[ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
--[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
[
Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), Out( ~iid ),
TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2 )
Out( <~id_c, ~r1, '2', 'c'> ),
TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 )
]
/*
rule (modulo AC) TA_CHALLENGE_C:
[
In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ),
!Cert( $C, certC, 'chip' )
]
[ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
--[ Eq( z, true ), Started( ) ]->
[
Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), Out( ~iid ),
TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2 )
Out( <~id_c, ~r1, '2', 'c'> ),
TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 )
]
variants (modulo AC)
1. certT = certT.15
z = verify(cert_sig(certT.15),
<cert_pk(certT.15), cert_id(certT.15), 'terminal'>, pk(ca_sk))
1. certT = certT.12
z = verify(cert_sig(certT.12),
<cert_pk(certT.12), cert_id(certT.12), 'terminal'>, pk(ca_sk))
2. certT = cert(x.16, sign(<x.16, x.17, 'terminal'>, ca_sk), x.17)
2. certT = cert(x.13, sign(<x.13, x.14, 'terminal'>, ca_sk), x.14)
z = true
3. certT = cert(x.17, x.18, x.19)
z = verify(x.18, <x.17, x.19, 'terminal'>, pk(ca_sk))
3. certT = cert(x.14, x.15, x.16)
z = verify(x.15, <x.14, x.16, 'terminal'>, pk(ca_sk))
*/
rule (modulo E) TA_RESPONSE_T:
[
In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( <$T, iid> ),
!Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k )
In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid> ),
!Ltk( $T, ~skT, 'terminal' )
]
-->
[
Out( <sign(<'TA', id_c, r1>, ~skT), '3', 't'> ),
TAResponseT( <$T, iid>, id_c )
]
/* has exactly the trivial AC variant */
rule (modulo E) TA_COMPLETE_C:
[ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ]
--[
Eq( verify(s, <'TA', id_c, r1>, cert_pk(certT)), true ),
CompletedTA( $C, iid, cert_id(certT) )
]->
[ TACompleteC( <$C, iid>, certT, id_c, r1 ) ]
/*
rule (modulo AC) TA_COMPLETE_C:
[ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ]
--[ Eq( z, true ), CompletedTA( $C, iid, z.1 ) ]->
[ TACompleteC( <$C, iid>, certT, id_c, r1 ) ]
variants (modulo AC)
1. certT = certT.16
id_c = id_c.17
r1 = r1.19
s = s.20
z = verify(s.20, <'TA', id_c.17, r1.19>, cert_pk(certT.16))
z.1 = cert_id(certT.16)
2. certT = cert(x.37, x.38, z.28)
id_c = id_c.21
r1 = r1.23
s = s.24
z = verify(s.24, <'TA', id_c.21, r1.23>, x.37)
z.1 = z.28
3. certT = cert(pk(x.37), x.38, z.28)
id_c = id_c.21
r1 = r1.23
s = sign(<'TA', id_c.21, r1.23>, x.37)
z = true
z.1 = z.28
*/
rule (modulo E) CA_INIT_C:
[
Fr( ~r2 ), TACompleteC( <$C, iid>, certT, id_c, r1 ),
!Cert( $C, certC, 'chip' )
]
-->
[
Out( <certC, ~r2, '4', 'c'> ), Out( iid ),
CAInitC( <$C, iid>, certT, id_c, r1, ~r2 )
]
/* has exactly the trivial AC variant */
rule (modulo E) CA_INIT_T:
[
In( <certC, r2, '4', 'c'> ), Fr( ~k ), TAResponseT( <$T, iid>, id_c ),
!Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
]
--[ Eq( verify_cert(certC, 'chip'), true ) ]->
[
Out( <encaps(~k, cert_pk(certC)), sign(<'TA', id_c, r1>, ~skT),
sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC))>, ~skT), '3',
Out( <encaps(~k, cert_pk(certC)),
sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC))>, ~skT), '5',
't'>
),
CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> )
]
/*
rule (modulo AC) TA_RESPONSE_T:
rule (modulo AC) CA_INIT_T:
[
In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( <$T, iid> ),
!Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k )
In( <certC, r2, '4', 'c'> ), Fr( ~k ), TAResponseT( <$T, iid>, id_c ),
!Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
]
--[ Eq( z.1, true ) ]->
[
Out( <encaps(~k, z), sign(<'TA', id_c, r1>, ~skT),
sign(<'CA', certT, certC, r2, encaps(~k, z)>, ~skT), '3', 't'>
Out( <encaps(~k, z),
sign(<'CA', certT, certC, r2, encaps(~k, z)>, ~skT), '5', 't'>
),
CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)> )
]
variants (modulo AC)
1. certC = certC.20
z = cert_pk(certC.20)
z.1 = verify(cert_sig(certC.20),
<cert_pk(certC.20), cert_id(certC.20), 'chip'>, pk(ca_sk))
1. certC = certC.18
z = cert_pk(certC.18)
z.1 = verify(cert_sig(certC.18),
<cert_pk(certC.18), cert_id(certC.18), 'chip'>, pk(ca_sk))
2. certC = cert(z.57, sign(<z.57, x.100, 'chip'>, ca_sk), x.100)
z = z.57
2. certC = cert(z.44, sign(<z.44, x.75, 'chip'>, ca_sk), x.75)
z = z.44
z.1 = true
3. certC = cert(z.58, x.101, x.102)
z = z.58
z.1 = verify(x.101, <z.58, x.102, 'chip'>, pk(ca_sk))
3. certC = cert(z.45, x.76, x.77)
z = z.45
z.1 = verify(x.76, <z.45, x.77, 'chip'>, pk(ca_sk))
*/
rule (modulo E) TA_COMPLETE_C:
rule (modulo E) CA_FINISH_C:
[
In( <cip, s1, s2, '3', 't'> ),
TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ),
!Cert( $C, certC, 'chip' )
In( <cip, s, '5', 't'> ), CAInitC( <$C, iid>, certT, id_c, r1, r2 ),
!Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
]
--[
Eq( verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true ),
Eq( verify(s2, <'CA', certT, certC, r2, cip>, cert_pk(certT)), true ),
CompletedTA( $C, iid, cert_id(certT) ),
Eq( verify(s, <'CA', certT, certC, r2, cip>, cert_pk(certT)), true ),
Completed( kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)),
<certT, certC, r2, cip>, $C, 'chip', cert_id(certT)
)
]->
[
Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'>
Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '6', 'c'>
),
TACompleteC( <$C, iid>, certT, id_c, r1, r2 )
CAFinishC( $C, cert_id(certT),
kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC))
)
]
/*
rule (modulo AC) TA_COMPLETE_C:
rule (modulo AC) CA_FINISH_C:
[
In( <cip, s1, s2, '3', 't'> ),
TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ),
!Cert( $C, certC, 'chip' )
In( <cip, s, '5', 't'> ), CAInitC( <$C, iid>, certT, id_c, r1, r2 ),
!Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
]
--[
Eq( z.1, true ), Eq( z.2, true ), CompletedTA( $C, iid, z.3 ),
Eq( z.2, true ),
Completed( kdf(<'KEY', certT, certC, r2, cip>, z),
<certT, certC, r2, cip>, $C, 'chip', z.3
<certT, certC, r2, cip>, $C, 'chip', z.1
)
]->
[
Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ),
TACompleteC( <$C, iid>, certT, id_c, r1, r2 )
Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '6', 'c'> ),
CAFinishC( $C, z.1, kdf(<'KEY', certT, certC, r2, cip>, z) )
]
variants (modulo AC)
1. ~skC = ~skC.32
certC = certC.33
certT = certT.34
cip = cip.35
id_c = id_c.36
r1 = r1.38
r2 = r2.39
s1 = s1.40
s2 = s2.41
z = decaps(cip.35, ~skC.32)
z.1 = verify(s1.40, <'TA', id_c.36, r1.38>, cert_pk(certT.34))
z.2 = verify(s2.41, <'CA', certT.34, certC.33, r2.39, cip.35>,
cert_pk(certT.34))
z.3 = cert_id(certT.34)
2. ~skC = ~skC.37
certC = certC.38
certT = certT.39
cip = encaps(z.51, pk(~skC.37))
id_c = id_c.41
r1 = r1.43
r2 = r2.44
s1 = s1.45
s2 = s2.46
z = z.51
z.1 = verify(s1.45, <'TA', id_c.41, r1.43>, cert_pk(certT.39))
z.2 = verify(s2.46,
<'CA', certT.39, certC.38, r2.44, encaps(z.51, pk(~skC.37))>,
cert_pk(certT.39))
z.3 = cert_id(certT.39)
3. ~skC = ~skC.150
certC = certC.151
certT = cert(x.296, x.297, z.169)
cip = cip.153
id_c = id_c.154
r1 = r1.156
r2 = r2.157
s1 = s1.158
s2 = s2.159
z = decaps(cip.153, ~skC.150)
z.1 = verify(s1.158, <'TA', id_c.154, r1.156>, x.296)
z.2 = verify(s2.159,
<'CA', cert(x.296, x.297, z.169), certC.151, r2.157, cip.153>, x.296)
z.3 = z.169
4. ~skC = ~skC.150
certC = certC.151
certT = cert(pk(x.296), x.297, z.169)
cip = cip.153
id_c = id_c.154
r1 = r1.156
r2 = r2.157
s1 = sign(<'TA', id_c.154, r1.156>, x.296)
s2 = s2.159
z = decaps(cip.153, ~skC.150)
z.1 = true
z.2 = verify(s2.159,
<'CA', cert(pk(x.296), x.297, z.169), certC.151, r2.157, cip.153>,
pk(x.296))
z.3 = z.169
5. ~skC = ~skC.151
certC = certC.152
certT = cert(pk(x.298), x.299, z.170)
cip = cip.154
id_c = id_c.155
r1 = r1.157
r2 = r2.158
s1 = s1.159
s2 = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158,
cip.154>,
x.298)
z = decaps(cip.154, ~skC.151)
z.1 = verify(s1.159, <'TA', id_c.155, r1.157>, pk(x.298))
z.2 = true
z.3 = z.170
6. ~skC = ~skC.151
certC = certC.152
certT = cert(pk(x.298), x.299, z.170)
cip = cip.154
id_c = id_c.155
r1 = r1.157
r2 = r2.158
s1 = sign(<'TA', id_c.155, r1.157>, x.298)
s2 = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158,
cip.154>,
x.298)
z = decaps(cip.154, ~skC.151)
z.1 = true
z.2 = true
z.3 = z.170
7. ~skC = ~skC.152
certC = certC.153
certT = cert(x.300, x.301, z.171)
cip = encaps(z.166, pk(~skC.152))
id_c = id_c.156
r1 = r1.158
r2 = r2.159
s1 = s1.160
s2 = s2.161
z = z.166
z.1 = verify(s1.160, <'TA', id_c.156, r1.158>, x.300)
z.2 = verify(s2.161,
<'CA', cert(x.300, x.301, z.171), certC.153, r2.159,
encaps(z.166, pk(~skC.152))>,
x.300)
z.3 = z.171
8. ~skC = ~skC.152
certC = certC.153
certT = cert(pk(x.300), x.301, z.171)
cip = encaps(z.166, pk(~skC.152))
id_c = id_c.156
r1 = r1.158
r2 = r2.159
s1 = s1.160
s2 = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159,
encaps(z.166, pk(~skC.152))>,
x.300)
z = z.166
z.1 = verify(s1.160, <'TA', id_c.156, r1.158>, pk(x.300))
1. ~skC = ~skC.30
certC = certC.31
certT = certT.32
cip = cip.33
r2 = r2.37
s = s.38
z = decaps(cip.33, ~skC.30)
z.1 = cert_id(certT.32)
z.2 = verify(s.38, <'CA', certT.32, certC.31, r2.37, cip.33>,
cert_pk(certT.32))
2. ~skC = ~skC.35
certC = certC.36
certT = certT.37
cip = encaps(z.48, pk(~skC.35))
r2 = r2.42
s = s.43
z = z.48
z.1 = cert_id(certT.37)
z.2 = verify(s.43,
<'CA', certT.37, certC.36, r2.42, encaps(z.48, pk(~skC.35))>,
cert_pk(certT.37))
3. ~skC = ~skC.137
certC = certC.138
certT = cert(x.270, x.271, z.153)
cip = cip.140
r2 = r2.144
s = s.145
z = decaps(cip.140, ~skC.137)
z.1 = z.153
z.2 = verify(s.145,
<'CA', cert(x.270, x.271, z.153), certC.138, r2.144, cip.140>, x.270)
4. ~skC = ~skC.138
certC = certC.139
certT = cert(pk(x.272), x.273, z.154)
cip = cip.141
r2 = r2.145
s = sign(<'CA', cert(pk(x.272), x.273, z.154), certC.139, r2.145,
cip.141>,
x.272)
z = decaps(cip.141, ~skC.138)
z.1 = z.154
z.2 = true
z.3 = z.171
9. ~skC = ~skC.152
certC = certC.153
certT = cert(pk(x.300), x.301, z.171)
cip = encaps(z.166, pk(~skC.152))
id_c = id_c.156
r1 = r1.158
r2 = r2.159
s1 = sign(<'TA', id_c.156, r1.158>, x.300)
s2 = s2.161
z = z.166
z.1 = true
z.2 = verify(s2.161,
<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159,
encaps(z.166, pk(~skC.152))>,
pk(x.300))
z.3 = z.171
10. ~skC = ~skC.152
certC = certC.153
certT = cert(pk(x.300), x.301, z.171)
cip = encaps(z.166, pk(~skC.152))
id_c = id_c.156
r1 = r1.158
r2 = r2.159
s1 = sign(<'TA', id_c.156, r1.158>, x.300)
s2 = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159,
encaps(z.166, pk(~skC.152))>,
x.300)
z = z.166
z.1 = true
5. ~skC = ~skC.139
certC = certC.140
certT = cert(x.274, x.275, z.155)
cip = encaps(z.152, pk(~skC.139))
r2 = r2.146
s = s.147
z = z.152
z.1 = z.155
z.2 = verify(s.147,
<'CA', cert(x.274, x.275, z.155), certC.140, r2.146,
encaps(z.152, pk(~skC.139))>,
x.274)
6. ~skC = ~skC.139
certC = certC.140
certT = cert(pk(x.274), x.275, z.155)
cip = encaps(z.152, pk(~skC.139))
r2 = r2.146
s = sign(<'CA', cert(pk(x.274), x.275, z.155), certC.140, r2.146,
encaps(z.152, pk(~skC.139))>,
x.274)
z = z.152
z.1 = z.155
z.2 = true
z.3 = z.171
*/
rule (modulo E) CA_FINISH_T:
[
In( <kCNF_C, '4', 'c'> ),
In( <kCNF_c, '6', 'c'> ),
CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
!Cert( $T, certT, 'terminal' )
]
--[
Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_C ),
Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_c ),
Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
<certT, certC, r2, cip>, $T, 'terminal', cert_id(certC)
),
......@@ -375,12 +340,12 @@ rule (modulo E) CA_FINISH_T:
/*
rule (modulo AC) CA_FINISH_T:
[
In( <kCNF_C, '4', 'c'> ),
In( <kCNF_c, '6', 'c'> ),
CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
!Cert( $T, certT, 'terminal' )
]
--[
Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_C ),
Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_c ),
Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
<certT, certC, r2, cip>, $T, 'terminal', z
),
......@@ -2240,10 +2205,9 @@ guarded formula characterizing all satisfying traces:
*/
simplify
solve( Completed( k, sid, C, 'chip', T ) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
......@@ -2260,43 +2224,50 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
) ▶₁ #j )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j )
case CA_Sign_ltk
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.5 )
) @ #vk.3 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.11 )
case TA_RESPONSE_T
solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.34 )
case CA_Sign_ltk
solve( !KU( ~r2 ) @ #vk.30 )
case TA_CHALLENGE_C
solve( !KU( ~id_c ) @ #vk.33 )
solve( !KU( ~r2 ) @ #vk.28 )
case CA_INIT_C
solve( !KU( ~id_c ) @ #vk.34 )
case TA_CHALLENGE_C
solve( !KU( ~r1 ) @ #vk.34 )
solve( !KU( ~r1 ) @ #vk.35 )
case TA_CHALLENGE_C
solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
) @ #vk.20 )
) @ #vk.19 )
case CA_Sign_ltk
solve( !KU( kdf(<'CNF',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.24 )
case TA_COMPLETE_C
) @ #vk.23 )
case CA_FINISH_C
solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
) @ #vk.33 )
case CA_Sign_ltk
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.21 )
) @ #vk.31 )
case CA_INIT_C
solve( !KU( sign(<'TA', ~id_c.2, ~r1.2>, x) ) @ #vk.38 )
case TA_RESPONSE_T
solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), z, 'terminal'>, ca_sk), z)
) @ #vk.40 )
case CA_Sign_ltk
solve( !KU( ~id_c.2 ) @ #vk.42 )
case TA_CHALLENGE_C
solve( !KU( ~r1.1 ) @ #vk.43 )
case TA_CHALLENGE_C
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.24 )
case CA_INIT_T
SOLVED // trace found
qed
qed
......@@ -2315,6 +2286,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
qed
qed
qed
qed
qed
lemma two_session_exist:
exists-trace
......@@ -2338,10 +2312,9 @@ guarded formula characterizing all satisfying traces:
*/
simplify
solve( Completed( k, sid, C, 'chip', T ) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
......@@ -2358,17 +2331,16 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
) ▶₁ #j )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j )
case CA_Sign_ltk
solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1,
r2.1
case CA_FINISH_C
solve( CAInitC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1
) ▶₁ #i2 )
case TA_CHALLENGE_C
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
......@@ -2388,51 +2360,46 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
<z, cip>
) ▶₁ #j2 )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j2 )
case CA_Sign_ltk
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
$T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.5 )
case TA_RESPONSE_T
solve( !KU( sign(<'TA', ~id_c.1, ~r1.1>, ~ltk.1) ) @ #vk.40 )
) @ #vk.3 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.15 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1),
sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
$T),
cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk), $C),
~r2.1, encaps(~k.1, pk(~skC))>,
~ltk.1)
) @ #vk.43 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c.1, ~r1.1>, ~ltk.1) ) @ #vk.45 )
case TA_RESPONSE_T
solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.54 )
case CA_Sign_ltk
solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.60 )
case CA_Sign_ltk
solve( !KU( ~r2 ) @ #vk.47 )
case TA_CHALLENGE_C
solve( !KU( ~r2.1 ) @ #vk.55 )
case TA_CHALLENGE_C
solve( !KU( ~id_c ) @ #vk.56 )
solve( !KU( ~r2 ) @ #vk.41 )
case CA_INIT_C
solve( !KU( ~r2.1 ) @ #vk.51 )
case CA_INIT_C
solve( !KU( ~id_c ) @ #vk.54 )
case TA_CHALLENGE_C
solve( !KU( ~r1 ) @ #vk.57 )
solve( !KU( ~r1 ) @ #vk.55 )
case TA_CHALLENGE_C
solve( !KU( ~id_c.1 ) @ #vk.59 )
solve( !KU( ~id_c.1 ) @ #vk.56 )
case TA_CHALLENGE_C
solve( !KU( ~r1.1 ) @ #vk.60 )
solve( !KU( ~r1.1 ) @ #vk.57 )
case TA_CHALLENGE_C
solve( !KU( cert(pk(~skT),
sign(<pk(~skT), $T, 'terminal'>, ca_sk),
$T)
) @ #vk.39 )
sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
) @ #vk.32 )
case CA_Sign_ltk
solve( !KU( kdf(<'CNF',
cert(pk(~skT),
......@@ -2440,26 +2407,36 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
ca_sk),
$T),
cert(pk(~ltk),
sign(<pk(~ltk), $C, 'chip'>,
ca_sk),
sign(<pk(~ltk), $C, 'chip'>, ca_sk),
$C),
~r2, encaps(~k, pk(~ltk))>,
~k)
) @ #vk.42 )
case TA_COMPLETE_C
) @ #vk.36 )
case CA_FINISH_C
solve( !KU( cert(pk(~ltk),
sign(<pk(~ltk), $C, 'chip'>, ca_sk),
$C)
) @ #vk.52 )
case CA_Sign_ltk
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.37 )
sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
) @ #vk.47 )
case CA_INIT_C
solve( !KU( sign(<'TA', ~id_c.4, ~r1.4>, x) ) @ #vk.60 )
case TA_RESPONSE_T
solve( !KU( cert(pk(~skT.3),
sign(<pk(~skT.3), z, 'terminal'>,
ca_sk),
z)
) @ #vk.62 )
case CA_Sign_ltk
solve( !KU( ~id_c.4 ) @ #vk.64 )
case TA_CHALLENGE_C
solve( !KU( ~r1.3 ) @ #vk.65 )
case TA_CHALLENGE_C
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.36 )
case CA_INIT_T
solve( !KU( cert(pk(~ltk.1),
sign(<pk(~ltk.1), $T, 'terminal'
>,
sign(<pk(~ltk.1), $T,
'terminal'>,
ca_sk),
$T)
) @ #vk.55 )
) @ #vk.61 )
case CA_Sign_ltk
solve( !KU( kdf(<'CNF',
cert(pk(~ltk.1),
......@@ -2468,23 +2445,41 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
ca_sk),
$T),
cert(pk(~skC),
sign(<pk(~skC), $C, 'chip'
>,
sign(<pk(~skC), $C,
'chip'>,
ca_sk),
$C),
~r2.1, encaps(~k.1, pk(~skC))>,
~r2.1,
encaps(~k.1, pk(~skC))>,
~k.1)
) @ #vk.56 )
case TA_COMPLETE_C
) @ #vk.62 )
case CA_FINISH_C
solve( !KU( cert(pk(~skC),
sign(<pk(~skC), $C, 'chip'>,
sign(<pk(~skC), $C,
'chip'>,
ca_sk),
$C)
) @ #vk.59 )
case CA_Sign_ltk
solve( !KU( encaps(~k.1, pk(~skC))
) @ #vk.57 )
) @ #vk.63 )
case CA_INIT_C
solve( !KU( sign(<'TA', ~id_c.5, ~r1.5>,
x)
) @ #vk.68 )
case TA_RESPONSE_T
solve( !KU( cert(pk(~skT.4),
sign(<pk(~skT.4), z,
'terminal'>,
ca_sk),
z)
) @ #vk.70 )
case CA_Sign_ltk
solve( !KU( ~id_c.5 ) @ #vk.72 )
case TA_CHALLENGE_C
solve( !KU( ~r1.4 ) @ #vk.73 )
case TA_CHALLENGE_C
solve( !KU( encaps(~k.1,
pk(~skC))
) @ #vk.71 )
case CA_INIT_T
SOLVED // trace found
qed
qed
......@@ -2520,6 +2515,12 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
qed
qed
qed
qed
qed
qed
qed
qed
lemma weak_agreement_C:
all-traces
......@@ -2539,7 +2540,7 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
case CA_Sign_ltk
solve( Completed( k.1,
......@@ -2547,11 +2548,11 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
C, 'chip', T.1
) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>,
case CA_FINISH_C
solve( CAInitC( <$C, iid>,
cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
......@@ -2583,7 +2584,7 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
case CA_Sign_ltk
solve( Completed( k.1,
......@@ -2595,48 +2596,48 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
solve( CAInitT( <$T.1, iid>, id_c,
cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
) ▶₁ #i )
case TA_RESPONSE_T
case CA_INIT_T
solve( !KU( kdf(<'CNF',
cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T),
cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
~k)
) @ #vk.1 )
case TA_COMPLETE_C
case CA_FINISH_C
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.18 )
case TA_RESPONSE_T
solve( !KU( ~k ) @ #vk.20 )
case CA_INIT_T
solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
) @ #vk.13 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.23 )
) @ #vk.12 )
case CA_INIT_C
solve( !KU( ~ltk.1 ) @ #vk.25 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.23 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.25 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_cert
solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.25 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.24 )
solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.27 )
case CA_INIT_C
solve( !KU( ~ltk.1 ) @ #vk.26 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.24 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.26 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_sign
by solve( !KU( ca_sk ) @ #vk.29 )
by solve( !KU( ca_sk ) @ #vk.31 )
qed
qed
qed
......@@ -2664,7 +2665,7 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
case CA_Sign_ltk
solve( Completed( k.1,
......@@ -2672,11 +2673,11 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
C, 'chip', T.1
) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>,
case CA_FINISH_C
solve( CAInitC( <$C, iid>,
cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
......@@ -2687,24 +2688,24 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
by contradiction /* from formulas */
next
case split_case_2
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.18 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.21 )
) @ #vk.20 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.28 )
case TA_RESPONSE_T
solve( !KU( kdf(<'CNF',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.4 )
) @ #vk.5 )
case c_kdf
solve( !KU( ~k ) @ #vk.40 )
case TA_RESPONSE_T
case CA_INIT_T
solve( !KU( ~ltk ) @ #vk.42 )
case Corrupt_ltk
by contradiction /* from formulas */
......@@ -2713,14 +2714,14 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
qed
next
case c_sign
solve( !KU( ~ltk.1 ) @ #vk.40 )
solve( !KU( ~skT ) @ #vk.33 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
qed
next
case c_sign
solve( !KU( ~ltk.1 ) @ #vk.29 )
solve( !KU( ~ltk.1 ) @ #vk.36 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
......@@ -2751,7 +2752,7 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
case CA_Sign_ltk
solve( Completed( k.1,
......@@ -2763,48 +2764,48 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
solve( CAInitT( <$T.1, iid>, id_c,
cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
) ▶₁ #i )
case TA_RESPONSE_T
case CA_INIT_T
solve( !KU( kdf(<'CNF',
cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T),
cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
~k)
) @ #vk.1 )
case TA_COMPLETE_C
case CA_FINISH_C
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.18 )
case TA_RESPONSE_T
solve( !KU( ~k ) @ #vk.20 )
case CA_INIT_T
solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
) @ #vk.13 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.23 )
) @ #vk.12 )
case CA_INIT_C
solve( !KU( ~ltk.1 ) @ #vk.25 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.23 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.25 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_cert
solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.25 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.24 )
solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.27 )
case CA_INIT_C
solve( !KU( ~ltk.1 ) @ #vk.26 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.24 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.26 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_sign
by solve( !KU( ca_sk ) @ #vk.29 )
by solve( !KU( ca_sk ) @ #vk.31 )
qed
qed
qed
......@@ -2830,7 +2831,7 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
case CA_Sign_ltk
solve( Completed( k.1,
......@@ -2838,60 +2839,60 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
A, role, B
) @ #i )
case CA_FINISH_C
by contradiction /* from formulas */
next
case CA_FINISH_T
solve( CAInitT( <$T.1, iid>, id_c,
cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>
) ▶₁ #i )
case TA_RESPONSE_T
case CA_INIT_T
solve( !KU( kdf(<'CNF',
cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T),
cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
~k)
) @ #vk.1 )
case TA_COMPLETE_C
case CA_FINISH_C
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.18 )
case TA_RESPONSE_T
solve( !KU( ~k ) @ #vk.20 )
case CA_INIT_T
solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
) @ #vk.13 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.23 )
) @ #vk.12 )
case CA_INIT_C
solve( !KU( ~ltk.1 ) @ #vk.25 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.23 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.25 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_cert
solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.25 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.24 )
solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.27 )
case CA_INIT_C
solve( !KU( ~ltk.1 ) @ #vk.26 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.24 )
case CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.26 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_sign
by solve( !KU( ca_sk ) @ #vk.29 )
by solve( !KU( ca_sk ) @ #vk.31 )
qed
qed
qed
qed
qed
next
case TA_COMPLETE_C
by contradiction /* from formulas */
qed
qed
qed
......@@ -2916,9 +2917,34 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) )
solve( (#i < #j) ∥ (#j < #i) )
case case_1
solve( Completed( k, sid, A, role, B ) @ #i )
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
case CA_Sign_ltk
solve( Completed( kdf(<'KEY',
cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
z),
sid2, $C, 'chip', B
) @ #j )
case CA_FINISH_C
solve( CAInitC( <$C, iid.1>,
cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
) ▶₁ #j )
case CA_INIT_C
by contradiction /* cyclic */
qed
qed
qed
qed
qed
next
case CA_FINISH_T
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
case CA_Sign_ltk
solve( Completed( kdf(<'KEY',
......@@ -2931,17 +2957,19 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
) ▶₁ #j )
case TA_RESPONSE_T
case CA_INIT_T
by contradiction /* cyclic */
qed
qed
qed
qed
qed
next
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case case_2
solve( Completed( k, sid, A, role, B ) @ #i )
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
......@@ -2952,24 +2980,21 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) )
z),
sid2, $C, 'chip', B
) @ #j )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid.1>,
case CA_FINISH_C
solve( CAInitC( <$C, iid.1>,
cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
) ▶₁ #j )
case TA_CHALLENGE_C
case CA_INIT_C
by contradiction /* cyclic */
qed
qed
qed
qed
qed
qed
next
case case_2
solve( Completed( k, sid, A, role, B ) @ #i )
case CA_FINISH_T
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
case CA_Sign_ltk
solve( Completed( kdf(<'KEY',
......@@ -2982,17 +3007,20 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
) ▶₁ #j )
case TA_RESPONSE_T
case CA_INIT_T
by contradiction /* cyclic */
qed
qed
qed
qed
qed
qed
next
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case case_2
solve( Completed( k, sid, A, role, B ) @ #i )
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
......@@ -3003,25 +3031,16 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) )
z),
sid2, $C, 'chip', B
) @ #j )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid.1>,
cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
) ▶₁ #j )
case TA_CHALLENGE_C
by contradiction /* cyclic */
qed
qed
qed
case CA_FINISH_C
by contradiction /* from formulas */
qed
qed
qed
qed
next
case case_2
solve( Completed( k, sid, A, role, B ) @ #i )
case CA_FINISH_T
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
case CA_Sign_ltk
solve( Completed( kdf(<'KEY',
......@@ -3035,27 +3054,6 @@ next
qed
qed
qed
next
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
case CA_Sign_ltk
solve( Completed( kdf(<'KEY',
cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
z),
sid2, $C, 'chip', B
) @ #j )
case TA_COMPLETE_C
by contradiction /* from formulas */
qed
qed
qed
qed
qed
qed
......@@ -3075,10 +3073,9 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( Completed( k, sid, C, 'chip', T ) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
......@@ -3092,7 +3089,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
) ▶₁ #j )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j )
......@@ -3102,24 +3099,24 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
by contradiction /* from formulas */
next
case split_case_2
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.5 )
) @ #vk.3 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.11 )
case TA_RESPONSE_T
solve( !KU( kdf(<'CNF',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.14 )
) @ #vk.16 )
case c_kdf
solve( !KU( ~k ) @ #vk.40 )
case TA_RESPONSE_T
case CA_INIT_T
solve( !KU( ~ltk ) @ #vk.42 )
case Corrupt_ltk
by contradiction /* from formulas */
......@@ -3128,18 +3125,18 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
next
case c_sign
solve( !KU( ~ltk.1 ) @ #vk.40 )
solve( !KU( ~skT ) @ #vk.33 )
case Corrupt_ltk
solve( !KU( kdf(<'CNF',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.19 )
) @ #vk.17 )
case c_kdf
solve( !KU( ~k ) @ #vk.43 )
case TA_RESPONSE_T
solve( !KU( ~ltk ) @ #vk.45 )
solve( !KU( ~k ) @ #vk.42 )
case CA_INIT_T
solve( !KU( ~ltk ) @ #vk.44 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
......@@ -3149,25 +3146,20 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
next
case c_sign
solve( !KU( ~ltk.1 ) @ #vk.29 )
solve( !KU( ~ltk.1 ) @ #vk.36 )
case Corrupt_ltk
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.6 )
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.14 )
case TA_RESPONSE_T
solve( !KU( kdf(<'CNF',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.15 )
) @ #vk.21 )
case c_kdf
solve( !KU( ~k ) @ #vk.38 )
case TA_RESPONSE_T
solve( !KU( ~ltk ) @ #vk.40 )
solve( !KU( ~k ) @ #vk.43 )
case CA_INIT_T
solve( !KU( ~ltk ) @ #vk.45 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
......@@ -3180,11 +3172,11 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.17 )
) @ #vk.21 )
case c_kdf
solve( !KU( ~k ) @ #vk.40 )
case TA_RESPONSE_T
solve( !KU( ~ltk ) @ #vk.42 )
solve( !KU( ~k ) @ #vk.44 )
case CA_INIT_T
solve( !KU( ~ltk ) @ #vk.46 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
......@@ -3221,10 +3213,9 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( Completed( k, sid, C, 'chip', T ) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
......@@ -3241,32 +3232,32 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
) ▶₁ #j )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j )
case CA_Sign_ltk
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.4 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.6 )
) @ #vk.4 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.12 )
case TA_RESPONSE_T
solve( !KU( kdf(<'KEY',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.3 )
) @ #vk.4 )
case Reveal_session
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.41 )
case TA_RESPONSE_T
case CA_INIT_T
solve( !KU( ~ltk ) @ #vk.43 )
case Corrupt_ltk
by contradiction /* from formulas */
......@@ -3275,10 +3266,10 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
next
case c_sign
solve( !KU( ~ltk.1 ) @ #vk.41 )
solve( !KU( ~skT ) @ #vk.34 )
case Corrupt_ltk
solve( !KU( kdf(<'KEY',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
......@@ -3287,9 +3278,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.44 )
case TA_RESPONSE_T
solve( !KU( ~ltk ) @ #vk.46 )
solve( !KU( ~k ) @ #vk.43 )
case CA_INIT_T
solve( !KU( ~ltk ) @ #vk.45 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
......@@ -3299,17 +3290,12 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
next
case c_sign
solve( !KU( ~ltk.1 ) @ #vk.30 )
solve( !KU( ~ltk.1 ) @ #vk.37 )
case Corrupt_ltk
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.7 )
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.15 )
case TA_RESPONSE_T
solve( !KU( kdf(<'KEY',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
......@@ -3318,9 +3304,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.39 )
case TA_RESPONSE_T
solve( !KU( ~ltk ) @ #vk.41 )
solve( !KU( ~k ) @ #vk.44 )
case CA_INIT_T
solve( !KU( ~ltk ) @ #vk.46 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
......@@ -3338,9 +3324,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.41 )
case TA_RESPONSE_T
solve( !KU( ~ltk ) @ #vk.43 )
solve( !KU( ~k ) @ #vk.45 )
case CA_INIT_T
solve( !KU( ~ltk ) @ #vk.47 )
case Corrupt_ltk
by contradiction /* from formulas */
qed
......@@ -3370,54 +3356,11 @@ guarded formula characterizing all counter-examples:
(∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
*/
simplify
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
case CA_Sign_ltk
solve( splitEqs(0) )
case split_case_1
solve( !KU( sign(<'TA', ~id_c, ~r1>, x) ) @ #vk.3 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~skT), sign(<pk(~skT), T, 'terminal'>, ca_sk), T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
~skT)
) @ #vk.5 )
case TA_RESPONSE_T
solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.19 )
case CA_Sign_ltk
solve( !KU( ~iid ) @ #vk.12 )
case TA_CHALLENGE_C
solve( !KU( ~id_c ) @ #vk.17 )
case TA_CHALLENGE_C
solve( !KU( ~r1 ) @ #vk.19 )
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1 ) ▶₁ #i )
case TA_CHALLENGE_C
solve( !KU( ~r2 ) @ #vk.32 )
case TA_CHALLENGE_C
solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
) @ #vk.19 )
case CA_Sign_ltk
solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
) @ #vk.32 )
case CA_Sign_ltk
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.18 )
case TA_RESPONSE_T
SOLVED // trace found
qed
qed
qed
qed
qed
qed
qed
qed
qed
qed
qed
qed
solve( !KU( ~iid ) @ #vk.6 )
case CA_INIT_C
by contradiction /* cyclic */
qed
qed
......@@ -3536,10 +3479,9 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( Completed( k, sid, C, 'chip', T ) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
......@@ -3556,55 +3498,62 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
) ▶₁ #j )
case TA_RESPONSE_T
case CA_INIT_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j )
case CA_Sign_ltk
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.4 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.6 )
) @ #vk.4 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.12 )
case TA_RESPONSE_T
solve( !KU( kdf(<'KEY',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.3 )
) @ #vk.4 )
case c_kdf
solve( !KU( ~k ) @ #vk.41 )
case TA_RESPONSE_T
case CA_INIT_T
solve( !KU( ~ltk ) @ #vk.43 )
case Corrupt_ltk
solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.41 )
case CA_Sign_ltk
solve( !KU( ~r2 ) @ #vk.38 )
case TA_CHALLENGE_C
solve( !KU( ~id_c ) @ #vk.40 )
solve( !KU( ~r2 ) @ #vk.36 )
case CA_INIT_C
solve( !KU( ~id_c ) @ #vk.41 )
case TA_CHALLENGE_C
solve( !KU( ~r1 ) @ #vk.41 )
solve( !KU( ~r1 ) @ #vk.42 )
case TA_CHALLENGE_C
solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
) @ #vk.27 )
) @ #vk.26 )
case CA_Sign_ltk
solve( !KU( kdf(<'CNF',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk),
$T),
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C),
~r2, encaps(~k, pk(~ltk))>,
~k)
) @ #vk.31 )
case TA_COMPLETE_C
) @ #vk.30 )
case CA_FINISH_C
solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
) @ #vk.40 )
case CA_Sign_ltk
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.28 )
) @ #vk.38 )
case CA_INIT_C
solve( !KU( sign(<'TA', ~id_c.2, ~r1.2>, x) ) @ #vk.46 )
case TA_RESPONSE_T
solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), z, 'terminal'>, ca_sk),
z)
) @ #vk.48 )
case CA_Sign_ltk
solve( !KU( ~id_c.2 ) @ #vk.50 )
case TA_CHALLENGE_C
solve( !KU( ~r1.1 ) @ #vk.51 )
case TA_CHALLENGE_C
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.31 )
case CA_INIT_T
SOLVED // trace found
qed
qed
......@@ -3626,6 +3575,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
qed
qed
qed
qed
qed
......@@ -3674,10 +3626,10 @@ summary of summaries:
analyzed: tmp.spthy
processing time: 754.39s
processing time: 98.76s
session_exist (exists-trace): verified (19 steps)
two_session_exist (exists-trace): verified (36 steps)
session_exist (exists-trace): verified (22 steps)
two_session_exist (exists-trace): verified (42 steps)
weak_agreement_C (all-traces): verified (8 steps)
weak_agreement_T (all-traces): verified (19 steps)
agreement_C (all-traces): verified (19 steps)
......@@ -3686,9 +3638,9 @@ analyzed: tmp.spthy
session_uniqueness (all-traces): verified (37 steps)
consistency (all-traces): verified (31 steps)
key_secrecy (all-traces): verified (33 steps)
chip_hiding (all-traces): falsified - found trace (16 steps)
chip_hiding (all-traces): verified (4 steps)
nonRepudiation_terminal (exists-trace): verified (13 steps)
nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps)
pfs (all-traces): falsified - found trace (22 steps)
pfs (all-traces): falsified - found trace (25 steps)
==============================================================================
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment