Müller, Jonas / EAC_Tamarin_Analysis
Commit a10c424d, authored Jun 19, 2024 by Müller, Jonas
Update SigPQEAC results
parent 2e2142c3
Showing 2 changed files with 605 additions and 647 deletions:
results/45992234.err.ALL_SigPQEAC_TAMARIN: 8 additions, 2 deletions
results/45992234.out.ALL_SigPQEAC_TAMARIN: 597 additions, 645 deletions
results/45991790.err.ALL_SigPQEAC_TAMARIN → results/45992234.err.ALL_SigPQEAC_TAMARIN (+8 −2)
...
...
@@ -24,5 +24,11 @@
[Saturating Sources] Step 2/5
[Saturating Sources] Step 1/5
[Saturating Sources] Step 2/5
WARNING: you should run this program as super-user.
WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
[Saturating Sources] Step 1/5
[Saturating Sources] Step 2/5
[Saturating Sources] Step 1/5
[Saturating Sources] Step 2/5
[Saturating Sources] Step 1/5
[Saturating Sources] Step 2/5
/var/spool/slurmd/job45992234/slurm_script: line 29: output/hw/45992234.cpu: No such file or directory
/var/spool/slurmd/job45992234/slurm_script: line 30: output/hw/45992234.processor: No such file or directory
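Review bot: The job script fails at lines 29 and 30 because output/hw/ does not exist, so 45992234.cpu and 45992234.processor were never written for this run, and the two super-user warnings earlier in the hunk say the collected output may be incomplete or inaccurate. Create the directory in slurm_script before line 29 (for example with mkdir -p output/hw) and either re-run the job or state in the commit message that these two files are missing for the 45992234 results.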
results/45991790.out.ALL_SigPQEAC_TAMARIN → results/45992234.out.ALL_SigPQEAC_TAMARIN (+597 −645)
maude tool: 'maude'
checking version: 3.3.1. OK.
checking installation: OK.
theory
Fast
SigPQEAC begin
theory SigPQEAC begin
// Function signature and definition of the equational theory E
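Review bot: The theory header drops its Fast prefix here (the old line carries Fast before SigPQEAC, the new line reads theory SigPQEAC begin), so the file being replaced and the file replacing it were produced from differently named theories. The commit message "Update SigPQEAC results" should say which theory file each job (45991790 and 45992234) was run on, otherwise the proof differences further down cannot be read as a like-for-like comparison.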
...
...
@@ -78,288 +78,253 @@ rule (modulo E) TA_INIT_T:
/* has exactly the trivial AC variant */
rule (modulo E) TA_CHALLENGE_C:
[
In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ),
!Cert( $C, certC, 'chip' )
]
[ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
--[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
[
Out( <~id_c, ~r1,
certC, ~r2, '2', 'c'> ), Out( ~iid
),
TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1
, ~r2
)
Out( <~id_c, ~r1,
'2', 'c'>
),
TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 )
]
/*
rule (modulo AC) TA_CHALLENGE_C:
[
In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ),
!Cert( $C, certC, 'chip' )
]
[ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
--[ Eq( z, true ), Started( ) ]->
[
Out( <~id_c, ~r1,
certC, ~r2, '2', 'c'> ), Out( ~iid
),
TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1
, ~r2
)
Out( <~id_c, ~r1,
'2', 'c'>
),
TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 )
]
variants (modulo AC)
1. certT = certT.1
5
z = verify(cert_sig(certT.1
5
),
<cert_pk(certT.1
5
), cert_id(certT.1
5
), 'terminal'>, pk(ca_sk))
1. certT = certT.1
2
z = verify(cert_sig(certT.1
2
),
<cert_pk(certT.1
2
), cert_id(certT.1
2
), 'terminal'>, pk(ca_sk))
2. certT = cert(x.1
6
, sign(<x.1
6
, x.1
7
, 'terminal'>, ca_sk), x.1
7
)
2. certT = cert(x.1
3
, sign(<x.1
3
, x.1
4
, 'terminal'>, ca_sk), x.1
4
)
z = true
3. certT = cert(x.1
7
, x.1
8
, x.1
9
)
z = verify(x.1
8
, <x.1
7
, x.1
9
, 'terminal'>, pk(ca_sk))
3. certT = cert(x.1
4
, x.1
5
, x.1
6
)
z = verify(x.1
5
, <x.1
4
, x.1
6
, 'terminal'>, pk(ca_sk))
*/
rule (modulo E) TA_RESPONSE_T:
[
In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( <$T, iid> ),
!Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k )
In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid> ),
!Ltk( $T, ~skT, 'terminal' )
]
-->
[
Out( <sign(<'TA', id_c, r1>, ~skT), '3', 't'> ),
TAResponseT( <$T, iid>, id_c )
]
/* has exactly the trivial AC variant */
rule (modulo E) TA_COMPLETE_C:
[ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ]
--[
Eq( verify(s, <'TA', id_c, r1>, cert_pk(certT)), true ),
CompletedTA( $C, iid, cert_id(certT) )
]->
[ TACompleteC( <$C, iid>, certT, id_c, r1 ) ]
/*
rule (modulo AC) TA_COMPLETE_C:
[ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ]
--[ Eq( z, true ), CompletedTA( $C, iid, z.1 ) ]->
[ TACompleteC( <$C, iid>, certT, id_c, r1 ) ]
variants (modulo AC)
1. certT = certT.16
id_c = id_c.17
r1 = r1.19
s = s.20
z = verify(s.20, <'TA', id_c.17, r1.19>, cert_pk(certT.16))
z.1 = cert_id(certT.16)
2. certT = cert(x.37, x.38, z.28)
id_c = id_c.21
r1 = r1.23
s = s.24
z = verify(s.24, <'TA', id_c.21, r1.23>, x.37)
z.1 = z.28
3. certT = cert(pk(x.37), x.38, z.28)
id_c = id_c.21
r1 = r1.23
s = sign(<'TA', id_c.21, r1.23>, x.37)
z = true
z.1 = z.28
*/
rule (modulo E) CA_INIT_C:
[
Fr( ~r2 ), TACompleteC( <$C, iid>, certT, id_c, r1 ),
!Cert( $C, certC, 'chip' )
]
-->
[
Out( <certC, ~r2, '4', 'c'> ), Out( iid ),
CAInitC( <$C, iid>, certT, id_c, r1, ~r2 )
]
/* has exactly the trivial AC variant */
rule (modulo E) CA_INIT_T:
[
In( <certC, r2, '4', 'c'> ), Fr( ~k ), TAResponseT( <$T, iid>, id_c ),
!Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
]
--[ Eq( verify_cert(certC, 'chip'), true ) ]->
[
Out( <encaps(~k, cert_pk(certC)),
sign(<'TA', id_c, r1>, ~skT),
sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC))>, ~skT), '
3
',
Out( <encaps(~k, cert_pk(certC)),
sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC))>, ~skT), '
5
',
't'>
),
CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> )
]
/*
rule (modulo AC)
T
A_
RESPONSE
_T:
rule (modulo AC)
C
A_
INIT
_T:
[
In( <
id_c, r1,
certC, r2, '
2
', 'c'> ),
TAInit
T( <$T, iid> ),
!Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
, Fr( ~k )
In( <certC, r2, '
4
', 'c'> ),
Fr( ~k ), TAResponse
T( <$T, iid>
, id_c
),
!Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
]
--[ Eq( z.1, true ) ]->
[
Out( <encaps(~k, z),
sign(<'TA', id_c, r1>, ~skT),
sign(<'CA', certT, certC, r2, encaps(~k, z)>, ~skT), '
3
', 't'>
Out( <encaps(~k, z),
sign(<'CA', certT, certC, r2, encaps(~k, z)>, ~skT), '
5
', 't'>
),
CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)> )
]
variants (modulo AC)
1. certC = certC.
20
z = cert_pk(certC.
20
)
z.1 = verify(cert_sig(certC.
20
),
<cert_pk(certC.
20
), cert_id(certC.
20
), 'chip'>, pk(ca_sk))
1. certC = certC.
18
z = cert_pk(certC.
18
)
z.1 = verify(cert_sig(certC.
18
),
<cert_pk(certC.
18
), cert_id(certC.
18
), 'chip'>, pk(ca_sk))
2. certC = cert(z.
57
, sign(<z.
57
, x.
100
, 'chip'>, ca_sk), x.
100
)
z = z.
57
2. certC = cert(z.
44
, sign(<z.
44
, x.
75
, 'chip'>, ca_sk), x.
75
)
z = z.
44
z.1 = true
3. certC = cert(z.5
8
, x.
101
, x.
102
)
z = z.5
8
z.1 = verify(x.
101
, <z.5
8
, x.
102
, 'chip'>, pk(ca_sk))
3. certC = cert(z.
4
5, x.
76
, x.
77
)
z = z.
4
5
z.1 = verify(x.
76
, <z.
4
5, x.
77
, 'chip'>, pk(ca_sk))
*/
rule (modulo E)
T
A_
COMPLETE
_C:
rule (modulo E)
C
A_
FINISH
_C:
[
In( <cip, s1, s2, '3', 't'> ),
TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ),
!Cert( $C, certC, 'chip' )
In( <cip, s, '5', 't'> ), CAInitC( <$C, iid>, certT, id_c, r1, r2 ),
!Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
]
--[
Eq( verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true ),
Eq( verify(s2, <'CA', certT, certC, r2, cip>, cert_pk(certT)), true ),
CompletedTA( $C, iid, cert_id(certT) ),
Eq( verify(s, <'CA', certT, certC, r2, cip>, cert_pk(certT)), true ),
Completed( kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)),
<certT, certC, r2, cip>, $C, 'chip', cert_id(certT)
)
]->
[
Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '
4
', 'c'>
Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '
6
', 'c'>
),
TACompleteC( <$C, iid>, certT, id_c, r1, r2 )
CAFinishC( $C, cert_id(certT),
kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC))
)
]
/*
rule (modulo AC)
T
A_
COMPLETE
_C:
rule (modulo AC)
C
A_
FINISH
_C:
[
In( <cip, s1, s2, '3', 't'> ),
TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ),
!Cert( $C, certC, 'chip' )
In( <cip, s, '5', 't'> ), CAInitC( <$C, iid>, certT, id_c, r1, r2 ),
!Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
]
--[
Eq( z.
1, true ), Eq( z.2, true ), CompletedTA( $C, iid, z.3
),
Eq( z.
2, true
),
Completed( kdf(<'KEY', certT, certC, r2, cip>, z),
<certT, certC, r2, cip>, $C, 'chip', z.
3
<certT, certC, r2, cip>, $C, 'chip', z.
1
)
]->
[
Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '
4
', 'c'> ),
TAComplete
C(
<
$C,
iid>, certT, id_c, r1, r2
)
Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '
6
', 'c'> ),
CAFinish
C( $C,
z.1, kdf(<'KEY', certT, certC, r2, cip>, z)
)
]
variants (modulo AC)
1. ~skC = ~skC.32
certC = certC.33
certT = certT.34
cip = cip.35
id_c = id_c.36
r1 = r1.38
r2 = r2.39
s1 = s1.40
s2 = s2.41
z = decaps(cip.35, ~skC.32)
z.1 = verify(s1.40, <'TA', id_c.36, r1.38>, cert_pk(certT.34))
z.2 = verify(s2.41, <'CA', certT.34, certC.33, r2.39, cip.35>,
cert_pk(certT.34))
z.3 = cert_id(certT.34)
2. ~skC = ~skC.37
certC = certC.38
certT = certT.39
cip = encaps(z.51, pk(~skC.37))
id_c = id_c.41
r1 = r1.43
r2 = r2.44
s1 = s1.45
s2 = s2.46
z = z.51
z.1 = verify(s1.45, <'TA', id_c.41, r1.43>, cert_pk(certT.39))
z.2 = verify(s2.46,
<'CA', certT.39, certC.38, r2.44, encaps(z.51, pk(~skC.37))>,
cert_pk(certT.39))
z.3 = cert_id(certT.39)
3. ~skC = ~skC.150
certC = certC.151
certT = cert(x.296, x.297, z.169)
cip = cip.153
id_c = id_c.154
r1 = r1.156
r2 = r2.157
s1 = s1.158
s2 = s2.159
z = decaps(cip.153, ~skC.150)
z.1 = verify(s1.158, <'TA', id_c.154, r1.156>, x.296)
z.2 = verify(s2.159,
<'CA', cert(x.296, x.297, z.169), certC.151, r2.157, cip.153>, x.296)
z.3 = z.169
4. ~skC = ~skC.150
certC = certC.151
certT = cert(pk(x.296), x.297, z.169)
cip = cip.153
id_c = id_c.154
r1 = r1.156
r2 = r2.157
s1 = sign(<'TA', id_c.154, r1.156>, x.296)
s2 = s2.159
z = decaps(cip.153, ~skC.150)
z.1 = true
z.2 = verify(s2.159,
<'CA', cert(pk(x.296), x.297, z.169), certC.151, r2.157, cip.153>,
pk(x.296))
z.3 = z.169
5. ~skC = ~skC.151
certC = certC.152
certT = cert(pk(x.298), x.299, z.170)
cip = cip.154
id_c = id_c.155
r1 = r1.157
r2 = r2.158
s1 = s1.159
s2 = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158,
cip.154>,
x.298)
z = decaps(cip.154, ~skC.151)
z.1 = verify(s1.159, <'TA', id_c.155, r1.157>, pk(x.298))
z.2 = true
z.3 = z.170
6. ~skC = ~skC.151
certC = certC.152
certT = cert(pk(x.298), x.299, z.170)
cip = cip.154
id_c = id_c.155
r1 = r1.157
r2 = r2.158
s1 = sign(<'TA', id_c.155, r1.157>, x.298)
s2 = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158,
cip.154>,
x.298)
z = decaps(cip.154, ~skC.151)
z.1 = true
z.2 = true
z.3 = z.170
7. ~skC = ~skC.152
certC = certC.153
certT = cert(x.300, x.301, z.171)
cip = encaps(z.166, pk(~skC.152))
id_c = id_c.156
r1 = r1.158
r2 = r2.159
s1 = s1.160
s2 = s2.161
z = z.166
z.1 = verify(s1.160, <'TA', id_c.156, r1.158>, x.300)
z.2 = verify(s2.161,
<'CA', cert(x.300, x.301, z.171), certC.153, r2.159,
encaps(z.166, pk(~skC.152))>,
x.300)
z.3 = z.171
8. ~skC = ~skC.152
certC = certC.153
certT = cert(pk(x.300), x.301, z.171)
cip = encaps(z.166, pk(~skC.152))
id_c = id_c.156
r1 = r1.158
r2 = r2.159
s1 = s1.160
s2 = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159,
encaps(z.166, pk(~skC.152))>,
x.300)
z = z.166
z.1 = verify(s1.160, <'TA', id_c.156, r1.158>, pk(x.300))
1. ~skC = ~skC.30
certC = certC.31
certT = certT.32
cip = cip.33
r2 = r2.37
s = s.38
z = decaps(cip.33, ~skC.30)
z.1 = cert_id(certT.32)
z.2 = verify(s.38, <'CA', certT.32, certC.31, r2.37, cip.33>,
cert_pk(certT.32))
2. ~skC = ~skC.35
certC = certC.36
certT = certT.37
cip = encaps(z.48, pk(~skC.35))
r2 = r2.42
s = s.43
z = z.48
z.1 = cert_id(certT.37)
z.2 = verify(s.43,
<'CA', certT.37, certC.36, r2.42, encaps(z.48, pk(~skC.35))>,
cert_pk(certT.37))
3. ~skC = ~skC.137
certC = certC.138
certT = cert(x.270, x.271, z.153)
cip = cip.140
r2 = r2.144
s = s.145
z = decaps(cip.140, ~skC.137)
z.1 = z.153
z.2 = verify(s.145,
<'CA', cert(x.270, x.271, z.153), certC.138, r2.144, cip.140>, x.270)
4. ~skC = ~skC.138
certC = certC.139
certT = cert(pk(x.272), x.273, z.154)
cip = cip.141
r2 = r2.145
s = sign(<'CA', cert(pk(x.272), x.273, z.154), certC.139, r2.145,
cip.141>,
x.272)
z = decaps(cip.141, ~skC.138)
z.1 = z.154
z.2 = true
z.3 = z.171
9. ~skC = ~skC.152
certC = certC.153
certT = cert(pk(x.300), x.301, z.171)
cip = encaps(z.166, pk(~skC.152))
id_c = id_c.156
r1 = r1.158
r2 = r2.159
s1 = sign(<'TA', id_c.156, r1.158>, x.300)
s2 = s2.161
z = z.166
z.1 = true
z.2 = verify(s2.161,
<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159,
encaps(z.166, pk(~skC.152))>,
pk(x.300))
z.3 = z.171
10. ~skC = ~skC.152
certC = certC.153
certT = cert(pk(x.300), x.301, z.171)
cip = encaps(z.166, pk(~skC.152))
id_c = id_c.156
r1 = r1.158
r2 = r2.159
s1 = sign(<'TA', id_c.156, r1.158>, x.300)
s2 = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159,
encaps(z.166, pk(~skC.152))>,
x.300)
z = z.166
z.1 = true
5. ~skC = ~skC.139
certC = certC.140
certT = cert(x.274, x.275, z.155)
cip = encaps(z.152, pk(~skC.139))
r2 = r2.146
s = s.147
z = z.152
z.1 = z.155
z.2 = verify(s.147,
<'CA', cert(x.274, x.275, z.155), certC.140, r2.146,
encaps(z.152, pk(~skC.139))>,
x.274)
6. ~skC = ~skC.139
certC = certC.140
certT = cert(pk(x.274), x.275, z.155)
cip = encaps(z.152, pk(~skC.139))
r2 = r2.146
s = sign(<'CA', cert(pk(x.274), x.275, z.155), certC.140, r2.146,
encaps(z.152, pk(~skC.139))>,
x.274)
z = z.152
z.1 = z.155
z.2 = true
z.3 = z.171
*/
rule (modulo E) CA_FINISH_T:
[
In( <kCNF_
C
, '
4
', 'c'> ),
In( <kCNF_
c
, '
6
', 'c'> ),
CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
!Cert( $T, certT, 'terminal' )
]
--[
Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_
C
),
Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_
c
),
Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
<certT, certC, r2, cip>, $T, 'terminal', cert_id(certC)
),
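Review bot: The commit message should point to the model change behind this hunk, because the rules shown here are a restructured message flow and not only refreshed prover output. TA_CHALLENGE_C no longer reads !Cert( $C, certC, 'chip' ) or sends certC and ~r2, TA_RESPONSE_T and TA_COMPLETE_C now handle only the 'TA' signature in message '3', and the chip certificate, the 'CA' signature and the confirmation move to the new rules CA_INIT_C, CA_INIT_T and CA_FINISH_C with tags '4', '5' and '6', with CA_FINISH_T now reading tag '6' instead of '4'. The kCNF_C to kCNF_c rename in CA_FINISH_T is cosmetic; mention it alongside the model change so it is not mistaken for a behavioural difference.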
...
...
@@ -375,12 +340,12 @@ rule (modulo E) CA_FINISH_T:
/*
rule (modulo AC) CA_FINISH_T:
[
In( <kCNF_
C
, '
4
', 'c'> ),
In( <kCNF_
c
, '
6
', 'c'> ),
CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
!Cert( $T, certT, 'terminal' )
]
--[
Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_
C
),
Eq( kdf(<'CNF', certT, certC, r2, cip>, k), kCNF_
c
),
Completed( kdf(<'KEY', certT, certC, r2, cip>, k),
<certT, certC, r2, cip>, $T, 'terminal', z
),
...
...
@@ -2240,10 +2205,9 @@ guarded formula characterizing all satisfying traces:
*/
simplify
solve( Completed( k, sid, C, 'chip', T ) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
...
...
@@ -2260,43 +2224,50 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
) ▶₁ #j )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j )
case CA_Sign_ltk
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.5 )
) @ #vk.3 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.11 )
case TA_RESPONSE_T
solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.34 )
case CA_Sign_ltk
solve( !KU( ~r2 ) @ #vk.30 )
case TA_CHALLENGE_C
solve( !KU( ~id_c ) @ #vk.33 )
solve( !KU( ~r2 ) @ #vk.28 )
case CA_INIT_C
solve( !KU( ~id_c ) @ #vk.34 )
case TA_CHALLENGE_C
solve( !KU( ~r1 ) @ #vk.3
4
)
solve( !KU( ~r1 ) @ #vk.3
5
)
case TA_CHALLENGE_C
solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
) @ #vk.
20
)
) @ #vk.
19
)
case CA_Sign_ltk
solve( !KU( kdf(<'CNF',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.2
4
)
case
T
A_
COMPLETE
_C
) @ #vk.2
3
)
case
C
A_
FINISH
_C
solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
) @ #vk.3
3
)
case CA_
Sign_ltk
solve( !KU(
encaps(~k, pk(~ltk)
) ) @ #vk.
21
)
) @ #vk.3
1
)
case CA_
INIT_C
solve( !KU(
sign(<'TA', ~id_c.2, ~r1.2>, x
) ) @ #vk.
38
)
case TA_RESPONSE_T
solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), z, 'terminal'>, ca_sk), z)
) @ #vk.40 )
case CA_Sign_ltk
solve( !KU( ~id_c.2 ) @ #vk.42 )
case TA_CHALLENGE_C
solve( !KU( ~r1.1 ) @ #vk.43 )
case TA_CHALLENGE_C
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.24 )
case CA_INIT_T
SOLVED // trace found
qed
qed
...
...
@@ -2315,6 +2286,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
qed
qed
qed
qed
qed
lemma two_session_exist:
exists-trace
...
...
@@ -2338,10 +2312,9 @@ guarded formula characterizing all satisfying traces:
*/
simplify
solve( Completed( k, sid, C, 'chip', T ) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
...
...
@@ -2358,17 +2331,16 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
) ▶₁ #j )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j )
case CA_Sign_ltk
solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1,
r2.1
case CA_FINISH_C
solve( CAInitC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1
) ▶₁ #i2 )
case
T
A_
CHALLENGE
_C
case
C
A_
INIT
_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
...
...
@@ -2388,51 +2360,46 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
<z, cip>
) ▶₁ #j2 )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j2 )
case CA_Sign_ltk
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
$T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.
5
)
case
T
A_
RESPONSE
_T
solve( !KU( sign(<'TA', ~id_c
.1
, ~r1
.1
>, ~
ltk.1
) ) @ #vk.
40
)
) @ #vk.
3
)
case
C
A_
INIT
_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~
skT
) ) @ #vk.
15
)
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1),
sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
$T),
cert(pk(~ltk.1),
sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
$T),
cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk), $C),
~r2.1, encaps(~k.1, pk(~skC))>,
~ltk.1)
) @ #vk.43 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c.1, ~r1.1>, ~ltk.1) ) @ #vk.45 )
case TA_RESPONSE_T
solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.54 )
case CA_Sign_ltk
solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.60 )
case CA_Sign_ltk
solve( !KU( ~r2 ) @ #vk.47 )
case TA_CHALLENGE_C
solve( !KU( ~r2.1 ) @ #vk.55 )
case TA_CHALLENGE_C
solve( !KU( ~id_c ) @ #vk.56 )
solve( !KU( ~r2 ) @ #vk.41 )
case CA_INIT_C
solve( !KU( ~r2.1 ) @ #vk.51 )
case CA_INIT_C
solve( !KU( ~id_c ) @ #vk.54 )
case TA_CHALLENGE_C
solve( !KU( ~r1 ) @ #vk.5
7
)
solve( !KU( ~r1 ) @ #vk.5
5
)
case TA_CHALLENGE_C
solve( !KU( ~id_c.1 ) @ #vk.5
9
)
solve( !KU( ~id_c.1 ) @ #vk.5
6
)
case TA_CHALLENGE_C
solve( !KU( ~r1.1 ) @ #vk.
60
)
solve( !KU( ~r1.1 ) @ #vk.
57
)
case TA_CHALLENGE_C
solve( !KU( cert(pk(~skT),
sign(<pk(~skT), $T, 'terminal'>, ca_sk),
$T)
) @ #vk.39 )
sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
) @ #vk.32 )
case CA_Sign_ltk
solve( !KU( kdf(<'CNF',
cert(pk(~skT),
...
...
@@ -2440,26 +2407,36 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
ca_sk),
$T),
cert(pk(~ltk),
sign(<pk(~ltk), $C, 'chip'>,
ca_sk),
sign(<pk(~ltk), $C, 'chip'>, ca_sk),
$C),
~r2, encaps(~k, pk(~ltk))>,
~k)
) @ #vk.
42
)
case
T
A_
COMPLETE
_C
) @ #vk.
36
)
case
C
A_
FINISH
_C
solve( !KU( cert(pk(~ltk),
sign(<pk(~ltk), $C, 'chip'>, ca_sk),
$C)
) @ #vk.52 )
case CA_Sign_ltk
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.37 )
sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
) @ #vk.47 )
case CA_INIT_C
solve( !KU( sign(<'TA', ~id_c.4, ~r1.4>, x) ) @ #vk.60 )
case TA_RESPONSE_T
solve( !KU( cert(pk(~skT.3),
sign(<pk(~skT.3), z, 'terminal'>,
ca_sk),
z)
) @ #vk.62 )
case CA_Sign_ltk
solve( !KU( ~id_c.4 ) @ #vk.64 )
case TA_CHALLENGE_C
solve( !KU( ~r1.3 ) @ #vk.65 )
case TA_CHALLENGE_C
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.36 )
case CA_INIT_T
solve( !KU( cert(pk(~ltk.1),
sign(<pk(~ltk.1), $T,
'terminal'
>,
sign(<pk(~ltk.1), $T,
'terminal'
>,
ca_sk),
$T)
) @ #vk.
55
)
) @ #vk.
61
)
case CA_Sign_ltk
solve( !KU( kdf(<'CNF',
cert(pk(~ltk.1),
...
...
@@ -2468,23 +2445,41 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
ca_sk),
$T),
cert(pk(~skC),
sign(<pk(~skC), $C,
'chip'
>,
sign(<pk(~skC), $C,
'chip'
>,
ca_sk),
$C),
~r2.1, encaps(~k.1, pk(~skC))>,
~r2.1,
encaps(~k.1, pk(~skC))>,
~k.1)
) @ #vk.
5
6 )
case
T
A_
COMPLETE
_C
) @ #vk.6
2
)
case
C
A_
FINISH
_C
solve( !KU( cert(pk(~skC),
sign(<pk(~skC), $C, 'chip'>,
sign(<pk(~skC), $C,
'chip'>,
ca_sk),
$C)
) @ #vk.59 )
case CA_Sign_ltk
solve( !KU( encaps(~k.1, pk(~skC))
) @ #vk.57 )
) @ #vk.63 )
case CA_INIT_C
solve( !KU( sign(<'TA', ~id_c.5, ~r1.5>,
x)
) @ #vk.68 )
case TA_RESPONSE_T
solve( !KU( cert(pk(~skT.4),
sign(<pk(~skT.4), z,
'terminal'>,
ca_sk),
z)
) @ #vk.70 )
case CA_Sign_ltk
solve( !KU( ~id_c.5 ) @ #vk.72 )
case TA_CHALLENGE_C
solve( !KU( ~r1.4 ) @ #vk.73 )
case TA_CHALLENGE_C
solve( !KU( encaps(~k.1,
pk(~skC))
) @ #vk.71 )
case CA_INIT_T
SOLVED // trace found
qed
qed
...
...
@@ -2520,6 +2515,12 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
qed
qed
qed
qed
qed
qed
qed
qed
lemma weak_agreement_C:
all-traces
...
...
@@ -2539,7 +2540,7 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
case CA_Sign_ltk
solve( Completed( k.1,
...
...
@@ -2547,11 +2548,11 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
C, 'chip', T.1
) @ #i )
case
T
A_
COMPLETE
_C
solve(
TAChallenge
C( <$C, iid>,
case
C
A_
FINISH
_C
solve(
CAInit
C( <$C, iid>,
cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
) ▶₁ #i )
case
T
A_
CHALLENGE
_C
case
C
A_
INIT
_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
...
...
@@ -2583,7 +2584,7 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
case CA_Sign_ltk
solve( Completed( k.1,
...
...
@@ -2595,48 +2596,48 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
solve( CAInitT( <$T.1, iid>, id_c,
cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
) ▶₁ #i )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !KU( kdf(<'CNF',
cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T),
cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
~k)
) @ #vk.1 )
case
T
A_
COMPLETE
_C
case
C
A_
FINISH
_C
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.
18
)
case
T
A_
RESPONSE
_T
solve( !KU( ~k ) @ #vk.
20
)
case
C
A_
INIT
_T
solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
) @ #vk.1
3
)
case CA_
Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
3
)
) @ #vk.1
2
)
case CA_
INIT_C
solve( !KU( ~ltk.1 ) @ #vk.2
5
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case
TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.2
3
)
case
CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
5
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_cert
solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.2
5
)
case CA_
Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
4
)
solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.2
7
)
case CA_
INIT_C
solve( !KU( ~ltk.1 ) @ #vk.2
6
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case
TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.2
4
)
case
CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
6
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_sign
by solve( !KU( ca_sk ) @ #vk.
29
)
by solve( !KU( ca_sk ) @ #vk.
31
)
qed
qed
qed
...
...
@@ -2664,7 +2665,7 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
case CA_Sign_ltk
solve( Completed( k.1,
...
...
@@ -2672,11 +2673,11 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
C, 'chip', T.1
) @ #i )
case
T
A_
COMPLETE
_C
solve(
TAChallenge
C( <$C, iid>,
case
C
A_
FINISH
_C
solve(
CAInit
C( <$C, iid>,
cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
) ▶₁ #i )
case
T
A_
CHALLENGE
_C
case
C
A_
INIT
_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
...
...
@@ -2687,24 +2688,24 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
by contradiction /* from formulas */
next
case split_case_2
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.18 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.21 )
) @ #vk.20 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.28 )
case TA_RESPONSE_T
solve( !KU( kdf(<'CNF',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.
4
)
) @ #vk.
5
)
case c_kdf
solve( !KU( ~k ) @ #vk.40 )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !KU( ~ltk ) @ #vk.42 )
case Corrupt_ltk
by contradiction /* from formulas */
...
...
@@ -2713,14 +2714,14 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
qed
next
case c_sign
solve( !KU( ~
ltk.1
) @ #vk.
40
)
solve( !KU( ~
skT
) @ #vk.
33
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
qed
next
case c_sign
solve( !KU( ~ltk.1 ) @ #vk.
29
)
solve( !KU( ~ltk.1 ) @ #vk.
36
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
...
...
@@ -2751,7 +2752,7 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
case CA_Sign_ltk
solve( Completed( k.1,
...
...
@@ -2763,48 +2764,48 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
solve( CAInitT( <$T.1, iid>, id_c,
cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
) ▶₁ #i )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !KU( kdf(<'CNF',
cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T),
cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
~k)
) @ #vk.1 )
case
T
A_
COMPLETE
_C
case
C
A_
FINISH
_C
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.
18
)
case
T
A_
RESPONSE
_T
solve( !KU( ~k ) @ #vk.
20
)
case
C
A_
INIT
_T
solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
) @ #vk.1
3
)
case CA_
Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
3
)
) @ #vk.1
2
)
case CA_
INIT_C
solve( !KU( ~ltk.1 ) @ #vk.2
5
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case
TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.2
3
)
case
CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
5
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_cert
solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.2
5
)
case CA_
Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
4
)
solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.2
7
)
case CA_
INIT_C
solve( !KU( ~ltk.1 ) @ #vk.2
6
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case
TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.2
4
)
case
CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
6
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_sign
by solve( !KU( ca_sk ) @ #vk.
29
)
by solve( !KU( ca_sk ) @ #vk.
31
)
qed
qed
qed
...
...
@@ -2830,7 +2831,7 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
case CA_Sign_ltk
solve( Completed( k.1,
...
...
@@ -2838,60 +2839,60 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
A, role, B
) @ #i )
case CA_FINISH_C
by contradiction /* from formulas */
next
case CA_FINISH_T
solve( CAInitT( <$T.1, iid>, id_c,
cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>
) ▶₁ #i )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !KU( kdf(<'CNF',
cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T),
cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
~k)
) @ #vk.1 )
case
T
A_
COMPLETE
_C
case
C
A_
FINISH
_C
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.
18
)
case
T
A_
RESPONSE
_T
solve( !KU( ~k ) @ #vk.
20
)
case
C
A_
INIT
_T
solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
) @ #vk.1
3
)
case CA_
Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
3
)
) @ #vk.1
2
)
case CA_
INIT_C
solve( !KU( ~ltk.1 ) @ #vk.2
5
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case
TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.2
3
)
case
CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
5
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_cert
solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.2
5
)
case CA_
Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
4
)
solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.2
7
)
case CA_
INIT_C
solve( !KU( ~ltk.1 ) @ #vk.2
6
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case
TA_CHALLENGE_C
solve( !KU( ~ltk.1 ) @ #vk.2
4
)
case
CA_Sign_ltk
solve( !KU( ~ltk.1 ) @ #vk.2
6
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
next
case c_sign
by solve( !KU( ca_sk ) @ #vk.
29
)
by solve( !KU( ca_sk ) @ #vk.
31
)
qed
qed
qed
qed
qed
next
case TA_COMPLETE_C
by contradiction /* from formulas */
qed
qed
qed
...
...
@@ -2916,9 +2917,34 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) )
solve( (#i < #j) ∥ (#j < #i) )
case case_1
solve( Completed( k, sid, A, role, B ) @ #i )
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
case CA_Sign_ltk
solve( Completed( kdf(<'KEY',
cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
z),
sid2, $C, 'chip', B
) @ #j )
case CA_FINISH_C
solve( CAInitC( <$C, iid.1>,
cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
) ▶₁ #j )
case CA_INIT_C
by contradiction /* cyclic */
qed
qed
qed
qed
qed
next
case CA_FINISH_T
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
case CA_Sign_ltk
solve( Completed( kdf(<'KEY',
...
...
@@ -2931,17 +2957,19 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
) ▶₁ #j )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
by contradiction /* cyclic */
qed
qed
qed
qed
qed
next
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case case_2
solve( Completed( k, sid, A, role, B ) @ #i )
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
...
...
@@ -2952,24 +2980,21 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) )
z),
sid2, $C, 'chip', B
) @ #j )
case
T
A_
COMPLETE
_C
solve(
TAChallenge
C( <$C, iid.1>,
case
C
A_
FINISH
_C
solve(
CAInit
C( <$C, iid.1>,
cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
) ▶₁ #j )
case
T
A_
CHALLENGE
_C
case
C
A_
INIT
_C
by contradiction /* cyclic */
qed
qed
qed
qed
qed
qed
next
case case_2
solve( Completed( k, sid, A, role, B ) @ #i )
case CA_FINISH_T
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
case CA_Sign_ltk
solve( Completed( kdf(<'KEY',
...
...
@@ -2982,17 +3007,20 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
) ▶₁ #j )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
by contradiction /* cyclic */
qed
qed
qed
qed
qed
qed
next
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case case_2
solve( Completed( k, sid, A, role, B ) @ #i )
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
...
...
@@ -3003,25 +3031,16 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) )
z),
sid2, $C, 'chip', B
) @ #j )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid.1>,
cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
) ▶₁ #j )
case TA_CHALLENGE_C
by contradiction /* cyclic */
qed
qed
qed
case CA_FINISH_C
by contradiction /* from formulas */
qed
qed
qed
qed
next
case case_2
solve( Completed( k, sid, A, role, B ) @ #i )
case CA_FINISH_T
solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
case CA_Sign_ltk
solve( Completed( kdf(<'KEY',
...
...
@@ -3035,27 +3054,6 @@ next
qed
qed
qed
next
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
case CA_Sign_ltk
solve( Completed( kdf(<'KEY',
cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
z),
sid2, $C, 'chip', B
) @ #j )
case TA_COMPLETE_C
by contradiction /* from formulas */
qed
qed
qed
qed
qed
qed
...
...
@@ -3075,10 +3073,9 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( Completed( k, sid, C, 'chip', T ) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
...
...
@@ -3092,7 +3089,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
) ▶₁ #j )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j )
...
...
@@ -3102,24 +3099,24 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
by contradiction /* from formulas */
next
case split_case_2
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.3 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.5 )
) @ #vk.3 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.11 )
case TA_RESPONSE_T
solve( !KU( kdf(<'CNF',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.1
4
)
) @ #vk.1
6
)
case c_kdf
solve( !KU( ~k ) @ #vk.40 )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !KU( ~ltk ) @ #vk.42 )
case Corrupt_ltk
by contradiction /* from formulas */
...
...
@@ -3128,18 +3125,18 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
next
case c_sign
solve( !KU( ~
ltk.1
) @ #vk.
40
)
solve( !KU( ~
skT
) @ #vk.
33
)
case Corrupt_ltk
solve( !KU( kdf(<'CNF',
cert(pk(~
ltk.1
), sign(<pk(~
ltk.1
), $T, 'terminal'>, ca_sk), $T),
cert(pk(~
skT
), sign(<pk(~
skT
), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.1
9
)
) @ #vk.1
7
)
case c_kdf
solve( !KU( ~k ) @ #vk.4
3
)
case
T
A_
RESPONSE
_T
solve( !KU( ~ltk ) @ #vk.4
5
)
solve( !KU( ~k ) @ #vk.4
2
)
case
C
A_
INIT
_T
solve( !KU( ~ltk ) @ #vk.4
4
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
...
...
@@ -3149,25 +3146,20 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
next
case c_sign
solve( !KU( ~ltk.1 ) @ #vk.
29
)
solve( !KU( ~ltk.1 ) @ #vk.
36
)
case Corrupt_ltk
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.6 )
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.14 )
case TA_RESPONSE_T
solve( !KU( kdf(<'CNF',
cert(pk(~
skT
), sign(<pk(~
skT
), $T, 'terminal'>, ca_sk), $T),
cert(pk(~
ltk.1
), sign(<pk(~
ltk.1
), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.1
5
)
) @ #vk.
2
1 )
case c_kdf
solve( !KU( ~k ) @ #vk.3
8
)
case
T
A_
RESPONSE
_T
solve( !KU( ~ltk ) @ #vk.4
0
)
solve( !KU( ~k ) @ #vk.
4
3 )
case
C
A_
INIT
_T
solve( !KU( ~ltk ) @ #vk.4
5
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
...
...
@@ -3180,11 +3172,11 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.1
7
)
) @ #vk.
2
1 )
case c_kdf
solve( !KU( ~k ) @ #vk.4
0
)
case
T
A_
RESPONSE
_T
solve( !KU( ~ltk ) @ #vk.4
2
)
solve( !KU( ~k ) @ #vk.4
4
)
case
C
A_
INIT
_T
solve( !KU( ~ltk ) @ #vk.4
6
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
...
...
@@ -3221,10 +3213,9 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( Completed( k, sid, C, 'chip', T ) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
...
...
@@ -3241,32 +3232,32 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
) ▶₁ #j )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j )
case CA_Sign_ltk
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.4 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.6 )
) @ #vk.4 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.12 )
case TA_RESPONSE_T
solve( !KU( kdf(<'KEY',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.
3
)
) @ #vk.
4
)
case Reveal_session
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.41 )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !KU( ~ltk ) @ #vk.43 )
case Corrupt_ltk
by contradiction /* from formulas */
...
...
@@ -3275,10 +3266,10 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
next
case c_sign
solve( !KU( ~
ltk.1
) @ #vk.4
1
)
solve( !KU( ~
skT
) @ #vk.
3
4 )
case Corrupt_ltk
solve( !KU( kdf(<'KEY',
cert(pk(~
ltk.1
), sign(<pk(~
ltk.1
), $T, 'terminal'>, ca_sk), $T),
cert(pk(~
skT
), sign(<pk(~
skT
), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
...
...
@@ -3287,9 +3278,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.4
4
)
case
T
A_
RESPONSE
_T
solve( !KU( ~ltk ) @ #vk.4
6
)
solve( !KU( ~k ) @ #vk.4
3
)
case
C
A_
INIT
_T
solve( !KU( ~ltk ) @ #vk.4
5
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
...
...
@@ -3299,17 +3290,12 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
next
case c_sign
solve( !KU( ~ltk.1 ) @ #vk.3
0
)
solve( !KU( ~ltk.1 ) @ #vk.3
7
)
case Corrupt_ltk
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.7 )
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.15 )
case TA_RESPONSE_T
solve( !KU( kdf(<'KEY',
cert(pk(~
skT
), sign(<pk(~
skT
), $T, 'terminal'>, ca_sk), $T),
cert(pk(~
ltk.1
), sign(<pk(~
ltk.1
), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
...
...
@@ -3318,9 +3304,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.
39
)
case
T
A_
RESPONSE
_T
solve( !KU( ~ltk ) @ #vk.4
1
)
solve( !KU( ~k ) @ #vk.
44
)
case
C
A_
INIT
_T
solve( !KU( ~ltk ) @ #vk.4
6
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
...
...
@@ -3338,9 +3324,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
by contradiction /* from formulas */
next
case c_kdf
solve( !KU( ~k ) @ #vk.4
1
)
case
T
A_
RESPONSE
_T
solve( !KU( ~ltk ) @ #vk.4
3
)
solve( !KU( ~k ) @ #vk.4
5
)
case
C
A_
INIT
_T
solve( !KU( ~ltk ) @ #vk.4
7
)
case Corrupt_ltk
by contradiction /* from formulas */
qed
...
...
@@ -3370,54 +3356,11 @@ guarded formula characterizing all counter-examples:
(∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
*/
simplify
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
case CA_Sign_ltk
solve( splitEqs(0) )
case split_case_1
solve( !KU( sign(<'TA', ~id_c, ~r1>, x) ) @ #vk.3 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~skT), sign(<pk(~skT), T, 'terminal'>, ca_sk), T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
~skT)
) @ #vk.5 )
case TA_RESPONSE_T
solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.19 )
case CA_Sign_ltk
solve( !KU( ~iid ) @ #vk.12 )
case TA_CHALLENGE_C
solve( !KU( ~id_c ) @ #vk.17 )
case TA_CHALLENGE_C
solve( !KU( ~r1 ) @ #vk.19 )
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1 ) ▶₁ #i )
case TA_CHALLENGE_C
solve( !KU( ~r2 ) @ #vk.32 )
case TA_CHALLENGE_C
solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
) @ #vk.19 )
case CA_Sign_ltk
solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
) @ #vk.32 )
case CA_Sign_ltk
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.18 )
case TA_RESPONSE_T
SOLVED // trace found
qed
qed
qed
qed
qed
qed
qed
qed
qed
qed
qed
qed
solve( !KU( ~iid ) @ #vk.6 )
case CA_INIT_C
by contradiction /* cyclic */
qed
qed
...
...
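Review bot: The replacement proof rests on a single source for ~iid: the step solve( !KU( ~iid ) @ #vk.6 ) has only case CA_INIT_C, closed as cyclic, whereas the removed trace obtained ~iid from case TA_CHALLENGE_C. The TAChallengeC premise has also gone from five arguments (ending r1, r2) to four (ending r1). Nothing in this results file says whether the model stopped releasing iid during terminal authentication on purpose. Please state the model change behind this in the commit message or beside the lemma. Consider also keeping an exists-trace sanity lemma in which K( iid ) does occur after #i, so that this verdict cannot come from the K( iid ) branch of the guarded formula being unreachable.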
@@ -3536,10 +3479,9 @@ guarded formula characterizing all counter-examples:
*/
simplify
solve( Completed( k, sid, C, 'chip', T ) @ #i )
case TA_COMPLETE_C
solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
) ▶₁ #i )
case TA_CHALLENGE_C
case CA_FINISH_C
solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
case CA_INIT_C
solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
case Generate_chip_key_pair
solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
...
...
@@ -3556,55 +3498,62 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
solve( CAInitT( <$T, iid.1>, id_c.1,
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
) ▶₁ #j )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
'terminal'
) ▶₂ #j )
case CA_Sign_ltk
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.4 )
case TA_RESPONSE_T
solve( !KU( sign(<'CA',
cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~ltk.1)
) @ #vk.6 )
) @ #vk.4 )
case CA_INIT_T
solve( !KU( sign(<'TA', ~id_c, ~r1>, ~skT) ) @ #vk.12 )
case TA_RESPONSE_T
solve( !KU( kdf(<'KEY',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2,
encaps(~k, pk(~ltk))>,
~k)
) @ #vk.
3
)
) @ #vk.
4
)
case c_kdf
solve( !KU( ~k ) @ #vk.41 )
case
T
A_
RESPONSE
_T
case
C
A_
INIT
_T
solve( !KU( ~ltk ) @ #vk.43 )
case Corrupt_ltk
solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.41 )
case CA_Sign_ltk
solve( !KU( ~r2 ) @ #vk.38 )
case TA_CHALLENGE_C
solve( !KU( ~id_c ) @ #vk.40 )
solve( !KU( ~r2 ) @ #vk.36 )
case CA_INIT_C
solve( !KU( ~id_c ) @ #vk.41 )
case TA_CHALLENGE_C
solve( !KU( ~r1 ) @ #vk.4
1
)
solve( !KU( ~r1 ) @ #vk.4
2
)
case TA_CHALLENGE_C
solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
) @ #vk.2
7
)
) @ #vk.2
6
)
case CA_Sign_ltk
solve( !KU( kdf(<'CNF',
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk),
$T),
cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T),
cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C),
~r2, encaps(~k, pk(~ltk))>,
~k)
) @ #vk.3
1
)
case
T
A_
COMPLETE
_C
) @ #vk.3
0
)
case
C
A_
FINISH
_C
solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
) @ #vk.
40
)
case CA_
Sign_ltk
solve( !KU(
encaps(~k, pk(~ltk)
) ) @ #vk.
28
)
) @ #vk.
38
)
case CA_
INIT_C
solve( !KU(
sign(<'TA', ~id_c.2, ~r1.2>, x
) ) @ #vk.
46
)
case TA_RESPONSE_T
solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), z, 'terminal'>, ca_sk),
z)
) @ #vk.48 )
case CA_Sign_ltk
solve( !KU( ~id_c.2 ) @ #vk.50 )
case TA_CHALLENGE_C
solve( !KU( ~r1.1 ) @ #vk.51 )
case TA_CHALLENGE_C
solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.31 )
case CA_INIT_T
SOLVED // trace found
qed
qed
...
...
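Review bot: The trace that ends in SOLVED // trace found still passes through case Corrupt_ltk on ~ltk right after the c_kdf step on ~k, and pk(~ltk) is both the key certified as 'chip' and the encapsulation target in encaps(~k, pk(~ltk)). If this is the pfs lemma that the summary reports as falsified, the results should say whether that is an accepted consequence of encapsulating to the chip's long-term key or an open finding. A one-line comment beside the lemma in the model would be enough.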
@@ -3626,6 +3575,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
qed
qed
qed
qed
qed
qed
...
...
@@ -3674,10 +3626,10 @@ summary of summaries:
analyzed: tmp.spthy
processing time:
754.39
s
processing time:
98.76
s
session_exist (exists-trace): verified (
19
steps)
two_session_exist (exists-trace): verified (
36
steps)
session_exist (exists-trace): verified (
22
steps)
two_session_exist (exists-trace): verified (
42
steps)
weak_agreement_C (all-traces): verified (8 steps)
weak_agreement_T (all-traces): verified (19 steps)
agreement_C (all-traces): verified (19 steps)
...
...
@@ -3686,9 +3638,9 @@ analyzed: tmp.spthy
session_uniqueness (all-traces): verified (37 steps)
consistency (all-traces): verified (31 steps)
key_secrecy (all-traces): verified (33 steps)
chip_hiding (all-traces):
fals
ified
- found trace (16
steps)
chip_hiding (all-traces):
ver
ified
(4
steps)
nonRepudiation_terminal (exists-trace): verified (13 steps)
nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps)
pfs (all-traces): falsified - found trace (2
2
steps)
pfs (all-traces): falsified - found trace (2
5
steps)
==============================================================================
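Review bot: chip_hiding changes from falsified - found trace (16 steps) to verified (4 steps) and the processing time drops from 754.39s to 98.76s, yet the analyzed file is reported only as tmp.spthy, so the new verdict cannot be tied to a model revision. Please record which .spthy revision and Tamarin invocation produced this output, in the commit message or alongside the results file. pfs is still falsified - found trace (now 25 steps) and nonRepudiation_chip is still falsified - no trace found, which for an exists-trace lemma means no witness exists. Both deserve a line saying whether they are expected.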