From e7f75533c22b40a5e4f8190fd31a5444e06a6187 Mon Sep 17 00:00:00 2001
From: jm71syxy <jonas.mueller.97@stud.tu-darmstadt.de>
Date: Tue, 2 Jul 2024 15:32:52 +0200
Subject: [PATCH] Remove chip hiding property and add forward secrecy for
 terminal ltk

---
 ClassicEAC.spthy                              |   42 +-
 FastKemPQEAC.spthy                            |   48 +-
 FastSigPQEAC.spthy                            |   48 +-
 KemPQEAC.spthy                                |   58 +-
 README.md                                     |    5 +-
 SigPQEAC.spthy                                |   58 +-
 include/include/attacker.spthy                |   12 +
 .../include/classic_verify_transcript.spthy   |   24 +
 include/include/kem_verify_transcript.spthy   |   75 +
 include/include/lemmas.spthy                  |  151 +
 include/include/setup.spthy                   |   49 +
 include/include/sig_verify_transcript.spthy   |   44 +
 ...QEAC_TAMARIN => 46092847.err.FastSigPQEAC} |    0
 ...QEAC_TAMARIN => 46092847.out.FastSigPQEAC} |  857 ++-
 ...SSIC_EAC_TAMARIN => 46092855.err.SigPQEAC} |    0
 ...SigPQEAC_TAMARIN => 46092855.out.SigPQEAC} |  712 +--
 ...KemPQEAC_TAMARIN => 46092858.err.KemPQEAC} |    0
 ...KemPQEAC_TAMARIN => 46092858.out.KemPQEAC} |  710 +--
 ...QEAC_TAMARIN => 46092862.err.FastKemPQEAC} |    0
 ...QEAC_TAMARIN => 46092862.out.FastKemPQEAC} | 1107 ++--
 ...N => 46092873.err.ForwardSecrecy_SigPQEAC} |    0
 ...N => 46092873.out.ForwardSecrecy_SigPQEAC} |  989 ++--
 ... 46092874.err.ForwardSecrecy_FastSigPQEAC} |    0
 ... 46092874.out.ForwardSecrecy_FastSigPQEAC} | 1326 ++---
 ...N => 46092875.err.ForwardSecrecy_KemPQEAC} |    0
 ...N => 46092875.out.ForwardSecrecy_KemPQEAC} | 1622 +++---
 ... 46092876.err.ForwardSecrecy_FastKemPQEAC} |    0
 ... 46092876.out.ForwardSecrecy_FastKemPQEAC} | 1228 ++--
 ...PQEAC_TAMARIN => 46109591.err.CLASSIC_EAC} |    4 +-
 ...C_EAC_TAMARIN => 46109591.out.CLASSIC_EAC} | 5183 +++++++++++------
 tmp.spthy                                     |  463 --
 31 files changed, 7412 insertions(+), 7403 deletions(-)
 create mode 100644 include/include/attacker.spthy
 create mode 100644 include/include/classic_verify_transcript.spthy
 create mode 100644 include/include/kem_verify_transcript.spthy
 create mode 100644 include/include/lemmas.spthy
 create mode 100644 include/include/setup.spthy
 create mode 100644 include/include/sig_verify_transcript.spthy
 rename results/{45991550.err.PFS_ALL_FastKemPQEAC_TAMARIN => 46092847.err.FastSigPQEAC} (100%)
 rename results/{45991792.out.ALL_FastSigPQEAC_TAMARIN => 46092847.out.FastSigPQEAC} (86%)
 rename results/{45991167.err.ALL_CLASSIC_EAC_TAMARIN => 46092855.err.SigPQEAC} (100%)
 rename results/{45992234.out.ALL_SigPQEAC_TAMARIN => 46092855.out.SigPQEAC} (89%)
 rename results/{45991549.err.PFS_ALL_KemPQEAC_TAMARIN => 46092858.err.KemPQEAC} (100%)
 rename results/{45991793.out.ALL_KemPQEAC_TAMARIN => 46092858.out.KemPQEAC} (92%)
 rename results/{45991792.err.ALL_FastSigPQEAC_TAMARIN => 46092862.err.FastKemPQEAC} (100%)
 rename results/{45991794.out.ALL_FastKemPQEAC_TAMARIN => 46092862.out.FastKemPQEAC} (88%)
 rename results/{45991168.err.PFS_ALL_SigPQEAC_TAMARIN => 46092873.err.ForwardSecrecy_SigPQEAC} (100%)
 rename results/{45991168.out.PFS_ALL_SigPQEAC_TAMARIN => 46092873.out.ForwardSecrecy_SigPQEAC} (90%)
 rename results/{45991739.err.PFS_ALL_FastSigPQEAC_TAMARIN => 46092874.err.ForwardSecrecy_FastSigPQEAC} (100%)
 rename results/{45991739.out.PFS_ALL_FastSigPQEAC_TAMARIN => 46092874.out.ForwardSecrecy_FastSigPQEAC} (87%)
 rename results/{45991793.err.ALL_KemPQEAC_TAMARIN => 46092875.err.ForwardSecrecy_KemPQEAC} (100%)
 rename results/{45991549.out.PFS_ALL_KemPQEAC_TAMARIN => 46092875.out.ForwardSecrecy_KemPQEAC} (79%)
 rename results/{45991794.err.ALL_FastKemPQEAC_TAMARIN => 46092876.err.ForwardSecrecy_FastKemPQEAC} (100%)
 rename results/{45991550.out.PFS_ALL_FastKemPQEAC_TAMARIN => 46092876.out.ForwardSecrecy_FastKemPQEAC} (88%)
 rename results/{45992234.err.ALL_SigPQEAC_TAMARIN => 46109591.err.CLASSIC_EAC} (81%)
 rename results/{45991167.out.ALL_CLASSIC_EAC_TAMARIN => 46109591.out.CLASSIC_EAC} (83%)
 delete mode 100644 tmp.spthy

diff --git a/ClassicEAC.spthy b/ClassicEAC.spthy
index 403fc9b..3c5234a 100644
--- a/ClassicEAC.spthy
+++ b/ClassicEAC.spthy
@@ -31,9 +31,9 @@ let
     pkTe = 'g'^~skTe
     msg1 = <certT, pkTe, '1', 't'>
 in
-    [ !Cert($T, certT, 'terminal'), Fr(~skTe), Fr(~iid) ] // skTe is ephemeral session key, iid is instance id of user $T
+    [ !Cert($T, certT, 'terminal'), Fr(~skTe) ] // skTe is ephemeral session key
   --[ Started() ]->
-    [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>, ~skTe) ] // Publish T's iid as its identity gets revealed through certT
+    [ Out(msg1), TAInitT($T, ~skTe) ]
 
 // We generate a fresh IDc to simulate the previous execution of PACE or BAC
 rule TA_CHALLENGE_C:
@@ -41,9 +41,9 @@ let
     msg1 = <certT, pkTe, '1', 't'>
     msg2 = <~id_c, ~r1, '2', 'c'>
 in
-    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~iid) ]
+    [ In(msg1), Fr(~r1), Fr(~id_c) ]
   --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]->
-    [ Out(msg2), TAChallengeC(<$C, ~iid>, certT, pkTe, ~id_c, ~r1) ]
+    [ Out(msg2), TAChallengeC($C, certT, pkTe, ~id_c, ~r1) ]
 
 rule TA_RESPONSE_T:
 let
@@ -52,17 +52,17 @@ let
     s = sign(<id_c, r1, pkTe>, ~skT)
     msg3 = <s, '3', 't'>
 in
-    [ In(msg2), TAInitT(<$T, iid>, skTe), !Ltk($T, ~skT, 'terminal') ]
+    [ In(msg2), TAInitT($T, skTe), !Ltk($T, ~skT, 'terminal') ]
   -->
-    [ Out(msg3), TAResponseT(<$T, iid>, skTe, id_c) ]
+    [ Out(msg3), TAResponseT($T, skTe, id_c) ]
 
 rule TA_COMPLETE_C:
 let
     msg3 = <s, '3', 't'>
 in
-    [ In(msg3), TAChallengeC(<$C, iid>, certT, pkTe, id_c, r1) ]
-  --[ Eq(verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true), CompletedTA($C, iid, cert_id(certT)) ]->
-    [ TACompleteC(<$C, iid>, certT, pkTe, id_c, r1) ]
+    [ In(msg3), TAChallengeC($C, certT, pkTe, id_c, r1) ]
+  --[ Eq(verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true) ]->
+    [ TACompleteC($C, certT, pkTe, id_c, r1) ]
 
 
 
@@ -73,9 +73,9 @@ rule CA_INIT_C:
 let
     msg4 = <certC, ~r2, '4', 'c'>
 in
-    [ !Cert($C, certC, 'chip'), Fr(~r2), TACompleteC(<$C, iid>, certT, pkTe, id_c, r1) ]
+    [ !Cert($C, certC, 'chip'), Fr(~r2), TACompleteC($C, certT, pkTe, id_c, r1) ]
   -->
-    [ Out(msg4), Out(iid), CAInitC(<$C, iid>, certT, pkTe, id_c, r1, ~r2) ] // Publish C's iid as its identity gets revealed through certC
+    [ Out(msg4), CAInitC($C, certT, pkTe, id_c, r1, ~r2) ]
 
 
 rule CA_INIT_T:
@@ -84,9 +84,9 @@ let
     msg4 = <certC, r2, '4', 'c'>
     msg5 = <pkTe, '5', 't'>
 in
-    [ In(msg4), TAResponseT(<$T, iid>, skTe, id_c) ]
+    [ In(msg4), TAResponseT($T, skTe, id_c) ]
   --[ Eq(verify_cert(certC, 'chip'), true) ]->
-    [ Out(msg5), CAInitT(<$T, iid>, skTe, id_c, certC) ]
+    [ Out(msg5), CAInitT($T, skTe, id_c, certC) ]
 
 
 rule CA_FINISH_C:
@@ -95,13 +95,13 @@ let
     k = pkTe^~skC
     kMac = kdf_mac(k, r2)
     kEnc = kdf_enc(k, r2)
+    sid = <certT, certC, pkTe, 'g'^~skC, id_c, r2>
     tag = mac(pkTe, kMac)
     msg6 = <r2, tag, '6', 'c'>
-    sid = <certT, certC, pkTe, 'g'^~skC, id_c, r2>
 in
-    [ In(msg5), CAInitC(<$C, iid>, certT, pkTe, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
-  --[ Eq(pkTe_t, pkTe), Completed(<kEnc, kMac>, sid, $C, 'chip', cert_id(certT)) ]->
-    [ Out(msg6), CAFinishC($C, cert_id(certT), kEnc) ]
+    [ In(msg5), CAInitC($C, certT, pkTe, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
+  --[ Eq(pkTe_t, pkTe), Completed(kEnc, sid, $C, 'chip', cert_id(certT)) ]->
+    [ Out(msg6) ]
 
 
 rule CA_FINISH_T:
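Review bot: `Completed(kEnc, sid, $C, 'chip', cert_id(certT))` in CA_FINISH_C now carries only kEnc where the old action carried `<kEnc, kMac>`, and the CA_FINISH_T hunk that follows does the same for `Completed` and for `!SessionReveal(sid, kEnc)`. A secrecy lemma keyed on the first argument of `Completed` would then say nothing about kMac, and a session reveal no longer hands kMac to the adversary, so the proved statement is narrower than before. The lemmas live in include/lemmas.spthy, which is not visible here, so this is inferred. If the narrowing is intended, a comment such as `// only kEnc is the session key under analysis; kMac secrecy is not claimed` above the action would make it explicit; otherwise keep `<kEnc, kMac>` in both facts. The let block of CA_FINISH_C starts above this hunk.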
@@ -112,12 +112,12 @@ let
     k = pkC^skTe
     kMac = kdf_mac(k, r2)
     kEnc = kdf_enc(k, r2)
-    tag_T = mac(pkTe, kMac)
     sid = <certT, certC, pkTe, pkC, id_c, r2>
+    tag_T = mac(pkTe, kMac)
 in
-    [ In(msg6), CAInitT(<$T, iid>, skTe, id_c, certC), !Cert($T, certT, 'terminal') ]
-  --[ Eq(tag, tag_T), Completed(<kEnc, kMac>, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
-    [ CAFinishT(cert_id(certC), $T, kEnc), !SessionReveal(sid, <kEnc, kMac>) ]
+    [ In(msg6), CAInitT($T, skTe, id_c, certC), !Cert($T, certT, 'terminal') ]
+  --[ Eq(tag, tag_T), Completed(kEnc, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
+    [ !SessionReveal(sid, kEnc) ]
 
 
 insert(include/classic_verify_transcript.spthy)
diff --git a/FastKemPQEAC.spthy b/FastKemPQEAC.spthy
index 53c36b0..8a36b95 100644
--- a/FastKemPQEAC.spthy
+++ b/FastKemPQEAC.spthy
@@ -30,11 +30,11 @@ rule TA_INIT_T:
 let
     msg1 = <certT, '1', 't'>
 in
-    [ !Cert($T, certT, 'terminal'), Fr(~iid) ]
+    [ !Cert($T, certT, 'terminal') ]
   --[ Started() ]->
-    [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>) ]
+    [ Out(msg1), TAInitT($T) ]
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule TA_CHALLENGE_C:
 let
     msg1 = <certT, '1', 't'>
@@ -45,9 +45,9 @@ let
     cCA = senc(<certC, ~r2, pk(~skCe)>, kTENC)
     msg2 = <~id_c, ~r1, cTA, cCA, '2', 'c'>
 in
-    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA), Fr(~r2), Fr(~skCe), Fr(~iid), !Cert($C, certC, 'chip') ]
+    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA), Fr(~r2), Fr(~skCe), !Cert($C, certC, 'chip') ]
   --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]->
-    [ Out(msg2), Out(senc(~iid, kTENC)), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1, ~r2, ~skCe, kTMAC, kTCNF) ]
+    [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1, ~r2, ~skCe, kTMAC, kTCNF) ]
 #else
 rule TA_CHALLENGE_C:
 let
@@ -59,12 +59,12 @@ let
     cCA = senc(<certC, ~r2>, kTENC)
     msg2 = <~id_c, ~r1, cTA, cCA, '2', 'c'>
 in
-    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA), Fr(~r2), Fr(~iid), !Cert($C, certC, 'chip') ]
+    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA), Fr(~r2), !Cert($C, certC, 'chip') ]
   --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]->
-    [ Out(msg2), Out(senc(~iid, kTENC)), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1, ~r2, kTMAC, kTCNF) ]
+    [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1, ~r2, kTMAC, kTCNF) ]
 #endif
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule TA_RESPONSE_T:
 let
     msg2 = <id_c, r1, cTA, cCA, '2', 'c'>
@@ -83,9 +83,9 @@ let
     s = mac(<'CA', sid>, kTMAC)
     msg3 = <kTCNF, cip, s, cipe, '3', 't'>
 in
-    [ In(msg2), Fr(~k), Fr(~ke), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ]
+    [ In(msg2), Fr(~k), Fr(~ke), TAInitT($T), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ]
   --[ Eq(verify_cert(certC, 'chip'), true) ]->
-    [ Out(msg3), TAResponseT(<$T, iid>, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ]
+    [ Out(msg3), TAResponseT($T, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ]
 #else
 rule TA_RESPONSE_T:
 let
@@ -103,12 +103,12 @@ let
     s = mac(<'CA', sid>, kTMAC)
     msg3 = <kTCNF, cip, s, '3', 't'>
 in
-    [ In(msg2), Fr(~k), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ]
+    [ In(msg2), Fr(~k), TAInitT($T), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ]
   --[ Eq(verify_cert(certC, 'chip'), true) ]->
-    [ Out(msg3), TAResponseT(<$T, iid>, id_c, certC, r2, <~k, cip>) ]
+    [ Out(msg3), TAResponseT($T, id_c, certC, r2, <~k, cip>) ]
 #endif
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule TA_COMPLETE_C:
 let
     msg3 = <kTCNF_T, cip, s, cipe, '3', 't'>
@@ -119,9 +119,9 @@ let
     kKEY = kdf(<'KEY', sid>, <k, ke>)
     msg4 = <kCNF, '4', 'c'>
 in
-    [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
-  --[ Eq(kTCNF_T, kTCNF), Eq(s, mac(<'CA', sid>, kTMAC)), CompletedTA($C, iid, cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
-    [ Out(msg4), TACompleteC(<$C, iid>, kKEY) ]
+    [ In(msg3), TAChallengeC($C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
+  --[ Eq(kTCNF_T, kTCNF), Eq(s, mac(<'CA', sid>, kTMAC)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
+    [ Out(msg4) ]
 #else
 rule TA_COMPLETE_C:
 let
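Review bot: The rewritten action line of TA_COMPLETE_C still lists `Completed(kKEY, sid, $C, 'chip', cert_id(certT))` twice, and the `#else` variant in the next hunk carries the same duplicate. A repeated identical action fact adds nothing a trace formula can distinguish, so one copy can go: `--[ Eq(kTCNF_T, kTCNF), Eq(s, mac(<'CA', sid>, kTMAC)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->`. The rule's let block begins above this hunk.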
@@ -132,12 +132,12 @@ let
     kKEY = kdf(<'KEY', sid>, k)
     msg4 = <kCNF, '4', 'c'>
 in
-    [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
-  --[ Eq(kTCNF_T, kTCNF), Eq(s, mac(<'CA', sid>, kTMAC)), CompletedTA($C, iid, cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
-    [ Out(msg4), TACompleteC(<$C, iid>, kKEY) ]
+    [ In(msg3), TAChallengeC($C, certT, id_c, r1, r2, kTMAC, kTCNF), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
+  --[ Eq(kTCNF_T, kTCNF), Eq(s, mac(<'CA', sid>, kTMAC)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
+    [ Out(msg4) ]
 #endif
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule CA_FINISH_T:
 let
     msg4 = <kCNF_C, '4', 'c'>
@@ -145,9 +145,9 @@ let
     kCNF = kdf(<'CNF', sid>, <k, ke>)
     kKEY = kdf(<'KEY', sid>, <k, ke>)
 in
-    [ In(msg4), TAResponseT(<$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ]
+    [ In(msg4), TAResponseT($T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ]
   --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
-    [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ]
+    [ !SessionReveal(sid, kKEY) ]
 #else
 rule CA_FINISH_T:
 let
@@ -156,9 +156,9 @@ let
     kCNF = kdf(<'CNF', sid>, k)
     kKEY = kdf(<'KEY', sid>, k)
 in
-    [ In(msg4), TAResponseT(<$T, iid>, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ]
+    [ In(msg4), TAResponseT($T, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ]
   --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
-    [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ]
+    [ !SessionReveal(sid, kKEY) ]
 #endif
 
 
diff --git a/FastSigPQEAC.spthy b/FastSigPQEAC.spthy
index 5b4f4cd..92141ec 100644
--- a/FastSigPQEAC.spthy
+++ b/FastSigPQEAC.spthy
@@ -29,31 +29,31 @@ rule TA_INIT_T:
 let
     msg1 = <certT, '1', 't'>
 in
-    [ !Cert($T, certT, 'terminal'), Fr(~iid) ]
+    [ !Cert($T, certT, 'terminal') ]
   --[ Started() ]->
-    [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>) ]
+    [ Out(msg1), TAInitT($T) ]
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule TA_CHALLENGE_C:
 let
     msg1 = <certT, '1', 't'>
     msg2 = <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'>
 in
-    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~iid), Fr(~skCe), Fr(~r2), !Cert($C, certC, 'chip') ]
+    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~skCe), Fr(~r2), !Cert($C, certC, 'chip') ]
   --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]->
-    [ Out(msg2), Out(~iid), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1, ~skCe, ~r2) ]
+    [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1, ~skCe, ~r2) ]
 #else
 rule TA_CHALLENGE_C:
 let
     msg1 = <certT, '1', 't'>
     msg2 = <~id_c, ~r1, certC, ~r2, '2', 'c'>
 in
-    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~iid), Fr(~r2), !Cert($C, certC, 'chip') ]
+    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~r2), !Cert($C, certC, 'chip') ]
   --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]->
-    [ Out(msg2), Out(~iid), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1, ~r2) ]
+    [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1, ~r2) ]
 #endif
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule TA_RESPONSE_T:
 let
     msg2 = <id_c, r1, certC, r2, pkCe, '2', 'c'>
@@ -65,9 +65,9 @@ let
     s2 = sign(<'CA', sid>, ~skT)
     msg3 = <cip, cipe, s1, s2, '3', 't'>
 in
-    [ In(msg2), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal'), Fr(~k), Fr(~ke) ]
+    [ In(msg2), TAInitT($T), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal'), Fr(~k), Fr(~ke) ]
   --[ Eq(verify_cert(certC, 'chip'), true) ]->
-    [ Out(msg3), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ]
+    [ Out(msg3), CAInitT($T, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ]
 #else
 rule TA_RESPONSE_T:
 let
@@ -79,12 +79,12 @@ let
     s2 = sign(<'CA', sid>, ~skT)
     msg3 = <cip, s1, s2, '3', 't'>
 in
-    [ In(msg2), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal'), Fr(~k) ]
+    [ In(msg2), TAInitT($T), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal'), Fr(~k) ]
   --[ Eq(verify_cert(certC, 'chip'), true) ]->
-    [ Out(msg3), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>) ]
+    [ Out(msg3), CAInitT($T, id_c, certC, r2, <~k, cip>) ]
 #endif
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule TA_COMPLETE_C:
 let
     msg3 = <cip, cipe, s1, s2, '3', 't'>
@@ -95,9 +95,9 @@ let
     kKEY = kdf(<'KEY', sid>, <k, ke>)
     msg4 = <kCNF, '4', 'c'>
 in
-    [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1, skCe, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
-  --[ Eq(verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true), Eq(verify(s2, <'CA', sid>, cert_pk(certT)), true), CompletedTA($C, iid, cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
-    [ Out(msg4), TACompleteC(<$C, iid>, certT, id_c, r1, skCe, r2) ]
+    [ In(msg3), TAChallengeC($C, certT, id_c, r1, skCe, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
+  --[ Eq(verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true), Eq(verify(s2, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
+    [ Out(msg4) ]
 #else
 rule TA_COMPLETE_C:
 let
@@ -108,12 +108,12 @@ let
     kKEY = kdf(<'KEY', sid>, k)
     msg4 = <kCNF, '4', 'c'>
 in
-    [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
-  --[ Eq(verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true), Eq(verify(s2, <'CA', sid>, cert_pk(certT)), true), CompletedTA($C, iid, cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
-    [ Out(msg4), TACompleteC(<$C, iid>, certT, id_c, r1, r2) ]
+    [ In(msg3), TAChallengeC($C, certT, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
+  --[ Eq(verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true), Eq(verify(s2, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
+    [ Out(msg4) ]
 #endif
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule CA_FINISH_T:
 let
     msg4 = <kCNF_C, '4', 'c'>
@@ -121,9 +121,9 @@ let
     kCNF = kdf(<'CNF', sid>, <k, ke>)
     kKEY = kdf(<'KEY', sid>, <k, ke>)
 in
-    [ In(msg4), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ]
+    [ In(msg4), CAInitT($T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ]
   --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
-    [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ]
+    [ !SessionReveal(sid, kKEY) ]
 #else
 rule CA_FINISH_T:
 let
@@ -132,9 +132,9 @@ let
     kCNF = kdf(<'CNF', sid>, k)
     kKEY = kdf(<'KEY', sid>, k)
 in
-    [ In(msg4), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ]
+    [ In(msg4), CAInitT($T, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ]
   --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
-    [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ]
+    [ !SessionReveal(sid, kKEY) ]
 #endif
 
 
diff --git a/KemPQEAC.spthy b/KemPQEAC.spthy
index deec497..d245cbc 100644
--- a/KemPQEAC.spthy
+++ b/KemPQEAC.spthy
@@ -30,9 +30,9 @@ rule TA_INIT_T:
 let
     msg1 = <certT, '1', 't'>
 in
-    [ !Cert($T, certT, 'terminal'), Fr(~iid) ]
+    [ !Cert($T, certT, 'terminal') ]
   --[ Started() ]->
-    [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>) ]
+    [ Out(msg1), TAInitT($T) ]
 
 // We generate a fresh IDc to simulate the previous execution of PACE or BAC
 rule TA_CHALLENGE_C:
@@ -41,9 +41,9 @@ let
     cTA = encaps(~kTA, cert_pk(certT))
     msg2 = <~id_c, ~r1, cTA, '2', 'c'>
 in
-    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA), Fr(~iid) ]
+    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA) ]
   --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]->
-    [ Out(msg2), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1, <~kTA, cTA>) ]
+    [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1, <~kTA, cTA>) ]
 
 rule TA_RESPONSE_T:
 let
@@ -54,9 +54,9 @@ let
     kTCNF = kdf(<'TCNF', r1>, kTA)
     msg3 = <kTCNF, '3', 't'>
 in
-    [ In(msg2), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal') ]
+    [ In(msg2), TAInitT($T), !Ltk($T, ~skT, 'terminal') ]
   -->
-    [ Out(msg3), TAResponseT(<$T, iid>, id_c, kTMAC, kTENC) ]
+    [ Out(msg3), TAResponseT($T, id_c, kTMAC, kTENC) ]
 
 rule TA_COMPLETE_C:
 let
@@ -65,37 +65,37 @@ let
     kTENC = kdf(<'TENC', r1>, kTA)
     kTCNF = kdf(<'TCNF', r1>, kTA)
 in
-    [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1, <kTA, cTA>) ]
-  --[ Eq(kTCNF_T, kTCNF), CompletedTA($C, iid, cert_id(certT)) ]->
-    [ TACompleteC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ]
+    [ In(msg3), TAChallengeC($C, certT, id_c, r1, <kTA, cTA>) ]
+  --[ Eq(kTCNF_T, kTCNF) ]->
+    [ TACompleteC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ]
 
 
 
 /* Chip Authentication */
 // State machine: CA_INIT_C -> CA_INIT_T -> CA_FINISH_C -> CA_FINISH_T
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule CA_INIT_C:
 let
     cCA = senc(<certC, ~r2, pk(~skCe)>, kTENC)
     msg4 = <cCA, '4', 'c'>
 in
-    [ !Cert($C, certC, 'chip'), Fr(~r2), Fr(~skCe), TACompleteC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ]
+    [ !Cert($C, certC, 'chip'), Fr(~r2), Fr(~skCe) ]
   -->
-    [ Out(msg4), Out(senc(iid, kTENC)), CAInitC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2, ~skCe) ]
+    [ Out(msg4), CAInitC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2, ~skCe) ]
 #else
 rule CA_INIT_C:
 let
     cCA = senc(<certC, ~r2>, kTENC)
     msg4 = <cCA, '4', 'c'>
 in
-    [ !Cert($C, certC, 'chip'), Fr(~r2), TACompleteC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ]
+    [ !Cert($C, certC, 'chip'), Fr(~r2), TACompleteC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ]
   -->
-    [ Out(msg4), Out(senc(iid, kTENC)), CAInitC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2) ]
+    [ Out(msg4), CAInitC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2) ]
 #endif
 
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule CA_INIT_T:
 let
     msg4 = <cCA, '4', 'c'>
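Review bot: The ForwardSecrecy variant of CA_INIT_C loses its `TACompleteC(...)` premise: the new left-hand side is `[ !Cert($C, certC, 'chip'), Fr(~r2), Fr(~skCe) ]`, while the `#else` variant keeps the premise. The rule still uses kTENC in `cCA` and still passes certT, id_c, r1, kTA, cTA, kTMAC and kTENC into `CAInitC`, so no premise binds those variables any more. The chip can also start chip authentication without having completed terminal authentication, and Tamarin's wellformedness check would normally flag the unbound variables. Restore the premise: `[ !Cert($C, certC, 'chip'), Fr(~r2), Fr(~skCe), TACompleteC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ]`. The ForwardSecrecy KemPQEAC results added in this commit would presumably need regenerating once the rule is fixed.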
@@ -110,9 +110,9 @@ let
     s = mac(<'CA', sid>, kTMAC)
     msg5 = <cip, s, cipe, '5', 't'>
 in
-    [ In(msg4), TAResponseT(<$T, iid>, id_c, kTMAC, kTENC), !Cert($T, certT, 'terminal'), Fr(~k), Fr(~ke) ]
+    [ In(msg4), TAResponseT($T, id_c, kTMAC, kTENC), !Cert($T, certT, 'terminal'), Fr(~k), Fr(~ke) ]
   --[ Eq(verify_cert(certC, 'chip'), true) ]->
-    [ Out(msg5), CAInitT(<$T, iid>, id_c, kTMAC, kTENC, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ]
+    [ Out(msg5), CAInitT($T, id_c, kTMAC, kTENC, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ]
 #else
 rule CA_INIT_T:
 let
@@ -126,13 +126,13 @@ let
     s = mac(<'CA', sid>, kTMAC)
     msg5 = <cip, s, '5', 't'>
 in
-    [ In(msg4), TAResponseT(<$T, iid>, id_c, kTMAC, kTENC), !Cert($T, certT, 'terminal'), Fr(~k) ]
+    [ In(msg4), TAResponseT($T, id_c, kTMAC, kTENC), !Cert($T, certT, 'terminal'), Fr(~k) ]
   --[ Eq(verify_cert(certC, 'chip'), true) ]->
-    [ Out(msg5), CAInitT(<$T, iid>, id_c, kTMAC, kTENC, certC, r2, <~k, cip>) ]
+    [ Out(msg5), CAInitT($T, id_c, kTMAC, kTENC, certC, r2, <~k, cip>) ]
 #endif
 
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule CA_FINISH_C:
 let 
     msg5 = <cip, s, cipe, '5', 't'>
@@ -143,9 +143,9 @@ let
     kKEY = kdf(<'KEY', sid>, <k, ke>)
     msg6 = <kCNF, '6', 'c'>
 in
-    [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
+    [ In(msg5), CAInitC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
   --[ Eq(s, mac(<'CA', sid>, kTMAC)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
-    [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ]
+    [ Out(msg6) ]
 #else
 rule CA_FINISH_C:
 let 
@@ -156,13 +156,13 @@ let
     kKEY = kdf(<'KEY', sid>, k)
     msg6 = <kCNF, '6', 'c'>
 in
-    [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
+    [ In(msg5), CAInitC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
   --[ Eq(s, mac(<'CA', sid>, kTMAC)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
-    [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ]
+    [ Out(msg6) ]
 #endif
 
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule CA_FINISH_T:
 let
     msg6 = <kCNF_c, '6', 'c'>
@@ -170,9 +170,9 @@ let
     kCNF = kdf(<'CNF', sid>, <k, ke>)
     kKEY = kdf(<'KEY', sid>, <k, ke>)
 in
-    [ In(msg6), CAInitT(<$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ]
+    [ In(msg6), CAInitT($T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ]
   --[ Eq(kCNF, kCNF_c), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
-    [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ]
+    [ !SessionReveal(sid, kKEY) ]
 #else
 rule CA_FINISH_T:
 let
@@ -181,9 +181,9 @@ let
     kCNF = kdf(<'CNF', sid>, k)
     kKEY = kdf(<'KEY', sid>, k)
 in
-    [ In(msg6), CAInitT(<$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ]
+    [ In(msg6), CAInitT($T, id_c, kTMAC, kTENC, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ]
   --[ Eq(kCNF, kCNF_c), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
-    [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ]
+    [ !SessionReveal(sid, kKEY) ]
 #endif
 
 
diff --git a/README.md b/README.md
index ccf4468..9fdd203 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,12 @@
 # EAC_Tamarin_Analysis
 This project contains the different versions of EAC from https://ia.cr/2023/352.
-The models are the classic EAC, SigPQEAC and KemPQEAC as well as the forward security and full round trip save modifications.
+The models are the classic EAC, SigPQEAC and KemPQEAC as well as the forward seccrecy and saved round-trip modifications.
 The [python script](InsertLemmas.py) inserts the different sections into the .spthy files and creates the tmp.spthy file. Usage: python InsertLemmas.py file.spthy
 The [include](include/) directory contains the code that will be included to the different models.
 
+## Forward Secrecy modification
+For each post-quantum model (SigPQEAC, FastSigPQEAC, KemPQEAC and FastKemPQEAC) exists a modification which is forward secrecy secure. To analyze the modified model, we need to add the '--defines=ForwardSecrecy' flag to the tamarin-prover execution command.
+
 ## Results
 The directory [results](results/) contains the results of all variations executed on the  Lichtenberg high performance computer of the TU Darmstadt.
 
diff --git a/SigPQEAC.spthy b/SigPQEAC.spthy
index 9ad48e5..bc9d371 100644
--- a/SigPQEAC.spthy
+++ b/SigPQEAC.spthy
@@ -30,9 +30,9 @@ rule TA_INIT_T:
 let
     msg1 = <certT, '1', 't'>
 in
-    [ !Cert($T, certT, 'terminal'), Fr(~iid) ]
+    [ !Cert($T, certT, 'terminal') ]
   --[ Started() ]->
-    [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>) ]
+    [ Out(msg1), TAInitT($T) ]
 
 // We generate a fresh IDc to simulate the previous execution of PACE or BAC
 rule TA_CHALLENGE_C:
@@ -40,9 +40,9 @@ let
     msg1 = <certT, '1', 't'>
     msg2 = <~id_c, ~r1, '2', 'c'>
 in
-    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~iid) ]
+    [ In(msg1), Fr(~r1), Fr(~id_c) ]
   --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]->
-    [ Out(msg2), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1) ]
+    [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1) ]
 
 rule TA_RESPONSE_T:
 let
@@ -50,43 +50,43 @@ let
     s = sign(<'TA', id_c, r1>, ~skT)
     msg3 = <s, '3', 't'>
 in
-    [ In(msg2), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal') ]
+    [ In(msg2), TAInitT($T), !Ltk($T, ~skT, 'terminal') ]
   -->
-    [ Out(msg3), TAResponseT(<$T, iid>, id_c) ]
+    [ Out(msg3), TAResponseT($T, id_c) ]
 
 rule TA_COMPLETE_C:
 let
     msg3 = <s, '3', 't'>
 in
-    [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1) ]
-  --[ Eq(verify(s, <'TA', id_c, r1>, cert_pk(certT)), true), CompletedTA($C, iid, cert_id(certT)) ]->
-    [ TACompleteC(<$C, iid>, certT, id_c, r1) ]
+    [ In(msg3), TAChallengeC($C, certT, id_c, r1) ]
+  --[ Eq(verify(s, <'TA', id_c, r1>, cert_pk(certT)), true) ]->
+    [ TACompleteC($C, certT, id_c, r1) ]
 
 
 
 /* Chip Authentication */
 // State machine: CA_INIT_C -> CA_INIT_T -> CA_FINISH_C -> CA_FINISH_T
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule CA_INIT_C:
 let
     msg4 = <certC, ~r2, pk(~skCe), '4', 'c'>
 in
-    [ Fr(~r2), Fr(~skCe), TACompleteC(<$C, iid>, certT, id_c, r1), !Cert($C, certC, 'chip') ]
+    [ Fr(~r2), Fr(~skCe), TACompleteC($C, certT, id_c, r1), !Cert($C, certC, 'chip') ]
   -->
-    [ Out(msg4), Out(iid), CAInitC(<$C, iid>, certT, id_c, r1, ~r2, ~skCe) ]
+    [ Out(msg4), CAInitC($C, certT, id_c, r1, ~r2, ~skCe) ]
 #else
 rule CA_INIT_C:
 let
     msg4 = <certC, ~r2, '4', 'c'>
 in
-    [ Fr(~r2), TACompleteC(<$C, iid>, certT, id_c, r1), !Cert($C, certC, 'chip') ]
+    [ Fr(~r2), TACompleteC($C, certT, id_c, r1), !Cert($C, certC, 'chip') ]
   -->
-    [ Out(msg4), Out(iid), CAInitC(<$C, iid>, certT, id_c, r1, ~r2) ]
+    [ Out(msg4), CAInitC($C, certT, id_c, r1, ~r2) ]
 #endif
 
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule CA_INIT_T:
 let
     msg4 = <certC, r2, pkCe, '4', 'c'>
@@ -97,9 +97,9 @@ let
     s = sign(<'CA', sid>, ~skT)
     msg5 = <cip, s, cipe, '5', 't'>
 in
-    [ In(msg4), Fr(~k), Fr(~ke), TAResponseT(<$T, iid>, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ]
+    [ In(msg4), Fr(~k), Fr(~ke), TAResponseT($T, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ]
   --[ Eq(verify_cert(certC, 'chip'), true) ]->
-    [ Out(msg5), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ]
+    [ Out(msg5), CAInitT($T, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ]
 #else
 rule CA_INIT_T:
 let
@@ -110,13 +110,13 @@ let
     s = sign(<'CA', sid>, ~skT)
     msg5 = <cip, s, '5', 't'>
 in
-    [ In(msg4), Fr(~k), TAResponseT(<$T, iid>, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ]
+    [ In(msg4), Fr(~k), TAResponseT($T, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ]
   --[ Eq(verify_cert(certC, 'chip'), true) ]->
-    [ Out(msg5), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>) ]
+    [ Out(msg5), CAInitT($T, id_c, certC, r2, <~k, cip>) ]
 #endif
 
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule CA_FINISH_C:
 let
     msg5 = <cip, s, cipe, '5', 't'>
@@ -127,9 +127,9 @@ let
     kKEY = kdf(<'KEY', sid>, <k, ke>)
     msg6 = <kCNF, '6', 'c'>
 in
-    [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, r2, skCe), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
+    [ In(msg5), CAInitC($C, certT, id_c, r1, r2, skCe), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
   --[ Eq(verify(s, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
-    [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ]
+    [ Out(msg6) ]
 #else
 rule CA_FINISH_C:
 let
@@ -140,12 +140,12 @@ let
     kKEY = kdf(<'KEY', sid>, k)
     msg6 = <kCNF, '6', 'c'>
 in
-    [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
+    [ In(msg5), CAInitC($C, certT, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
   --[ Eq(verify(s, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
-    [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ]
+    [ Out(msg6) ]
 #endif
 
-#ifdef PFS
+#ifdef ForwardSecrecy
 rule CA_FINISH_T:
 let
     msg6 = <kCNF_C, '6', 'c'>
@@ -153,9 +153,9 @@ let
     kCNF = kdf(<'CNF', sid>, <k, ke>)
     kKEY = kdf(<'KEY', sid>, <k, ke>)
 in
-    [ In(msg6), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ]
+    [ In(msg6), CAInitT($T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ]
   --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
-    [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ]
+    [ !SessionReveal(sid, kKEY) ]
 #else
 rule CA_FINISH_T:
 let
@@ -164,9 +164,9 @@ let
     kCNF = kdf(<'CNF', sid>, k)
     kKEY = kdf(<'KEY', sid>, k)
 in
-    [ In(msg6), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ]
+    [ In(msg6), CAInitT($T, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ]
   --[ Eq(kCNF, kCNF_c), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
-    [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ]
+    [ !SessionReveal(sid, kKEY) ]
 #endif
 
 
diff --git a/include/include/attacker.spthy b/include/include/attacker.spthy
new file mode 100644
index 0000000..c535652
--- /dev/null
+++ b/include/include/attacker.spthy
@@ -0,0 +1,12 @@
+/* Attacker model */
+// We extend the Dolev-Yao attack model in tamarin with Reveal and Corrupt capabilities
+
+rule Corrupt_ltk:
+    [ !Ltk($A, ltk, role) ]
+  --[ Corrupted($A) ]->
+    [ Out(<ltk, role>) ]
+
+rule Reveal_session:
+    [ !SessionReveal(sid, k) ]
+  --[ Revealed(sid) ]->
+    [ Out(k) ]
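Review bot: The `Corrupted($A)` action in `Corrupt_ltk` drops the `role` that the rule already has in scope, so a lemma cannot tell a leaked chip key from a leaked terminal key of the same agent. Nothing in this file stops one public name from holding `!Ltk` facts under both roles. If that can happen, revealing either key satisfies every `Corrupted(C)` / `Corrupted(T)` escape clause for that name, and the secrecy and agreement lemmas then guarantee less than they appear to. Recording the role as well, for example `--[ Corrupted($A), CorruptedRole($A, role) ]->` (the second action name is only a suggestion), would let each lemma name the key it actually depends on. Whether dual-role agents are intended should be confirmed against the key-setup rules.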
diff --git a/include/include/classic_verify_transcript.spthy b/include/include/classic_verify_transcript.spthy
new file mode 100644
index 0000000..2453ba3
--- /dev/null
+++ b/include/include/classic_verify_transcript.spthy
@@ -0,0 +1,24 @@
+rule Verify_Transcript_C:
+let
+    pkT = cert_pk(certT)
+    k = pkTe^skC
+    kMac = kdf_mac(k, r2)
+    tag_c = mac(pkTe, kMac)
+in
+    [ In(<certT, pkTe, IDc, r1, s1, certC, pkTe2, r2, tag>), !Ltk(C, skC, 'chip') ]
+  --[ Eq(C, cert_id(certC)), Eq(tag, tag_c),  Eq(pkTe, pkTe2), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(s1, <IDc, r1, pkTe>, pkT), true), ValidTrans(C, 'chip', cert_id(certT)) ]->
+    [  ]
+
+rule Verify_Transcript_T:
+let
+    pkT = cert_pk(certT)
+    pkC = cert_pk(certC)
+    tag_t = mac(pkTe, kdf_mac(r2, skTe^pkC))
+    k = pkC^skTe
+    kMac = kdf_mac(k, r2)
+    tag_t = mac(pkTe, kMac)
+in
+    [ In(<certT, pkTe, IDc, r1, s1, certC, pkTe2, r2, tag>), In(<skTe, T>) ]
+  --[ Eq(T, cert_id(certT)), Eq(tag, tag_t),  Eq(pkTe, pkTe2), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(s1, <IDc, r1, pkTe>, pkT), true), ValidTrans(T, 'terminal', cert_id(certC)) ]->
+    [  ]
+
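Review bot: `tag_t` is bound twice in the `let` block of `Verify_Transcript_T`, first as `mac(pkTe, kdf_mac(r2, skTe^pkC))` and then as `mac(pkTe, kMac)` with `kMac = kdf_mac(k, r2)` and `k = pkC^skTe`. The first binding swaps the `kdf_mac` arguments and also the base and exponent, compared with the second binding and with `Verify_Transcript_C`. The two definitions therefore do not denote the same term, and which one reaches `Eq(tag, tag_t)` depends on how the tool resolves the duplicate. Dropping the line `tag_t = mac(pkTe, kdf_mac(r2, skTe^pkC))` leaves a single definition that mirrors the chip side.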
diff --git a/include/include/kem_verify_transcript.spthy b/include/include/kem_verify_transcript.spthy
new file mode 100644
index 0000000..774a2f5
--- /dev/null
+++ b/include/include/kem_verify_transcript.spthy
@@ -0,0 +1,75 @@
+#ifdef PFS
+rule Verify_Transcript_C:
+let
+    pkCe = pk(skCe)
+    kTMAC = kdf(<'TMAC', r1>, kTA)
+    kTENC = kdf(<'TENC', r1>, kTA)
+    kTCNF_c = kdf(<'TCNF', r1>, kTA)
+    dmesg = sdec(cCA, kTENC)
+    certC = fst(dmesg)
+    r2 = snd(dmesg)
+    sid = <certT, certC, r2, cip, pkCe, cipe>
+    s_c = mac(<'CA', sid>, kTMAC)
+    k = decaps(cip, skC)
+    ke = decaps(cipe, skCe)
+    kCNF_c = kdf(<'CNF', sid>, <k, ke>)
+in
+    [ In(<certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF>), In(<kTA, skCe>), !Ltk(C, skC, 'chip') ]
+  --[ Eq(C, cert_id(certC)), Eq(verify_cert(certC, 'chip'), true), Eq(verify_cert(certT, 'terminal'), true), Eq(kTCNF, kTCNF_c), Eq(s, s_c), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
+    [  ]
+#else
+rule Verify_Transcript_C:
+let
+    kTMAC = kdf(<'TMAC', r1>, kTA)
+    kTENC = kdf(<'TENC', r1>, kTA)
+    kTCNF_c = kdf(<'TCNF', r1>, kTA)
+    dmesg = sdec(cCA, kTENC)
+    certC = fst(dmesg)
+    r2 = snd(dmesg)
+    sid = <certT, certC, r2, cip>
+    s_c = mac(<'CA', sid>, kTMAC)
+    kKDF = decaps(cip, skC)
+    kCNF_c = kdf(<'CNF', sid>, kKDF)
+in
+    [ In(<certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF>), In(kTA), !Ltk(C, skC, 'chip') ]
+  --[ Eq(C, cert_id(certC)), Eq(verify_cert(certC, 'chip'), true), Eq(verify_cert(certT, 'terminal'), true), Eq(kTCNF, kTCNF_c), Eq(s, s_c), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
+    [  ]
+#endif
+
+
+#ifdef PFS
+rule Verify_Transcript_T:
+let
+    kTA = decaps(cTA, skT)
+    kTMAC = kdf(<'TMAC', r1>, kTA)
+    kTENC = kdf(<'TENC', r1>, kTA)
+    kTCNF_t = kdf(<'TCNF', r1>, kTA)
+    dmesg = sdec(cCA, kTENC)
+    certC = fst(dmesg)
+    r2 = fst(snd(dmesg))
+    pkCe = snd(snd(dmesg))
+    sid = <certT, certC, r2, cip, pkCe, cipe>
+    s_t = mac(<'CA', sid>, kTMAC)
+    kCNF_t = kdf(<'CNF', sid>, <k, ke>)
+in
+    [ In(<certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF>), In(<k, ke>), !Ltk(T, skT, 'terminal') ]
+  --[ Eq(T, cert_id(certT)), Eq(verify_cert(certC, 'chip'), true), Eq(verify_cert(certT, 'terminal'), true), Eq(kTCNF, kTCNF_t), Eq(s, s_t), Eq(kCNF, kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
+    [  ]
+#else
+rule Verify_Transcript_T:
+let
+    kTA = decaps(cTA, skT)
+    kTMAC = kdf(<'TMAC', r1>, kTA)
+    kTENC = kdf(<'TENC', r1>, kTA)
+    kTCNF_t = kdf(<'TCNF', r1>, kTA)
+    dmesg = sdec(cCA, kTENC)
+    certC = fst(dmesg)
+    r2 = snd(dmesg)
+    sid = <certT, certC, r2, cip>
+    s_t = mac(<'CA', sid>, kTMAC)
+    kCNF_t = kdf(<'CNF', sid>, kKDF)
+in
+    [ In(<certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF>), In(kKDF), !Ltk(T, skT, 'terminal') ]
+  --[ Eq(T, cert_id(certT)), Eq(verify_cert(certC, 'chip'), true), Eq(verify_cert(certT, 'terminal'), true), Eq(kTCNF, kTCNF_t), Eq(s, s_t), Eq(kCNF, kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
+    [  ]
+#endif
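Review bot: Both rules in this new file still branch on `#ifdef PFS`, while the rule files touched by this patch rename the same switch to `#ifdef ForwardSecrecy`. If the models are now run with only `ForwardSecrecy` defined, the `#else` variants are selected here and the checked transcript lacks `pkCe`/`cipe`. The `ValidTrans` traces would then describe a different message layout than the protocol rules. The flag definitions are not visible in this patch, so this needs confirming. Using `#ifdef ForwardSecrecy` here, and in `include/include/sig_verify_transcript.spthy`, which has the same guards, would keep the includes in step with the rules.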
diff --git a/include/include/lemmas.spthy b/include/include/lemmas.spthy
new file mode 100644
index 0000000..11bf1e2
--- /dev/null
+++ b/include/include/lemmas.spthy
@@ -0,0 +1,151 @@
+/* Contains the restrictions and lemmas for all EAC models */
+
+restriction Equality:
+    "All x y #i. Eq(x, y) @ i ==> x = y"
+
+
+// Correctness
+
+lemma session_exist: exists-trace
+  " Ex C T k sid #i #j.
+     Completed(k, sid, C, 'chip', T) @ #i
+     & Completed(k, sid, T, 'terminal', C) @ #j
+     & #i < #j
+  "
+
+lemma two_session_exist: exists-trace
+  " Ex C T k k2 sid sid2 #i #j #i2 #j2.
+     Completed(k, sid, C, 'chip', T) @ #i
+     & Completed(k, sid, T, 'terminal', C) @ #j
+     & #i < #j
+     & Completed(k2, sid2, C, 'chip', T) @ #i2
+     & Completed(k2, sid2, T, 'terminal', C) @ #j2
+     & #i2 < #j2
+     & not(k=k2)
+  "
+
+// Agreement
+lemma aliveness:
+  "All k sid A role B #i #t .
+    Completed(k, sid, A, role, B) @ #i
+    & Finished(sid) @ #t
+    ==> (Ex k2 sid2 role2 C #j .
+        Completed(k2, sid2, B, role2, C) @ #j)
+        | (Ex #k . Corrupted(B) @ #k)
+  "
+
+lemma weak_agreement_C:
+  "All k sid C T #i #t .
+    Completed(k, sid, C, 'chip', T) @ #i
+    & Finished(sid) @ #t
+    ==> (Ex k2 sid2 #j .
+        Completed(k2, sid2, T, 'terminal', C) @ #j)
+        | (Ex #k . Corrupted(C) @ #k)
+        | (Ex #k . Corrupted(T) @ #k)
+  "
+
+lemma weak_agreement_T:
+  "All k sid C T #i #t .
+    Completed(k, sid, T, 'terminal', C) @ #i
+    & Finished(sid) @ #t
+    ==> (Ex k2 sid2 #j .
+        Completed(k2, sid2, C, 'chip', T) @ #j)
+        | (Ex #k . Corrupted(C) @ #k)
+        | (Ex #k . Corrupted(T) @ #k)
+  "
+
+lemma agreement_C:
+  "All k sid C T #i #t .
+    Completed(k, sid, C, 'chip', T) @ #i
+    & Finished(sid) @ #t
+    ==> (Ex #j .
+        Completed(k, sid, T, 'terminal', C) @ #j)
+        | (Ex #k . Corrupted(C) @ #k)
+        | (Ex #k . Corrupted(T) @ #k)
+  "
+
+lemma agreement_T:
+  "All k sid C T #i #t .
+    Completed(k, sid, T, 'terminal', C) @ #i
+    & Finished(sid) @ #t
+    ==> (Ex #j .
+        Completed(k, sid, C, 'chip', T) @ #j)
+        | (Ex #k . Corrupted(C) @ #k)
+        | (Ex #k . Corrupted(T) @ #k)
+  "
+
+lemma session_uniqueness:
+  "All A B k sid sid2 role #i #j .
+    Completed(k, sid, A, role, B) @ #i
+    & Completed(k, sid2, A, role, B) @ #j
+    ==> (#i = #j) & (sid = sid2)
+  "
+
+// Sole purpose of static key of T is authentication
+// The final keys k/k2 are only derived from pkC/skC, pkTe/skTe and r2
+lemma consistency:
+  "All C T k k2 sid #i #j .
+    Completed(k, sid, C, 'chip', T) @ #i
+    & Completed(k2, sid, T, 'terminal', C) @ #j
+    ==> (k=k2)
+        | (Ex #m . Corrupted(C) @ #m)
+        | (Ex #m . Corrupted(T) @ #m)
+  "
+
+// Key secrecy
+lemma key_secrecy:
+  "All C T k sid #i #j .
+    Completed(k, sid, C, 'chip', T) @ #i
+    & Completed(k, sid, T, 'terminal', C) @ #j
+    ==> not(Ex #m . K(k) @ #m)
+        | (Ex #m . Revealed(sid) @ #m)
+        | (Ex #m . Corrupted(C) @ #m)
+        | (Ex #m . Corrupted(T) @ #m)
+  "
+
+/* We simulate a one sided protocol execution */
+// The terminal submits a transcript for a valid protocol execution and the chip verifies it
+// If the terminal succeeds it has disproven non-repudiation for the chip
+// 1.: We prohibit any previous protocol executions
+// 2.: The chip should not be corrupted, so that the terminal needs to forge the values
+// 3.: The terminal is not allowed to register a chip certificate
+
+lemma notNonRepudiation_C: exists-trace
+  "Ex C T #i .
+    ValidTrans(C, 'chip', T) @ #i
+    & not(Ex #k . Started() @ #k)                 // 1.
+    & not(Ex #k . Corrupted(C) @ #k)              // 2.
+    & not(Ex #k . RegisteredRole(T, 'chip') @ #k) // 3.
+  "
+
+
+// The chip submits a transcript for a valid protocol execution and the terminal verifies it
+// If the chip succeeds it has disproven non-repudiation for the terminal
+
+lemma notNonRepudiation_T: exists-trace
+  "Ex C T #i .
+    ValidTrans(T, 'terminal', C) @ #i
+    & not(Ex #k . Started() @ #k)
+    & not(Ex #k . Corrupted(T) @ #k)
+    & not(Ex #k . RegisteredRole(C, 'terminal') @ #k)
+  "
+
+lemma forward_secrecy:
+  "All C T k sid #i #j .
+    Completed(k, sid, C, 'chip', T) @ #i
+    & Completed(k, sid, T, 'terminal', C) @ #j
+    & not(Ex #m . Corrupted(C) @ #m & #m < #j)
+    & not(Ex #m . Corrupted(T) @ #m & #m < #j)
+    ==> (not(Ex #m . K(k) @ #m)
+        | (Ex #m . Revealed(sid) @ #m))
+  "
+
+lemma forward_secrecy_T:
+  "All C T k sid #i #j .
+    Completed(k, sid, C, 'chip', T) @ #i
+    & Completed(k, sid, T, 'terminal', C) @ #j
+    & not(Ex #m . Corrupted(C) @ #m)
+    & not(Ex #m . Corrupted(T) @ #m & #m < #j)
+    ==> (not(Ex #m . K(k) @ #m)
+        | (Ex #m . Revealed(sid) @ #m))
+  "
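Review bot: `forward_secrecy` and `forward_secrecy_T` carry no comment, although they differ in a single conjunct that is easy to miss: the first permits `Corrupted(C)` after `#j`, the second forbids it at any time. A reader has to diff the two formulas to see that the second is the terminal-key-only variant, and that it is the weaker statement because its premises are stricter. I would add `// Forward secrecy: C and T may be corrupted only after the terminal completes (#j)` above the first and `// Forward secrecy for the terminal key alone: C is never corrupted, T only after #j` above the second.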
diff --git a/include/include/setup.spthy b/include/include/setup.spthy
new file mode 100644
index 0000000..3fa41f5
--- /dev/null
+++ b/include/include/setup.spthy
@@ -0,0 +1,49 @@
+/* Key setup and Certificate model for all EAC models */
+
+
+functions: cert/3, cert_pk/1, cert_sig/1, cert_id/1, ca_sk/0 [private]
+equations: cert_pk(cert(pk, s, id)) = pk, cert_sig(cert(pk, s, id)) = s, cert_id(cert(pk, s, id)) = id
+
+macros: verify_cert(cert, role) = verify(cert_sig(cert), <cert_pk(cert), cert_id(cert), role>, pk(ca_sk))
+
+
+rule Publish_ca_pk:
+    [ ]
+  -->
+    [ Out(pk(ca_sk)) ]
+
+// Generate long-term key pair for the chip. Classic version needs dh key pair
+#ifdef CLASSIC
+rule Generate_chip_key_pair:
+let
+    pk = 'g'^~ltk
+in
+    [ Fr(~ltk) ]
+  -->
+    [ !Pk($A, pk, 'chip'), !Ltk($A, ~ltk, 'chip'), Out(pk) ]
+#else
+rule Generate_chip_key_pair:
+let
+    pk = pk(~ltk)
+in
+    [ Fr(~ltk) ]
+  -->
+    [ !Pk($A, pk, 'chip'), !Ltk($A, ~ltk, 'chip'), Out(pk) ]
+#endif
+
+// Generate static long-term key pair for the terminal.
+rule Generate_terminal_key_pair:
+let
+    pk = pk(~ltk)
+in
+    [ Fr(~ltk) ]
+  -->
+    [ !Pk($A, pk, 'terminal'), !Ltk($A, ~ltk, 'terminal'), Out(pk) ]
+
+rule CA_Sign_ltk:
+let
+    certA = cert(pk, sign(<pk, A, role>, ca_sk), A)
+in
+    [ !Pk(A, pk, role) ]
+  --[ RegisteredRole(A, role) ]->
+    [ !Cert(A, certA, role), Out(certA) ]
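Review bot: The `functions:` line can be read as if the whole list were private, but the `[private]` attribute attaches only to the symbol it follows, `ca_sk/0`; `cert/3` and its projections remain available to the adversary. The signature check inside `verify_cert` is therefore the only thing separating a CA-issued certificate from an adversary-built `cert(pk, s, id)` term, which is worth stating next to the declaration. A comment such as `// only ca_sk is private: cert/3 is a public constructor, so certificates are trusted solely via verify_cert` would make this explicit.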
diff --git a/include/include/sig_verify_transcript.spthy b/include/include/sig_verify_transcript.spthy
new file mode 100644
index 0000000..c88f69e
--- /dev/null
+++ b/include/include/sig_verify_transcript.spthy
@@ -0,0 +1,44 @@
+#ifdef PFS
+rule Verify_Transcript_C:
+let
+    pkT = cert_pk(certT)
+    sid = <certT, certC, r2, cip, pkCe, cipe>
+    k = decaps(cip, skC)
+    ke = decaps(cipe, skCe)
+    kCNF_c = kdf(<'CNF', sid>, <k, ke>)
+in
+    [ In(<certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF>), In(skCe), !Ltk(C, skC, 'chip') ]
+  --[ Eq(C, cert_id(certC)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
+    [  ]
+#else
+rule Verify_Transcript_C:
+let
+    pkT = cert_pk(certT)
+    sid = <certT, certC, r2, cip>
+    kKDF = decaps(cip, skC)
+    kCNF_c = kdf(<'CNF', sid>, kKDF)
+in
+    [ In(<certT, IDc, r1, sT, certC, r2, cip, sC, kCNF>), !Ltk(C, skC, 'chip') ]
+  --[ Eq(C, cert_id(certC)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
+    [  ]
+#endif
+
+#ifdef PFS
+rule Verify_Transcript_T:
+let
+    sid = <certT, certC, r2, cip, pkCe, cipe>
+    kCNF_t = kdf(<'CNF', sid>, <k, ke>)
+in
+    [ In(<certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF>), In(<k, ke>), !Pk(T, pkT, 'terminal') ]
+  --[ Eq(T, cert_id(certT)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
+    [  ]
+#else
+rule Verify_Transcript_T:
+let
+    sid = <certT, certC, r2, cip>
+    kCNF_t = kdf(<'CNF', sid>, kKDF)
+in
+    [ In(<certT, IDc, r1, sT, certC, r2, cip, sC, kCNF>), In(kKDF), !Pk(T, pkT, 'terminal') ]
+  --[ Eq(T, cert_id(certT)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
+    [  ]
+#endif
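Review bot: In the `PFS` variant of `Verify_Transcript_C`, `skCe` arrives on its own `In(skCe)` and `pkCe` is taken from the transcript, with nothing relating the two. `ke = decaps(cipe, skCe)` can therefore be computed with an ephemeral secret that does not belong to the `pkCe` bound into `sid`, which makes the `ValidTrans(C, 'chip', ...)` trace easier to reach than a check against the chip's actual ephemeral key would. The KEM include ties them together with `pkCe = pk(skCe)` in its `let` block; adding the same binding here would align the two files. `Verify_Transcript_T` likewise takes `k`/`ke` (or `kKDF`) from the network without relating them to `cip`/`cipe`; if that is intended, a comment saying so would help.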
diff --git a/results/45991550.err.PFS_ALL_FastKemPQEAC_TAMARIN b/results/46092847.err.FastSigPQEAC
similarity index 100%
rename from results/45991550.err.PFS_ALL_FastKemPQEAC_TAMARIN
rename to results/46092847.err.FastSigPQEAC
diff --git a/results/45991792.out.ALL_FastSigPQEAC_TAMARIN b/results/46092847.out.FastSigPQEAC
similarity index 86%
rename from results/45991792.out.ALL_FastSigPQEAC_TAMARIN
rename to results/46092847.out.FastSigPQEAC
index 6571991..5513199 100644
--- a/results/45991792.out.ALL_FastSigPQEAC_TAMARIN
+++ b/results/46092847.out.FastSigPQEAC
@@ -71,49 +71,49 @@ rule (modulo E) Reveal_session:
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+   [ !Cert( $T, certT, 'terminal' ) ]
   --[ Started( ) ]->
-   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+   [ Out( <certT, '1', 't'> ), TAInitT( $T ) ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_CHALLENGE_C:
    [
-   In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ),
+   In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~r2 ),
    !Cert( $C, certC, 'chip' )
    ]
   --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
    [
-   Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), Out( ~iid ),
-   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2 )
+   Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ),
+   TAChallengeC( $C, certT, ~id_c, ~r1, ~r2 )
    ]
 
   /*
   rule (modulo AC) TA_CHALLENGE_C:
      [
-     In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ),
+     In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~r2 ),
      !Cert( $C, certC, 'chip' )
      ]
     --[ Eq( z, true ), Started( ) ]->
      [
-     Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), Out( ~iid ),
-     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2 )
+     Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ),
+     TAChallengeC( $C, certT, ~id_c, ~r1, ~r2 )
      ]
     variants (modulo AC)
-    1. certT = certT.15
-       z     = verify(cert_sig(certT.15),
-                      <cert_pk(certT.15), cert_id(certT.15), 'terminal'>, pk(ca_sk))
+    1. certT = certT.14
+       z     = verify(cert_sig(certT.14),
+                      <cert_pk(certT.14), cert_id(certT.14), 'terminal'>, pk(ca_sk))
     
-    2. certT = cert(x.16, sign(<x.16, x.17, 'terminal'>, ca_sk), x.17)
+    2. certT = cert(x.15, sign(<x.15, x.16, 'terminal'>, ca_sk), x.16)
        z     = true
     
-    3. certT = cert(x.17, x.18, x.19)
-       z     = verify(x.18, <x.17, x.19, 'terminal'>, pk(ca_sk))
+    3. certT = cert(x.16, x.17, x.18)
+       z     = verify(x.17, <x.16, x.18, 'terminal'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_RESPONSE_T:
    [
-   In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( <$T, iid> ),
+   In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( $T ),
    !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k )
    ]
   --[ Eq( verify_cert(certC, 'chip'), true ) ]->
@@ -122,13 +122,13 @@ rule (modulo E) TA_RESPONSE_T:
          sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC))>, ~skT), '3', 
          't'>
    ),
-   CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> )
+   CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> )
    ]
 
   /*
   rule (modulo AC) TA_RESPONSE_T:
      [
-     In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( <$T, iid> ),
+     In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( $T ),
      !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k )
      ]
     --[ Eq( z.1, true ) ]->
@@ -136,226 +136,217 @@ rule (modulo E) TA_RESPONSE_T:
      Out( <encaps(~k, z), sign(<'TA', id_c, r1>, ~skT), 
            sign(<'CA', certT, certC, r2, encaps(~k, z)>, ~skT), '3', 't'>
      ),
-     CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)> )
+     CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, z)> )
      ]
     variants (modulo AC)
-    1. certC = certC.20
-       z     = cert_pk(certC.20)
-       z.1   = verify(cert_sig(certC.20),
-                      <cert_pk(certC.20), cert_id(certC.20), 'chip'>, pk(ca_sk))
+    1. certC = certC.19
+       z     = cert_pk(certC.19)
+       z.1   = verify(cert_sig(certC.19),
+                      <cert_pk(certC.19), cert_id(certC.19), 'chip'>, pk(ca_sk))
     
-    2. certC = cert(z.57, sign(<z.57, x.100, 'chip'>, ca_sk), x.100)
-       z     = z.57
+    2. certC = cert(z.56, sign(<z.56, x.99, 'chip'>, ca_sk), x.99)
+       z     = z.56
        z.1   = true
     
-    3. certC = cert(z.58, x.101, x.102)
-       z     = z.58
-       z.1   = verify(x.101, <z.58, x.102, 'chip'>, pk(ca_sk))
+    3. certC = cert(z.57, x.100, x.101)
+       z     = z.57
+       z.1   = verify(x.100, <z.57, x.101, 'chip'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_COMPLETE_C:
    [
-   In( <cip, s1, s2, '3', 't'> ),
-   TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ),
-   !Cert( $C, certC, 'chip' )
+   In( <cip, s1, s2, '3', 't'> ), TAChallengeC( $C, certT, id_c, r1, r2 ),
+   !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
    ]
   --[
   Eq( verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true ),
   Eq( verify(s2, <'CA', certT, certC, r2, cip>, cert_pk(certT)), true ),
-  CompletedTA( $C, iid, cert_id(certT) ),
   Completed( kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)),
              <certT, certC, r2, cip>, $C, 'chip', cert_id(certT)
   )
   ]->
    [
-   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'>
-   ),
-   TACompleteC( <$C, iid>, certT, id_c, r1, r2 )
+   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'> )
    ]
 
   /*
   rule (modulo AC) TA_COMPLETE_C:
      [
-     In( <cip, s1, s2, '3', 't'> ),
-     TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ),
-     !Cert( $C, certC, 'chip' )
+     In( <cip, s1, s2, '3', 't'> ), TAChallengeC( $C, certT, id_c, r1, r2 ),
+     !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
      ]
     --[
-    Eq( z.1, true ), Eq( z.2, true ), CompletedTA( $C, iid, z.3 ),
+    Eq( z.1, true ), Eq( z.2, true ),
     Completed( kdf(<'KEY', certT, certC, r2, cip>, z),
                <certT, certC, r2, cip>, $C, 'chip', z.3
     )
     ]->
-     [
-     Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ),
-     TACompleteC( <$C, iid>, certT, id_c, r1, r2 )
-     ]
+     [ Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ) ]
     variants (modulo AC)
-     1. ~skC  = ~skC.32
-        certC = certC.33
-        certT = certT.34
-        cip   = cip.35
-        id_c  = id_c.36
-        r1    = r1.38
-        r2    = r2.39
-        s1    = s1.40
-        s2    = s2.41
-        z     = decaps(cip.35, ~skC.32)
-        z.1   = verify(s1.40, <'TA', id_c.36, r1.38>, cert_pk(certT.34))
-        z.2   = verify(s2.41, <'CA', certT.34, certC.33, r2.39, cip.35>,
-                       cert_pk(certT.34))
-        z.3   = cert_id(certT.34)
-    
-     2. ~skC  = ~skC.37
-        certC = certC.38
-        certT = certT.39
-        cip   = encaps(z.51, pk(~skC.37))
-        id_c  = id_c.41
-        r1    = r1.43
-        r2    = r2.44
-        s1    = s1.45
-        s2    = s2.46
-        z     = z.51
-        z.1   = verify(s1.45, <'TA', id_c.41, r1.43>, cert_pk(certT.39))
-        z.2   = verify(s2.46,
-                       <'CA', certT.39, certC.38, r2.44, encaps(z.51, pk(~skC.37))>,
-                       cert_pk(certT.39))
-        z.3   = cert_id(certT.39)
-    
-     3. ~skC  = ~skC.150
-        certC = certC.151
-        certT = cert(x.296, x.297, z.169)
-        cip   = cip.153
-        id_c  = id_c.154
-        r1    = r1.156
-        r2    = r2.157
-        s1    = s1.158
-        s2    = s2.159
-        z     = decaps(cip.153, ~skC.150)
-        z.1   = verify(s1.158, <'TA', id_c.154, r1.156>, x.296)
-        z.2   = verify(s2.159,
-                       <'CA', cert(x.296, x.297, z.169), certC.151, r2.157, cip.153>, x.296)
-        z.3   = z.169
-    
-     4. ~skC  = ~skC.150
-        certC = certC.151
-        certT = cert(pk(x.296), x.297, z.169)
-        cip   = cip.153
-        id_c  = id_c.154
-        r1    = r1.156
-        r2    = r2.157
-        s1    = sign(<'TA', id_c.154, r1.156>, x.296)
-        s2    = s2.159
-        z     = decaps(cip.153, ~skC.150)
+     1. ~skC  = ~skC.31
+        certC = certC.32
+        certT = certT.33
+        cip   = cip.34
+        id_c  = id_c.35
+        r1    = r1.36
+        r2    = r2.37
+        s1    = s1.38
+        s2    = s2.39
+        z     = decaps(cip.34, ~skC.31)
+        z.1   = verify(s1.38, <'TA', id_c.35, r1.36>, cert_pk(certT.33))
+        z.2   = verify(s2.39, <'CA', certT.33, certC.32, r2.37, cip.34>,
+                       cert_pk(certT.33))
+        z.3   = cert_id(certT.33)
+    
+     2. ~skC  = ~skC.36
+        certC = certC.37
+        certT = certT.38
+        cip   = encaps(z.49, pk(~skC.36))
+        id_c  = id_c.40
+        r1    = r1.41
+        r2    = r2.42
+        s1    = s1.43
+        s2    = s2.44
+        z     = z.49
+        z.1   = verify(s1.43, <'TA', id_c.40, r1.41>, cert_pk(certT.38))
+        z.2   = verify(s2.44,
+                       <'CA', certT.38, certC.37, r2.42, encaps(z.49, pk(~skC.36))>,
+                       cert_pk(certT.38))
+        z.3   = cert_id(certT.38)
+    
+     3. ~skC  = ~skC.144
+        certC = certC.145
+        certT = cert(x.284, x.285, z.163)
+        cip   = cip.147
+        id_c  = id_c.148
+        r1    = r1.149
+        r2    = r2.150
+        s1    = s1.151
+        s2    = s2.152
+        z     = decaps(cip.147, ~skC.144)
+        z.1   = verify(s1.151, <'TA', id_c.148, r1.149>, x.284)
+        z.2   = verify(s2.152,
+                       <'CA', cert(x.284, x.285, z.163), certC.145, r2.150, cip.147>, x.284)
+        z.3   = z.163
+    
+     4. ~skC  = ~skC.144
+        certC = certC.145
+        certT = cert(pk(x.284), x.285, z.163)
+        cip   = cip.147
+        id_c  = id_c.148
+        r1    = r1.149
+        r2    = r2.150
+        s1    = sign(<'TA', id_c.148, r1.149>, x.284)
+        s2    = s2.152
+        z     = decaps(cip.147, ~skC.144)
         z.1   = true
-        z.2   = verify(s2.159,
-                       <'CA', cert(pk(x.296), x.297, z.169), certC.151, r2.157, cip.153>,
-                       pk(x.296))
-        z.3   = z.169
-    
-     5. ~skC  = ~skC.151
-        certC = certC.152
-        certT = cert(pk(x.298), x.299, z.170)
-        cip   = cip.154
-        id_c  = id_c.155
-        r1    = r1.157
-        r2    = r2.158
-        s1    = s1.159
-        s2    = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158, 
-                      cip.154>,
-                     x.298)
-        z     = decaps(cip.154, ~skC.151)
-        z.1   = verify(s1.159, <'TA', id_c.155, r1.157>, pk(x.298))
+        z.2   = verify(s2.152,
+                       <'CA', cert(pk(x.284), x.285, z.163), certC.145, r2.150, cip.147>,
+                       pk(x.284))
+        z.3   = z.163
+    
+     5. ~skC  = ~skC.145
+        certC = certC.146
+        certT = cert(pk(x.286), x.287, z.164)
+        cip   = cip.148
+        id_c  = id_c.149
+        r1    = r1.150
+        r2    = r2.151
+        s1    = s1.152
+        s2    = sign(<'CA', cert(pk(x.286), x.287, z.164), certC.146, r2.151, 
+                      cip.148>,
+                     x.286)
+        z     = decaps(cip.148, ~skC.145)
+        z.1   = verify(s1.152, <'TA', id_c.149, r1.150>, pk(x.286))
         z.2   = true
-        z.3   = z.170
-    
-     6. ~skC  = ~skC.151
-        certC = certC.152
-        certT = cert(pk(x.298), x.299, z.170)
-        cip   = cip.154
-        id_c  = id_c.155
-        r1    = r1.157
-        r2    = r2.158
-        s1    = sign(<'TA', id_c.155, r1.157>, x.298)
-        s2    = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158, 
-                      cip.154>,
-                     x.298)
-        z     = decaps(cip.154, ~skC.151)
+        z.3   = z.164
+    
+     6. ~skC  = ~skC.145
+        certC = certC.146
+        certT = cert(pk(x.286), x.287, z.164)
+        cip   = cip.148
+        id_c  = id_c.149
+        r1    = r1.150
+        r2    = r2.151
+        s1    = sign(<'TA', id_c.149, r1.150>, x.286)
+        s2    = sign(<'CA', cert(pk(x.286), x.287, z.164), certC.146, r2.151, 
+                      cip.148>,
+                     x.286)
+        z     = decaps(cip.148, ~skC.145)
         z.1   = true
         z.2   = true
-        z.3   = z.170
-    
-     7. ~skC  = ~skC.152
-        certC = certC.153
-        certT = cert(x.300, x.301, z.171)
-        cip   = encaps(z.166, pk(~skC.152))
-        id_c  = id_c.156
-        r1    = r1.158
-        r2    = r2.159
-        s1    = s1.160
-        s2    = s2.161
-        z     = z.166
-        z.1   = verify(s1.160, <'TA', id_c.156, r1.158>, x.300)
-        z.2   = verify(s2.161,
-                       <'CA', cert(x.300, x.301, z.171), certC.153, r2.159, 
-                        encaps(z.166, pk(~skC.152))>,
-                       x.300)
-        z.3   = z.171
-    
-     8. ~skC  = ~skC.152
-        certC = certC.153
-        certT = cert(pk(x.300), x.301, z.171)
-        cip   = encaps(z.166, pk(~skC.152))
-        id_c  = id_c.156
-        r1    = r1.158
-        r2    = r2.159
-        s1    = s1.160
-        s2    = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, 
-                      encaps(z.166, pk(~skC.152))>,
-                     x.300)
-        z     = z.166
-        z.1   = verify(s1.160, <'TA', id_c.156, r1.158>, pk(x.300))
+        z.3   = z.164
+    
+     7. ~skC  = ~skC.146
+        certC = certC.147
+        certT = cert(x.288, x.289, z.165)
+        cip   = encaps(z.159, pk(~skC.146))
+        id_c  = id_c.150
+        r1    = r1.151
+        r2    = r2.152
+        s1    = s1.153
+        s2    = s2.154
+        z     = z.159
+        z.1   = verify(s1.153, <'TA', id_c.150, r1.151>, x.288)
+        z.2   = verify(s2.154,
+                       <'CA', cert(x.288, x.289, z.165), certC.147, r2.152, 
+                        encaps(z.159, pk(~skC.146))>,
+                       x.288)
+        z.3   = z.165
+    
+     8. ~skC  = ~skC.146
+        certC = certC.147
+        certT = cert(pk(x.288), x.289, z.165)
+        cip   = encaps(z.159, pk(~skC.146))
+        id_c  = id_c.150
+        r1    = r1.151
+        r2    = r2.152
+        s1    = s1.153
+        s2    = sign(<'CA', cert(pk(x.288), x.289, z.165), certC.147, r2.152, 
+                      encaps(z.159, pk(~skC.146))>,
+                     x.288)
+        z     = z.159
+        z.1   = verify(s1.153, <'TA', id_c.150, r1.151>, pk(x.288))
         z.2   = true
-        z.3   = z.171
-    
-     9. ~skC  = ~skC.152
-        certC = certC.153
-        certT = cert(pk(x.300), x.301, z.171)
-        cip   = encaps(z.166, pk(~skC.152))
-        id_c  = id_c.156
-        r1    = r1.158
-        r2    = r2.159
-        s1    = sign(<'TA', id_c.156, r1.158>, x.300)
-        s2    = s2.161
-        z     = z.166
+        z.3   = z.165
+    
+     9. ~skC  = ~skC.146
+        certC = certC.147
+        certT = cert(pk(x.288), x.289, z.165)
+        cip   = encaps(z.159, pk(~skC.146))
+        id_c  = id_c.150
+        r1    = r1.151
+        r2    = r2.152
+        s1    = sign(<'TA', id_c.150, r1.151>, x.288)
+        s2    = s2.154
+        z     = z.159
         z.1   = true
-        z.2   = verify(s2.161,
-                       <'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, 
-                        encaps(z.166, pk(~skC.152))>,
-                       pk(x.300))
-        z.3   = z.171
-    
-    10. ~skC  = ~skC.152
-        certC = certC.153
-        certT = cert(pk(x.300), x.301, z.171)
-        cip   = encaps(z.166, pk(~skC.152))
-        id_c  = id_c.156
-        r1    = r1.158
-        r2    = r2.159
-        s1    = sign(<'TA', id_c.156, r1.158>, x.300)
-        s2    = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, 
-                      encaps(z.166, pk(~skC.152))>,
-                     x.300)
-        z     = z.166
+        z.2   = verify(s2.154,
+                       <'CA', cert(pk(x.288), x.289, z.165), certC.147, r2.152, 
+                        encaps(z.159, pk(~skC.146))>,
+                       pk(x.288))
+        z.3   = z.165
+    
+    10. ~skC  = ~skC.146
+        certC = certC.147
+        certT = cert(pk(x.288), x.289, z.165)
+        cip   = encaps(z.159, pk(~skC.146))
+        id_c  = id_c.150
+        r1    = r1.151
+        r2    = r2.152
+        s1    = sign(<'TA', id_c.150, r1.151>, x.288)
+        s2    = sign(<'CA', cert(pk(x.288), x.289, z.165), certC.147, r2.152, 
+                      encaps(z.159, pk(~skC.146))>,
+                     x.288)
+        z     = z.159
         z.1   = true
         z.2   = true
-        z.3   = z.171
+        z.3   = z.165
   */
 
 rule (modulo E) CA_FINISH_T:
    [
-   In( <kCNF_C, '4', 'c'> ),
-   CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+   In( <kCNF_C, '4', 'c'> ), CAInitT( $T, id_c, certC, r2, <k, cip> ),
    !Cert( $T, certT, 'terminal' )
    ]
   --[
@@ -366,7 +357,6 @@ rule (modulo E) CA_FINISH_T:
   Finished( <certT, certC, r2, cip> )
   ]->
    [
-   CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
    !SessionReveal( <certT, certC, r2, cip>,
                    kdf(<'KEY', certT, certC, r2, cip>, k)
    )
@@ -375,8 +365,7 @@ rule (modulo E) CA_FINISH_T:
   /*
   rule (modulo AC) CA_FINISH_T:
      [
-     In( <kCNF_C, '4', 'c'> ),
-     CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+     In( <kCNF_C, '4', 'c'> ), CAInitT( $T, id_c, certC, r2, <k, cip> ),
      !Cert( $T, certT, 'terminal' )
      ]
     --[
@@ -387,17 +376,16 @@ rule (modulo E) CA_FINISH_T:
     Finished( <certT, certC, r2, cip> )
     ]->
      [
-     CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
      !SessionReveal( <certT, certC, r2, cip>,
                      kdf(<'KEY', certT, certC, r2, cip>, k)
      )
      ]
     variants (modulo AC)
-    1. certC = certC.15
-       z     = cert_id(certC.15)
+    1. certC = certC.16
+       z     = cert_id(certC.16)
     
-    2. certC = cert(x.41, x.42, z.28)
-       z     = z.28
+    2. certC = cert(x.26, x.27, z.21)
+       z     = z.21
   */
 
 rule (modulo E) Verify_Transcript_C:
@@ -2241,8 +2229,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C
-  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -2257,7 +2244,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -2339,8 +2326,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C
-  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -2355,7 +2341,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -2365,8 +2351,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
               case CA_Sign_ltk
               solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
                 case TA_COMPLETE_C
-                solve( TAChallengeC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1,
-                                     r2.1
+                solve( TAChallengeC( $C, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1
                        ) ▶₁ #i2 )
                   case TA_CHALLENGE_C
                   solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
@@ -2384,7 +2369,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                         $T, 'terminal', $C
                              ) @ #j2 )
                         case CA_FINISH_T
-                        solve( CAInitT( <$T, iid.3>, id_c.3,
+                        solve( CAInitT( $T, id_c.3,
                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
                                         <z, cip>
                                ) ▶₁ #j2 )
@@ -2521,6 +2506,88 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                      <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                        ~k)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.18 )
+            case TA_RESPONSE_T
+            solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                   ) @ #vk.13 )
+              case CA_Sign_ltk
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case TA_CHALLENGE_C
+              solve( !KU( ~ltk.1 ) @ #vk.23 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case c_cert
+              solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.25 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.29 )
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C
+      by contradiction /* from formulas */
+    qed
+  qed
+qed
+
 lemma weak_agreement_C:
   all-traces
   "∀ k sid C T #i #t.
@@ -2538,7 +2605,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2548,7 +2615,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       C, 'chip', T.1
            ) @ #i )
       case TA_COMPLETE_C
-      solve( TAChallengeC( <$C, iid>,
+      solve( TAChallengeC( $C,
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
              ) ▶₁ #i )
         case TA_CHALLENGE_C
@@ -2582,7 +2649,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2592,8 +2659,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2,
+                      <k.1, encaps(~k, z)>
              ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !KU( kdf(<'CNF', 
@@ -2663,7 +2730,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2673,7 +2740,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       C, 'chip', T.1
            ) @ #i )
       case TA_COMPLETE_C
-      solve( TAChallengeC( <$C, iid>,
+      solve( TAChallengeC( $C,
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
              ) ▶₁ #i )
         case TA_CHALLENGE_C
@@ -2750,7 +2817,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2760,8 +2827,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2,
+                      <k.1, encaps(~k, z)>
              ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !KU( kdf(<'CNF', 
@@ -2814,88 +2881,6 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   qed
 qed
 
-lemma aliveness:
-  all-traces
-  "∀ k sid A role B #i #t.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
-     (∃ #k.1. Corrupted( B ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid A role B #i #t.
-  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
-  case TA_RESPONSE_T
-  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
-    case CA_Sign_ltk
-    solve( Completed( k.1,
-                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
-                      A, role, B
-           ) @ #i )
-      case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>
-             ) ▶₁ #i )
-        case TA_RESPONSE_T
-        solve( !KU( kdf(<'CNF', 
-                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
-                        ~k)
-               ) @ #vk.1 )
-          case TA_COMPLETE_C
-          by contradiction /* from formulas */
-        next
-          case c_kdf
-          solve( !KU( ~k ) @ #vk.18 )
-            case TA_RESPONSE_T
-            solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
-                   ) @ #vk.13 )
-              case CA_Sign_ltk
-              solve( !KU( ~ltk.1 ) @ #vk.23 )
-                case Corrupt_ltk
-                by contradiction /* from formulas */
-              qed
-            next
-              case TA_CHALLENGE_C
-              solve( !KU( ~ltk.1 ) @ #vk.23 )
-                case Corrupt_ltk
-                by contradiction /* from formulas */
-              qed
-            next
-              case c_cert
-              solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.25 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk.1 ) @ #vk.24 )
-                  case Corrupt_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_CHALLENGE_C
-                solve( !KU( ~ltk.1 ) @ #vk.24 )
-                  case Corrupt_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.29 )
-              qed
-            qed
-          qed
-        qed
-      qed
-    next
-      case TA_COMPLETE_C
-      by contradiction /* from formulas */
-    qed
-  qed
-qed
-
 lemma session_uniqueness:
   all-traces
   "∀ A B k sid sid2 role #i #j.
@@ -2917,7 +2902,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_1
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+      solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -2928,8 +2913,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1,
-                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+            solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                            <~k, encaps(~k, z)>
                    ) ▶₁ #j )
               case TA_RESPONSE_T
               by contradiction /* cyclic */
@@ -2939,8 +2924,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C
-      solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
-             ) ▶₁ #i )
+      solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
@@ -2953,7 +2937,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C
-              solve( TAChallengeC( <$C, iid.1>,
+              solve( TAChallengeC( $C,
                                    cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
@@ -2968,7 +2952,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_2
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+      solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -2979,8 +2963,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1,
-                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+            solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                            <~k, encaps(~k, z)>
                    ) ▶₁ #j )
               case TA_RESPONSE_T
               by contradiction /* cyclic */
@@ -2990,8 +2974,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C
-      solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
-             ) ▶₁ #i )
+      solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
@@ -3004,7 +2987,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C
-              solve( TAChallengeC( <$C, iid.1>,
+              solve( TAChallengeC( $C,
                                    cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
@@ -3020,7 +3003,7 @@ next
   case case_2
   solve( Completed( k, sid, A, role, B ) @ #i )
     case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+    solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i )
       case TA_RESPONSE_T
       solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
         case CA_Sign_ltk
@@ -3037,8 +3020,7 @@ next
     qed
   next
     case TA_COMPLETE_C
-    solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2
-           ) ▶₁ #i )
+    solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
       case TA_CHALLENGE_C
       solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
         case Generate_chip_key_pair
@@ -3064,20 +3046,21 @@ lemma consistency:
   "∀ C T k k2 sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
-    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+    (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k k2 sid #i #j.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧
   (Completed( k2, sid, T, 'terminal', C ) @ #j)
  ∧
-  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (¬(k = k2)) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C
-  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
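Review bot: The disjunct added to `consistency`, `(∃ #m. Corrupted( T ) @ #m)`, has no ordering constraint, so the lemma no longer says anything about a session whose terminal is corrupted at any time, including after both `Completed` events. The same unbounded disjunct is added to `key_secrecy` in the hunk at `@@ -3207,8 +3137,9 @@`. The shorter proofs in the following hunks, where each `Corrupt_ltk` case for `~ltk.1` now closes with `by contradiction /* from formulas */`, come from this weaker statement and not from a change in the protocol rules. If the exclusion is intended, with later terminal compromise presumably left to `forward_secrecy`, both lemmas should carry a comment in the model source, e.g. `/* terminal corruption at any time is excluded here; compromise after completion is the subject of forward_secrecy */`. This file is recorded prover output and the proof script continues outside the hunk, so the comment belongs in the .spthy file that defines the lemmas.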
@@ -3089,7 +3072,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -3130,67 +3113,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                     case c_sign
                     solve( !KU( ~ltk.1 ) @ #vk.40 )
                       case Corrupt_ltk
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk))>,
-                                      ~k)
-                             ) @ #vk.19 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.43 )
-                          case TA_RESPONSE_T
-                          solve( !KU( ~ltk ) @ #vk.45 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
+                      by contradiction /* from formulas */
                     qed
                   qed
                 next
                   case c_sign
                   solve( !KU( ~ltk.1 ) @ #vk.29 )
                     case Corrupt_ltk
-                    solve( !KU( sign(<'CA', 
-                                      cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                      cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                      encaps(~k, pk(~ltk))>,
-                                     ~ltk.1)
-                           ) @ #vk.6 )
-                      case TA_RESPONSE_T
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk))>,
-                                      ~k)
-                             ) @ #vk.15 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.38 )
-                          case TA_RESPONSE_T
-                          solve( !KU( ~ltk ) @ #vk.40 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk))>,
-                                      ~k)
-                             ) @ #vk.17 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.40 )
-                          case TA_RESPONSE_T
-                          solve( !KU( ~ltk ) @ #vk.42 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
-                    qed
+                    by contradiction /* from formulas */
                   qed
                 qed
               qed
@@ -3207,8 +3137,9 @@ lemma key_secrecy:
   "∀ C T k sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
-    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
-     (∃ #m. Corrupted( C ) @ #m))"
+    ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+      (∃ #m. Corrupted( C ) @ #m)) ∨
+     (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k sid #i #j.
@@ -3217,13 +3148,13 @@ guarded formula characterizing all counter-examples:
  ∧
   (∃ #m. (K( k ) @ #m)) ∧
   (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C
-  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -3238,7 +3169,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -3277,140 +3208,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                   case c_sign
                   solve( !KU( ~ltk.1 ) @ #vk.41 )
                     case Corrupt_ltk
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk))>,
-                                    ~k)
-                           ) @ #vk.6 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.44 )
-                        case TA_RESPONSE_T
-                        solve( !KU( ~ltk ) @ #vk.46 )
-                          case Corrupt_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      qed
-                    qed
+                    by contradiction /* from formulas */
                   qed
                 qed
               next
                 case c_sign
                 solve( !KU( ~ltk.1 ) @ #vk.30 )
                   case Corrupt_ltk
-                  solve( !KU( sign(<'CA', 
-                                    cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                    encaps(~k, pk(~ltk))>,
-                                   ~ltk.1)
-                         ) @ #vk.7 )
-                    case TA_RESPONSE_T
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk))>,
-                                    ~k)
-                           ) @ #vk.5 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.39 )
-                        case TA_RESPONSE_T
-                        solve( !KU( ~ltk ) @ #vk.41 )
-                          case Corrupt_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk))>,
-                                    ~k)
-                           ) @ #vk.5 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.41 )
-                        case TA_RESPONSE_T
-                        solve( !KU( ~ltk ) @ #vk.43 )
-                          case Corrupt_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma chip_hiding:
-  all-traces
-  "∀ C T iid #i.
-    (CompletedTA( C, iid, T ) @ #i) ⇒
-    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T iid #i.
-  (CompletedTA( C, iid, T ) @ #i)
- ∧
-  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
-*/
-simplify
-solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
-       ) ▶₁ #i )
-  case TA_CHALLENGE_C
-  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
-    case Generate_chip_key_pair
-    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
-      case CA_Sign_ltk
-      solve( splitEqs(0) )
-        case split_case_1
-        solve( !KU( sign(<'TA', ~id_c, ~r1>, x) ) @ #vk.3 )
-          case TA_RESPONSE_T
-          solve( !KU( sign(<'CA', 
-                            cert(pk(~skT), sign(<pk(~skT), T, 'terminal'>, ca_sk), T), 
-                            cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
-                           ~skT)
-                 ) @ #vk.5 )
-            case TA_RESPONSE_T
-            solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.19 )
-              case CA_Sign_ltk
-              solve( !KU( ~iid ) @ #vk.12 )
-                case TA_CHALLENGE_C
-                solve( !KU( ~id_c ) @ #vk.17 )
-                  case TA_CHALLENGE_C
-                  solve( !KU( ~r1 ) @ #vk.19 )
-                    case TA_CHALLENGE_C
-                    solve( !KU( ~r2 ) @ #vk.32 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
-                             ) @ #vk.19 )
-                        case CA_Sign_ltk
-                        solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
-                               ) @ #vk.32 )
-                          case CA_Sign_ltk
-                          solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.18 )
-                            case TA_RESPONSE_T
-                            SOLVED // trace found
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
+                  by contradiction /* from formulas */
                 qed
               qed
             qed
@@ -3421,7 +3226,7 @@ solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
   qed
 qed
 
-lemma nonRepudiation_terminal:
+lemma notNonRepudiation_C:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -3482,7 +3287,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma nonRepudiation_chip:
+lemma notNonRepudiation_T:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -3515,7 +3320,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i )
   qed
 qed
 
-lemma pfs:
+lemma forward_secrecy:
   all-traces
   "∀ C T k sid #i #j.
     ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
@@ -3537,8 +3342,7 @@ guarded formula characterizing all counter-examples:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C
-  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -3553,7 +3357,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -3674,21 +3478,20 @@ summary of summaries:
 
 analyzed: tmp.spthy
 
-  processing time: 750.72s
+  processing time: 562.41s
   
   session_exist (exists-trace): verified (19 steps)
   two_session_exist (exists-trace): verified (36 steps)
+  aliveness (all-traces): verified (20 steps)
   weak_agreement_C (all-traces): verified (8 steps)
   weak_agreement_T (all-traces): verified (19 steps)
   agreement_C (all-traces): verified (19 steps)
   agreement_T (all-traces): verified (19 steps)
-  aliveness (all-traces): verified (20 steps)
   session_uniqueness (all-traces): verified (37 steps)
-  consistency (all-traces): verified (31 steps)
-  key_secrecy (all-traces): verified (33 steps)
-  chip_hiding (all-traces): falsified - found trace (16 steps)
-  nonRepudiation_terminal (exists-trace): verified (13 steps)
-  nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps)
-  pfs (all-traces): falsified - found trace (22 steps)
+  consistency (all-traces): verified (20 steps)
+  key_secrecy (all-traces): verified (19 steps)
+  notNonRepudiation_C (exists-trace): verified (13 steps)
+  notNonRepudiation_T (exists-trace): falsified - no trace found (7 steps)
+  forward_secrecy (all-traces): falsified - found trace (22 steps)
 
 ==============================================================================
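Review bot: The summary records `forward_secrecy (all-traces): falsified - found trace (22 steps)` and `notNonRepudiation_T (exists-trace): falsified - no trace found (7 steps)` without saying whether either verdict is the intended one. The commit subject speaks of adding forward secrecy for the terminal ltk, so a reader checking this log against that claim sees a counterexample and cannot tell whether it is expected for this protocol variant; presumably it concerns a different key, but the lemma body lies outside the visible hunks. I would record the expected verdict next to each lemma in the README or the lemmas include, e.g. `// forward_secrecy: expected falsified for <variant>, because <reason>`, and state there what `falsified` means for the negated exists-trace lemmas, where it appears to be the good outcome. Separately, `analyzed: tmp.spthy` names a file that the diffstat shows this commit deleting, so the log no longer identifies the theory it was produced from; re-running on the named theory file would fix that.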
diff --git a/results/45991167.err.ALL_CLASSIC_EAC_TAMARIN b/results/46092855.err.SigPQEAC
similarity index 100%
rename from results/45991167.err.ALL_CLASSIC_EAC_TAMARIN
rename to results/46092855.err.SigPQEAC
diff --git a/results/45992234.out.ALL_SigPQEAC_TAMARIN b/results/46092855.out.SigPQEAC
similarity index 89%
rename from results/45992234.out.ALL_SigPQEAC_TAMARIN
rename to results/46092855.out.SigPQEAC
index cc39be4..61dbbbb 100644
--- a/results/45992234.out.ALL_SigPQEAC_TAMARIN
+++ b/results/46092855.out.SigPQEAC
@@ -71,105 +71,86 @@ rule (modulo E) Reveal_session:
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+   [ !Cert( $T, certT, 'terminal' ) ]
   --[ Started( ) ]->
-   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+   [ Out( <certT, '1', 't'> ), TAInitT( $T ) ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_CHALLENGE_C:
-   [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
+   [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ]
   --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
-   [
-   Out( <~id_c, ~r1, '2', 'c'> ),
-   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 )
-   ]
+   [ Out( <~id_c, ~r1, '2', 'c'> ), TAChallengeC( $C, certT, ~id_c, ~r1 ) ]
 
   /*
   rule (modulo AC) TA_CHALLENGE_C:
-     [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
+     [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ]
     --[ Eq( z, true ), Started( ) ]->
-     [
-     Out( <~id_c, ~r1, '2', 'c'> ),
-     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 )
-     ]
+     [ Out( <~id_c, ~r1, '2', 'c'> ), TAChallengeC( $C, certT, ~id_c, ~r1 ) ]
     variants (modulo AC)
-    1. certT = certT.12
-       z     = verify(cert_sig(certT.12),
-                      <cert_pk(certT.12), cert_id(certT.12), 'terminal'>, pk(ca_sk))
+    1. certT = certT.11
+       z     = verify(cert_sig(certT.11),
+                      <cert_pk(certT.11), cert_id(certT.11), 'terminal'>, pk(ca_sk))
     
-    2. certT = cert(x.13, sign(<x.13, x.14, 'terminal'>, ca_sk), x.14)
+    2. certT = cert(x.12, sign(<x.12, x.13, 'terminal'>, ca_sk), x.13)
        z     = true
     
-    3. certT = cert(x.14, x.15, x.16)
-       z     = verify(x.15, <x.14, x.16, 'terminal'>, pk(ca_sk))
+    3. certT = cert(x.13, x.14, x.15)
+       z     = verify(x.14, <x.13, x.15, 'terminal'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_RESPONSE_T:
-   [
-   In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid> ),
-   !Ltk( $T, ~skT, 'terminal' )
+   [ In( <id_c, r1, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' )
    ]
   -->
    [
-   Out( <sign(<'TA', id_c, r1>, ~skT), '3', 't'> ),
-   TAResponseT( <$T, iid>, id_c )
+   Out( <sign(<'TA', id_c, r1>, ~skT), '3', 't'> ), TAResponseT( $T, id_c )
    ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_COMPLETE_C:
-   [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ]
-  --[
-  Eq( verify(s, <'TA', id_c, r1>, cert_pk(certT)), true ),
-  CompletedTA( $C, iid, cert_id(certT) )
-  ]->
-   [ TACompleteC( <$C, iid>, certT, id_c, r1 ) ]
+   [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, id_c, r1 ) ]
+  --[ Eq( verify(s, <'TA', id_c, r1>, cert_pk(certT)), true ) ]->
+   [ TACompleteC( $C, certT, id_c, r1 ) ]
 
   /*
   rule (modulo AC) TA_COMPLETE_C:
-     [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ]
-    --[ Eq( z, true ), CompletedTA( $C, iid, z.1 ) ]->
-     [ TACompleteC( <$C, iid>, certT, id_c, r1 ) ]
+     [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, id_c, r1 ) ]
+    --[ Eq( z, true ) ]->
+     [ TACompleteC( $C, certT, id_c, r1 ) ]
     variants (modulo AC)
-    1. certT = certT.16
-       id_c  = id_c.17
+    1. certT = certT.13
+       id_c  = id_c.14
+       r1    = r1.15
+       s     = s.16
+       z     = verify(s.16, <'TA', id_c.14, r1.15>, cert_pk(certT.13))
+    
+    2. certT = cert(x.30, x.31, x.32)
+       id_c  = id_c.18
        r1    = r1.19
        s     = s.20
-       z     = verify(s.20, <'TA', id_c.17, r1.19>, cert_pk(certT.16))
-       z.1   = cert_id(certT.16)
-    
-    2. certT = cert(x.37, x.38, z.28)
-       id_c  = id_c.21
-       r1    = r1.23
-       s     = s.24
-       z     = verify(s.24, <'TA', id_c.21, r1.23>, x.37)
-       z.1   = z.28
-    
-    3. certT = cert(pk(x.37), x.38, z.28)
-       id_c  = id_c.21
-       r1    = r1.23
-       s     = sign(<'TA', id_c.21, r1.23>, x.37)
+       z     = verify(s.20, <'TA', id_c.18, r1.19>, x.30)
+    
+    3. certT = cert(pk(x.30), x.31, x.32)
+       id_c  = id_c.18
+       r1    = r1.19
+       s     = sign(<'TA', id_c.18, r1.19>, x.30)
        z     = true
-       z.1   = z.28
   */
 
 rule (modulo E) CA_INIT_C:
    [
-   Fr( ~r2 ), TACompleteC( <$C, iid>, certT, id_c, r1 ),
-   !Cert( $C, certC, 'chip' )
+   Fr( ~r2 ), TACompleteC( $C, certT, id_c, r1 ), !Cert( $C, certC, 'chip' )
    ]
   -->
-   [
-   Out( <certC, ~r2, '4', 'c'> ), Out( iid ),
-   CAInitC( <$C, iid>, certT, id_c, r1, ~r2 )
-   ]
+   [ Out( <certC, ~r2, '4', 'c'> ), CAInitC( $C, certT, id_c, r1, ~r2 ) ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) CA_INIT_T:
    [
-   In( <certC, r2, '4', 'c'> ), Fr( ~k ), TAResponseT( <$T, iid>, id_c ),
+   In( <certC, r2, '4', 'c'> ), Fr( ~k ), TAResponseT( $T, id_c ),
    !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
    ]
   --[ Eq( verify_cert(certC, 'chip'), true ) ]->
@@ -178,13 +159,13 @@ rule (modulo E) CA_INIT_T:
          sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC))>, ~skT), '5', 
          't'>
    ),
-   CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> )
+   CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> )
    ]
 
   /*
   rule (modulo AC) CA_INIT_T:
      [
-     In( <certC, r2, '4', 'c'> ), Fr( ~k ), TAResponseT( <$T, iid>, id_c ),
+     In( <certC, r2, '4', 'c'> ), Fr( ~k ), TAResponseT( $T, id_c ),
      !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
      ]
     --[ Eq( z.1, true ) ]->
@@ -192,26 +173,26 @@ rule (modulo E) CA_INIT_T:
      Out( <encaps(~k, z), 
            sign(<'CA', certT, certC, r2, encaps(~k, z)>, ~skT), '5', 't'>
      ),
-     CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)> )
+     CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, z)> )
      ]
     variants (modulo AC)
-    1. certC = certC.18
-       z     = cert_pk(certC.18)
-       z.1   = verify(cert_sig(certC.18),
-                      <cert_pk(certC.18), cert_id(certC.18), 'chip'>, pk(ca_sk))
+    1. certC = certC.17
+       z     = cert_pk(certC.17)
+       z.1   = verify(cert_sig(certC.17),
+                      <cert_pk(certC.17), cert_id(certC.17), 'chip'>, pk(ca_sk))
     
-    2. certC = cert(z.44, sign(<z.44, x.75, 'chip'>, ca_sk), x.75)
-       z     = z.44
+    2. certC = cert(z.43, sign(<z.43, x.74, 'chip'>, ca_sk), x.74)
+       z     = z.43
        z.1   = true
     
-    3. certC = cert(z.45, x.76, x.77)
-       z     = z.45
-       z.1   = verify(x.76, <z.45, x.77, 'chip'>, pk(ca_sk))
+    3. certC = cert(z.44, x.75, x.76)
+       z     = z.44
+       z.1   = verify(x.75, <z.44, x.76, 'chip'>, pk(ca_sk))
   */
 
 rule (modulo E) CA_FINISH_C:
    [
-   In( <cip, s, '5', 't'> ), CAInitC( <$C, iid>, certT, id_c, r1, r2 ),
+   In( <cip, s, '5', 't'> ), CAInitC( $C, certT, id_c, r1, r2 ),
    !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
    ]
   --[
@@ -221,106 +202,98 @@ rule (modulo E) CA_FINISH_C:
   )
   ]->
    [
-   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '6', 'c'>
-   ),
-   CAFinishC( $C, cert_id(certT),
-              kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC))
-   )
+   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '6', 'c'> )
    ]
 
   /*
   rule (modulo AC) CA_FINISH_C:
      [
-     In( <cip, s, '5', 't'> ), CAInitC( <$C, iid>, certT, id_c, r1, r2 ),
+     In( <cip, s, '5', 't'> ), CAInitC( $C, certT, id_c, r1, r2 ),
      !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
      ]
     --[
-    Eq( z.2, true ),
+    Eq( z.1, true ),
     Completed( kdf(<'KEY', certT, certC, r2, cip>, z),
-               <certT, certC, r2, cip>, $C, 'chip', z.1
+               <certT, certC, r2, cip>, $C, 'chip', z.2
     )
     ]->
-     [
-     Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '6', 'c'> ),
-     CAFinishC( $C, z.1, kdf(<'KEY', certT, certC, r2, cip>, z) )
-     ]
+     [ Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '6', 'c'> ) ]
     variants (modulo AC)
-    1. ~skC  = ~skC.30
-       certC = certC.31
-       certT = certT.32
-       cip   = cip.33
-       r2    = r2.37
-       s     = s.38
-       z     = decaps(cip.33, ~skC.30)
-       z.1   = cert_id(certT.32)
-       z.2   = verify(s.38, <'CA', certT.32, certC.31, r2.37, cip.33>,
-                      cert_pk(certT.32))
-    
-    2. ~skC  = ~skC.35
-       certC = certC.36
-       certT = certT.37
-       cip   = encaps(z.48, pk(~skC.35))
-       r2    = r2.42
-       s     = s.43
-       z     = z.48
-       z.1   = cert_id(certT.37)
-       z.2   = verify(s.43,
-                      <'CA', certT.37, certC.36, r2.42, encaps(z.48, pk(~skC.35))>,
-                      cert_pk(certT.37))
-    
-    3. ~skC  = ~skC.137
-       certC = certC.138
-       certT = cert(x.270, x.271, z.153)
-       cip   = cip.140
-       r2    = r2.144
-       s     = s.145
-       z     = decaps(cip.140, ~skC.137)
-       z.1   = z.153
-       z.2   = verify(s.145,
-                      <'CA', cert(x.270, x.271, z.153), certC.138, r2.144, cip.140>, x.270)
-    
-    4. ~skC  = ~skC.138
-       certC = certC.139
-       certT = cert(pk(x.272), x.273, z.154)
-       cip   = cip.141
-       r2    = r2.145
-       s     = sign(<'CA', cert(pk(x.272), x.273, z.154), certC.139, r2.145, 
-                     cip.141>,
-                    x.272)
-       z     = decaps(cip.141, ~skC.138)
-       z.1   = z.154
-       z.2   = true
-    
-    5. ~skC  = ~skC.139
-       certC = certC.140
-       certT = cert(x.274, x.275, z.155)
-       cip   = encaps(z.152, pk(~skC.139))
-       r2    = r2.146
-       s     = s.147
-       z     = z.152
-       z.1   = z.155
-       z.2   = verify(s.147,
-                      <'CA', cert(x.274, x.275, z.155), certC.140, r2.146, 
-                       encaps(z.152, pk(~skC.139))>,
-                      x.274)
-    
-    6. ~skC  = ~skC.139
-       certC = certC.140
-       certT = cert(pk(x.274), x.275, z.155)
-       cip   = encaps(z.152, pk(~skC.139))
-       r2    = r2.146
-       s     = sign(<'CA', cert(pk(x.274), x.275, z.155), certC.140, r2.146, 
-                     encaps(z.152, pk(~skC.139))>,
-                    x.274)
-       z     = z.152
-       z.1   = z.155
-       z.2   = true
+    1. ~skC  = ~skC.28
+       certC = certC.29
+       certT = certT.30
+       cip   = cip.31
+       r2    = r2.34
+       s     = s.35
+       z     = decaps(cip.31, ~skC.28)
+       z.1   = verify(s.35, <'CA', certT.30, certC.29, r2.34, cip.31>,
+                      cert_pk(certT.30))
+       z.2   = cert_id(certT.30)
+    
+    2. ~skC  = ~skC.33
+       certC = certC.34
+       certT = certT.35
+       cip   = encaps(z.45, pk(~skC.33))
+       r2    = r2.39
+       s     = s.40
+       z     = z.45
+       z.1   = verify(s.40,
+                      <'CA', certT.35, certC.34, r2.39, encaps(z.45, pk(~skC.33))>,
+                      cert_pk(certT.35))
+       z.2   = cert_id(certT.35)
+    
+    3. ~skC  = ~skC.130
+       certC = certC.131
+       certT = cert(x.256, x.257, z.147)
+       cip   = cip.133
+       r2    = r2.136
+       s     = s.137
+       z     = decaps(cip.133, ~skC.130)
+       z.1   = verify(s.137,
+                      <'CA', cert(x.256, x.257, z.147), certC.131, r2.136, cip.133>, x.256)
+       z.2   = z.147
+    
+    4. ~skC  = ~skC.131
+       certC = certC.132
+       certT = cert(pk(x.258), x.259, z.148)
+       cip   = cip.134
+       r2    = r2.137
+       s     = sign(<'CA', cert(pk(x.258), x.259, z.148), certC.132, r2.137, 
+                     cip.134>,
+                    x.258)
+       z     = decaps(cip.134, ~skC.131)
+       z.1   = true
+       z.2   = z.148
+    
+    5. ~skC  = ~skC.132
+       certC = certC.133
+       certT = cert(x.260, x.261, z.149)
+       cip   = encaps(z.144, pk(~skC.132))
+       r2    = r2.138
+       s     = s.139
+       z     = z.144
+       z.1   = verify(s.139,
+                      <'CA', cert(x.260, x.261, z.149), certC.133, r2.138, 
+                       encaps(z.144, pk(~skC.132))>,
+                      x.260)
+       z.2   = z.149
+    
+    6. ~skC  = ~skC.132
+       certC = certC.133
+       certT = cert(pk(x.260), x.261, z.149)
+       cip   = encaps(z.144, pk(~skC.132))
+       r2    = r2.138
+       s     = sign(<'CA', cert(pk(x.260), x.261, z.149), certC.133, r2.138, 
+                     encaps(z.144, pk(~skC.132))>,
+                    x.260)
+       z     = z.144
+       z.1   = true
+       z.2   = z.149
   */
 
 rule (modulo E) CA_FINISH_T:
    [
-   In( <kCNF_c, '6', 'c'> ),
-   CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+   In( <kCNF_c, '6', 'c'> ), CAInitT( $T, id_c, certC, r2, <k, cip> ),
    !Cert( $T, certT, 'terminal' )
    ]
   --[
@@ -331,7 +304,6 @@ rule (modulo E) CA_FINISH_T:
   Finished( <certT, certC, r2, cip> )
   ]->
    [
-   CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
    !SessionReveal( <certT, certC, r2, cip>,
                    kdf(<'KEY', certT, certC, r2, cip>, k)
    )
@@ -340,8 +312,7 @@ rule (modulo E) CA_FINISH_T:
   /*
   rule (modulo AC) CA_FINISH_T:
      [
-     In( <kCNF_c, '6', 'c'> ),
-     CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+     In( <kCNF_c, '6', 'c'> ), CAInitT( $T, id_c, certC, r2, <k, cip> ),
      !Cert( $T, certT, 'terminal' )
      ]
     --[
@@ -352,17 +323,16 @@ rule (modulo E) CA_FINISH_T:
     Finished( <certT, certC, r2, cip> )
     ]->
      [
-     CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
      !SessionReveal( <certT, certC, r2, cip>,
                      kdf(<'KEY', certT, certC, r2, cip>, k)
      )
      ]
     variants (modulo AC)
-    1. certC = certC.15
-       z     = cert_id(certC.15)
+    1. certC = certC.16
+       z     = cert_id(certC.16)
     
-    2. certC = cert(x.41, x.42, z.28)
-       z     = z.28
+    2. certC = cert(x.26, x.27, z.21)
+       z     = z.21
   */
 
 rule (modulo E) Verify_Transcript_C:
@@ -2206,7 +2176,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
+  solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -2221,7 +2191,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -2259,7 +2229,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                               case CA_INIT_C
                               solve( !KU( sign(<'TA', ~id_c.2, ~r1.2>, x) ) @ #vk.38 )
                                 case TA_RESPONSE_T
-                                solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), z, 'terminal'>, ca_sk), z)
+                                solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), x, 'terminal'>, ca_sk), x)
                                        ) @ #vk.40 )
                                   case CA_Sign_ltk
                                   solve( !KU( ~id_c.2 ) @ #vk.42 )
@@ -2313,7 +2283,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
+  solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -2328,7 +2298,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -2338,8 +2308,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
               case CA_Sign_ltk
               solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
                 case CA_FINISH_C
-                solve( CAInitC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1
-                       ) ▶₁ #i2 )
+                solve( CAInitC( $C, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1 ) ▶₁ #i2 )
                   case CA_INIT_C
                   solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
                     case Generate_chip_key_pair
@@ -2356,7 +2325,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                         $T, 'terminal', $C
                              ) @ #j2 )
                         case CA_FINISH_T
-                        solve( CAInitT( <$T, iid.3>, id_c.3,
+                        solve( CAInitT( $T, id_c.3,
                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
                                         <z, cip>
                                ) ▶₁ #j2 )
@@ -2420,9 +2389,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                                       solve( !KU( sign(<'TA', ~id_c.4, ~r1.4>, x) ) @ #vk.60 )
                                                         case TA_RESPONSE_T
                                                         solve( !KU( cert(pk(~skT.3),
-                                                                         sign(<pk(~skT.3), z, 'terminal'>,
+                                                                         sign(<pk(~skT.3), x, 'terminal'>,
                                                                               ca_sk),
-                                                                         z)
+                                                                         x)
                                                                ) @ #vk.62 )
                                                           case CA_Sign_ltk
                                                           solve( !KU( ~id_c.4 ) @ #vk.64 )
@@ -2466,10 +2435,10 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                                                              ) @ #vk.68 )
                                                                         case TA_RESPONSE_T
                                                                         solve( !KU( cert(pk(~skT.4),
-                                                                                         sign(<pk(~skT.4), z, 
+                                                                                         sign(<pk(~skT.4), x, 
                                                                                                'terminal'>,
                                                                                               ca_sk),
-                                                                                         z)
+                                                                                         x)
                                                                                ) @ #vk.70 )
                                                                           case CA_Sign_ltk
                                                                           solve( !KU( ~id_c.5 ) @ #vk.72 )
@@ -2522,6 +2491,88 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_C
+      by contradiction /* from formulas */
+    next
+      case CA_FINISH_T
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                      <k.1, encaps(~k, z)>
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                        ~k)
+               ) @ #vk.1 )
+          case CA_FINISH_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.20 )
+            case CA_INIT_T
+            solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                   ) @ #vk.12 )
+              case CA_INIT_C
+              solve( !KU( ~ltk.1 ) @ #vk.25 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case CA_Sign_ltk
+              solve( !KU( ~ltk.1 ) @ #vk.25 )
+                case Corrupt_ltk
+                by contradiction /* from formulas */
+              qed
+            next
+              case c_cert
+              solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.27 )
+                case CA_INIT_C
+                solve( !KU( ~ltk.1 ) @ #vk.26 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.26 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.31 )
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
 lemma weak_agreement_C:
   all-traces
   "∀ k sid C T #i #t.
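Review bot: The `aliveness` lemma placed here only constrains sessions in which `Finished( sid )` occurs, and as far as the visible rules and the first proof step show, that action is emitted only by CA_FINISH_T, the rule that also records the terminal's own `Completed`. For a chip-side `Completed` the conclusion therefore already follows from the premise, which is why the CA_FINISH_C case closes at once with `by contradiction /* from formulas */`. The 20 verified steps give no evidence about a chip that completes when no terminal ever finishes that sid. If that scope is intended, the lemma in the source theory (not visible in this results file) should carry a comment such as `/* covers only sessions the terminal finished; chip-side aliveness without Finished is not claimed */`, and an additional chip-side lemma without the `Finished` premise would show whether the stronger property holds. The lemma text is moved rather than new, so the same applies to the earlier results.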
@@ -2539,7 +2590,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2549,7 +2600,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       C, 'chip', T.1
            ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>,
+      solve( CAInitC( $C,
                       cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
              ) ▶₁ #i )
         case CA_INIT_C
@@ -2583,7 +2634,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2593,8 +2644,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2,
+                      <k.1, encaps(~k, z)>
              ) ▶₁ #i )
         case CA_INIT_T
         solve( !KU( kdf(<'CNF', 
@@ -2664,7 +2715,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2674,7 +2725,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       C, 'chip', T.1
            ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>,
+      solve( CAInitC( $C,
                       cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2
              ) ▶₁ #i )
         case CA_INIT_C
@@ -2751,7 +2802,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2761,8 +2812,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2,
+                      <k.1, encaps(~k, z)>
              ) ▶₁ #i )
         case CA_INIT_T
         solve( !KU( kdf(<'CNF', 
@@ -2815,88 +2866,6 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   qed
 qed
 
-lemma aliveness:
-  all-traces
-  "∀ k sid A role B #i #t.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
-     (∃ #k.1. Corrupted( B ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid A role B #i #t.
-  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
-  case CA_INIT_T
-  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
-    case CA_Sign_ltk
-    solve( Completed( k.1,
-                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
-                      A, role, B
-           ) @ #i )
-      case CA_FINISH_C
-      by contradiction /* from formulas */
-    next
-      case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>
-             ) ▶₁ #i )
-        case CA_INIT_T
-        solve( !KU( kdf(<'CNF', 
-                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
-                        ~k)
-               ) @ #vk.1 )
-          case CA_FINISH_C
-          by contradiction /* from formulas */
-        next
-          case c_kdf
-          solve( !KU( ~k ) @ #vk.20 )
-            case CA_INIT_T
-            solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
-                   ) @ #vk.12 )
-              case CA_INIT_C
-              solve( !KU( ~ltk.1 ) @ #vk.25 )
-                case Corrupt_ltk
-                by contradiction /* from formulas */
-              qed
-            next
-              case CA_Sign_ltk
-              solve( !KU( ~ltk.1 ) @ #vk.25 )
-                case Corrupt_ltk
-                by contradiction /* from formulas */
-              qed
-            next
-              case c_cert
-              solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.27 )
-                case CA_INIT_C
-                solve( !KU( ~ltk.1 ) @ #vk.26 )
-                  case Corrupt_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case CA_Sign_ltk
-                solve( !KU( ~ltk.1 ) @ #vk.26 )
-                  case Corrupt_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.31 )
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
 lemma session_uniqueness:
   all-traces
   "∀ A B k sid sid2 role #i #j.
@@ -2918,7 +2887,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_1
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
+      solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
         case CA_INIT_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
@@ -2931,8 +2900,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case CA_FINISH_C
-              solve( CAInitC( <$C, iid.1>,
-                              cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
+              solve( CAInitC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B),
+                              id_c.1, r1.1, ~r2
                      ) ▶₁ #j )
                 case CA_INIT_C
                 by contradiction /* cyclic */
@@ -2943,7 +2912,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+      solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i )
         case CA_INIT_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -2954,8 +2923,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1,
-                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+            solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                            <~k, encaps(~k, z)>
                    ) ▶₁ #j )
               case CA_INIT_T
               by contradiction /* cyclic */
@@ -2968,7 +2937,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_2
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
+      solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
         case CA_INIT_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
@@ -2981,8 +2950,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case CA_FINISH_C
-              solve( CAInitC( <$C, iid.1>,
-                              cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2
+              solve( CAInitC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B),
+                              id_c.1, r1.1, ~r2
                      ) ▶₁ #j )
                 case CA_INIT_C
                 by contradiction /* cyclic */
@@ -2993,7 +2962,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+      solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i )
         case CA_INIT_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -3004,8 +2973,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1,
-                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+            solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                            <~k, encaps(~k, z)>
                    ) ▶₁ #j )
               case CA_INIT_T
               by contradiction /* cyclic */
@@ -3019,7 +2988,7 @@ next
   case case_2
   solve( Completed( k, sid, A, role, B ) @ #i )
     case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
+    solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i )
       case CA_INIT_C
       solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
         case Generate_chip_key_pair
@@ -3039,7 +3008,7 @@ next
     qed
   next
     case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+    solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i )
       case CA_INIT_T
       solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
         case CA_Sign_ltk
@@ -3062,19 +3031,21 @@ lemma consistency:
   "∀ C T k k2 sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
-    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+    (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k k2 sid #i #j.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧
   (Completed( k2, sid, T, 'terminal', C ) @ #j)
  ∧
-  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (¬(k = k2)) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
+  solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -3086,7 +3057,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -3127,62 +3098,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                     case c_sign
                     solve( !KU( ~skT ) @ #vk.33 )
                       case Corrupt_ltk
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk))>,
-                                      ~k)
-                             ) @ #vk.17 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.42 )
-                          case CA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.44 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
+                      by contradiction /* from formulas */
                     qed
                   qed
                 next
                   case c_sign
                   solve( !KU( ~ltk.1 ) @ #vk.36 )
                     case Corrupt_ltk
-                    solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.14 )
-                      case TA_RESPONSE_T
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk))>,
-                                      ~k)
-                             ) @ #vk.21 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.43 )
-                          case CA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.45 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk))>,
-                                      ~k)
-                             ) @ #vk.21 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.44 )
-                          case CA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.46 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
-                    qed
+                    by contradiction /* from formulas */
                   qed
                 qed
               qed
@@ -3199,8 +3122,9 @@ lemma key_secrecy:
   "∀ C T k sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
-    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
-     (∃ #m. Corrupted( C ) @ #m))"
+    ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+      (∃ #m. Corrupted( C ) @ #m)) ∨
+     (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k sid #i #j.
@@ -3209,12 +3133,13 @@ guarded formula characterizing all counter-examples:
  ∧
   (∃ #m. (K( k ) @ #m)) ∧
   (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
+  solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -3229,7 +3154,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -3268,71 +3193,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                   case c_sign
                   solve( !KU( ~skT ) @ #vk.34 )
                     case Corrupt_ltk
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk))>,
-                                    ~k)
-                           ) @ #vk.6 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.43 )
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.45 )
-                          case Corrupt_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      qed
-                    qed
+                    by contradiction /* from formulas */
                   qed
                 qed
               next
                 case c_sign
                 solve( !KU( ~ltk.1 ) @ #vk.37 )
                   case Corrupt_ltk
-                  solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.15 )
-                    case TA_RESPONSE_T
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk))>,
-                                    ~k)
-                           ) @ #vk.5 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.44 )
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.46 )
-                          case Corrupt_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk))>,
-                                    ~k)
-                           ) @ #vk.5 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.45 )
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.47 )
-                          case Corrupt_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      qed
-                    qed
-                  qed
+                  by contradiction /* from formulas */
                 qed
               qed
             qed
@@ -3343,28 +3211,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma chip_hiding:
-  all-traces
-  "∀ C T iid #i.
-    (CompletedTA( C, iid, T ) @ #i) ⇒
-    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T iid #i.
-  (CompletedTA( C, iid, T ) @ #i)
- ∧
-  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
-*/
-simplify
-solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1 ) ▶₁ #i )
-  case TA_CHALLENGE_C
-  solve( !KU( ~iid ) @ #vk.6 )
-    case CA_INIT_C
-    by contradiction /* cyclic */
-  qed
-qed
-
-lemma nonRepudiation_terminal:
+lemma notNonRepudiation_C:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -3425,7 +3272,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma nonRepudiation_chip:
+lemma notNonRepudiation_T:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -3458,7 +3305,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i )
   qed
 qed
 
-lemma pfs:
+lemma forward_secrecy:
   all-traces
   "∀ C T k sid #i #j.
     ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
@@ -3480,7 +3327,7 @@ guarded formula characterizing all counter-examples:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
+  solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -3495,7 +3342,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -3544,8 +3391,8 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                     case CA_INIT_C
                                     solve( !KU( sign(<'TA', ~id_c.2, ~r1.2>, x) ) @ #vk.46 )
                                       case TA_RESPONSE_T
-                                      solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), z, 'terminal'>, ca_sk),
-                                                       z)
+                                      solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), x, 'terminal'>, ca_sk),
+                                                       x)
                                              ) @ #vk.48 )
                                         case CA_Sign_ltk
                                         solve( !KU( ~id_c.2 ) @ #vk.50 )
@@ -3626,21 +3473,20 @@ summary of summaries:
 
 analyzed: tmp.spthy
 
-  processing time: 98.76s
+  processing time: 92.56s
   
   session_exist (exists-trace): verified (22 steps)
   two_session_exist (exists-trace): verified (42 steps)
+  aliveness (all-traces): verified (20 steps)
   weak_agreement_C (all-traces): verified (8 steps)
   weak_agreement_T (all-traces): verified (19 steps)
   agreement_C (all-traces): verified (19 steps)
   agreement_T (all-traces): verified (19 steps)
-  aliveness (all-traces): verified (20 steps)
   session_uniqueness (all-traces): verified (37 steps)
-  consistency (all-traces): verified (31 steps)
-  key_secrecy (all-traces): verified (33 steps)
-  chip_hiding (all-traces): verified (4 steps)
-  nonRepudiation_terminal (exists-trace): verified (13 steps)
-  nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps)
-  pfs (all-traces): falsified - found trace (25 steps)
+  consistency (all-traces): verified (20 steps)
+  key_secrecy (all-traces): verified (19 steps)
+  notNonRepudiation_C (exists-trace): verified (13 steps)
+  notNonRepudiation_T (exists-trace): falsified - no trace found (7 steps)
+  forward_secrecy (all-traces): falsified - found trace (25 steps)
 
 ==============================================================================
diff --git a/results/45991549.err.PFS_ALL_KemPQEAC_TAMARIN b/results/46092858.err.KemPQEAC
similarity index 100%
rename from results/45991549.err.PFS_ALL_KemPQEAC_TAMARIN
rename to results/46092858.err.KemPQEAC
diff --git a/results/45991793.out.ALL_KemPQEAC_TAMARIN b/results/46092858.out.KemPQEAC
similarity index 92%
rename from results/45991793.out.ALL_KemPQEAC_TAMARIN
rename to results/46092858.out.KemPQEAC
index fcb4fe9..1231c41 100644
--- a/results/45991793.out.ALL_KemPQEAC_TAMARIN
+++ b/results/46092858.out.KemPQEAC
@@ -74,56 +74,53 @@ rule (modulo E) Reveal_session:
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+   [ !Cert( $T, certT, 'terminal' ) ]
   --[ Started( ) ]->
-   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+   [ Out( <certT, '1', 't'> ), TAInitT( $T ) ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_CHALLENGE_C:
-   [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid )
-   ]
+   [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ) ]
   --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
    [
    Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), '2', 'c'> ),
-   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1,
-                 <~kTA, encaps(~kTA, cert_pk(certT))>
+   TAChallengeC( $C, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, cert_pk(certT))>
    )
    ]
 
   /*
   rule (modulo AC) TA_CHALLENGE_C:
-     [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid )
-     ]
+     [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ) ]
     --[ Eq( z.1, true ), Started( ) ]->
      [
      Out( <~id_c, ~r1, encaps(~kTA, z), '2', 'c'> ),
-     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, z)> )
+     TAChallengeC( $C, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, z)> )
      ]
     variants (modulo AC)
-    1. certT = certT.14
-       z     = cert_pk(certT.14)
-       z.1   = verify(cert_sig(certT.14),
-                      <cert_pk(certT.14), cert_id(certT.14), 'terminal'>, pk(ca_sk))
+    1. certT = certT.13
+       z     = cert_pk(certT.13)
+       z.1   = verify(cert_sig(certT.13),
+                      <cert_pk(certT.13), cert_id(certT.13), 'terminal'>, pk(ca_sk))
     
-    2. certT = cert(z.27, sign(<z.27, x.44, 'terminal'>, ca_sk), x.44)
-       z     = z.27
+    2. certT = cert(z.26, sign(<z.26, x.43, 'terminal'>, ca_sk), x.43)
+       z     = z.26
        z.1   = true
     
-    3. certT = cert(z.28, x.45, x.46)
-       z     = z.28
-       z.1   = verify(x.45, <z.28, x.46, 'terminal'>, pk(ca_sk))
+    3. certT = cert(z.27, x.44, x.45)
+       z     = z.27
+       z.1   = verify(x.44, <z.27, x.45, 'terminal'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_RESPONSE_T:
    [
-   In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ),
+   In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( $T ),
    !Ltk( $T, ~skT, 'terminal' )
    ]
   -->
    [
    Out( <kdf(<'TCNF', r1>, decaps(cTA, ~skT)), '3', 't'> ),
-   TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, decaps(cTA, ~skT)),
+   TAResponseT( $T, id_c, kdf(<'TMAC', r1>, decaps(cTA, ~skT)),
                 kdf(<'TENC', r1>, decaps(cTA, ~skT))
    )
    ]
@@ -131,77 +128,54 @@ rule (modulo E) TA_RESPONSE_T:
   /*
   rule (modulo AC) TA_RESPONSE_T:
      [
-     In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ),
+     In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( $T ),
      !Ltk( $T, ~skT, 'terminal' )
      ]
     -->
      [
      Out( <kdf(<'TCNF', r1>, z), '3', 't'> ),
-     TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, z), kdf(<'TENC', r1>, z)
-     )
+     TAResponseT( $T, id_c, kdf(<'TMAC', r1>, z), kdf(<'TENC', r1>, z) )
      ]
     variants (modulo AC)
-    1. ~skT  = ~skT.14
-       cTA   = cTA.15
-       z     = decaps(cTA.15, ~skT.14)
+    1. ~skT  = ~skT.13
+       cTA   = cTA.14
+       z     = decaps(cTA.14, ~skT.13)
     
-    2. ~skT  = ~skT.22
-       cTA   = encaps(z.31, pk(~skT.22))
-       z     = z.31
+    2. ~skT  = ~skT.20
+       cTA   = encaps(z.28, pk(~skT.20))
+       z     = z.28
   */
 
 rule (modulo E) TA_COMPLETE_C:
    [
    In( <kTCNF_T, '3', 't'> ),
-   TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> )
+   TAChallengeC( $C, certT, id_c, r1, <kTA, cTA> )
    ]
-  --[
-  Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ),
-  CompletedTA( $C, iid, cert_id(certT) )
-  ]->
+  --[ Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ) ]->
    [
-   TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>,
-                kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA)
+   TACompleteC( $C, certT, id_c, r1, <kTA, cTA>, kdf(<'TMAC', r1>, kTA),
+                kdf(<'TENC', r1>, kTA)
    )
    ]
 
-  /*
-  rule (modulo AC) TA_COMPLETE_C:
-     [
-     In( <kTCNF_T, '3', 't'> ),
-     TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> )
-     ]
-    --[ Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ), CompletedTA( $C, iid, z ) ]->
-     [
-     TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>,
-                  kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA)
-     )
-     ]
-    variants (modulo AC)
-    1. certT = certT.16
-       z     = cert_id(certT.16)
-    
-    2. certT = cert(x.26, x.27, z.21)
-       z     = z.21
-  */
+  /* has exactly the trivial AC variant */
 
 rule (modulo E) CA_INIT_C:
    [
    !Cert( $C, certC, 'chip' ), Fr( ~r2 ),
-   TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC )
+   TACompleteC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC )
    ]
   -->
    [
-   Out( <senc(<certC, ~r2>, kTENC), '4', 'c'> ), Out( senc(iid, kTENC) ),
-   CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2 )
+   Out( <senc(<certC, ~r2>, kTENC), '4', 'c'> ),
+   CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2 )
    ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) CA_INIT_T:
    [
-   In( <cCA, 'CA_INIT', '4', 'c'> ),
-   TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ),
+   In( <cCA, 'CA_INIT', '4', 'c'> ), TAResponseT( $T, id_c, kTMAC, kTENC ),
    !Cert( $T, certT, 'terminal' ), Fr( ~k )
    ]
   --[ Eq( verify_cert(fst(sdec(cCA, kTENC)), 'chip'), true ) ]->
@@ -212,7 +186,7 @@ rule (modulo E) CA_INIT_T:
              kTMAC), 
          '5', 't'>
    ),
-   CAInitT( <$T, iid>, id_c, kTMAC, kTENC, fst(sdec(cCA, kTENC)),
+   CAInitT( $T, id_c, kTMAC, kTENC, fst(sdec(cCA, kTENC)),
             snd(sdec(cCA, kTENC)), <~k, encaps(~k, cert_pk(fst(sdec(cCA, kTENC))))>
    )
    ]
@@ -220,8 +194,7 @@ rule (modulo E) CA_INIT_T:
   /*
   rule (modulo AC) CA_INIT_T:
      [
-     In( <cCA, 'CA_INIT', '4', 'c'> ),
-     TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ),
+     In( <cCA, 'CA_INIT', '4', 'c'> ), TAResponseT( $T, id_c, kTMAC, kTENC ),
      !Cert( $T, certT, 'terminal' ), Fr( ~k )
      ]
     --[ Eq( z.3, true ) ]->
@@ -229,56 +202,56 @@ rule (modulo E) CA_INIT_T:
      Out( <encaps(~k, z), mac(<'CA', certT, z.1, z.2, encaps(~k, z)>, kTMAC), 
            '5', 't'>
      ),
-     CAInitT( <$T, iid>, id_c, kTMAC, kTENC, z.1, z.2, <~k, encaps(~k, z)> )
+     CAInitT( $T, id_c, kTMAC, kTENC, z.1, z.2, <~k, encaps(~k, z)> )
      ]
     variants (modulo AC)
-    1. cCA   = cCA.25
-       kTENC = kTENC.29
-       z     = cert_pk(fst(sdec(cCA.25, kTENC.29)))
-       z.1   = fst(sdec(cCA.25, kTENC.29))
-       z.2   = snd(sdec(cCA.25, kTENC.29))
-       z.3   = verify(cert_sig(fst(sdec(cCA.25, kTENC.29))),
-                      <cert_pk(fst(sdec(cCA.25, kTENC.29))), 
-                       cert_id(fst(sdec(cCA.25, kTENC.29))), 'chip'>,
+    1. cCA   = cCA.23
+       kTENC = kTENC.26
+       z     = cert_pk(fst(sdec(cCA.23, kTENC.26)))
+       z.1   = fst(sdec(cCA.23, kTENC.26))
+       z.2   = snd(sdec(cCA.23, kTENC.26))
+       z.3   = verify(cert_sig(fst(sdec(cCA.23, kTENC.26))),
+                      <cert_pk(fst(sdec(cCA.23, kTENC.26))), 
+                       cert_id(fst(sdec(cCA.23, kTENC.26))), 'chip'>,
                       pk(ca_sk))
     
-    2. cCA   = senc(x.190, kTENC.99)
-       kTENC = kTENC.99
-       z     = cert_pk(fst(x.190))
-       z.1   = fst(x.190)
-       z.2   = snd(x.190)
-       z.3   = verify(cert_sig(fst(x.190)),
-                      <cert_pk(fst(x.190)), cert_id(fst(x.190)), 'chip'>, pk(ca_sk))
-    
-    3. cCA   = senc(<z.38, z.39>, kTENC.30)
-       kTENC = kTENC.30
-       z     = cert_pk(z.38)
-       z.1   = z.38
-       z.2   = z.39
-       z.3   = verify(cert_sig(z.38), <cert_pk(z.38), cert_id(z.38), 'chip'>,
+    2. cCA   = senc(x.189, kTENC.98)
+       kTENC = kTENC.98
+       z     = cert_pk(fst(x.189))
+       z.1   = fst(x.189)
+       z.2   = snd(x.189)
+       z.3   = verify(cert_sig(fst(x.189)),
+                      <cert_pk(fst(x.189)), cert_id(fst(x.189)), 'chip'>, pk(ca_sk))
+    
+    3. cCA   = senc(<z.37, z.38>, kTENC.29)
+       kTENC = kTENC.29
+       z     = cert_pk(z.37)
+       z.1   = z.37
+       z.2   = z.38
+       z.3   = verify(cert_sig(z.37), <cert_pk(z.37), cert_id(z.37), 'chip'>,
                       pk(ca_sk))
     
     4. cCA   = senc(<
-                     cert(z.106, sign(<z.106, x.192, 'chip'>, ca_sk), x.192), z.109>,
-                    kTENC.100)
+                     cert(z.105, sign(<z.105, x.191, 'chip'>, ca_sk), x.191), z.108>,
+                    kTENC.99)
+       kTENC = kTENC.99
+       z     = z.105
+       z.1   = cert(z.105, sign(<z.105, x.191, 'chip'>, ca_sk), x.191)
+       z.2   = z.108
+       z.3   = true
+    
+    5. cCA   = senc(<cert(z.106, x.192, x.193), z.109>, kTENC.100)
        kTENC = kTENC.100
        z     = z.106
-       z.1   = cert(z.106, sign(<z.106, x.192, 'chip'>, ca_sk), x.192)
+       z.1   = cert(z.106, x.192, x.193)
        z.2   = z.109
-       z.3   = true
-    
-    5. cCA   = senc(<cert(z.107, x.193, x.194), z.110>, kTENC.101)
-       kTENC = kTENC.101
-       z     = z.107
-       z.1   = cert(z.107, x.193, x.194)
-       z.2   = z.110
-       z.3   = verify(x.193, <z.107, x.194, 'chip'>, pk(ca_sk))
+       z.3   = verify(x.192, <z.106, x.193, 'chip'>, pk(ca_sk))
   */
 
 rule (modulo E) CA_FINISH_C:
    [
    In( <cip, s, '5', 't'> ),
-   CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ),
+   CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ),
    !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
    ]
   --[
@@ -288,18 +261,14 @@ rule (modulo E) CA_FINISH_C:
   )
   ]->
    [
-   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '6', 'c'>
-   ),
-   CAFinishC( $C, cert_id(certT),
-              kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC))
-   )
+   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '6', 'c'> )
    ]
 
   /*
   rule (modulo AC) CA_FINISH_C:
      [
      In( <cip, s, '5', 't'> ),
-     CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ),
+     CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ),
      !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
      ]
     --[
@@ -308,40 +277,37 @@ rule (modulo E) CA_FINISH_C:
                <certT, certC, r2, cip>, $C, 'chip', z.1
     )
     ]->
-     [
-     Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '6', 'c'> ),
-     CAFinishC( $C, z.1, kdf(<'KEY', certT, certC, r2, cip>, z) )
-     ]
+     [ Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '6', 'c'> ) ]
     variants (modulo AC)
-    1. ~skC  = ~skC.28
-       certT = certT.31
-       cip   = cip.32
-       z     = decaps(cip.32, ~skC.28)
-       z.1   = cert_id(certT.31)
+    1. ~skC  = ~skC.29
+       certT = certT.32
+       cip   = cip.33
+       z     = decaps(cip.33, ~skC.29)
+       z.1   = cert_id(certT.32)
     
     2. ~skC  = ~skC.41
        certT = certT.44
-       cip   = encaps(z.58, pk(~skC.41))
-       z     = z.58
+       cip   = encaps(z.57, pk(~skC.41))
+       z     = z.57
        z.1   = cert_id(certT.44)
     
-    3. ~skC  = ~skC.186
-       certT = cert(x.368, x.369, z.206)
-       cip   = cip.190
-       z     = decaps(cip.190, ~skC.186)
-       z.1   = z.206
-    
-    4. ~skC  = ~skC.189
-       certT = cert(x.374, x.375, z.209)
-       cip   = encaps(z.206, pk(~skC.189))
-       z     = z.206
-       z.1   = z.209
+    3. ~skC  = ~skC.180
+       certT = cert(x.356, x.357, z.201)
+       cip   = cip.184
+       z     = decaps(cip.184, ~skC.180)
+       z.1   = z.201
+    
+    4. ~skC  = ~skC.183
+       certT = cert(x.362, x.363, z.204)
+       cip   = encaps(z.199, pk(~skC.183))
+       z     = z.199
+       z.1   = z.204
   */
 
 rule (modulo E) CA_FINISH_T:
    [
    In( <kCNF_c, '6', 'c'> ),
-   CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> ),
+   CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ),
    !Cert( $T, certT, 'terminal' )
    ]
   --[
@@ -352,7 +318,6 @@ rule (modulo E) CA_FINISH_T:
   Finished( <certT, certC, r2, cip> )
   ]->
    [
-   CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
    !SessionReveal( <certT, certC, r2, cip>,
                    kdf(<'KEY', certT, certC, r2, cip>, k)
    )
@@ -362,7 +327,7 @@ rule (modulo E) CA_FINISH_T:
   rule (modulo AC) CA_FINISH_T:
      [
      In( <kCNF_c, '6', 'c'> ),
-     CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> ),
+     CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ),
      !Cert( $T, certT, 'terminal' )
      ]
     --[
@@ -373,17 +338,16 @@ rule (modulo E) CA_FINISH_T:
     Finished( <certT, certC, r2, cip> )
     ]->
      [
-     CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
      !SessionReveal( <certT, certC, r2, cip>,
                      kdf(<'KEY', certT, certC, r2, cip>, k)
      )
      ]
     variants (modulo AC)
-    1. certC = certC.17
-       z     = cert_id(certC.17)
+    1. certC = certC.18
+       z     = cert_id(certC.18)
     
-    2. certC = cert(x.43, x.44, z.30)
-       z     = z.30
+    2. certC = cert(x.28, x.29, z.23)
+       z     = z.23
   */
 
 rule (modulo E) Verify_Transcript_C:
@@ -1449,7 +1413,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+  solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
          ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -1465,7 +1429,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+          solve( CAInitT( $T, id_c.1, kTMAC, kTENC,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -1579,7 +1543,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+  solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
          ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -1595,7 +1559,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+          solve( CAInitT( $T, id_c.1, kTMAC, kTENC,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -1605,8 +1569,8 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
               case CA_Sign_ltk
               solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
                 case CA_FINISH_C
-                solve( CAInitC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1,
-                                <kTA.1, cTA>, kTMAC, kTENC, r2.1
+                solve( CAInitC( $C, cert(x, x.1, $T), id_c.1, r1.1, <kTA.1, cTA>, kTMAC,
+                                kTENC, r2.1
                        ) ▶₁ #i2 )
                   case CA_INIT_C
                   solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
@@ -1624,7 +1588,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                         $T, 'terminal', $C
                              ) @ #j2 )
                         case CA_FINISH_T
-                        solve( CAInitT( <$T, iid.3>, id_c.3, kTMAC, kTENC,
+                        solve( CAInitT( $T, id_c.3, kTMAC, kTENC,
                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
                                         <z, cip>
                                ) ▶₁ #j2 )
@@ -1795,11 +1759,11 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                                                                           solve( !KU( cert(pk(sk),
                                                                                                            sign(<
                                                                                                                  pk(sk), 
-                                                                                                                 z, 
+                                                                                                                 x, 
                                                                                                                  'terminal'
                                                                                                                 >,
                                                                                                                 ca_sk),
-                                                                                                           z)
+                                                                                                           x)
                                                                                                  ) @ #vk.87 )
                                                                                             case CA_Sign_ltk
                                                                                             solve( !KU( ~ltk.5
@@ -1863,89 +1827,43 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma weak_agreement_C:
+lemma aliveness:
   all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
 /*
 guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
     solve( Completed( k.1,
                       <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
                        cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
-                      C, 'chip', T.1
+                      A, role, B
            ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>,
-                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
-                      <kTA, cTA>, kTMAC, kTENC, r2
-             ) ▶₁ #i )
-        case CA_INIT_C
-        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
-          case Generate_chip_key_pair
-          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
-                 ) ▶₃ #i )
-            case CA_Sign_ltk
-            by contradiction /* from formulas */
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma weak_agreement_T:
-  all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
-       ) ▶₁ #t )
-  case CA_INIT_T
-  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
-    case CA_Sign_ltk
-    solve( Completed( k.1,
-                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
-                      T.1, 'terminal', C
-           ) @ #i )
+      by contradiction /* from formulas */
+    next
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
-                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+      solve( CAInitT( $T.1, id_c, kTMAC, kTENC,
+                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>
              ) ▶₁ #i )
         case CA_INIT_T
         solve( splitEqs(1) )
           case split_case_1
           solve( !KU( kdf(<'CNF', 
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
                           ~k)
                  ) @ #vk.1 )
             case CA_FINISH_C
@@ -1954,11 +1872,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
             case c_kdf
             solve( !KU( ~k ) @ #vk.20 )
               case CA_INIT_T
-              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
                                kdf(<'TENC', r1>, decaps(cTA, ~skT)))
                      ) @ #vk.13 )
                 case c_senc
-                solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                        ) @ #vk.26 )
                   case CA_INIT_C
                   solve( !KU( ~ltk.1 ) @ #vk.30 )
@@ -1973,7 +1891,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                   qed
                 next
                   case c_cert
-                  solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.33 )
+                  solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.33 )
                     case CA_INIT_C
                     solve( !KU( ~ltk.1 ) @ #vk.31 )
                       case Corrupt_ltk
@@ -1997,7 +1915,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
           case split_case_2
           solve( !KU( kdf(<'CNF', 
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
                           ~k)
                  ) @ #vk.1 )
             case CA_FINISH_C
@@ -2006,7 +1924,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
             case c_kdf
             solve( !KU( ~k ) @ #vk.20 )
               case CA_INIT_T
-              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
                                kdf(<'TENC', r1>, z))
                      ) @ #vk.13 )
                 case CA_INIT_C
@@ -2023,7 +1941,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                   case CA_INIT_T
                   solve( splitEqs(6) )
                     case split_case_1
-                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                            ) @ #vk.30 )
                       case CA_INIT_C
                       solve( !KU( ~ltk.1 ) @ #vk.34 )
@@ -2038,7 +1956,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                       qed
                     next
                       case c_cert
-                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
+                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 )
                         case CA_INIT_C
                         solve( !KU( ~ltk.1 ) @ #vk.35 )
                           case Corrupt_ltk
@@ -2057,7 +1975,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                     qed
                   next
                     case split_case_2
-                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                            ) @ #vk.30 )
                       case CA_INIT_C
                       solve( !KU( ~ltk.1 ) @ #vk.34 )
@@ -2072,7 +1990,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                       qed
                     next
                       case c_cert
-                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
+                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 )
                         case CA_INIT_C
                         solve( !KU( ~ltk.1 ) @ #vk.35 )
                           case Corrupt_ltk
@@ -2092,7 +2010,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                   qed
                 next
                   case TA_CHALLENGE_C
-                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                          ) @ #vk.27 )
                     case CA_INIT_C
                     solve( !KU( ~ltk.1 ) @ #vk.30 )
@@ -2107,7 +2025,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                     qed
                   next
                     case c_cert
-                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.38 )
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.38 )
                       case CA_INIT_C
                       solve( !KU( ~ltk.1 ) @ #vk.31 )
                         case Corrupt_ltk
@@ -2126,7 +2044,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                   qed
                 next
                   case c_encaps
-                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                          ) @ #vk.27 )
                     case CA_INIT_C
                     solve( !KU( ~ltk.1 ) @ #vk.30 )
@@ -2141,7 +2059,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                     qed
                   next
                     case c_cert
-                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.35 )
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.35 )
                       case CA_INIT_C
                       solve( !KU( ~ltk.1 ) @ #vk.31 )
                         case Corrupt_ltk
@@ -2168,11 +2086,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
   qed
 qed
 
-lemma agreement_C:
+lemma weak_agreement_C:
   all-traces
   "∀ k sid C T #i #t.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
       (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
      (∃ #k.1. Corrupted( T ) @ #k.1))"
 /*
@@ -2180,13 +2098,12 @@ guarded formula characterizing all counter-examples:
 "∃ k sid C T #i #t.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2196,7 +2113,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                       C, 'chip', T.1
            ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>,
+      solve( CAInitC( $C,
                       cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                       <kTA, cTA>, kTMAC, kTENC, r2
              ) ▶₁ #i )
@@ -2206,59 +2123,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
           solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
                  ) ▶₃ #i )
             case CA_Sign_ltk
-            solve( splitEqs(1) )
-              case split_case_1
-              solve( splitEqs(2) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf(<'CNF', 
-                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                 encaps(~k, pk(~ltk))>,
-                                ~k)
-                       ) @ #vk.1 )
-                  case c_kdf
-                  solve( !KU( ~k ) @ #vk.37 )
-                    case CA_INIT_T
-                    solve( !KU( ~r2 ) @ #vk.41 )
-                      case CA_INIT_C
-                      solve( !KU( ~ltk ) @ #vk.42 )
-                        case Corrupt_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case split_case_2
-              solve( splitEqs(2) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf(<'CNF', 
-                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                 encaps(~k, pk(~ltk))>,
-                                ~k)
-                       ) @ #vk.1 )
-                  case c_kdf
-                  solve( !KU( ~k ) @ #vk.37 )
-                    case CA_INIT_T
-                    solve( !KU( ~r2 ) @ #vk.41 )
-                      case CA_INIT_C
-                      solve( !KU( ~ltk ) @ #vk.42 )
-                        case Corrupt_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
+            by contradiction /* from formulas */
           qed
         qed
       qed
@@ -2266,11 +2131,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
   qed
 qed
 
-lemma agreement_T:
+lemma weak_agreement_T:
   all-traces
   "∀ k sid C T #i #t.
     ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
       (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
      (∃ #k.1. Corrupted( T ) @ #k.1))"
 /*
@@ -2278,13 +2143,12 @@ guarded formula characterizing all counter-examples:
 "∃ k sid C T #i #t.
   (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2294,7 +2158,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
+      solve( CAInitT( $T.1, id_c, kTMAC, kTENC,
                       cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
              ) ▶₁ #i )
         case CA_INIT_T
@@ -2525,44 +2389,139 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
   qed
 qed
 
-lemma aliveness:
+lemma agreement_C:
   all-traces
-  "∀ k sid A role B #i #t.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
-     (∃ #k.1. Corrupted( B ) @ #k.1))"
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
 /*
 guarded formula characterizing all counter-examples:
-"∃ k sid A role B #i #t.
-  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
     solve( Completed( k.1,
                       <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
                        cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
-                      A, role, B
+                      C, 'chip', T.1
            ) @ #i )
       case CA_FINISH_C
-      by contradiction /* from formulas */
-    next
+      solve( CAInitC( $C,
+                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                      <kTA, cTA>, kTMAC, kTENC, r2
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.37 )
+                    case CA_INIT_T
+                    solve( !KU( ~r2 ) @ #vk.41 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk ) @ #vk.42 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case split_case_2
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.37 )
+                    case CA_INIT_T
+                    solve( !KU( ~r2 ) @ #vk.41 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk ) @ #vk.42 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      T.1, 'terminal', C
+           ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
-                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>
+      solve( CAInitT( $T.1, id_c, kTMAC, kTENC,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
              ) ▶₁ #i )
         case CA_INIT_T
         solve( splitEqs(1) )
           case split_case_1
           solve( !KU( kdf(<'CNF', 
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
                           ~k)
                  ) @ #vk.1 )
             case CA_FINISH_C
@@ -2571,11 +2530,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
             case c_kdf
             solve( !KU( ~k ) @ #vk.20 )
               case CA_INIT_T
-              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
                                kdf(<'TENC', r1>, decaps(cTA, ~skT)))
                      ) @ #vk.13 )
                 case c_senc
-                solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                        ) @ #vk.26 )
                   case CA_INIT_C
                   solve( !KU( ~ltk.1 ) @ #vk.30 )
@@ -2590,7 +2549,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                   qed
                 next
                   case c_cert
-                  solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.33 )
+                  solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.33 )
                     case CA_INIT_C
                     solve( !KU( ~ltk.1 ) @ #vk.31 )
                       case Corrupt_ltk
@@ -2614,7 +2573,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
           case split_case_2
           solve( !KU( kdf(<'CNF', 
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
                           ~k)
                  ) @ #vk.1 )
             case CA_FINISH_C
@@ -2623,7 +2582,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
             case c_kdf
             solve( !KU( ~k ) @ #vk.20 )
               case CA_INIT_T
-              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
                                kdf(<'TENC', r1>, z))
                      ) @ #vk.13 )
                 case CA_INIT_C
@@ -2640,7 +2599,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                   case CA_INIT_T
                   solve( splitEqs(6) )
                     case split_case_1
-                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                            ) @ #vk.30 )
                       case CA_INIT_C
                       solve( !KU( ~ltk.1 ) @ #vk.34 )
@@ -2655,7 +2614,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                       qed
                     next
                       case c_cert
-                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 )
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
                         case CA_INIT_C
                         solve( !KU( ~ltk.1 ) @ #vk.35 )
                           case Corrupt_ltk
@@ -2674,7 +2633,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                     qed
                   next
                     case split_case_2
-                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                            ) @ #vk.30 )
                       case CA_INIT_C
                       solve( !KU( ~ltk.1 ) @ #vk.34 )
@@ -2689,7 +2648,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                       qed
                     next
                       case c_cert
-                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 )
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
                         case CA_INIT_C
                         solve( !KU( ~ltk.1 ) @ #vk.35 )
                           case Corrupt_ltk
@@ -2709,7 +2668,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                   qed
                 next
                   case TA_CHALLENGE_C
-                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                          ) @ #vk.27 )
                     case CA_INIT_C
                     solve( !KU( ~ltk.1 ) @ #vk.30 )
@@ -2724,7 +2683,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                     qed
                   next
                     case c_cert
-                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.38 )
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.38 )
                       case CA_INIT_C
                       solve( !KU( ~ltk.1 ) @ #vk.31 )
                         case Corrupt_ltk
@@ -2743,7 +2702,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                   qed
                 next
                   case c_encaps
-                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                          ) @ #vk.27 )
                     case CA_INIT_C
                     solve( !KU( ~ltk.1 ) @ #vk.30 )
@@ -2758,7 +2717,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
                     qed
                   next
                     case c_cert
-                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.35 )
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.35 )
                       case CA_INIT_C
                       solve( !KU( ~ltk.1 ) @ #vk.31 )
                         case Corrupt_ltk
@@ -2806,7 +2765,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_1
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+      solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
              ) ▶₁ #i )
         case CA_INIT_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -2820,8 +2779,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case CA_FINISH_C
-              solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
-                              id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2
+              solve( CAInitC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1,
+                              r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2
                      ) ▶₁ #j )
                 case CA_INIT_C
                 by contradiction /* cyclic */
@@ -2832,8 +2791,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
-             ) ▶₁ #i )
+      solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #i )
         case CA_INIT_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -2844,7 +2802,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+            solve( CAInitT( $T, id_c.1, kTMAC, kTENC,
                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
                    ) ▶₁ #j )
               case CA_INIT_T
@@ -2858,7 +2816,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_2
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+      solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
              ) ▶₁ #i )
         case CA_INIT_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -2872,8 +2830,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case CA_FINISH_C
-              solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
-                              id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2
+              solve( CAInitC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1,
+                              r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2
                      ) ▶₁ #j )
                 case CA_INIT_C
                 by contradiction /* cyclic */
@@ -2884,8 +2842,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
-             ) ▶₁ #i )
+      solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #i )
         case CA_INIT_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -2896,7 +2853,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+            solve( CAInitT( $T, id_c.1, kTMAC, kTENC,
                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
                    ) ▶₁ #j )
               case CA_INIT_T
@@ -2911,7 +2868,7 @@ next
   case case_2
   solve( Completed( k, sid, A, role, B ) @ #i )
     case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+    solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
            ) ▶₁ #i )
       case CA_INIT_C
       solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -2932,8 +2889,7 @@ next
     qed
   next
     case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>
-           ) ▶₁ #i )
+    solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #i )
       case CA_INIT_T
       solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
         case CA_Sign_ltk
@@ -2956,19 +2912,21 @@ lemma consistency:
   "∀ C T k k2 sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
-    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+    (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k k2 sid #i #j.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧
   (Completed( k2, sid, T, 'terminal', C ) @ #j)
  ∧
-  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (¬(k = k2)) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+  solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
          ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
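Review bot: The added disjunct `(∃ #m. Corrupted( T ) @ #m)` weakens `consistency` for a model where the stronger statement appears to have been provable already. The summary further down lists the old lemma as verified in 42 steps, and the proof branches removed in the later hunks closed the terminal `Corrupt_ltk` case by contradiction. The same unbounded exemption is added to `key_secrecy` in the hunks that follow. Because the disjunct carries no time ordering, any terminal compromise, even long after `#i` and `#j`, removes the session from the guarantee. If the exemption is only needed for other protocol variants, consider keeping the stronger lemma for this one, or bounding the corruption, for example `(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #i))`, and re-running the prover to confirm it still verifies. This hunk shows only the prover's echo of the lemma; its definition lies outside the hunk.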
@@ -2981,7 +2939,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+          solve( CAInitT( $T, id_c.1, kTMAC, kTENC,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -3028,21 +2986,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           case TA_CHALLENGE_C
                           solve( !KU( ~ltk.1 ) @ #vk.47 )
                             case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk))>,
-                                            ~k)
-                                   ) @ #vk.23 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.49 )
-                                case CA_INIT_T
-                                solve( !KU( ~ltk ) @ #vk.51 )
-                                  case Corrupt_ltk
-                                  by contradiction /* from formulas */
-                                qed
-                              qed
-                            qed
+                            by contradiction /* from formulas */
                           qed
                         qed
                       qed
@@ -3102,21 +3046,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           case TA_CHALLENGE_C
                           solve( !KU( ~ltk.1 ) @ #vk.47 )
                             case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk))>,
-                                            ~k)
-                                   ) @ #vk.23 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.49 )
-                                case CA_INIT_T
-                                solve( !KU( ~ltk ) @ #vk.51 )
-                                  case Corrupt_ltk
-                                  by contradiction /* from formulas */
-                                qed
-                              qed
-                            qed
+                            by contradiction /* from formulas */
                           qed
                         qed
                       qed
@@ -3137,8 +3067,9 @@ lemma key_secrecy:
   "∀ C T k sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
-    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
-     (∃ #m. Corrupted( C ) @ #m))"
+    ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+      (∃ #m. Corrupted( C ) @ #m)) ∨
+     (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k sid #i #j.
@@ -3147,12 +3078,13 @@ guarded formula characterizing all counter-examples:
  ∧
   (∃ #m. (K( k ) @ #m)) ∧
   (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+  solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
          ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -3168,7 +3100,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+          solve( CAInitT( $T, id_c.1, kTMAC, kTENC,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -3231,28 +3163,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma chip_hiding:
-  all-traces
-  "∀ C T iid #i.
-    (CompletedTA( C, iid, T ) @ #i) ⇒
-    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T iid #i.
-  (CompletedTA( C, iid, T ) @ #i)
- ∧
-  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
-*/
-simplify
-solve( TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> ) ▶₁ #i )
-  case TA_CHALLENGE_C
-  solve( !KU( ~iid ) @ #vk.6 )
-    case CA_INIT_C
-    by contradiction /* cyclic */
-  qed
-qed
-
-lemma nonRepudiation_terminal:
+lemma notNonRepudiation_C:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -3321,7 +3232,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma nonRepudiation_chip:
+lemma notNonRepudiation_T:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -3388,7 +3299,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i )
   qed
 qed
 
-lemma pfs:
+lemma forward_secrecy:
   all-traces
   "∀ C T k sid #i #j.
     ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
@@ -3410,7 +3321,7 @@ guarded formula characterizing all counter-examples:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
+  solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2
          ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -3426,7 +3337,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+          solve( CAInitT( $T, id_c.1, kTMAC, kTENC,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -3575,21 +3486,20 @@ summary of summaries:
 
 analyzed: tmp.spthy
 
-  processing time: 376.55s
+  processing time: 154.54s
   
   session_exist (exists-trace): verified (27 steps)
   two_session_exist (exists-trace): verified (51 steps)
+  aliveness (all-traces): verified (75 steps)
   weak_agreement_C (all-traces): verified (8 steps)
   weak_agreement_T (all-traces): verified (74 steps)
   agreement_C (all-traces): verified (22 steps)
   agreement_T (all-traces): verified (74 steps)
-  aliveness (all-traces): verified (75 steps)
   session_uniqueness (all-traces): verified (37 steps)
-  consistency (all-traces): verified (42 steps)
+  consistency (all-traces): verified (36 steps)
   key_secrecy (all-traces): verified (21 steps)
-  chip_hiding (all-traces): verified (4 steps)
-  nonRepudiation_terminal (exists-trace): verified (15 steps)
-  nonRepudiation_chip (exists-trace): verified (15 steps)
-  pfs (all-traces): falsified - found trace (27 steps)
+  notNonRepudiation_C (exists-trace): verified (15 steps)
+  notNonRepudiation_T (exists-trace): verified (15 steps)
+  forward_secrecy (all-traces): falsified - found trace (27 steps)
 
 ==============================================================================
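Review bot: The summary line `forward_secrecy (all-traces): falsified - found trace (27 steps)` records a failing all-traces lemma without saying whether the failure is expected for this protocol variant. A reader of the log therefore cannot tell a known limitation from a regression. The non-repudiation lemmas in the same summary carry their expectation in the name (`notNonRepudiation_C`, `notNonRepudiation_T`, stated as exists-trace). Doing the same here, or listing the expected verdict per variant next to the results, would make the log checkable. The header `analyzed: tmp.spthy` also does not identify the model behind the run; regenerating from the named theory so that it reads `analyzed: <MODEL>.spthy` (placeholder) would tie the verdicts to a file.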
diff --git a/results/45991792.err.ALL_FastSigPQEAC_TAMARIN b/results/46092862.err.FastKemPQEAC
similarity index 100%
rename from results/45991792.err.ALL_FastSigPQEAC_TAMARIN
rename to results/46092862.err.FastKemPQEAC
diff --git a/results/45991794.out.ALL_FastKemPQEAC_TAMARIN b/results/46092862.out.FastKemPQEAC
similarity index 88%
rename from results/45991794.out.ALL_FastKemPQEAC_TAMARIN
rename to results/46092862.out.FastKemPQEAC
index 8fda036..69990f3 100644
--- a/results/45991794.out.ALL_FastKemPQEAC_TAMARIN
+++ b/results/46092862.out.FastKemPQEAC
@@ -74,25 +74,24 @@ rule (modulo E) Reveal_session:
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+   [ !Cert( $T, certT, 'terminal' ) ]
   --[ Started( ) ]->
-   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+   [ Out( <certT, '1', 't'> ), TAInitT( $T ) ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_CHALLENGE_C:
    [
    In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ),
-   Fr( ~iid ), !Cert( $C, certC, 'chip' )
+   !Cert( $C, certC, 'chip' )
    ]
   --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
    [
    Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), 
          senc(<certC, ~r2>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'>
    ),
-   Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ),
-   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2,
-                 kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA)
+   TAChallengeC( $C, certT, ~id_c, ~r1, ~r2, kdf(<'TMAC', ~r1>, ~kTA),
+                 kdf(<'TCNF', ~r1>, ~kTA)
    )
    ]
 
@@ -100,36 +99,35 @@ rule (modulo E) TA_CHALLENGE_C:
   rule (modulo AC) TA_CHALLENGE_C:
      [
      In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ),
-     Fr( ~iid ), !Cert( $C, certC, 'chip' )
+     !Cert( $C, certC, 'chip' )
      ]
     --[ Eq( z.1, true ), Started( ) ]->
      [
      Out( <~id_c, ~r1, encaps(~kTA, z), 
            senc(<certC, ~r2>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'>
      ),
-     Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ),
-     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2,
-                   kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA)
+     TAChallengeC( $C, certT, ~id_c, ~r1, ~r2, kdf(<'TMAC', ~r1>, ~kTA),
+                   kdf(<'TCNF', ~r1>, ~kTA)
      )
      ]
     variants (modulo AC)
-    1. certT = certT.20
-       z     = cert_pk(certT.20)
-       z.1   = verify(cert_sig(certT.20),
-                      <cert_pk(certT.20), cert_id(certT.20), 'terminal'>, pk(ca_sk))
+    1. certT = certT.19
+       z     = cert_pk(certT.19)
+       z.1   = verify(cert_sig(certT.19),
+                      <cert_pk(certT.19), cert_id(certT.19), 'terminal'>, pk(ca_sk))
     
-    2. certT = cert(z.70, sign(<z.70, x.127, 'terminal'>, ca_sk), x.127)
-       z     = z.70
+    2. certT = cert(z.69, sign(<z.69, x.126, 'terminal'>, ca_sk), x.126)
+       z     = z.69
        z.1   = true
     
-    3. certT = cert(z.71, x.128, x.129)
-       z     = z.71
-       z.1   = verify(x.128, <z.71, x.129, 'terminal'>, pk(ca_sk))
+    3. certT = cert(z.70, x.127, x.128)
+       z     = z.70
+       z.1   = verify(x.127, <z.70, x.128, 'terminal'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_RESPONSE_T:
    [
-   In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), TAInitT( <$T, iid> ),
+   In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), TAInitT( $T ),
    !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
    ]
   --[
@@ -149,7 +147,7 @@ rule (modulo E) TA_RESPONSE_T:
              kdf(<'TMAC', r1>, decaps(cTA, ~skT))), 
          '3', 't'>
    ),
-   TAResponseT( <$T, iid>, id_c,
+   TAResponseT( $T, id_c,
                 fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))),
                 snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))),
                 <~k, 
@@ -161,7 +159,7 @@ rule (modulo E) TA_RESPONSE_T:
   /*
   rule (modulo AC) TA_RESPONSE_T:
      [
-     In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), TAInitT( <$T, iid> ),
+     In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), TAInitT( $T ),
      !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
      ]
     --[ Eq( z.4, true ) ]->
@@ -170,141 +168,140 @@ rule (modulo E) TA_RESPONSE_T:
            mac(<'CA', certT, z.2, z.3, encaps(~k, z.1)>, kdf(<'TMAC', r1>, z)), 
            '3', 't'>
      ),
-     TAResponseT( <$T, iid>, id_c, z.2, z.3, <~k, encaps(~k, z.1)> )
+     TAResponseT( $T, id_c, z.2, z.3, <~k, encaps(~k, z.1)> )
      ]
     variants (modulo AC)
-     1. ~skT  = ~skT.30
-        cCA   = cCA.31
-        cTA   = cTA.32
-        r1    = r1.36
-        z     = decaps(cTA.32, ~skT.30)
-        z.1   = cert_pk(fst(sdec(cCA.31,
-                                 kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30)))))
-        z.2   = fst(sdec(cCA.31, kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))
-        z.3   = snd(sdec(cCA.31, kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))
-        z.4   = verify(cert_sig(fst(sdec(cCA.31,
-                                         kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))),
+     1. ~skT  = ~skT.28
+        cCA   = cCA.29
+        cTA   = cTA.30
+        r1    = r1.33
+        z     = decaps(cTA.30, ~skT.28)
+        z.1   = cert_pk(fst(sdec(cCA.29,
+                                 kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28)))))
+        z.2   = fst(sdec(cCA.29, kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28))))
+        z.3   = snd(sdec(cCA.29, kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28))))
+        z.4   = verify(cert_sig(fst(sdec(cCA.29,
+                                         kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28))))),
                        <
-                        cert_pk(fst(sdec(cCA.31,
-                                         kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))), 
-                        cert_id(fst(sdec(cCA.31,
-                                         kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))), 
+                        cert_pk(fst(sdec(cCA.29,
+                                         kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28))))), 
+                        cert_id(fst(sdec(cCA.29,
+                                         kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28))))), 
                         'chip'>,
                        pk(ca_sk))
     
-     2. ~skT  = ~skT.35
-        cCA   = cCA.36
-        cTA   = encaps(z.46, pk(~skT.35))
-        r1    = r1.41
-        z     = z.46
-        z.1   = cert_pk(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46))))
-        z.2   = fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))
-        z.3   = snd(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))
-        z.4   = verify(cert_sig(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))),
-                       <cert_pk(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))), 
-                        cert_id(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))), 'chip'>,
+     2. ~skT  = ~skT.33
+        cCA   = cCA.34
+        cTA   = encaps(z.43, pk(~skT.33))
+        r1    = r1.38
+        z     = z.43
+        z.1   = cert_pk(fst(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43))))
+        z.2   = fst(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43)))
+        z.3   = snd(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43)))
+        z.4   = verify(cert_sig(fst(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43)))),
+                       <cert_pk(fst(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43)))), 
+                        cert_id(fst(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43)))), 'chip'>,
                        pk(ca_sk))
     
-     3. ~skT  = ~skT.39
-        cCA   = senc(<z.53, z.54>, kdf(<'TENC', r1.45>, z.50))
-        cTA   = encaps(z.50, pk(~skT.39))
-        r1    = r1.45
-        z     = z.50
-        z.1   = cert_pk(z.53)
-        z.2   = z.53
-        z.3   = z.54
-        z.4   = verify(cert_sig(z.53), <cert_pk(z.53), cert_id(z.53), 'chip'>,
+     3. ~skT  = ~skT.37
+        cCA   = senc(<z.50, z.51>, kdf(<'TENC', r1.42>, z.47))
+        cTA   = encaps(z.47, pk(~skT.37))
+        r1    = r1.42
+        z     = z.47
+        z.1   = cert_pk(z.50)
+        z.2   = z.50
+        z.3   = z.51
+        z.4   = verify(cert_sig(z.50), <cert_pk(z.50), cert_id(z.50), 'chip'>,
                        pk(ca_sk))
     
-     4. ~skT  = ~skT.39
-        cCA   = senc(<z.53, z.54>, kdf(<'TENC', r1.45>, decaps(cTA.41, ~skT.39)))
-        cTA   = cTA.41
-        r1    = r1.45
-        z     = decaps(cTA.41, ~skT.39)
-        z.1   = cert_pk(z.53)
-        z.2   = z.53
-        z.3   = z.54
-        z.4   = verify(cert_sig(z.53), <cert_pk(z.53), cert_id(z.53), 'chip'>,
+     4. ~skT  = ~skT.37
+        cCA   = senc(<z.50, z.51>, kdf(<'TENC', r1.42>, decaps(cTA.39, ~skT.37)))
+        cTA   = cTA.39
+        r1    = r1.42
+        z     = decaps(cTA.39, ~skT.37)
+        z.1   = cert_pk(z.50)
+        z.2   = z.50
+        z.3   = z.51
+        z.4   = verify(cert_sig(z.50), <cert_pk(z.50), cert_id(z.50), 'chip'>,
                        pk(ca_sk))
     
-     5. ~skT  = ~skT.165
-        cCA   = senc(x.326, kdf(<'TENC', r1.171>, z.176))
-        cTA   = encaps(z.176, pk(~skT.165))
-        r1    = r1.171
-        z     = z.176
-        z.1   = cert_pk(fst(x.326))
-        z.2   = fst(x.326)
-        z.3   = snd(x.326)
-        z.4   = verify(cert_sig(fst(x.326)),
-                       <cert_pk(fst(x.326)), cert_id(fst(x.326)), 'chip'>, pk(ca_sk))
-    
-     6. ~skT  = ~skT.165
-        cCA   = senc(x.326, kdf(<'TENC', r1.171>, decaps(cTA.167, ~skT.165)))
-        cTA   = cTA.167
-        r1    = r1.171
-        z     = decaps(cTA.167, ~skT.165)
-        z.1   = cert_pk(fst(x.326))
-        z.2   = fst(x.326)
-        z.3   = snd(x.326)
-        z.4   = verify(cert_sig(fst(x.326)),
-                       <cert_pk(fst(x.326)), cert_id(fst(x.326)), 'chip'>, pk(ca_sk))
-    
-     7. ~skT  = ~skT.166
-        cCA   = senc(<cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328), 
-                      z.181>,
-                     kdf(<'TENC', r1.172>, z.177))
-        cTA   = encaps(z.177, pk(~skT.166))
-        r1    = r1.172
-        z     = z.177
-        z.1   = z.178
-        z.2   = cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328)
-        z.3   = z.181
+     5. ~skT  = ~skT.157
+        cCA   = senc(x.310, kdf(<'TENC', r1.162>, z.167))
+        cTA   = encaps(z.167, pk(~skT.157))
+        r1    = r1.162
+        z     = z.167
+        z.1   = cert_pk(fst(x.310))
+        z.2   = fst(x.310)
+        z.3   = snd(x.310)
+        z.4   = verify(cert_sig(fst(x.310)),
+                       <cert_pk(fst(x.310)), cert_id(fst(x.310)), 'chip'>, pk(ca_sk))
+    
+     6. ~skT  = ~skT.157
+        cCA   = senc(x.310, kdf(<'TENC', r1.162>, decaps(cTA.159, ~skT.157)))
+        cTA   = cTA.159
+        r1    = r1.162
+        z     = decaps(cTA.159, ~skT.157)
+        z.1   = cert_pk(fst(x.310))
+        z.2   = fst(x.310)
+        z.3   = snd(x.310)
+        z.4   = verify(cert_sig(fst(x.310)),
+                       <cert_pk(fst(x.310)), cert_id(fst(x.310)), 'chip'>, pk(ca_sk))
+    
+     7. ~skT  = ~skT.158
+        cCA   = senc(<cert(z.169, sign(<z.169, x.312, 'chip'>, ca_sk), x.312), 
+                      z.172>,
+                     kdf(<'TENC', r1.163>, z.168))
+        cTA   = encaps(z.168, pk(~skT.158))
+        r1    = r1.163
+        z     = z.168
+        z.1   = z.169
+        z.2   = cert(z.169, sign(<z.169, x.312, 'chip'>, ca_sk), x.312)
+        z.3   = z.172
         z.4   = true
     
-     8. ~skT  = ~skT.166
-        cCA   = senc(<cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328), 
-                      z.181>,
-                     kdf(<'TENC', r1.172>, decaps(cTA.168, ~skT.166)))
-        cTA   = cTA.168
-        r1    = r1.172
-        z     = decaps(cTA.168, ~skT.166)
-        z.1   = z.178
-        z.2   = cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328)
-        z.3   = z.181
+     8. ~skT  = ~skT.158
+        cCA   = senc(<cert(z.169, sign(<z.169, x.312, 'chip'>, ca_sk), x.312), 
+                      z.172>,
+                     kdf(<'TENC', r1.163>, decaps(cTA.160, ~skT.158)))
+        cTA   = cTA.160
+        r1    = r1.163
+        z     = decaps(cTA.160, ~skT.158)
+        z.1   = z.169
+        z.2   = cert(z.169, sign(<z.169, x.312, 'chip'>, ca_sk), x.312)
+        z.3   = z.172
         z.4   = true
     
-     9. ~skT  = ~skT.167
-        cCA   = senc(<cert(z.179, x.329, x.330), z.182>,
-                     kdf(<'TENC', r1.173>, z.178))
-        cTA   = encaps(z.178, pk(~skT.167))
-        r1    = r1.173
-        z     = z.178
-        z.1   = z.179
-        z.2   = cert(z.179, x.329, x.330)
-        z.3   = z.182
-        z.4   = verify(x.329, <z.179, x.330, 'chip'>, pk(ca_sk))
-    
-    10. ~skT  = ~skT.167
-        cCA   = senc(<cert(z.179, x.329, x.330), z.182>,
-                     kdf(<'TENC', r1.173>, decaps(cTA.169, ~skT.167)))
-        cTA   = cTA.169
-        r1    = r1.173
-        z     = decaps(cTA.169, ~skT.167)
-        z.1   = z.179
-        z.2   = cert(z.179, x.329, x.330)
-        z.3   = z.182
-        z.4   = verify(x.329, <z.179, x.330, 'chip'>, pk(ca_sk))
+     9. ~skT  = ~skT.159
+        cCA   = senc(<cert(z.170, x.313, x.314), z.173>,
+                     kdf(<'TENC', r1.164>, z.169))
+        cTA   = encaps(z.169, pk(~skT.159))
+        r1    = r1.164
+        z     = z.169
+        z.1   = z.170
+        z.2   = cert(z.170, x.313, x.314)
+        z.3   = z.173
+        z.4   = verify(x.313, <z.170, x.314, 'chip'>, pk(ca_sk))
+    
+    10. ~skT  = ~skT.159
+        cCA   = senc(<cert(z.170, x.313, x.314), z.173>,
+                     kdf(<'TENC', r1.164>, decaps(cTA.161, ~skT.159)))
+        cTA   = cTA.161
+        r1    = r1.164
+        z     = decaps(cTA.161, ~skT.159)
+        z.1   = z.170
+        z.2   = cert(z.170, x.313, x.314)
+        z.3   = z.173
+        z.4   = verify(x.313, <z.170, x.314, 'chip'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_COMPLETE_C:
    [
    In( <kTCNF_T, cip, s, '3', 't'> ),
-   TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF ),
+   TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ),
    !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
    ]
   --[
   Eq( kTCNF_T, kTCNF ), Eq( s, mac(<'CA', certT, certC, r2, cip>, kTMAC) ),
-  CompletedTA( $C, iid, cert_id(certT) ),
   Completed( kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)),
              <certT, certC, r2, cip>, $C, 'chip', cert_id(certT)
   ),
@@ -313,23 +310,18 @@ rule (modulo E) TA_COMPLETE_C:
   )
   ]->
    [
-   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'>
-   ),
-   TACompleteC( <$C, iid>,
-                kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC))
-   )
+   Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'> )
    ]
 
   /*
   rule (modulo AC) TA_COMPLETE_C:
      [
      In( <kTCNF_T, cip, s, '3', 't'> ),
-     TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF ),
+     TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ),
      !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
      ]
     --[
     Eq( kTCNF_T, kTCNF ), Eq( s, mac(<'CA', certT, certC, r2, cip>, kTMAC) ),
-    CompletedTA( $C, iid, z.1 ),
     Completed( kdf(<'KEY', certT, certC, r2, cip>, z),
                <certT, certC, r2, cip>, $C, 'chip', z.1
     ),
@@ -337,40 +329,36 @@ rule (modulo E) TA_COMPLETE_C:
                <certT, certC, r2, cip>, $C, 'chip', z.1
     )
     ]->
-     [
-     Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ),
-     TACompleteC( <$C, iid>, kdf(<'KEY', certT, certC, r2, cip>, z) )
-     ]
+     [ Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ) ]
     variants (modulo AC)
-    1. ~skC  = ~skC.28
-       certT = certT.30
-       cip   = cip.31
-       z     = decaps(cip.31, ~skC.28)
-       z.1   = cert_id(certT.30)
-    
-    2. ~skC  = ~skC.41
-       certT = certT.43
-       cip   = encaps(z.57, pk(~skC.41))
-       z     = z.57
-       z.1   = cert_id(certT.43)
-    
-    3. ~skC  = ~skC.180
-       certT = cert(x.356, x.357, z.201)
-       cip   = cip.183
-       z     = decaps(cip.183, ~skC.180)
-       z.1   = z.201
-    
-    4. ~skC  = ~skC.182
-       certT = cert(x.360, x.361, z.203)
-       cip   = encaps(z.198, pk(~skC.182))
-       z     = z.198
-       z.1   = z.203
+    1. ~skC  = ~skC.27
+       certT = certT.29
+       cip   = cip.30
+       z     = decaps(cip.30, ~skC.27)
+       z.1   = cert_id(certT.29)
+    
+    2. ~skC  = ~skC.39
+       certT = certT.41
+       cip   = encaps(z.54, pk(~skC.39))
+       z     = z.54
+       z.1   = cert_id(certT.41)
+    
+    3. ~skC  = ~skC.172
+       certT = cert(x.340, x.341, z.192)
+       cip   = cip.175
+       z     = decaps(cip.175, ~skC.172)
+       z.1   = z.192
+    
+    4. ~skC  = ~skC.174
+       certT = cert(x.344, x.345, z.194)
+       cip   = encaps(z.189, pk(~skC.174))
+       z     = z.189
+       z.1   = z.194
   */
 
 rule (modulo E) CA_FINISH_T:
    [
-   In( <kCNF_C, '4', 'c'> ),
-   TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+   In( <kCNF_C, '4', 'c'> ), TAResponseT( $T, id_c, certC, r2, <k, cip> ),
    !Cert( $T, certT, 'terminal' )
    ]
   --[
@@ -381,7 +369,6 @@ rule (modulo E) CA_FINISH_T:
   Finished( <certT, certC, r2, cip> )
   ]->
    [
-   CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
    !SessionReveal( <certT, certC, r2, cip>,
                    kdf(<'KEY', certT, certC, r2, cip>, k)
    )
@@ -390,8 +377,7 @@ rule (modulo E) CA_FINISH_T:
   /*
   rule (modulo AC) CA_FINISH_T:
      [
-     In( <kCNF_C, '4', 'c'> ),
-     TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ),
+     In( <kCNF_C, '4', 'c'> ), TAResponseT( $T, id_c, certC, r2, <k, cip> ),
      !Cert( $T, certT, 'terminal' )
      ]
     --[
@@ -402,17 +388,16 @@ rule (modulo E) CA_FINISH_T:
     Finished( <certT, certC, r2, cip> )
     ]->
      [
-     CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ),
      !SessionReveal( <certT, certC, r2, cip>,
                      kdf(<'KEY', certT, certC, r2, cip>, k)
      )
      ]
     variants (modulo AC)
-    1. certC = certC.15
-       z     = cert_id(certC.15)
+    1. certC = certC.16
+       z     = cert_id(certC.16)
     
-    2. certC = cert(x.41, x.42, z.28)
-       z     = z.28
+    2. certC = cert(x.26, x.27, z.21)
+       z     = z.21
   */
 
 rule (modulo E) Verify_Transcript_C:
@@ -1478,8 +1463,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C_case_1
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -1494,7 +1478,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -1583,8 +1567,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C_case_1
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -1599,7 +1582,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -1609,8 +1592,8 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
               case CA_Sign_ltk
               solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
                 case TA_COMPLETE_C_case_1
-                solve( TAChallengeC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1, r2.1,
-                                     kTMAC, kTCNF
+                solve( TAChallengeC( $C, cert(x, x.1, $T), id_c.1, r1.1, r2.1, kTMAC,
+                                     kTCNF
                        ) ▶₁ #i2 )
                   case TA_CHALLENGE_C
                   solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
@@ -1628,7 +1611,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                         $T, 'terminal', $C
                              ) @ #j2 )
                         case CA_FINISH_T
-                        solve( TAResponseT( <$T, iid.3>, id_c.3,
+                        solve( TAResponseT( $T, id_c.3,
                                             cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C),
                                             ~r2.1, <z, cip>
                                ) ▶₁ #j2 )
@@ -1848,103 +1831,40 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma weak_agreement_C:
-  all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
-  case TA_RESPONSE_T
-  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
-    case CA_Sign_ltk
-    solve( Completed( k.1,
-                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
-                      C, 'chip', T.1
-           ) @ #i )
-      case TA_COMPLETE_C_case_1
-      solve( TAChallengeC( <$C, iid>,
-                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
-                           r2, kTMAC, kTCNF
-             ) ▶₁ #i )
-        case TA_CHALLENGE_C
-        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
-          case Generate_chip_key_pair
-          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
-                 ) ▶₃ #i )
-            case CA_Sign_ltk
-            by contradiction /* from formulas */
-          qed
-        qed
-      qed
-    next
-      case TA_COMPLETE_C_case_2
-      solve( TAChallengeC( <$C, iid>,
-                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
-                           r2, kTMAC, kTCNF
-             ) ▶₁ #i )
-        case TA_CHALLENGE_C
-        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
-          case Generate_chip_key_pair
-          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
-                 ) ▶₃ #i )
-            case CA_Sign_ltk
-            by contradiction /* from formulas */
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma weak_agreement_T:
+lemma aliveness:
   all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
 /*
 guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
     solve( Completed( k.1,
                       <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
                        cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
-                      T.1, 'terminal', C
+                      A, role, B
            ) @ #i )
       case CA_FINISH_T
-      solve( TAResponseT( <$T.1, iid>, id_c,
-                          cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+      solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B),
+                          r2, <k.1, encaps(~k, z)>
              ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( splitEqs(1) )
           case split_case_1
           solve( !KU( kdf(<'CNF', 
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
                           ~k)
                  ) @ #vk.1 )
             case TA_COMPLETE_C
@@ -1953,11 +1873,11 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
             case c_kdf
             solve( !KU( ~k ) @ #vk.16 )
               case TA_RESPONSE_T
-              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
                                kdf(<'TENC', r1>, decaps(cTA, ~skT)))
                      ) @ #vk.14 )
                 case c_senc
-                solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                        ) @ #vk.22 )
                   case CA_Sign_ltk
                   solve( !KU( ~ltk.1 ) @ #vk.26 )
@@ -1972,7 +1892,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                   qed
                 next
                   case c_cert
-                  solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.29 )
+                  solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.29 )
                     case CA_Sign_ltk
                     solve( !KU( ~ltk.1 ) @ #vk.27 )
                       case Corrupt_ltk
@@ -1996,7 +1916,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
           case split_case_2
           solve( !KU( kdf(<'CNF', 
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
+                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
                           ~k)
                  ) @ #vk.1 )
             case TA_COMPLETE_C
@@ -2005,7 +1925,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
             case c_kdf
             solve( !KU( ~k ) @ #vk.16 )
               case TA_RESPONSE_T
-              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
                                kdf(<'TENC', r1>, z))
                      ) @ #vk.14 )
                 case TA_CHALLENGE_C
@@ -2020,7 +1940,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                 case c_senc
                 solve( !KU( encaps(z, pk(~skT)) ) @ #vk.15 )
                   case TA_CHALLENGE_C
-                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                          ) @ #vk.23 )
                     case CA_Sign_ltk
                     solve( !KU( ~ltk.1 ) @ #vk.26 )
@@ -2035,7 +1955,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                     qed
                   next
                     case c_cert
-                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.34 )
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.34 )
                       case CA_Sign_ltk
                       solve( !KU( ~ltk.1 ) @ #vk.27 )
                         case Corrupt_ltk
@@ -2056,7 +1976,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                   case TA_RESPONSE_T
                   solve( splitEqs(6) )
                     case split_case_1
-                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                            ) @ #vk.25 )
                       case CA_Sign_ltk
                       solve( !KU( ~ltk.1 ) @ #vk.29 )
@@ -2071,7 +1991,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       qed
                     next
                       case c_cert
-                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
+                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
                         case CA_Sign_ltk
                         solve( !KU( ~ltk.1 ) @ #vk.31 )
                           case Corrupt_ltk
@@ -2090,7 +2010,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                     qed
                   next
                     case split_case_2
-                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                            ) @ #vk.25 )
                       case CA_Sign_ltk
                       solve( !KU( ~ltk.1 ) @ #vk.29 )
@@ -2105,7 +2025,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       qed
                     next
                       case c_cert
-                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
+                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
                         case CA_Sign_ltk
                         solve( !KU( ~ltk.1 ) @ #vk.31 )
                           case Corrupt_ltk
@@ -2125,7 +2045,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                   qed
                 next
                   case c_encaps
-                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                          ) @ #vk.23 )
                     case CA_Sign_ltk
                     solve( !KU( ~ltk.1 ) @ #vk.26 )
@@ -2140,7 +2060,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                     qed
                   next
                     case c_cert
-                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.31 )
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.31 )
                       case CA_Sign_ltk
                       solve( !KU( ~ltk.1 ) @ #vk.27 )
                         case Corrupt_ltk
@@ -2163,15 +2083,21 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
           qed
         qed
       qed
+    next
+      case TA_COMPLETE_C_case_1
+      by contradiction /* from formulas */
+    next
+      case TA_COMPLETE_C_case_2
+      by contradiction /* from formulas */
     qed
   qed
 qed
 
-lemma agreement_C:
+lemma weak_agreement_C:
   all-traces
   "∀ k sid C T #i #t.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
       (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
      (∃ #k.1. Corrupted( T ) @ #k.1))"
 /*
@@ -2179,12 +2105,12 @@ guarded formula characterizing all counter-examples:
 "∃ k sid C T #i #t.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2194,7 +2120,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       C, 'chip', T.1
            ) @ #i )
       case TA_COMPLETE_C_case_1
-      solve( TAChallengeC( <$C, iid>,
+      solve( TAChallengeC( $C,
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                            r2, kTMAC, kTCNF
              ) ▶₁ #i )
@@ -2204,65 +2130,13 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
           solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
                  ) ▶₃ #i )
             case CA_Sign_ltk
-            solve( splitEqs(1) )
-              case split_case_1
-              solve( splitEqs(2) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf(<'CNF', 
-                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                 encaps(~k, pk(~ltk))>,
-                                ~k)
-                       ) @ #vk.1 )
-                  case c_kdf
-                  solve( !KU( ~k ) @ #vk.31 )
-                    case TA_RESPONSE_T
-                    solve( !KU( ~r2 ) @ #vk.35 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( ~ltk ) @ #vk.36 )
-                        case Corrupt_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case split_case_2
-              solve( splitEqs(2) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf(<'CNF', 
-                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                 encaps(~k, pk(~ltk))>,
-                                ~k)
-                       ) @ #vk.1 )
-                  case c_kdf
-                  solve( !KU( ~k ) @ #vk.31 )
-                    case TA_RESPONSE_T
-                    solve( !KU( ~r2 ) @ #vk.35 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( ~ltk ) @ #vk.36 )
-                        case Corrupt_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
+            by contradiction /* from formulas */
           qed
         qed
       qed
     next
       case TA_COMPLETE_C_case_2
-      solve( TAChallengeC( <$C, iid>,
+      solve( TAChallengeC( $C,
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                            r2, kTMAC, kTCNF
              ) ▶₁ #i )
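Review bot: The `by contradiction /* from formulas */` that now closes `weak_agreement_C` at the `CA_Sign_ltk` case here (and again in the `TA_COMPLETE_C_case_2` branch in the next hunk) discharges the lemma as soon as its premises are resolved, without solving a single `!KU` goal. This looks like a consequence of the `Finished( sid ) @ #t` premise: `Finished` appears as an action of `CA_FINISH_T`, and the `case CA_FINISH_T` under `solve( Completed( … 'terminal' … ) )` elsewhere in this log suggests the same rule emits the terminal's `Completed`, so the premise already supplies the event the conclusion asks for. If that reading is right, the lemma says nothing about chip sessions in which the terminal never finishes. The lemma in the theory source (outside this hunk) would benefit from a comment such as `/* conditional on Finished(sid): covers only sessions the terminal completed */`, or from a chip-side variant without that premise. The proof block starts and ends outside this hunk.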
@@ -2272,59 +2146,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
           solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
                  ) ▶₃ #i )
             case CA_Sign_ltk
-            solve( splitEqs(1) )
-              case split_case_1
-              solve( splitEqs(2) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf(<'CNF', 
-                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                 encaps(~k, pk(~ltk))>,
-                                ~k)
-                       ) @ #vk.1 )
-                  case c_kdf
-                  solve( !KU( ~k ) @ #vk.31 )
-                    case TA_RESPONSE_T
-                    solve( !KU( ~r2 ) @ #vk.35 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( ~ltk ) @ #vk.36 )
-                        case Corrupt_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case split_case_2
-              solve( splitEqs(2) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf(<'CNF', 
-                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                 encaps(~k, pk(~ltk))>,
-                                ~k)
-                       ) @ #vk.1 )
-                  case c_kdf
-                  solve( !KU( ~k ) @ #vk.31 )
-                    case TA_RESPONSE_T
-                    solve( !KU( ~r2 ) @ #vk.35 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( ~ltk ) @ #vk.36 )
-                        case Corrupt_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
+            by contradiction /* from formulas */
           qed
         qed
       qed
@@ -2332,11 +2154,11 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   qed
 qed
 
-lemma agreement_T:
+lemma weak_agreement_T:
   all-traces
   "∀ k sid C T #i #t.
     ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
       (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
      (∃ #k.1. Corrupted( T ) @ #k.1))"
 /*
@@ -2344,12 +2166,12 @@ guarded formula characterizing all counter-examples:
 "∃ k sid C T #i #t.
   (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -2359,8 +2181,8 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( TAResponseT( <$T.1, iid>, id_c,
-                          cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>
+      solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C),
+                          r2, <k.1, encaps(~k, z)>
              ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( splitEqs(1) )
@@ -2590,40 +2412,207 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   qed
 qed
 
-lemma aliveness:
+lemma agreement_C:
   all-traces
-  "∀ k sid A role B #i #t.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
-     (∃ #k.1. Corrupted( B ) @ #k.1))"
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
 /*
 guarded formula characterizing all counter-examples:
-"∃ k sid A role B #i #t.
-  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
     solve( Completed( k.1,
                       <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
                        cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
-                      A, role, B
+                      C, 'chip', T.1
+           ) @ #i )
+      case TA_COMPLETE_C_case_1
+      solve( TAChallengeC( $C,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           r2, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.31 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.36 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case split_case_2
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.31 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.36 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_2
+      solve( TAChallengeC( $C,
+                           cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                           r2, kTMAC, kTCNF
+             ) ▶₁ #i )
+        case TA_CHALLENGE_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.31 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.36 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case split_case_2
+              solve( splitEqs(2) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk))>,
+                                ~k)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~k ) @ #vk.31 )
+                    case TA_RESPONSE_T
+                    solve( !KU( ~r2 ) @ #vk.35 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk ) @ #vk.36 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>,
+                      T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( TAResponseT( <$T.1, iid>, id_c,
-                          cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>
+      solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C),
+                          r2, <k.1, encaps(~k, z)>
              ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( splitEqs(1) )
           case split_case_1
           solve( !KU( kdf(<'CNF', 
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
                           ~k)
                  ) @ #vk.1 )
             case TA_COMPLETE_C
@@ -2632,11 +2621,11 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
             case c_kdf
             solve( !KU( ~k ) @ #vk.16 )
               case TA_RESPONSE_T
-              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
                                kdf(<'TENC', r1>, decaps(cTA, ~skT)))
                      ) @ #vk.14 )
                 case c_senc
-                solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                        ) @ #vk.22 )
                   case CA_Sign_ltk
                   solve( !KU( ~ltk.1 ) @ #vk.26 )
@@ -2651,7 +2640,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                   qed
                 next
                   case c_cert
-                  solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.29 )
+                  solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.29 )
                     case CA_Sign_ltk
                     solve( !KU( ~ltk.1 ) @ #vk.27 )
                       case Corrupt_ltk
@@ -2675,7 +2664,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
           case split_case_2
           solve( !KU( kdf(<'CNF', 
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                           cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>,
+                           cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>,
                           ~k)
                  ) @ #vk.1 )
             case TA_COMPLETE_C
@@ -2684,7 +2673,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
             case c_kdf
             solve( !KU( ~k ) @ #vk.16 )
               case TA_RESPONSE_T
-              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>,
+              solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>,
                                kdf(<'TENC', r1>, z))
                      ) @ #vk.14 )
                 case TA_CHALLENGE_C
@@ -2699,7 +2688,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                 case c_senc
                 solve( !KU( encaps(z, pk(~skT)) ) @ #vk.15 )
                   case TA_CHALLENGE_C
-                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                          ) @ #vk.23 )
                     case CA_Sign_ltk
                     solve( !KU( ~ltk.1 ) @ #vk.26 )
@@ -2714,7 +2703,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                     qed
                   next
                     case c_cert
-                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.34 )
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.34 )
                       case CA_Sign_ltk
                       solve( !KU( ~ltk.1 ) @ #vk.27 )
                         case Corrupt_ltk
@@ -2735,7 +2724,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                   case TA_RESPONSE_T
                   solve( splitEqs(6) )
                     case split_case_1
-                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                            ) @ #vk.25 )
                       case CA_Sign_ltk
                       solve( !KU( ~ltk.1 ) @ #vk.29 )
@@ -2750,7 +2739,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       qed
                     next
                       case c_cert
-                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
                         case CA_Sign_ltk
                         solve( !KU( ~ltk.1 ) @ #vk.31 )
                           case Corrupt_ltk
@@ -2769,7 +2758,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                     qed
                   next
                     case split_case_2
-                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                            ) @ #vk.25 )
                       case CA_Sign_ltk
                       solve( !KU( ~ltk.1 ) @ #vk.29 )
@@ -2784,7 +2773,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                       qed
                     next
                       case c_cert
-                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 )
                         case CA_Sign_ltk
                         solve( !KU( ~ltk.1 ) @ #vk.31 )
                           case Corrupt_ltk
@@ -2804,7 +2793,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                   qed
                 next
                   case c_encaps
-                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                          ) @ #vk.23 )
                     case CA_Sign_ltk
                     solve( !KU( ~ltk.1 ) @ #vk.26 )
@@ -2819,7 +2808,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
                     qed
                   next
                     case c_cert
-                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.31 )
+                    solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.31 )
                       case CA_Sign_ltk
                       solve( !KU( ~ltk.1 ) @ #vk.27 )
                         case Corrupt_ltk
@@ -2842,12 +2831,6 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t )
           qed
         qed
       qed
-    next
-      case TA_COMPLETE_C_case_1
-      by contradiction /* from formulas */
-    next
-      case TA_COMPLETE_C_case_2
-      by contradiction /* from formulas */
     qed
   qed
 qed
@@ -2873,7 +2856,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_1
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_T
-      solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+      solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -2884,8 +2867,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( TAResponseT( <$T, iid.1>, id_c.1,
-                                cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+            solve( TAResponseT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B),
+                                r2, <~k, encaps(~k, z)>
                    ) ▶₁ #j )
               case TA_RESPONSE_T
               by contradiction /* cyclic */
@@ -2895,8 +2878,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C_case_1
-      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-             ) ▶₁ #i )
+      solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
@@ -2909,18 +2891,16 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C_case_1
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
-                                   kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
               qed
             next
               case TA_COMPLETE_C_case_2
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
-                                   kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
@@ -2931,8 +2911,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C_case_2
-      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-             ) ▶₁ #i )
+      solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
@@ -2945,18 +2924,16 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C_case_1
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
-                                   kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
               qed
             next
               case TA_COMPLETE_C_case_2
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
-                                   kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
@@ -2970,7 +2947,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_2
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_T
-      solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+      solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -2981,8 +2958,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( TAResponseT( <$T, iid.1>, id_c.1,
-                                cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>
+            solve( TAResponseT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B),
+                                r2, <~k, encaps(~k, z)>
                    ) ▶₁ #j )
               case TA_RESPONSE_T
               by contradiction /* cyclic */
@@ -2992,8 +2969,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C_case_1
-      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-             ) ▶₁ #i )
+      solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
@@ -3006,18 +2982,16 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C_case_1
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
-                                   kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
               qed
             next
               case TA_COMPLETE_C_case_2
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
-                                   kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
@@ -3028,8 +3002,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C_case_2
-      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-             ) ▶₁ #i )
+      solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
@@ -3042,18 +3015,16 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C_case_1
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
-                                   kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
               qed
             next
               case TA_COMPLETE_C_case_2
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC,
-                                   kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
@@ -3068,7 +3039,7 @@ next
   case case_2
   solve( Completed( k, sid, A, role, B ) @ #i )
     case CA_FINISH_T
-    solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i )
+    solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i )
       case TA_RESPONSE_T
       solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
         case CA_Sign_ltk
@@ -3085,8 +3056,7 @@ next
     qed
   next
     case TA_COMPLETE_C_case_1
-    solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-           ) ▶₁ #i )
+    solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
       case TA_CHALLENGE_C
       solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
         case Generate_chip_key_pair
@@ -3109,8 +3079,7 @@ next
     qed
   next
     case TA_COMPLETE_C_case_2
-    solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-           ) ▶₁ #i )
+    solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
       case TA_CHALLENGE_C
       solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
         case Generate_chip_key_pair
@@ -3139,20 +3108,21 @@ lemma consistency:
   "∀ C T k k2 sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
-    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+    (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k k2 sid #i #j.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧
   (Completed( k2, sid, T, 'terminal', C ) @ #j)
  ∧
-  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (¬(k = k2)) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C_case_1
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
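Review bot: The added disjunct `(∃ #m. Corrupted( T ) @ #m)` weakens `consistency`, and nothing in this hunk records why. The summary further down in this same file lists the old statement, without the terminal exemption, as `verified (82 steps)`, so the stronger guarantee held for the pre-change model. `key_secrecy` gains the same disjunct in its own hunk below and was also verified before the change. If the exemption exists so that one shared lemma file can serve every protocol variant (an inference from include/include/lemmas.spthy appearing in the diffstat), put a comment at the lemma definition such as `/* Corrupted(T) is exempted here; the pre-change model verified this lemma without the exemption */`, or keep the stronger statement for the variants where it still proves. This file is the prover's echo of the lemma, and the proof body continues outside the hunk.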
@@ -3164,7 +3134,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -3211,21 +3181,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           case TA_CHALLENGE_C
                           solve( !KU( ~ltk.1 ) @ #vk.41 )
                             case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk))>,
-                                            ~k)
-                                   ) @ #vk.21 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.43 )
-                                case TA_RESPONSE_T
-                                solve( !KU( ~ltk ) @ #vk.45 )
-                                  case Corrupt_ltk
-                                  by contradiction /* from formulas */
-                                qed
-                              qed
-                            qed
+                            by contradiction /* from formulas */
                           qed
                         qed
                       qed
@@ -3285,21 +3241,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           case TA_CHALLENGE_C
                           solve( !KU( ~ltk.1 ) @ #vk.41 )
                             case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk))>,
-                                            ~k)
-                                   ) @ #vk.21 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.43 )
-                                case TA_RESPONSE_T
-                                solve( !KU( ~ltk ) @ #vk.45 )
-                                  case Corrupt_ltk
-                                  by contradiction /* from formulas */
-                                qed
-                              qed
-                            qed
+                            by contradiction /* from formulas */
                           qed
                         qed
                       qed
@@ -3315,8 +3257,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 next
   case TA_COMPLETE_C_case_2
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -3328,7 +3269,7 @@ next
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -3375,21 +3316,7 @@ next
                           case TA_CHALLENGE_C
                           solve( !KU( ~ltk.1 ) @ #vk.41 )
                             case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk))>,
-                                            ~k)
-                                   ) @ #vk.21 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.43 )
-                                case TA_RESPONSE_T
-                                solve( !KU( ~ltk ) @ #vk.45 )
-                                  case Corrupt_ltk
-                                  by contradiction /* from formulas */
-                                qed
-                              qed
-                            qed
+                            by contradiction /* from formulas */
                           qed
                         qed
                       qed
@@ -3449,21 +3376,7 @@ next
                           case TA_CHALLENGE_C
                           solve( !KU( ~ltk.1 ) @ #vk.41 )
                             case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk))>,
-                                            ~k)
-                                   ) @ #vk.21 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.43 )
-                                case TA_RESPONSE_T
-                                solve( !KU( ~ltk ) @ #vk.45 )
-                                  case Corrupt_ltk
-                                  by contradiction /* from formulas */
-                                qed
-                              qed
-                            qed
+                            by contradiction /* from formulas */
                           qed
                         qed
                       qed
@@ -3484,8 +3397,9 @@ lemma key_secrecy:
   "∀ C T k sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
-    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
-     (∃ #m. Corrupted( C ) @ #m))"
+    ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+      (∃ #m. Corrupted( C ) @ #m)) ∨
+     (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k sid #i #j.
@@ -3494,13 +3408,13 @@ guarded formula characterizing all counter-examples:
  ∧
   (∃ #m. (K( k ) @ #m)) ∧
   (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C_case_1
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -3515,7 +3429,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -3578,8 +3492,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 next
   case TA_COMPLETE_C_case_2
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -3594,7 +3507,7 @@ next
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -3657,83 +3570,7 @@ next
   qed
 qed
 
-lemma chip_hiding:
-  all-traces
-  "∀ C T iid #i.
-    (CompletedTA( C, iid, T ) @ #i) ⇒
-    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T iid #i.
-  (CompletedTA( C, iid, T ) @ #i)
- ∧
-  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
-*/
-simplify
-solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-       ) ▶₁ #i )
-  case TA_CHALLENGE_C
-  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
-    case Generate_chip_key_pair
-    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
-      case CA_Sign_ltk
-      solve( !KU( ~iid ) @ #vk.11 )
-        case TA_CHALLENGE_C
-        solve( splitEqs(0) )
-          case split_case_1
-          solve( !KU( mac(<'CA', cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
-                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>,
-                          kdf(<'TMAC', ~r1>, ~kTA))
-                 ) @ #vk.6 )
-            case TA_RESPONSE_T
-            solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.14 )
-              case c_kdf
-              solve( !KU( ~kTA ) @ #vk.27 )
-                case TA_CHALLENGE_C
-                solve( !KU( ~ltk.1 ) @ #vk.29 )
-                  case Corrupt_ltk
-                  solve( !KU( encaps(~kTA, pk(~skT)) ) @ #vk.23 )
-                    case TA_CHALLENGE_C
-                    solve( !KU( senc(<
-                                      cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2>,
-                                     kdf(<'TENC', ~r1>, ~kTA))
-                           ) @ #vk.25 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( ~r1 ) @ #vk.23 )
-                        case TA_CHALLENGE_C
-                        solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
-                               ) @ #vk.21 )
-                          case CA_Sign_ltk
-                          solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 )
-                            case TA_RESPONSE_T
-                            solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.35 )
-                              case TA_CHALLENGE_C
-                              solve( !KU( senc(<cert(z, sign(<z, x, 'chip'>, ca_sk), x), z.1>,
-                                               kdf(<'TENC', ~r1>, ~kTA))
-                                     ) @ #vk.35 )
-                                case TA_CHALLENGE_C
-                                solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.20 )
-                                  case TA_RESPONSE_T
-                                  SOLVED // trace found
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma nonRepudiation_terminal:
+lemma notNonRepudiation_C:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -3802,7 +3639,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma nonRepudiation_chip:
+lemma notNonRepudiation_T:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -3869,7 +3706,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i )
   qed
 qed
 
-lemma pfs:
+lemma forward_secrecy:
   all-traces
   "∀ C T k sid #i #j.
     ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
@@ -3891,8 +3728,7 @@ guarded formula characterizing all counter-examples:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C_case_1
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF
-         ) ▶₁ #i )
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -3907,7 +3743,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>
                  ) ▶₁ #j )
             case TA_RESPONSE_T
@@ -4060,21 +3896,20 @@ summary of summaries:
 
 analyzed: tmp.spthy
 
-  processing time: 1594.74s
+  processing time: 760.62s
   
   session_exist (exists-trace): verified (20 steps)
   two_session_exist (exists-trace): verified (46 steps)
+  aliveness (all-traces): verified (76 steps)
   weak_agreement_C (all-traces): verified (12 steps)
   weak_agreement_T (all-traces): verified (74 steps)
   agreement_C (all-traces): verified (40 steps)
   agreement_T (all-traces): verified (74 steps)
-  aliveness (all-traces): verified (76 steps)
   session_uniqueness (all-traces): verified (64 steps)
-  consistency (all-traces): verified (82 steps)
+  consistency (all-traces): verified (70 steps)
   key_secrecy (all-traces): verified (40 steps)
-  chip_hiding (all-traces): falsified - found trace (19 steps)
-  nonRepudiation_terminal (exists-trace): verified (15 steps)
-  nonRepudiation_chip (exists-trace): verified (15 steps)
-  pfs (all-traces): falsified - found trace (28 steps)
+  notNonRepudiation_C (exists-trace): verified (15 steps)
+  notNonRepudiation_T (exists-trace): verified (15 steps)
+  forward_secrecy (all-traces): falsified - found trace (28 steps)
 
 ==============================================================================
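Review bot: The summary still reports `analyzed: tmp.spthy`, while this commit's diffstat deletes tmp.spthy, so the verdicts listed here cannot be tied to a named theory file in the repository. The result file name is the only remaining link to a protocol variant. Running the prover on a stably named input would let the `analyzed:` line identify which model these results belong to. Separately, `forward_secrecy (all-traces): falsified - found trace (28 steps)` reads as a broken guarantee under its new name. If that is the expected negative result for this variant, say so next to the lemma or in the README, for example `/* expected: falsified for this variant */`.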
diff --git a/results/45991168.err.PFS_ALL_SigPQEAC_TAMARIN b/results/46092873.err.ForwardSecrecy_SigPQEAC
similarity index 100%
rename from results/45991168.err.PFS_ALL_SigPQEAC_TAMARIN
rename to results/46092873.err.ForwardSecrecy_SigPQEAC
diff --git a/results/45991168.out.PFS_ALL_SigPQEAC_TAMARIN b/results/46092873.out.ForwardSecrecy_SigPQEAC
similarity index 90%
rename from results/45991168.out.PFS_ALL_SigPQEAC_TAMARIN
rename to results/46092873.out.ForwardSecrecy_SigPQEAC
index 244e433..e8667e9 100644
--- a/results/45991168.out.PFS_ALL_SigPQEAC_TAMARIN
+++ b/results/46092873.out.ForwardSecrecy_SigPQEAC
@@ -71,98 +71,83 @@ rule (modulo E) Reveal_session:
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+   [ !Cert( $T, certT, 'terminal' ) ]
   --[ Started( ) ]->
-   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+   [ Out( <certT, '1', 't'> ), TAInitT( $T ) ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_CHALLENGE_C:
-   [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
+   [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ]
   --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
-   [
-   Out( <~id_c, ~r1, '2', 'c'> ),
-   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 )
-   ]
+   [ Out( <~id_c, ~r1, '2', 'c'> ), TAChallengeC( $C, certT, ~id_c, ~r1 ) ]
 
   /*
   rule (modulo AC) TA_CHALLENGE_C:
-     [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
+     [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ]
     --[ Eq( z, true ), Started( ) ]->
-     [
-     Out( <~id_c, ~r1, '2', 'c'> ),
-     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 )
-     ]
+     [ Out( <~id_c, ~r1, '2', 'c'> ), TAChallengeC( $C, certT, ~id_c, ~r1 ) ]
     variants (modulo AC)
-    1. certT = certT.12
-       z     = verify(cert_sig(certT.12),
-                      <cert_pk(certT.12), cert_id(certT.12), 'terminal'>, pk(ca_sk))
+    1. certT = certT.11
+       z     = verify(cert_sig(certT.11),
+                      <cert_pk(certT.11), cert_id(certT.11), 'terminal'>, pk(ca_sk))
     
-    2. certT = cert(x.13, sign(<x.13, x.14, 'terminal'>, ca_sk), x.14)
+    2. certT = cert(x.12, sign(<x.12, x.13, 'terminal'>, ca_sk), x.13)
        z     = true
     
-    3. certT = cert(x.14, x.15, x.16)
-       z     = verify(x.15, <x.14, x.16, 'terminal'>, pk(ca_sk))
+    3. certT = cert(x.13, x.14, x.15)
+       z     = verify(x.14, <x.13, x.15, 'terminal'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_RESPONSE_T:
-   [
-   In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid> ),
-   !Ltk( $T, ~skT, 'terminal' )
+   [ In( <id_c, r1, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' )
    ]
   -->
    [
-   Out( <sign(<'TA', id_c, r1>, ~skT), '3', 't'> ),
-   TAResponseT( <$T, iid>, id_c )
+   Out( <sign(<'TA', id_c, r1>, ~skT), '3', 't'> ), TAResponseT( $T, id_c )
    ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_COMPLETE_C:
-   [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ]
-  --[
-  Eq( verify(s, <'TA', id_c, r1>, cert_pk(certT)), true ),
-  CompletedTA( $C, iid, cert_id(certT) )
-  ]->
-   [ TACompleteC( <$C, iid>, certT, id_c, r1 ) ]
+   [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, id_c, r1 ) ]
+  --[ Eq( verify(s, <'TA', id_c, r1>, cert_pk(certT)), true ) ]->
+   [ TACompleteC( $C, certT, id_c, r1 ) ]
 
   /*
   rule (modulo AC) TA_COMPLETE_C:
-     [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ]
-    --[ Eq( z, true ), CompletedTA( $C, iid, z.1 ) ]->
-     [ TACompleteC( <$C, iid>, certT, id_c, r1 ) ]
+     [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, id_c, r1 ) ]
+    --[ Eq( z, true ) ]->
+     [ TACompleteC( $C, certT, id_c, r1 ) ]
     variants (modulo AC)
-    1. certT = certT.16
-       id_c  = id_c.17
+    1. certT = certT.13
+       id_c  = id_c.14
+       r1    = r1.15
+       s     = s.16
+       z     = verify(s.16, <'TA', id_c.14, r1.15>, cert_pk(certT.13))
+    
+    2. certT = cert(x.30, x.31, x.32)
+       id_c  = id_c.18
        r1    = r1.19
        s     = s.20
-       z     = verify(s.20, <'TA', id_c.17, r1.19>, cert_pk(certT.16))
-       z.1   = cert_id(certT.16)
-    
-    2. certT = cert(x.37, x.38, z.28)
-       id_c  = id_c.21
-       r1    = r1.23
-       s     = s.24
-       z     = verify(s.24, <'TA', id_c.21, r1.23>, x.37)
-       z.1   = z.28
-    
-    3. certT = cert(pk(x.37), x.38, z.28)
-       id_c  = id_c.21
-       r1    = r1.23
-       s     = sign(<'TA', id_c.21, r1.23>, x.37)
+       z     = verify(s.20, <'TA', id_c.18, r1.19>, x.30)
+    
+    3. certT = cert(pk(x.30), x.31, x.32)
+       id_c  = id_c.18
+       r1    = r1.19
+       s     = sign(<'TA', id_c.18, r1.19>, x.30)
        z     = true
-       z.1   = z.28
   */
 
 rule (modulo E) CA_INIT_C:
    [
-   Fr( ~r2 ), Fr( ~skCe ), TACompleteC( <$C, iid>, certT, id_c, r1 ),
+   Fr( ~r2 ), Fr( ~skCe ), TACompleteC( $C, certT, id_c, r1 ),
    !Cert( $C, certC, 'chip' )
    ]
   -->
    [
-   Out( <certC, ~r2, pk(~skCe), '4', 'c'> ), Out( iid ),
-   CAInitC( <$C, iid>, certT, id_c, r1, ~r2, ~skCe )
+   Out( <certC, ~r2, pk(~skCe), '4', 'c'> ),
+   CAInitC( $C, certT, id_c, r1, ~r2, ~skCe )
    ]
 
   /* has exactly the trivial AC variant */
@@ -170,7 +155,7 @@ rule (modulo E) CA_INIT_C:
 rule (modulo E) CA_INIT_T:
    [
    In( <certC, r2, pkCe, '4', 'c'> ), Fr( ~k ), Fr( ~ke ),
-   TAResponseT( <$T, iid>, id_c ), !Ltk( $T, ~skT, 'terminal' ),
+   TAResponseT( $T, id_c ), !Ltk( $T, ~skT, 'terminal' ),
    !Cert( $T, certT, 'terminal' )
    ]
   --[ Eq( verify_cert(certC, 'chip'), true ) ]->
@@ -181,7 +166,7 @@ rule (modulo E) CA_INIT_T:
               ~skT), 
          encaps(~ke, pkCe), '5', 't'>
    ),
-   CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))>,
+   CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))>,
             <~ke, encaps(~ke, pkCe)>, pkCe
    )
    ]
@@ -190,7 +175,7 @@ rule (modulo E) CA_INIT_T:
   rule (modulo AC) CA_INIT_T:
      [
      In( <certC, r2, pkCe, '4', 'c'> ), Fr( ~k ), Fr( ~ke ),
-     TAResponseT( <$T, iid>, id_c ), !Ltk( $T, ~skT, 'terminal' ),
+     TAResponseT( $T, id_c ), !Ltk( $T, ~skT, 'terminal' ),
      !Cert( $T, certT, 'terminal' )
      ]
     --[ Eq( z.1, true ) ]->
@@ -200,29 +185,28 @@ rule (modulo E) CA_INIT_T:
                 ~skT), 
            encaps(~ke, pkCe), '5', 't'>
      ),
-     CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)>,
+     CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, z)>,
               <~ke, encaps(~ke, pkCe)>, pkCe
      )
      ]
     variants (modulo AC)
-    1. certC = certC.20
-       z     = cert_pk(certC.20)
-       z.1   = verify(cert_sig(certC.20),
-                      <cert_pk(certC.20), cert_id(certC.20), 'chip'>, pk(ca_sk))
+    1. certC = certC.19
+       z     = cert_pk(certC.19)
+       z.1   = verify(cert_sig(certC.19),
+                      <cert_pk(certC.19), cert_id(certC.19), 'chip'>, pk(ca_sk))
     
-    2. certC = cert(z.46, sign(<z.46, x.77, 'chip'>, ca_sk), x.77)
-       z     = z.46
+    2. certC = cert(z.45, sign(<z.45, x.76, 'chip'>, ca_sk), x.76)
+       z     = z.45
        z.1   = true
     
-    3. certC = cert(z.47, x.78, x.79)
-       z     = z.47
-       z.1   = verify(x.78, <z.47, x.79, 'chip'>, pk(ca_sk))
+    3. certC = cert(z.46, x.77, x.78)
+       z     = z.46
+       z.1   = verify(x.77, <z.46, x.78, 'chip'>, pk(ca_sk))
   */
 
 rule (modulo E) CA_FINISH_C:
    [
-   In( <cip, s, cipe, '5', 't'> ),
-   CAInitC( <$C, iid>, certT, id_c, r1, r2, skCe ),
+   In( <cip, s, cipe, '5', 't'> ), CAInitC( $C, certT, id_c, r1, r2, skCe ),
    !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
    ]
   --[
@@ -240,227 +224,219 @@ rule (modulo E) CA_FINISH_C:
          kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>,
              <decaps(cip, ~skC), decaps(cipe, skCe)>), 
          '6', 'c'>
-   ),
-   CAFinishC( $C, cert_id(certT),
-              kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
-                  <decaps(cip, ~skC), decaps(cipe, skCe)>)
    )
    ]
 
   /*
   rule (modulo AC) CA_FINISH_C:
      [
-     In( <cip, s, cipe, '5', 't'> ),
-     CAInitC( <$C, iid>, certT, id_c, r1, r2, skCe ),
+     In( <cip, s, cipe, '5', 't'> ), CAInitC( $C, certT, id_c, r1, r2, skCe ),
      !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
      ]
     --[
-    Eq( z.3, true ),
+    Eq( z.2, true ),
     Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>),
-               <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.2
+               <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.3
     )
     ]->
      [
      Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), 
            '6', 'c'>
-     ),
-     CAFinishC( $C, z.2,
-                kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>)
      )
      ]
     variants (modulo AC)
-     1. ~skC  = ~skC.35
-        certC = certC.36
-        certT = certT.37
-        cip   = cip.38
-        cipe  = cipe.39
-        r2    = r2.43
-        s     = s.44
-        skCe  = skCe.45
-        z     = decaps(cip.38, ~skC.35)
-        z.1   = decaps(cipe.39, skCe.45)
-        z.2   = cert_id(certT.37)
-        z.3   = verify(s.44,
-                       <'CA', certT.37, certC.36, r2.43, cip.38, pk(skCe.45), cipe.39>,
-                       cert_pk(certT.37))
-    
-     2. ~skC  = ~skC.40
-        certC = certC.41
-        certT = certT.42
-        cip   = encaps(z.55, pk(~skC.40))
-        cipe  = cipe.44
-        r2    = r2.48
-        s     = s.49
-        skCe  = skCe.50
-        z     = z.55
-        z.1   = decaps(cipe.44, skCe.50)
-        z.2   = cert_id(certT.42)
-        z.3   = verify(s.49,
-                       <'CA', certT.42, certC.41, r2.48, encaps(z.55, pk(~skC.40)), 
-                        pk(skCe.50), cipe.44>,
-                       cert_pk(certT.42))
-    
-     3. ~skC  = ~skC.41
-        certC = certC.42
-        certT = certT.43
-        cip   = cip.44
-        cipe  = encaps(z.57, pk(skCe.51))
-        r2    = r2.49
-        s     = s.50
-        skCe  = skCe.51
-        z     = decaps(cip.44, ~skC.41)
-        z.1   = z.57
-        z.2   = cert_id(certT.43)
-        z.3   = verify(s.50,
-                       <'CA', certT.43, certC.42, r2.49, cip.44, pk(skCe.51), 
-                        encaps(z.57, pk(skCe.51))>,
-                       cert_pk(certT.43))
-    
-     4. ~skC  = ~skC.41
-        certC = certC.42
-        certT = certT.43
-        cip   = encaps(z.56, pk(~skC.41))
-        cipe  = encaps(z.57, pk(skCe.51))
-        r2    = r2.49
-        s     = s.50
-        skCe  = skCe.51
-        z     = z.56
-        z.1   = z.57
-        z.2   = cert_id(certT.43)
-        z.3   = verify(s.50,
-                       <'CA', certT.43, certC.42, r2.49, encaps(z.56, pk(~skC.41)), 
-                        pk(skCe.51), encaps(z.57, pk(skCe.51))>,
-                       cert_pk(certT.43))
-    
-     5. ~skC  = ~skC.158
-        certC = certC.159
-        certT = cert(x.312, x.313, z.177)
-        cip   = cip.161
-        cipe  = cipe.162
-        r2    = r2.166
-        s     = s.167
-        skCe  = skCe.168
-        z     = decaps(cip.161, ~skC.158)
-        z.1   = decaps(cipe.162, skCe.168)
-        z.2   = z.177
-        z.3   = verify(s.167,
-                       <'CA', cert(x.312, x.313, z.177), certC.159, r2.166, cip.161, 
-                        pk(skCe.168), cipe.162>,
-                       x.312)
-    
-     6. ~skC  = ~skC.158
-        certC = certC.159
-        certT = cert(x.312, x.313, z.177)
-        cip   = cip.161
-        cipe  = encaps(z.174, pk(skCe.168))
-        r2    = r2.166
-        s     = s.167
-        skCe  = skCe.168
-        z     = decaps(cip.161, ~skC.158)
-        z.1   = z.174
-        z.2   = z.177
-        z.3   = verify(s.167,
-                       <'CA', cert(x.312, x.313, z.177), certC.159, r2.166, cip.161, 
-                        pk(skCe.168), encaps(z.174, pk(skCe.168))>,
-                       x.312)
-    
-     7. ~skC  = ~skC.159
-        certC = certC.160
-        certT = cert(pk(x.314), x.315, z.178)
-        cip   = cip.162
-        cipe  = cipe.163
-        r2    = r2.167
-        s     = sign(<'CA', cert(pk(x.314), x.315, z.178), certC.160, r2.167, 
-                      cip.162, pk(skCe.169), cipe.163>,
-                     x.314)
-        skCe  = skCe.169
-        z     = decaps(cip.162, ~skC.159)
-        z.1   = decaps(cipe.163, skCe.169)
-        z.2   = z.178
-        z.3   = true
-    
-     8. ~skC  = ~skC.159
-        certC = certC.160
-        certT = cert(pk(x.314), x.315, z.178)
-        cip   = cip.162
-        cipe  = encaps(z.175, pk(skCe.169))
-        r2    = r2.167
-        s     = sign(<'CA', cert(pk(x.314), x.315, z.178), certC.160, r2.167, 
-                      cip.162, pk(skCe.169), encaps(z.175, pk(skCe.169))>,
-                     x.314)
-        skCe  = skCe.169
-        z     = decaps(cip.162, ~skC.159)
-        z.1   = z.175
-        z.2   = z.178
-        z.3   = true
-    
-     9. ~skC  = ~skC.160
-        certC = certC.161
-        certT = cert(x.316, x.317, z.179)
-        cip   = encaps(z.175, pk(~skC.160))
-        cipe  = cipe.164
-        r2    = r2.168
-        s     = s.169
-        skCe  = skCe.170
-        z     = z.175
-        z.1   = decaps(cipe.164, skCe.170)
-        z.2   = z.179
-        z.3   = verify(s.169,
-                       <'CA', cert(x.316, x.317, z.179), certC.161, r2.168, 
-                        encaps(z.175, pk(~skC.160)), pk(skCe.170), cipe.164>,
-                       x.316)
-    
-    10. ~skC  = ~skC.160
-        certC = certC.161
-        certT = cert(x.316, x.317, z.179)
-        cip   = encaps(z.175, pk(~skC.160))
-        cipe  = encaps(z.176, pk(skCe.170))
-        r2    = r2.168
-        s     = s.169
-        skCe  = skCe.170
-        z     = z.175
-        z.1   = z.176
-        z.2   = z.179
-        z.3   = verify(s.169,
-                       <'CA', cert(x.316, x.317, z.179), certC.161, r2.168, 
-                        encaps(z.175, pk(~skC.160)), pk(skCe.170), encaps(z.176, pk(skCe.170))>,
-                       x.316)
-    
-    11. ~skC  = ~skC.160
-        certC = certC.161
-        certT = cert(pk(x.316), x.317, z.179)
-        cip   = encaps(z.175, pk(~skC.160))
-        cipe  = cipe.164
-        r2    = r2.168
-        s     = sign(<'CA', cert(pk(x.316), x.317, z.179), certC.161, r2.168, 
-                      encaps(z.175, pk(~skC.160)), pk(skCe.170), cipe.164>,
-                     x.316)
-        skCe  = skCe.170
-        z     = z.175
-        z.1   = decaps(cipe.164, skCe.170)
-        z.2   = z.179
-        z.3   = true
-    
-    12. ~skC  = ~skC.160
-        certC = certC.161
-        certT = cert(pk(x.316), x.317, z.179)
-        cip   = encaps(z.175, pk(~skC.160))
-        cipe  = encaps(z.176, pk(skCe.170))
-        r2    = r2.168
-        s     = sign(<'CA', cert(pk(x.316), x.317, z.179), certC.161, r2.168, 
-                      encaps(z.175, pk(~skC.160)), pk(skCe.170), encaps(z.176, pk(skCe.170))>,
-                     x.316)
-        skCe  = skCe.170
-        z     = z.175
-        z.1   = z.176
-        z.2   = z.179
-        z.3   = true
+     1. ~skC  = ~skC.33
+        certC = certC.34
+        certT = certT.35
+        cip   = cip.36
+        cipe  = cipe.37
+        r2    = r2.40
+        s     = s.41
+        skCe  = skCe.42
+        z     = decaps(cip.36, ~skC.33)
+        z.1   = decaps(cipe.37, skCe.42)
+        z.2   = verify(s.41,
+                       <'CA', certT.35, certC.34, r2.40, cip.36, pk(skCe.42), cipe.37>,
+                       cert_pk(certT.35))
+        z.3   = cert_id(certT.35)
+    
+     2. ~skC  = ~skC.38
+        certC = certC.39
+        certT = certT.40
+        cip   = encaps(z.52, pk(~skC.38))
+        cipe  = cipe.42
+        r2    = r2.45
+        s     = s.46
+        skCe  = skCe.47
+        z     = z.52
+        z.1   = decaps(cipe.42, skCe.47)
+        z.2   = verify(s.46,
+                       <'CA', certT.40, certC.39, r2.45, encaps(z.52, pk(~skC.38)), 
+                        pk(skCe.47), cipe.42>,
+                       cert_pk(certT.40))
+        z.3   = cert_id(certT.40)
+    
+     3. ~skC  = ~skC.39
+        certC = certC.40
+        certT = certT.41
+        cip   = cip.42
+        cipe  = encaps(z.54, pk(skCe.48))
+        r2    = r2.46
+        s     = s.47
+        skCe  = skCe.48
+        z     = decaps(cip.42, ~skC.39)
+        z.1   = z.54
+        z.2   = verify(s.47,
+                       <'CA', certT.41, certC.40, r2.46, cip.42, pk(skCe.48), 
+                        encaps(z.54, pk(skCe.48))>,
+                       cert_pk(certT.41))
+        z.3   = cert_id(certT.41)
+    
+     4. ~skC  = ~skC.39
+        certC = certC.40
+        certT = certT.41
+        cip   = encaps(z.53, pk(~skC.39))
+        cipe  = encaps(z.54, pk(skCe.48))
+        r2    = r2.46
+        s     = s.47
+        skCe  = skCe.48
+        z     = z.53
+        z.1   = z.54
+        z.2   = verify(s.47,
+                       <'CA', certT.41, certC.40, r2.46, encaps(z.53, pk(~skC.39)), 
+                        pk(skCe.48), encaps(z.54, pk(skCe.48))>,
+                       cert_pk(certT.41))
+        z.3   = cert_id(certT.41)
+    
+     5. ~skC  = ~skC.151
+        certC = certC.152
+        certT = cert(x.298, x.299, z.171)
+        cip   = cip.154
+        cipe  = cipe.155
+        r2    = r2.158
+        s     = s.159
+        skCe  = skCe.160
+        z     = decaps(cip.154, ~skC.151)
+        z.1   = decaps(cipe.155, skCe.160)
+        z.2   = verify(s.159,
+                       <'CA', cert(x.298, x.299, z.171), certC.152, r2.158, cip.154, 
+                        pk(skCe.160), cipe.155>,
+                       x.298)
+        z.3   = z.171
+    
+     6. ~skC  = ~skC.151
+        certC = certC.152
+        certT = cert(x.298, x.299, z.171)
+        cip   = cip.154
+        cipe  = encaps(z.166, pk(skCe.160))
+        r2    = r2.158
+        s     = s.159
+        skCe  = skCe.160
+        z     = decaps(cip.154, ~skC.151)
+        z.1   = z.166
+        z.2   = verify(s.159,
+                       <'CA', cert(x.298, x.299, z.171), certC.152, r2.158, cip.154, 
+                        pk(skCe.160), encaps(z.166, pk(skCe.160))>,
+                       x.298)
+        z.3   = z.171
+    
+     7. ~skC  = ~skC.152
+        certC = certC.153
+        certT = cert(pk(x.300), x.301, z.172)
+        cip   = cip.155
+        cipe  = cipe.156
+        r2    = r2.159
+        s     = sign(<'CA', cert(pk(x.300), x.301, z.172), certC.153, r2.159, 
+                      cip.155, pk(skCe.161), cipe.156>,
+                     x.300)
+        skCe  = skCe.161
+        z     = decaps(cip.155, ~skC.152)
+        z.1   = decaps(cipe.156, skCe.161)
+        z.2   = true
+        z.3   = z.172
+    
+     8. ~skC  = ~skC.152
+        certC = certC.153
+        certT = cert(pk(x.300), x.301, z.172)
+        cip   = cip.155
+        cipe  = encaps(z.167, pk(skCe.161))
+        r2    = r2.159
+        s     = sign(<'CA', cert(pk(x.300), x.301, z.172), certC.153, r2.159, 
+                      cip.155, pk(skCe.161), encaps(z.167, pk(skCe.161))>,
+                     x.300)
+        skCe  = skCe.161
+        z     = decaps(cip.155, ~skC.152)
+        z.1   = z.167
+        z.2   = true
+        z.3   = z.172
+    
+     9. ~skC  = ~skC.153
+        certC = certC.154
+        certT = cert(x.302, x.303, z.173)
+        cip   = encaps(z.167, pk(~skC.153))
+        cipe  = cipe.157
+        r2    = r2.160
+        s     = s.161
+        skCe  = skCe.162
+        z     = z.167
+        z.1   = decaps(cipe.157, skCe.162)
+        z.2   = verify(s.161,
+                       <'CA', cert(x.302, x.303, z.173), certC.154, r2.160, 
+                        encaps(z.167, pk(~skC.153)), pk(skCe.162), cipe.157>,
+                       x.302)
+        z.3   = z.173
+    
+    10. ~skC  = ~skC.153
+        certC = certC.154
+        certT = cert(x.302, x.303, z.173)
+        cip   = encaps(z.167, pk(~skC.153))
+        cipe  = encaps(z.168, pk(skCe.162))
+        r2    = r2.160
+        s     = s.161
+        skCe  = skCe.162
+        z     = z.167
+        z.1   = z.168
+        z.2   = verify(s.161,
+                       <'CA', cert(x.302, x.303, z.173), certC.154, r2.160, 
+                        encaps(z.167, pk(~skC.153)), pk(skCe.162), encaps(z.168, pk(skCe.162))>,
+                       x.302)
+        z.3   = z.173
+    
+    11. ~skC  = ~skC.153
+        certC = certC.154
+        certT = cert(pk(x.302), x.303, z.173)
+        cip   = encaps(z.167, pk(~skC.153))
+        cipe  = cipe.157
+        r2    = r2.160
+        s     = sign(<'CA', cert(pk(x.302), x.303, z.173), certC.154, r2.160, 
+                      encaps(z.167, pk(~skC.153)), pk(skCe.162), cipe.157>,
+                     x.302)
+        skCe  = skCe.162
+        z     = z.167
+        z.1   = decaps(cipe.157, skCe.162)
+        z.2   = true
+        z.3   = z.173
+    
+    12. ~skC  = ~skC.153
+        certC = certC.154
+        certT = cert(pk(x.302), x.303, z.173)
+        cip   = encaps(z.167, pk(~skC.153))
+        cipe  = encaps(z.168, pk(skCe.162))
+        r2    = r2.160
+        s     = sign(<'CA', cert(pk(x.302), x.303, z.173), certC.154, r2.160, 
+                      encaps(z.167, pk(~skC.153)), pk(skCe.162), encaps(z.168, pk(skCe.162))>,
+                     x.302)
+        skCe  = skCe.162
+        z     = z.167
+        z.1   = z.168
+        z.2   = true
+        z.3   = z.173
   */
 
 rule (modulo E) CA_FINISH_T:
    [
    In( <kCNF_C, '6', 'c'> ),
-   CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+   CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
    !Cert( $T, certT, 'terminal' )
    ]
   --[
@@ -471,9 +447,6 @@ rule (modulo E) CA_FINISH_T:
   Finished( <certT, certC, r2, cip, pkCe, cipe> )
   ]->
    [
-   CAFinishT( cert_id(certC), $T,
-              kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
-   ),
    !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
                    kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
    )
@@ -483,7 +456,7 @@ rule (modulo E) CA_FINISH_T:
   rule (modulo AC) CA_FINISH_T:
      [
      In( <kCNF_C, '6', 'c'> ),
-     CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+     CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
      !Cert( $T, certT, 'terminal' )
      ]
     --[
@@ -494,19 +467,16 @@ rule (modulo E) CA_FINISH_T:
     Finished( <certT, certC, r2, cip, pkCe, cipe> )
     ]->
      [
-     CAFinishT( z, $T,
-                kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
-     ),
      !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
                      kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
      )
      ]
     variants (modulo AC)
-    1. certC = certC.18
-       z     = cert_id(certC.18)
+    1. certC = certC.19
+       z     = cert_id(certC.19)
     
-    2. certC = cert(x.44, x.45, z.31)
-       z     = z.31
+    2. certC = cert(x.29, x.30, z.24)
+       z     = z.24
   */
 
 rule (modulo E) Verify_Transcript_C:
@@ -4045,8 +4015,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe
-         ) ▶₁ #i )
+  solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2, skCe ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -4063,7 +4032,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
                           <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -4102,7 +4071,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                               case CA_INIT_C
                               solve( !KU( sign(<'TA', ~id_c.2, ~r1.2>, x) ) @ #vk.42 )
                                 case TA_RESPONSE_T
-                                solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), z, 'terminal'>, ca_sk), z)
+                                solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), x, 'terminal'>, ca_sk), x)
                                        ) @ #vk.44 )
                                   case CA_Sign_ltk
                                   solve( !KU( ~id_c.2 ) @ #vk.46 )
@@ -4162,8 +4131,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe
-         ) ▶₁ #i )
+  solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2, skCe ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -4180,7 +4148,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
                           <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -4191,8 +4159,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
               case CA_Sign_ltk
               solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
                 case CA_FINISH_C
-                solve( CAInitC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1,
-                                skCe.1
+                solve( CAInitC( $C, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1, skCe.1
                        ) ▶₁ #i2 )
                   case CA_INIT_C
                   solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
@@ -4210,7 +4177,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                         $T, 'terminal', $C
                              ) @ #j2 )
                         case CA_FINISH_T
-                        solve( CAInitT( <$T, iid.3>, id_c.3,
+                        solve( CAInitT( $T, id_c.3,
                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
                                         <z, cip>, <z.1, cipe>, pk(~skCe.1)
                                ) ▶₁ #j2 )
@@ -4276,9 +4243,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                                       solve( !KU( sign(<'TA', ~id_c.4, ~r1.4>, x) ) @ #vk.68 )
                                                         case TA_RESPONSE_T
                                                         solve( !KU( cert(pk(~skT.3),
-                                                                         sign(<pk(~skT.3), z, 'terminal'>,
+                                                                         sign(<pk(~skT.3), x, 'terminal'>,
                                                                               ca_sk),
-                                                                         z)
+                                                                         x)
                                                                ) @ #vk.70 )
                                                           case CA_Sign_ltk
                                                           solve( !KU( ~id_c.4 ) @ #vk.72 )
@@ -4336,11 +4303,11 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                                                             solve( !KU( cert(pk(~skT.4),
                                                                                              sign(<
                                                                                                    pk(~skT.4), 
-                                                                                                   z, 
+                                                                                                   x, 
                                                                                                    'terminal'
                                                                                                   >,
                                                                                                   ca_sk),
-                                                                                             z)
+                                                                                             x)
                                                                                    ) @ #vk.78 )
                                                                               case CA_Sign_ltk
                                                                               solve( !KU( ~id_c.5 ) @ #vk.80 )
@@ -4404,6 +4371,93 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_C
+      by contradiction /* from formulas */
+    next
+      case CA_FINISH_T
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                      <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case CA_FINISH_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.30 )
+            case CA_INIT_T
+            solve( !KU( ~ke ) @ #vk.31 )
+              case CA_INIT_T
+              solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                     ) @ #vk.16 )
+                case CA_INIT_C
+                solve( !KU( ~ltk.1 ) @ #vk.32 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.32 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_cert
+                solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.35 )
+                  case CA_INIT_C
+                  solve( !KU( ~ltk.1 ) @ #vk.33 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.33 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_sign
+                  by solve( !KU( ca_sk ) @ #vk.39 )
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
 lemma weak_agreement_C:
   all-traces
   "∀ k sid C T #i #t.
@@ -4421,8 +4475,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -4433,7 +4486,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
                       C, 'chip', T.1
            ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>,
+      solve( CAInitC( $C,
                       cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                       r2, skCe
              ) ▶₁ #i )
@@ -4468,8 +4521,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -4480,9 +4532,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
-                      <ke.1, encaps(~ke, pkCe)>, pkCe
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2,
+                      <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe
              ) ▶₁ #i )
         case CA_INIT_T
         solve( !KU( kdf(<'CNF', 
@@ -4556,8 +4607,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -4568,7 +4618,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
                       C, 'chip', T.1
            ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>,
+      solve( CAInitC( $C,
                       cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                       r2, skCe
              ) ▶₁ #i )
@@ -4649,8 +4699,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -4661,9 +4710,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
-                      <ke.1, encaps(~ke, pkCe)>, pkCe
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2,
+                      <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe
              ) ▶₁ #i )
         case CA_INIT_T
         solve( !KU( kdf(<'CNF', 
@@ -4720,95 +4768,6 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
   qed
 qed
 
-lemma aliveness:
-  all-traces
-  "∀ k sid A role B #i #t.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
-     (∃ #k.1. Corrupted( B ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid A role B #i #t.
-  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-       ) ▶₁ #t )
-  case CA_INIT_T
-  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
-    case CA_Sign_ltk
-    solve( Completed( k.1,
-                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
-                       encaps(~ke, pkCe)>,
-                      A, role, B
-           ) @ #i )
-      case CA_FINISH_C
-      by contradiction /* from formulas */
-    next
-      case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>,
-                      <ke.1, encaps(~ke, pkCe)>, pkCe
-             ) ▶₁ #i )
-        case CA_INIT_T
-        solve( !KU( kdf(<'CNF', 
-                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
-                         encaps(~ke, pkCe)>,
-                        <~k, ~ke>)
-               ) @ #vk.1 )
-          case CA_FINISH_C
-          by contradiction /* from formulas */
-        next
-          case c_kdf
-          solve( !KU( ~k ) @ #vk.30 )
-            case CA_INIT_T
-            solve( !KU( ~ke ) @ #vk.31 )
-              case CA_INIT_T
-              solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
-                     ) @ #vk.16 )
-                case CA_INIT_C
-                solve( !KU( ~ltk.1 ) @ #vk.32 )
-                  case Corrupt_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case CA_Sign_ltk
-                solve( !KU( ~ltk.1 ) @ #vk.32 )
-                  case Corrupt_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.35 )
-                  case CA_INIT_C
-                  solve( !KU( ~ltk.1 ) @ #vk.33 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk.1 ) @ #vk.33 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.39 )
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
 lemma session_uniqueness:
   all-traces
   "∀ A B k sid sid2 role #i #j.
@@ -4830,8 +4789,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_1
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2, skCe
-             ) ▶₁ #i )
+      solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2, skCe ) ▶₁ #i )
         case CA_INIT_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
@@ -4845,9 +4803,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case CA_FINISH_C
-              solve( CAInitC( <$C, iid.1>,
-                              cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2,
-                              ~skCe
+              solve( CAInitC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B),
+                              id_c.1, r1.1, ~r2, ~skCe
                      ) ▶₁ #j )
                 case CA_INIT_C
                 by contradiction /* cyclic */
@@ -4858,8 +4815,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-             ) ▶₁ #i )
+      solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i )
         case CA_INIT_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -4871,9 +4827,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1,
-                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
-                            <~ke, encaps(~ke, pkCe)>, pkCe
+            solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                            <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe
                    ) ▶₁ #j )
               case CA_INIT_T
               by contradiction /* cyclic */
@@ -4886,8 +4841,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_2
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2, skCe
-             ) ▶₁ #i )
+      solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2, skCe ) ▶₁ #i )
         case CA_INIT_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
@@ -4901,9 +4855,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case CA_FINISH_C
-              solve( CAInitC( <$C, iid.1>,
-                              cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2,
-                              ~skCe
+              solve( CAInitC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B),
+                              id_c.1, r1.1, ~r2, ~skCe
                      ) ▶₁ #j )
                 case CA_INIT_C
                 by contradiction /* cyclic */
@@ -4914,8 +4867,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-             ) ▶₁ #i )
+      solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i )
         case CA_INIT_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -4927,9 +4879,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1,
-                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
-                            <~ke, encaps(~ke, pkCe)>, pkCe
+            solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                            <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe
                    ) ▶₁ #j )
               case CA_INIT_T
               by contradiction /* cyclic */
@@ -4943,8 +4894,7 @@ next
   case case_2
   solve( Completed( k, sid, A, role, B ) @ #i )
     case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2, skCe
-           ) ▶₁ #i )
+    solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2, skCe ) ▶₁ #i )
       case CA_INIT_C
       solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
         case Generate_chip_key_pair
@@ -4965,8 +4915,7 @@ next
     qed
   next
     case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-           ) ▶₁ #i )
+    solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i )
       case CA_INIT_T
       solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
         case CA_Sign_ltk
@@ -4990,20 +4939,21 @@ lemma consistency:
   "∀ C T k k2 sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
-    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+    (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k k2 sid #i #j.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧
   (Completed( k2, sid, T, 'terminal', C ) @ #j)
  ∧
-  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (¬(k = k2)) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe
-         ) ▶₁ #i )
+  solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2, skCe ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
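Review bot: The added disjunct `∨ (∃ #m. Corrupted( T ) @ #m)` makes `consistency` strictly weaker than the statement this transcript verified before the change. The old summary lists it as verified in 35 steps with only `Corrupted( C )` exempted, and the branches removed in the later hunk (`case Corrupt_ltk` under `!KU( ~skT )` and `!KU( ~ltk.1 )`) closed by contradiction on the chip key alone. The same weakening is applied to `key_secrecy` in the hunk at `@@ -5142,8 +5035,9`. Removing `iid` presumably does not change this, so the terminal exemption looks unnecessary for this variant and hides a guarantee the model actually gives. If it is only there so that one shared lemma file fits every variant, I would keep the stronger statement here, or record the reason next to the lemma, e.g. `/* Corrupted(T) exempted for uniformity across variants; this variant also verifies without it */`. The proof of the lemma continues outside this hunk.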
@@ -5016,7 +4966,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>,
                           <ke, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -5061,71 +5011,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                     case c_sign
                     solve( !KU( ~skT ) @ #vk.37 )
                       case Corrupt_ltk
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                      <~k, ~ke>)
-                             ) @ #vk.19 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.50 )
-                          case CA_INIT_T
-                          solve( !KU( ~ke ) @ #vk.51 )
-                            case CA_INIT_T
-                            solve( !KU( ~ltk ) @ #vk.52 )
-                              case Corrupt_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          qed
-                        qed
-                      qed
+                      by contradiction /* from formulas */
                     qed
                   qed
                 next
                   case c_sign
                   solve( !KU( ~ltk.1 ) @ #vk.42 )
                     case Corrupt_ltk
-                    solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.17 )
-                      case TA_RESPONSE_T
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                      <~k, ~ke>)
-                             ) @ #vk.25 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.51 )
-                          case CA_INIT_T
-                          solve( !KU( ~ke ) @ #vk.52 )
-                            case CA_INIT_T
-                            solve( !KU( ~ltk ) @ #vk.53 )
-                              case Corrupt_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                      <~k, ~ke>)
-                             ) @ #vk.25 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.52 )
-                          case CA_INIT_T
-                          solve( !KU( ~ke ) @ #vk.53 )
-                            case CA_INIT_T
-                            solve( !KU( ~ltk ) @ #vk.54 )
-                              case Corrupt_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
+                    by contradiction /* from formulas */
                   qed
                 qed
               qed
@@ -5142,8 +5035,9 @@ lemma key_secrecy:
   "∀ C T k sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
-    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
-     (∃ #m. Corrupted( C ) @ #m))"
+    ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+      (∃ #m. Corrupted( C ) @ #m)) ∨
+     (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k sid #i #j.
@@ -5152,13 +5046,13 @@ guarded formula characterizing all counter-examples:
  ∧
   (∃ #m. (K( k ) @ #m)) ∧
   (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe
-         ) ▶₁ #i )
+  solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2, skCe ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -5175,7 +5069,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
                           <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -5218,80 +5112,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                   case c_sign
                   solve( !KU( ~skT ) @ #vk.38 )
                     case Corrupt_ltk
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                    <~k, ~ke>)
-                           ) @ #vk.6 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.51 )
-                        case CA_INIT_T
-                        solve( !KU( ~ke ) @ #vk.52 )
-                          case CA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.53 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
-                    qed
+                    by contradiction /* from formulas */
                   qed
                 qed
               next
                 case c_sign
                 solve( !KU( ~ltk.1 ) @ #vk.43 )
                   case Corrupt_ltk
-                  solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.18 )
-                    case TA_RESPONSE_T
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                    <~k, ~ke>)
-                           ) @ #vk.5 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.52 )
-                        case CA_INIT_T
-                        solve( !KU( ~ke ) @ #vk.53 )
-                          case CA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.54 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                    <~k, ~ke>)
-                           ) @ #vk.5 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.53 )
-                        case CA_INIT_T
-                        solve( !KU( ~ke ) @ #vk.54 )
-                          case CA_INIT_T
-                          solve( !KU( ~ltk ) @ #vk.55 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
+                  by contradiction /* from formulas */
                 qed
               qed
             qed
@@ -5302,28 +5130,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma chip_hiding:
-  all-traces
-  "∀ C T iid #i.
-    (CompletedTA( C, iid, T ) @ #i) ⇒
-    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T iid #i.
-  (CompletedTA( C, iid, T ) @ #i)
- ∧
-  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
-*/
-simplify
-solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1 ) ▶₁ #i )
-  case TA_CHALLENGE_C
-  solve( !KU( ~iid ) @ #vk.6 )
-    case CA_INIT_C
-    by contradiction /* cyclic */
-  qed
-qed
-
-lemma nonRepudiation_terminal:
+lemma notNonRepudiation_C:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -5387,7 +5194,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma nonRepudiation_chip:
+lemma notNonRepudiation_T:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -5420,7 +5227,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i )
   qed
 qed
 
-lemma pfs:
+lemma forward_secrecy:
   all-traces
   "∀ C T k sid #i #j.
     ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
@@ -5442,8 +5249,7 @@ guarded formula characterizing all counter-examples:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe
-         ) ▶₁ #i )
+  solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2, skCe ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
@@ -5460,7 +5266,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
                           <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -5594,21 +5400,20 @@ summary of summaries:
 
 analyzed: tmp.spthy
 
-  processing time: 138.92s
+  processing time: 115.06s
   
   session_exist (exists-trace): verified (24 steps)
   two_session_exist (exists-trace): verified (46 steps)
+  aliveness (all-traces): verified (21 steps)
   weak_agreement_C (all-traces): verified (8 steps)
   weak_agreement_T (all-traces): verified (20 steps)
   agreement_C (all-traces): verified (20 steps)
   agreement_T (all-traces): verified (20 steps)
-  aliveness (all-traces): verified (21 steps)
   session_uniqueness (all-traces): verified (37 steps)
-  consistency (all-traces): verified (35 steps)
-  key_secrecy (all-traces): verified (37 steps)
-  chip_hiding (all-traces): verified (4 steps)
-  nonRepudiation_terminal (exists-trace): verified (14 steps)
-  nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps)
-  pfs (all-traces): verified (27 steps)
+  consistency (all-traces): verified (21 steps)
+  key_secrecy (all-traces): verified (20 steps)
+  notNonRepudiation_C (exists-trace): verified (14 steps)
+  notNonRepudiation_T (exists-trace): falsified - no trace found (7 steps)
+  forward_secrecy (all-traces): verified (27 steps)
 
 ==============================================================================
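Review bot: The summary still reports `analyzed: tmp.spthy`, but the diffstat of this commit deletes `tmp.spthy`, so the checked-in result no longer names a theory file that exists in the tree. Anyone re-checking `key_secrecy` or `forward_secrecy` cannot tell from the transcript which `.spthy` and which include set produced these step counts. I would run Tamarin on the named theory itself, or record the theory name and the commit in the result file. Separately, `notNonRepudiation_T (exists-trace): falsified - no trace found` is presumably the intended outcome, but it reads as a failure when scanning for regressions. A one-line comment at the lemma, such as `/* expected: falsified, i.e. no repudiation trace exists for the terminal */`, would make that explicit.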
diff --git a/results/45991739.err.PFS_ALL_FastSigPQEAC_TAMARIN b/results/46092874.err.ForwardSecrecy_FastSigPQEAC
similarity index 100%
rename from results/45991739.err.PFS_ALL_FastSigPQEAC_TAMARIN
rename to results/46092874.err.ForwardSecrecy_FastSigPQEAC
diff --git a/results/45991739.out.PFS_ALL_FastSigPQEAC_TAMARIN b/results/46092874.out.ForwardSecrecy_FastSigPQEAC
similarity index 87%
rename from results/45991739.out.PFS_ALL_FastSigPQEAC_TAMARIN
rename to results/46092874.out.ForwardSecrecy_FastSigPQEAC
index 03861b1..5beeefb 100644
--- a/results/45991739.out.PFS_ALL_FastSigPQEAC_TAMARIN
+++ b/results/46092874.out.ForwardSecrecy_FastSigPQEAC
@@ -71,49 +71,49 @@ rule (modulo E) Reveal_session:
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+   [ !Cert( $T, certT, 'terminal' ) ]
   --[ Started( ) ]->
-   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+   [ Out( <certT, '1', 't'> ), TAInitT( $T ) ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_CHALLENGE_C:
    [
-   In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~skCe ),
-   Fr( ~r2 ), !Cert( $C, certC, 'chip' )
+   In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~skCe ), Fr( ~r2 ),
+   !Cert( $C, certC, 'chip' )
    ]
   --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
    [
-   Out( <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'> ), Out( ~iid ),
-   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~skCe, ~r2 )
+   Out( <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'> ),
+   TAChallengeC( $C, certT, ~id_c, ~r1, ~skCe, ~r2 )
    ]
 
   /*
   rule (modulo AC) TA_CHALLENGE_C:
      [
-     In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~skCe ),
-     Fr( ~r2 ), !Cert( $C, certC, 'chip' )
+     In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~skCe ), Fr( ~r2 ),
+     !Cert( $C, certC, 'chip' )
      ]
     --[ Eq( z, true ), Started( ) ]->
      [
-     Out( <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'> ), Out( ~iid ),
-     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~skCe, ~r2 )
+     Out( <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'> ),
+     TAChallengeC( $C, certT, ~id_c, ~r1, ~skCe, ~r2 )
      ]
     variants (modulo AC)
-    1. certT = certT.16
-       z     = verify(cert_sig(certT.16),
-                      <cert_pk(certT.16), cert_id(certT.16), 'terminal'>, pk(ca_sk))
+    1. certT = certT.15
+       z     = verify(cert_sig(certT.15),
+                      <cert_pk(certT.15), cert_id(certT.15), 'terminal'>, pk(ca_sk))
     
-    2. certT = cert(x.17, sign(<x.17, x.18, 'terminal'>, ca_sk), x.18)
+    2. certT = cert(x.16, sign(<x.16, x.17, 'terminal'>, ca_sk), x.17)
        z     = true
     
-    3. certT = cert(x.18, x.19, x.20)
-       z     = verify(x.19, <x.18, x.20, 'terminal'>, pk(ca_sk))
+    3. certT = cert(x.17, x.18, x.19)
+       z     = verify(x.18, <x.17, x.19, 'terminal'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_RESPONSE_T:
    [
-   In( <id_c, r1, certC, r2, pkCe, '2', 'c'> ), TAInitT( <$T, iid> ),
+   In( <id_c, r1, certC, r2, pkCe, '2', 'c'> ), TAInitT( $T ),
    !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k ),
    Fr( ~ke )
    ]
@@ -126,7 +126,7 @@ rule (modulo E) TA_RESPONSE_T:
               ~skT), 
          '3', 't'>
    ),
-   CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))>,
+   CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))>,
             <~ke, encaps(~ke, pkCe)>, pkCe
    )
    ]
@@ -134,7 +134,7 @@ rule (modulo E) TA_RESPONSE_T:
   /*
   rule (modulo AC) TA_RESPONSE_T:
      [
-     In( <id_c, r1, certC, r2, pkCe, '2', 'c'> ), TAInitT( <$T, iid> ),
+     In( <id_c, r1, certC, r2, pkCe, '2', 'c'> ), TAInitT( $T ),
      !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k ),
      Fr( ~ke )
      ]
@@ -145,30 +145,30 @@ rule (modulo E) TA_RESPONSE_T:
                 ~skT), 
            '3', 't'>
      ),
-     CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)>,
+     CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, z)>,
               <~ke, encaps(~ke, pkCe)>, pkCe
      )
      ]
     variants (modulo AC)
-    1. certC = certC.22
-       z     = cert_pk(certC.22)
-       z.1   = verify(cert_sig(certC.22),
-                      <cert_pk(certC.22), cert_id(certC.22), 'chip'>, pk(ca_sk))
+    1. certC = certC.21
+       z     = cert_pk(certC.21)
+       z.1   = verify(cert_sig(certC.21),
+                      <cert_pk(certC.21), cert_id(certC.21), 'chip'>, pk(ca_sk))
     
-    2. certC = cert(z.59, sign(<z.59, x.102, 'chip'>, ca_sk), x.102)
-       z     = z.59
+    2. certC = cert(z.58, sign(<z.58, x.101, 'chip'>, ca_sk), x.101)
+       z     = z.58
        z.1   = true
     
-    3. certC = cert(z.60, x.103, x.104)
-       z     = z.60
-       z.1   = verify(x.103, <z.60, x.104, 'chip'>, pk(ca_sk))
+    3. certC = cert(z.59, x.102, x.103)
+       z     = z.59
+       z.1   = verify(x.102, <z.59, x.103, 'chip'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_COMPLETE_C:
    [
    In( <cip, cipe, s1, s2, '3', 't'> ),
-   TAChallengeC( <$C, iid>, certT, id_c, r1, skCe, r2 ),
-   !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+   TAChallengeC( $C, certT, id_c, r1, skCe, r2 ), !Ltk( $C, ~skC, 'chip' ),
+   !Cert( $C, certC, 'chip' )
    ]
   --[
   Eq( verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true ),
@@ -176,7 +176,6 @@ rule (modulo E) TA_COMPLETE_C:
              cert_pk(certT)),
       true
   ),
-  CompletedTA( $C, iid, cert_id(certT) ),
   Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
                  <decaps(cip, ~skC), decaps(cipe, skCe)>),
              <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', cert_id(certT)
@@ -187,19 +186,18 @@ rule (modulo E) TA_COMPLETE_C:
          kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>,
              <decaps(cip, ~skC), decaps(cipe, skCe)>), 
          '4', 'c'>
-   ),
-   TACompleteC( <$C, iid>, certT, id_c, r1, skCe, r2 )
+   )
    ]
 
   /*
   rule (modulo AC) TA_COMPLETE_C:
      [
      In( <cip, cipe, s1, s2, '3', 't'> ),
-     TAChallengeC( <$C, iid>, certT, id_c, r1, skCe, r2 ),
-     !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
+     TAChallengeC( $C, certT, id_c, r1, skCe, r2 ), !Ltk( $C, ~skC, 'chip' ),
+     !Cert( $C, certC, 'chip' )
      ]
     --[
-    Eq( z.2, true ), Eq( z.3, true ), CompletedTA( $C, iid, z.4 ),
+    Eq( z.2, true ), Eq( z.3, true ),
     Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>),
                <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.4
     )
@@ -207,406 +205,405 @@ rule (modulo E) TA_COMPLETE_C:
      [
      Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), 
            '4', 'c'>
-     ),
-     TACompleteC( <$C, iid>, certT, id_c, r1, skCe, r2 )
+     )
      ]
     variants (modulo AC)
-     1. ~skC  = ~skC.37
-        certC = certC.38
-        certT = certT.39
-        cip   = cip.40
-        cipe  = cipe.41
-        id_c  = id_c.42
-        r1    = r1.44
-        r2    = r2.45
-        s1    = s1.46
-        s2    = s2.47
-        skCe  = skCe.48
-        z     = decaps(cip.40, ~skC.37)
-        z.1   = decaps(cipe.41, skCe.48)
-        z.2   = verify(s1.46, <'TA', id_c.42, r1.44>, cert_pk(certT.39))
-        z.3   = verify(s2.47,
-                       <'CA', certT.39, certC.38, r2.45, cip.40, pk(skCe.48), cipe.41>,
-                       cert_pk(certT.39))
-        z.4   = cert_id(certT.39)
-    
-     2. ~skC  = ~skC.42
+     1. ~skC  = ~skC.36
+        certC = certC.37
+        certT = certT.38
+        cip   = cip.39
+        cipe  = cipe.40
+        id_c  = id_c.41
+        r1    = r1.42
+        r2    = r2.43
+        s1    = s1.44
+        s2    = s2.45
+        skCe  = skCe.46
+        z     = decaps(cip.39, ~skC.36)
+        z.1   = decaps(cipe.40, skCe.46)
+        z.2   = verify(s1.44, <'TA', id_c.41, r1.42>, cert_pk(certT.38))
+        z.3   = verify(s2.45,
+                       <'CA', certT.38, certC.37, r2.43, cip.39, pk(skCe.46), cipe.40>,
+                       cert_pk(certT.38))
+        z.4   = cert_id(certT.38)
+    
+     2. ~skC  = ~skC.41
+        certC = certC.42
+        certT = certT.43
+        cip   = encaps(z.56, pk(~skC.41))
+        cipe  = cipe.45
+        id_c  = id_c.46
+        r1    = r1.47
+        r2    = r2.48
+        s1    = s1.49
+        s2    = s2.50
+        skCe  = skCe.51
+        z     = z.56
+        z.1   = decaps(cipe.45, skCe.51)
+        z.2   = verify(s1.49, <'TA', id_c.46, r1.47>, cert_pk(certT.43))
+        z.3   = verify(s2.50,
+                       <'CA', certT.43, certC.42, r2.48, encaps(z.56, pk(~skC.41)), 
+                        pk(skCe.51), cipe.45>,
+                       cert_pk(certT.43))
+        z.4   = cert_id(certT.43)
+    
+     3. ~skC  = ~skC.42
         certC = certC.43
         certT = certT.44
-        cip   = encaps(z.58, pk(~skC.42))
-        cipe  = cipe.46
+        cip   = cip.45
+        cipe  = encaps(z.58, pk(skCe.52))
         id_c  = id_c.47
-        r1    = r1.49
-        r2    = r2.50
-        s1    = s1.51
-        s2    = s2.52
-        skCe  = skCe.53
-        z     = z.58
-        z.1   = decaps(cipe.46, skCe.53)
-        z.2   = verify(s1.51, <'TA', id_c.47, r1.49>, cert_pk(certT.44))
-        z.3   = verify(s2.52,
-                       <'CA', certT.44, certC.43, r2.50, encaps(z.58, pk(~skC.42)), 
-                        pk(skCe.53), cipe.46>,
+        r1    = r1.48
+        r2    = r2.49
+        s1    = s1.50
+        s2    = s2.51
+        skCe  = skCe.52
+        z     = decaps(cip.45, ~skC.42)
+        z.1   = z.58
+        z.2   = verify(s1.50, <'TA', id_c.47, r1.48>, cert_pk(certT.44))
+        z.3   = verify(s2.51,
+                       <'CA', certT.44, certC.43, r2.49, cip.45, pk(skCe.52), 
+                        encaps(z.58, pk(skCe.52))>,
                        cert_pk(certT.44))
         z.4   = cert_id(certT.44)
     
-     3. ~skC  = ~skC.43
-        certC = certC.44
-        certT = certT.45
-        cip   = cip.46
-        cipe  = encaps(z.60, pk(skCe.54))
-        id_c  = id_c.48
-        r1    = r1.50
-        r2    = r2.51
-        s1    = s1.52
-        s2    = s2.53
-        skCe  = skCe.54
-        z     = decaps(cip.46, ~skC.43)
-        z.1   = z.60
-        z.2   = verify(s1.52, <'TA', id_c.48, r1.50>, cert_pk(certT.45))
-        z.3   = verify(s2.53,
-                       <'CA', certT.45, certC.44, r2.51, cip.46, pk(skCe.54), 
-                        encaps(z.60, pk(skCe.54))>,
-                       cert_pk(certT.45))
-        z.4   = cert_id(certT.45)
-    
-     4. ~skC  = ~skC.43
-        certC = certC.44
-        certT = certT.45
-        cip   = encaps(z.59, pk(~skC.43))
-        cipe  = encaps(z.60, pk(skCe.54))
-        id_c  = id_c.48
-        r1    = r1.50
-        r2    = r2.51
-        s1    = s1.52
-        s2    = s2.53
-        skCe  = skCe.54
-        z     = z.59
-        z.1   = z.60
-        z.2   = verify(s1.52, <'TA', id_c.48, r1.50>, cert_pk(certT.45))
-        z.3   = verify(s2.53,
-                       <'CA', certT.45, certC.44, r2.51, encaps(z.59, pk(~skC.43)), 
-                        pk(skCe.54), encaps(z.60, pk(skCe.54))>,
-                       cert_pk(certT.45))
-        z.4   = cert_id(certT.45)
-    
-     5. ~skC  = ~skC.171
-        certC = certC.172
-        certT = cert(x.338, x.339, z.193)
-        cip   = cip.174
-        cipe  = cipe.175
-        id_c  = id_c.176
-        r1    = r1.178
-        r2    = r2.179
-        s1    = s1.180
-        s2    = s2.181
-        skCe  = skCe.182
-        z     = decaps(cip.174, ~skC.171)
-        z.1   = decaps(cipe.175, skCe.182)
-        z.2   = verify(s1.180, <'TA', id_c.176, r1.178>, x.338)
-        z.3   = verify(s2.181,
-                       <'CA', cert(x.338, x.339, z.193), certC.172, r2.179, cip.174, 
-                        pk(skCe.182), cipe.175>,
-                       x.338)
-        z.4   = z.193
-    
-     6. ~skC  = ~skC.171
-        certC = certC.172
-        certT = cert(x.338, x.339, z.193)
-        cip   = cip.174
-        cipe  = encaps(z.188, pk(skCe.182))
-        id_c  = id_c.176
-        r1    = r1.178
-        r2    = r2.179
-        s1    = s1.180
-        s2    = s2.181
-        skCe  = skCe.182
-        z     = decaps(cip.174, ~skC.171)
-        z.1   = z.188
-        z.2   = verify(s1.180, <'TA', id_c.176, r1.178>, x.338)
-        z.3   = verify(s2.181,
-                       <'CA', cert(x.338, x.339, z.193), certC.172, r2.179, cip.174, 
-                        pk(skCe.182), encaps(z.188, pk(skCe.182))>,
-                       x.338)
-        z.4   = z.193
-    
-     7. ~skC  = ~skC.171
-        certC = certC.172
-        certT = cert(pk(x.338), x.339, z.193)
-        cip   = cip.174
-        cipe  = cipe.175
-        id_c  = id_c.176
-        r1    = r1.178
-        r2    = r2.179
-        s1    = sign(<'TA', id_c.176, r1.178>, x.338)
-        s2    = s2.181
-        skCe  = skCe.182
-        z     = decaps(cip.174, ~skC.171)
-        z.1   = decaps(cipe.175, skCe.182)
+     4. ~skC  = ~skC.42
+        certC = certC.43
+        certT = certT.44
+        cip   = encaps(z.57, pk(~skC.42))
+        cipe  = encaps(z.58, pk(skCe.52))
+        id_c  = id_c.47
+        r1    = r1.48
+        r2    = r2.49
+        s1    = s1.50
+        s2    = s2.51
+        skCe  = skCe.52
+        z     = z.57
+        z.1   = z.58
+        z.2   = verify(s1.50, <'TA', id_c.47, r1.48>, cert_pk(certT.44))
+        z.3   = verify(s2.51,
+                       <'CA', certT.44, certC.43, r2.49, encaps(z.57, pk(~skC.42)), 
+                        pk(skCe.52), encaps(z.58, pk(skCe.52))>,
+                       cert_pk(certT.44))
+        z.4   = cert_id(certT.44)
+    
+     5. ~skC  = ~skC.165
+        certC = certC.166
+        certT = cert(x.326, x.327, z.187)
+        cip   = cip.168
+        cipe  = cipe.169
+        id_c  = id_c.170
+        r1    = r1.171
+        r2    = r2.172
+        s1    = s1.173
+        s2    = s2.174
+        skCe  = skCe.175
+        z     = decaps(cip.168, ~skC.165)
+        z.1   = decaps(cipe.169, skCe.175)
+        z.2   = verify(s1.173, <'TA', id_c.170, r1.171>, x.326)
+        z.3   = verify(s2.174,
+                       <'CA', cert(x.326, x.327, z.187), certC.166, r2.172, cip.168, 
+                        pk(skCe.175), cipe.169>,
+                       x.326)
+        z.4   = z.187
+    
+     6. ~skC  = ~skC.165
+        certC = certC.166
+        certT = cert(x.326, x.327, z.187)
+        cip   = cip.168
+        cipe  = encaps(z.181, pk(skCe.175))
+        id_c  = id_c.170
+        r1    = r1.171
+        r2    = r2.172
+        s1    = s1.173
+        s2    = s2.174
+        skCe  = skCe.175
+        z     = decaps(cip.168, ~skC.165)
+        z.1   = z.181
+        z.2   = verify(s1.173, <'TA', id_c.170, r1.171>, x.326)
+        z.3   = verify(s2.174,
+                       <'CA', cert(x.326, x.327, z.187), certC.166, r2.172, cip.168, 
+                        pk(skCe.175), encaps(z.181, pk(skCe.175))>,
+                       x.326)
+        z.4   = z.187
+    
+     7. ~skC  = ~skC.165
+        certC = certC.166
+        certT = cert(pk(x.326), x.327, z.187)
+        cip   = cip.168
+        cipe  = cipe.169
+        id_c  = id_c.170
+        r1    = r1.171
+        r2    = r2.172
+        s1    = sign(<'TA', id_c.170, r1.171>, x.326)
+        s2    = s2.174
+        skCe  = skCe.175
+        z     = decaps(cip.168, ~skC.165)
+        z.1   = decaps(cipe.169, skCe.175)
         z.2   = true
-        z.3   = verify(s2.181,
-                       <'CA', cert(pk(x.338), x.339, z.193), certC.172, r2.179, cip.174, 
-                        pk(skCe.182), cipe.175>,
-                       pk(x.338))
-        z.4   = z.193
-    
-     8. ~skC  = ~skC.171
-        certC = certC.172
-        certT = cert(pk(x.338), x.339, z.193)
-        cip   = cip.174
-        cipe  = encaps(z.188, pk(skCe.182))
-        id_c  = id_c.176
-        r1    = r1.178
-        r2    = r2.179
-        s1    = sign(<'TA', id_c.176, r1.178>, x.338)
-        s2    = s2.181
-        skCe  = skCe.182
-        z     = decaps(cip.174, ~skC.171)
-        z.1   = z.188
+        z.3   = verify(s2.174,
+                       <'CA', cert(pk(x.326), x.327, z.187), certC.166, r2.172, cip.168, 
+                        pk(skCe.175), cipe.169>,
+                       pk(x.326))
+        z.4   = z.187
+    
+     8. ~skC  = ~skC.165
+        certC = certC.166
+        certT = cert(pk(x.326), x.327, z.187)
+        cip   = cip.168
+        cipe  = encaps(z.181, pk(skCe.175))
+        id_c  = id_c.170
+        r1    = r1.171
+        r2    = r2.172
+        s1    = sign(<'TA', id_c.170, r1.171>, x.326)
+        s2    = s2.174
+        skCe  = skCe.175
+        z     = decaps(cip.168, ~skC.165)
+        z.1   = z.181
         z.2   = true
-        z.3   = verify(s2.181,
-                       <'CA', cert(pk(x.338), x.339, z.193), certC.172, r2.179, cip.174, 
-                        pk(skCe.182), encaps(z.188, pk(skCe.182))>,
-                       pk(x.338))
-        z.4   = z.193
-    
-     9. ~skC  = ~skC.172
-        certC = certC.173
-        certT = cert(pk(x.340), x.341, z.194)
-        cip   = cip.175
-        cipe  = cipe.176
-        id_c  = id_c.177
-        r1    = r1.179
-        r2    = r2.180
-        s1    = s1.181
-        s2    = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, 
-                      cip.175, pk(skCe.183), cipe.176>,
-                     x.340)
-        skCe  = skCe.183
-        z     = decaps(cip.175, ~skC.172)
-        z.1   = decaps(cipe.176, skCe.183)
-        z.2   = verify(s1.181, <'TA', id_c.177, r1.179>, pk(x.340))
+        z.3   = verify(s2.174,
+                       <'CA', cert(pk(x.326), x.327, z.187), certC.166, r2.172, cip.168, 
+                        pk(skCe.175), encaps(z.181, pk(skCe.175))>,
+                       pk(x.326))
+        z.4   = z.187
+    
+     9. ~skC  = ~skC.166
+        certC = certC.167
+        certT = cert(pk(x.328), x.329, z.188)
+        cip   = cip.169
+        cipe  = cipe.170
+        id_c  = id_c.171
+        r1    = r1.172
+        r2    = r2.173
+        s1    = s1.174
+        s2    = sign(<'CA', cert(pk(x.328), x.329, z.188), certC.167, r2.173, 
+                      cip.169, pk(skCe.176), cipe.170>,
+                     x.328)
+        skCe  = skCe.176
+        z     = decaps(cip.169, ~skC.166)
+        z.1   = decaps(cipe.170, skCe.176)
+        z.2   = verify(s1.174, <'TA', id_c.171, r1.172>, pk(x.328))
         z.3   = true
-        z.4   = z.194
-    
-    10. ~skC  = ~skC.172
-        certC = certC.173
-        certT = cert(pk(x.340), x.341, z.194)
-        cip   = cip.175
-        cipe  = cipe.176
-        id_c  = id_c.177
-        r1    = r1.179
-        r2    = r2.180
-        s1    = sign(<'TA', id_c.177, r1.179>, x.340)
-        s2    = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, 
-                      cip.175, pk(skCe.183), cipe.176>,
-                     x.340)
-        skCe  = skCe.183
-        z     = decaps(cip.175, ~skC.172)
-        z.1   = decaps(cipe.176, skCe.183)
+        z.4   = z.188
+    
+    10. ~skC  = ~skC.166
+        certC = certC.167
+        certT = cert(pk(x.328), x.329, z.188)
+        cip   = cip.169
+        cipe  = cipe.170
+        id_c  = id_c.171
+        r1    = r1.172
+        r2    = r2.173
+        s1    = sign(<'TA', id_c.171, r1.172>, x.328)
+        s2    = sign(<'CA', cert(pk(x.328), x.329, z.188), certC.167, r2.173, 
+                      cip.169, pk(skCe.176), cipe.170>,
+                     x.328)
+        skCe  = skCe.176
+        z     = decaps(cip.169, ~skC.166)
+        z.1   = decaps(cipe.170, skCe.176)
         z.2   = true
         z.3   = true
-        z.4   = z.194
-    
-    11. ~skC  = ~skC.172
-        certC = certC.173
-        certT = cert(pk(x.340), x.341, z.194)
-        cip   = cip.175
-        cipe  = encaps(z.189, pk(skCe.183))
-        id_c  = id_c.177
-        r1    = r1.179
-        r2    = r2.180
-        s1    = s1.181
-        s2    = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, 
-                      cip.175, pk(skCe.183), encaps(z.189, pk(skCe.183))>,
-                     x.340)
-        skCe  = skCe.183
-        z     = decaps(cip.175, ~skC.172)
-        z.1   = z.189
-        z.2   = verify(s1.181, <'TA', id_c.177, r1.179>, pk(x.340))
+        z.4   = z.188
+    
+    11. ~skC  = ~skC.166
+        certC = certC.167
+        certT = cert(pk(x.328), x.329, z.188)
+        cip   = cip.169
+        cipe  = encaps(z.182, pk(skCe.176))
+        id_c  = id_c.171
+        r1    = r1.172
+        r2    = r2.173
+        s1    = s1.174
+        s2    = sign(<'CA', cert(pk(x.328), x.329, z.188), certC.167, r2.173, 
+                      cip.169, pk(skCe.176), encaps(z.182, pk(skCe.176))>,
+                     x.328)
+        skCe  = skCe.176
+        z     = decaps(cip.169, ~skC.166)
+        z.1   = z.182
+        z.2   = verify(s1.174, <'TA', id_c.171, r1.172>, pk(x.328))
         z.3   = true
-        z.4   = z.194
-    
-    12. ~skC  = ~skC.172
-        certC = certC.173
-        certT = cert(pk(x.340), x.341, z.194)
-        cip   = cip.175
-        cipe  = encaps(z.189, pk(skCe.183))
-        id_c  = id_c.177
-        r1    = r1.179
-        r2    = r2.180
-        s1    = sign(<'TA', id_c.177, r1.179>, x.340)
-        s2    = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, 
-                      cip.175, pk(skCe.183), encaps(z.189, pk(skCe.183))>,
-                     x.340)
-        skCe  = skCe.183
-        z     = decaps(cip.175, ~skC.172)
-        z.1   = z.189
+        z.4   = z.188
+    
+    12. ~skC  = ~skC.166
+        certC = certC.167
+        certT = cert(pk(x.328), x.329, z.188)
+        cip   = cip.169
+        cipe  = encaps(z.182, pk(skCe.176))
+        id_c  = id_c.171
+        r1    = r1.172
+        r2    = r2.173
+        s1    = sign(<'TA', id_c.171, r1.172>, x.328)
+        s2    = sign(<'CA', cert(pk(x.328), x.329, z.188), certC.167, r2.173, 
+                      cip.169, pk(skCe.176), encaps(z.182, pk(skCe.176))>,
+                     x.328)
+        skCe  = skCe.176
+        z     = decaps(cip.169, ~skC.166)
+        z.1   = z.182
         z.2   = true
         z.3   = true
-        z.4   = z.194
-    
-    13. ~skC  = ~skC.173
-        certC = certC.174
-        certT = cert(x.342, x.343, z.195)
-        cip   = encaps(z.189, pk(~skC.173))
-        cipe  = cipe.177
-        id_c  = id_c.178
-        r1    = r1.180
-        r2    = r2.181
-        s1    = s1.182
-        s2    = s2.183
-        skCe  = skCe.184
-        z     = z.189
-        z.1   = decaps(cipe.177, skCe.184)
-        z.2   = verify(s1.182, <'TA', id_c.178, r1.180>, x.342)
-        z.3   = verify(s2.183,
-                       <'CA', cert(x.342, x.343, z.195), certC.174, r2.181, 
-                        encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>,
-                       x.342)
-        z.4   = z.195
-    
-    14. ~skC  = ~skC.173
-        certC = certC.174
-        certT = cert(x.342, x.343, z.195)
-        cip   = encaps(z.189, pk(~skC.173))
-        cipe  = encaps(z.190, pk(skCe.184))
-        id_c  = id_c.178
-        r1    = r1.180
-        r2    = r2.181
-        s1    = s1.182
-        s2    = s2.183
-        skCe  = skCe.184
-        z     = z.189
-        z.1   = z.190
-        z.2   = verify(s1.182, <'TA', id_c.178, r1.180>, x.342)
-        z.3   = verify(s2.183,
-                       <'CA', cert(x.342, x.343, z.195), certC.174, r2.181, 
-                        encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>,
-                       x.342)
-        z.4   = z.195
-    
-    15. ~skC  = ~skC.173
-        certC = certC.174
-        certT = cert(pk(x.342), x.343, z.195)
-        cip   = encaps(z.189, pk(~skC.173))
-        cipe  = cipe.177
-        id_c  = id_c.178
-        r1    = r1.180
-        r2    = r2.181
-        s1    = s1.182
-        s2    = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
-                      encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>,
-                     x.342)
-        skCe  = skCe.184
-        z     = z.189
-        z.1   = decaps(cipe.177, skCe.184)
-        z.2   = verify(s1.182, <'TA', id_c.178, r1.180>, pk(x.342))
+        z.4   = z.188
+    
+    13. ~skC  = ~skC.167
+        certC = certC.168
+        certT = cert(x.330, x.331, z.189)
+        cip   = encaps(z.182, pk(~skC.167))
+        cipe  = cipe.171
+        id_c  = id_c.172
+        r1    = r1.173
+        r2    = r2.174
+        s1    = s1.175
+        s2    = s2.176
+        skCe  = skCe.177
+        z     = z.182
+        z.1   = decaps(cipe.171, skCe.177)
+        z.2   = verify(s1.175, <'TA', id_c.172, r1.173>, x.330)
+        z.3   = verify(s2.176,
+                       <'CA', cert(x.330, x.331, z.189), certC.168, r2.174, 
+                        encaps(z.182, pk(~skC.167)), pk(skCe.177), cipe.171>,
+                       x.330)
+        z.4   = z.189
+    
+    14. ~skC  = ~skC.167
+        certC = certC.168
+        certT = cert(x.330, x.331, z.189)
+        cip   = encaps(z.182, pk(~skC.167))
+        cipe  = encaps(z.183, pk(skCe.177))
+        id_c  = id_c.172
+        r1    = r1.173
+        r2    = r2.174
+        s1    = s1.175
+        s2    = s2.176
+        skCe  = skCe.177
+        z     = z.182
+        z.1   = z.183
+        z.2   = verify(s1.175, <'TA', id_c.172, r1.173>, x.330)
+        z.3   = verify(s2.176,
+                       <'CA', cert(x.330, x.331, z.189), certC.168, r2.174, 
+                        encaps(z.182, pk(~skC.167)), pk(skCe.177), encaps(z.183, pk(skCe.177))>,
+                       x.330)
+        z.4   = z.189
+    
+    15. ~skC  = ~skC.167
+        certC = certC.168
+        certT = cert(pk(x.330), x.331, z.189)
+        cip   = encaps(z.182, pk(~skC.167))
+        cipe  = cipe.171
+        id_c  = id_c.172
+        r1    = r1.173
+        r2    = r2.174
+        s1    = s1.175
+        s2    = sign(<'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, 
+                      encaps(z.182, pk(~skC.167)), pk(skCe.177), cipe.171>,
+                     x.330)
+        skCe  = skCe.177
+        z     = z.182
+        z.1   = decaps(cipe.171, skCe.177)
+        z.2   = verify(s1.175, <'TA', id_c.172, r1.173>, pk(x.330))
         z.3   = true
-        z.4   = z.195
-    
-    16. ~skC  = ~skC.173
-        certC = certC.174
-        certT = cert(pk(x.342), x.343, z.195)
-        cip   = encaps(z.189, pk(~skC.173))
-        cipe  = cipe.177
-        id_c  = id_c.178
-        r1    = r1.180
-        r2    = r2.181
-        s1    = sign(<'TA', id_c.178, r1.180>, x.342)
-        s2    = s2.183
-        skCe  = skCe.184
-        z     = z.189
-        z.1   = decaps(cipe.177, skCe.184)
+        z.4   = z.189
+    
+    16. ~skC  = ~skC.167
+        certC = certC.168
+        certT = cert(pk(x.330), x.331, z.189)
+        cip   = encaps(z.182, pk(~skC.167))
+        cipe  = cipe.171
+        id_c  = id_c.172
+        r1    = r1.173
+        r2    = r2.174
+        s1    = sign(<'TA', id_c.172, r1.173>, x.330)
+        s2    = s2.176
+        skCe  = skCe.177
+        z     = z.182
+        z.1   = decaps(cipe.171, skCe.177)
         z.2   = true
-        z.3   = verify(s2.183,
-                       <'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
-                        encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>,
-                       pk(x.342))
-        z.4   = z.195
-    
-    17. ~skC  = ~skC.173
-        certC = certC.174
-        certT = cert(pk(x.342), x.343, z.195)
-        cip   = encaps(z.189, pk(~skC.173))
-        cipe  = cipe.177
-        id_c  = id_c.178
-        r1    = r1.180
-        r2    = r2.181
-        s1    = sign(<'TA', id_c.178, r1.180>, x.342)
-        s2    = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
-                      encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>,
-                     x.342)
-        skCe  = skCe.184
-        z     = z.189
-        z.1   = decaps(cipe.177, skCe.184)
+        z.3   = verify(s2.176,
+                       <'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, 
+                        encaps(z.182, pk(~skC.167)), pk(skCe.177), cipe.171>,
+                       pk(x.330))
+        z.4   = z.189
+    
+    17. ~skC  = ~skC.167
+        certC = certC.168
+        certT = cert(pk(x.330), x.331, z.189)
+        cip   = encaps(z.182, pk(~skC.167))
+        cipe  = cipe.171
+        id_c  = id_c.172
+        r1    = r1.173
+        r2    = r2.174
+        s1    = sign(<'TA', id_c.172, r1.173>, x.330)
+        s2    = sign(<'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, 
+                      encaps(z.182, pk(~skC.167)), pk(skCe.177), cipe.171>,
+                     x.330)
+        skCe  = skCe.177
+        z     = z.182
+        z.1   = decaps(cipe.171, skCe.177)
         z.2   = true
         z.3   = true
-        z.4   = z.195
-    
-    18. ~skC  = ~skC.173
-        certC = certC.174
-        certT = cert(pk(x.342), x.343, z.195)
-        cip   = encaps(z.189, pk(~skC.173))
-        cipe  = encaps(z.190, pk(skCe.184))
-        id_c  = id_c.178
-        r1    = r1.180
-        r2    = r2.181
-        s1    = s1.182
-        s2    = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
-                      encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>,
-                     x.342)
-        skCe  = skCe.184
-        z     = z.189
-        z.1   = z.190
-        z.2   = verify(s1.182, <'TA', id_c.178, r1.180>, pk(x.342))
+        z.4   = z.189
+    
+    18. ~skC  = ~skC.167
+        certC = certC.168
+        certT = cert(pk(x.330), x.331, z.189)
+        cip   = encaps(z.182, pk(~skC.167))
+        cipe  = encaps(z.183, pk(skCe.177))
+        id_c  = id_c.172
+        r1    = r1.173
+        r2    = r2.174
+        s1    = s1.175
+        s2    = sign(<'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, 
+                      encaps(z.182, pk(~skC.167)), pk(skCe.177), encaps(z.183, pk(skCe.177))>,
+                     x.330)
+        skCe  = skCe.177
+        z     = z.182
+        z.1   = z.183
+        z.2   = verify(s1.175, <'TA', id_c.172, r1.173>, pk(x.330))
         z.3   = true
-        z.4   = z.195
-    
-    19. ~skC  = ~skC.173
-        certC = certC.174
-        certT = cert(pk(x.342), x.343, z.195)
-        cip   = encaps(z.189, pk(~skC.173))
-        cipe  = encaps(z.190, pk(skCe.184))
-        id_c  = id_c.178
-        r1    = r1.180
-        r2    = r2.181
-        s1    = sign(<'TA', id_c.178, r1.180>, x.342)
-        s2    = s2.183
-        skCe  = skCe.184
-        z     = z.189
-        z.1   = z.190
+        z.4   = z.189
+    
+    19. ~skC  = ~skC.167
+        certC = certC.168
+        certT = cert(pk(x.330), x.331, z.189)
+        cip   = encaps(z.182, pk(~skC.167))
+        cipe  = encaps(z.183, pk(skCe.177))
+        id_c  = id_c.172
+        r1    = r1.173
+        r2    = r2.174
+        s1    = sign(<'TA', id_c.172, r1.173>, x.330)
+        s2    = s2.176
+        skCe  = skCe.177
+        z     = z.182
+        z.1   = z.183
         z.2   = true
-        z.3   = verify(s2.183,
-                       <'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
-                        encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>,
-                       pk(x.342))
-        z.4   = z.195
-    
-    20. ~skC  = ~skC.173
-        certC = certC.174
-        certT = cert(pk(x.342), x.343, z.195)
-        cip   = encaps(z.189, pk(~skC.173))
-        cipe  = encaps(z.190, pk(skCe.184))
-        id_c  = id_c.178
-        r1    = r1.180
-        r2    = r2.181
-        s1    = sign(<'TA', id_c.178, r1.180>, x.342)
-        s2    = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, 
-                      encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>,
-                     x.342)
-        skCe  = skCe.184
-        z     = z.189
-        z.1   = z.190
+        z.3   = verify(s2.176,
+                       <'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, 
+                        encaps(z.182, pk(~skC.167)), pk(skCe.177), encaps(z.183, pk(skCe.177))>,
+                       pk(x.330))
+        z.4   = z.189
+    
+    20. ~skC  = ~skC.167
+        certC = certC.168
+        certT = cert(pk(x.330), x.331, z.189)
+        cip   = encaps(z.182, pk(~skC.167))
+        cipe  = encaps(z.183, pk(skCe.177))
+        id_c  = id_c.172
+        r1    = r1.173
+        r2    = r2.174
+        s1    = sign(<'TA', id_c.172, r1.173>, x.330)
+        s2    = sign(<'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, 
+                      encaps(z.182, pk(~skC.167)), pk(skCe.177), encaps(z.183, pk(skCe.177))>,
+                     x.330)
+        skCe  = skCe.177
+        z     = z.182
+        z.1   = z.183
         z.2   = true
         z.3   = true
-        z.4   = z.195
+        z.4   = z.189
   */
 
 rule (modulo E) CA_FINISH_T:
    [
    In( <kCNF_C, '4', 'c'> ),
-   CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+   CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
    !Cert( $T, certT, 'terminal' )
    ]
   --[
@@ -617,9 +614,6 @@ rule (modulo E) CA_FINISH_T:
   Finished( <certT, certC, r2, cip, pkCe, cipe> )
   ]->
    [
-   CAFinishT( cert_id(certC), $T,
-              kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
-   ),
    !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
                    kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
    )
@@ -629,7 +623,7 @@ rule (modulo E) CA_FINISH_T:
   rule (modulo AC) CA_FINISH_T:
      [
      In( <kCNF_C, '4', 'c'> ),
-     CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+     CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
      !Cert( $T, certT, 'terminal' )
      ]
     --[
@@ -640,19 +634,16 @@ rule (modulo E) CA_FINISH_T:
     Finished( <certT, certC, r2, cip, pkCe, cipe> )
     ]->
      [
-     CAFinishT( z, $T,
-                kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
-     ),
      !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
                      kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
      )
      ]
     variants (modulo AC)
-    1. certC = certC.18
-       z     = cert_id(certC.18)
+    1. certC = certC.19
+       z     = cert_id(certC.19)
     
-    2. certC = cert(x.44, x.45, z.31)
-       z     = z.31
+    2. certC = cert(x.29, x.30, z.24)
+       z     = z.24
   */
 
 rule (modulo E) Verify_Transcript_C:
@@ -4191,7 +4182,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C
-  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
+  solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, skCe, r2
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -4209,7 +4200,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
                           <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -4298,7 +4289,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C
-  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
+  solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, skCe, r2
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -4316,7 +4307,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
                           <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -4327,8 +4318,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
               case CA_Sign_ltk
               solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
                 case TA_COMPLETE_C
-                solve( TAChallengeC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1,
-                                     skCe.1, r2.1
+                solve( TAChallengeC( $C, cert(pk(x), x.1, $T), id_c.1, r1.1, skCe.1, r2.1
                        ) ▶₁ #i2 )
                   case TA_CHALLENGE_C
                   solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
@@ -4346,7 +4336,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                         $T, 'terminal', $C
                              ) @ #j2 )
                         case CA_FINISH_T
-                        solve( CAInitT( <$T, iid.3>, id_c.3,
+                        solve( CAInitT( $T, id_c.3,
                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
                                         <z, cip>, <z.1, cipe>, pk(~skCe.1)
                                ) ▶₁ #j2 )
@@ -4504,6 +4494,93 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                      <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.28 )
+            case TA_RESPONSE_T
+            solve( !KU( ~ke ) @ #vk.29 )
+              case TA_RESPONSE_T
+              solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                     ) @ #vk.17 )
+                case CA_Sign_ltk
+                solve( !KU( ~ltk.1 ) @ #vk.30 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case TA_CHALLENGE_C
+                solve( !KU( ~ltk.1 ) @ #vk.30 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_cert
+                solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.33 )
+                  case CA_Sign_ltk
+                  solve( !KU( ~ltk.1 ) @ #vk.31 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~ltk.1 ) @ #vk.31 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_sign
+                  by solve( !KU( ca_sk ) @ #vk.37 )
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C
+      by contradiction /* from formulas */
+    qed
+  qed
+qed
+
 lemma weak_agreement_C:
   all-traces
   "∀ k sid C T #i #t.
@@ -4521,8 +4598,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -4533,7 +4609,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
                       C, 'chip', T.1
            ) @ #i )
       case TA_COMPLETE_C
-      solve( TAChallengeC( <$C, iid>,
+      solve( TAChallengeC( $C,
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                            skCe, r2
              ) ▶₁ #i )
@@ -4568,8 +4644,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -4580,9 +4655,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
-                      <ke.1, encaps(~ke, pkCe)>, pkCe
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2,
+                      <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe
              ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !KU( kdf(<'CNF', 
@@ -4656,8 +4730,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -4668,7 +4741,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
                       C, 'chip', T.1
            ) @ #i )
       case TA_COMPLETE_C
-      solve( TAChallengeC( <$C, iid>,
+      solve( TAChallengeC( $C,
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                            skCe, r2
              ) ▶₁ #i )
@@ -4749,8 +4822,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-       ) ▶₁ #t )
+solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -4761,9 +4833,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
-                      <ke.1, encaps(~ke, pkCe)>, pkCe
+      solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2,
+                      <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe
              ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !KU( kdf(<'CNF', 
@@ -4820,95 +4891,6 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
   qed
 qed
 
-lemma aliveness:
-  all-traces
-  "∀ k sid A role B #i #t.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
-     (∃ #k.1. Corrupted( B ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid A role B #i #t.
-  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-       ) ▶₁ #t )
-  case TA_RESPONSE_T
-  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
-    case CA_Sign_ltk
-    solve( Completed( k.1,
-                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
-                       encaps(~ke, pkCe)>,
-                      A, role, B
-           ) @ #i )
-      case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c,
-                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>,
-                      <ke.1, encaps(~ke, pkCe)>, pkCe
-             ) ▶₁ #i )
-        case TA_RESPONSE_T
-        solve( !KU( kdf(<'CNF', 
-                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
-                         encaps(~ke, pkCe)>,
-                        <~k, ~ke>)
-               ) @ #vk.1 )
-          case TA_COMPLETE_C
-          by contradiction /* from formulas */
-        next
-          case c_kdf
-          solve( !KU( ~k ) @ #vk.28 )
-            case TA_RESPONSE_T
-            solve( !KU( ~ke ) @ #vk.29 )
-              case TA_RESPONSE_T
-              solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
-                     ) @ #vk.17 )
-                case CA_Sign_ltk
-                solve( !KU( ~ltk.1 ) @ #vk.30 )
-                  case Corrupt_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case TA_CHALLENGE_C
-                solve( !KU( ~ltk.1 ) @ #vk.30 )
-                  case Corrupt_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_cert
-                solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.33 )
-                  case CA_Sign_ltk
-                  solve( !KU( ~ltk.1 ) @ #vk.31 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case TA_CHALLENGE_C
-                  solve( !KU( ~ltk.1 ) @ #vk.31 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_sign
-                  by solve( !KU( ca_sk ) @ #vk.37 )
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    next
-      case TA_COMPLETE_C
-      by contradiction /* from formulas */
-    qed
-  qed
-qed
-
 lemma session_uniqueness:
   all-traces
   "∀ A B k sid sid2 role #i #j.
@@ -4930,8 +4912,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_1
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-             ) ▶₁ #i )
+      solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -4943,9 +4924,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1,
-                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
-                            <~ke, encaps(~ke, pkCe)>, pkCe
+            solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                            <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe
                    ) ▶₁ #j )
               case TA_RESPONSE_T
               by contradiction /* cyclic */
@@ -4955,7 +4935,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C
-      solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, skCe, r2
+      solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, skCe, r2
              ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -4970,7 +4950,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C
-              solve( TAChallengeC( <$C, iid.1>,
+              solve( TAChallengeC( $C,
                                    cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~skCe,
                                    ~r2
                      ) ▶₁ #j )
@@ -4986,8 +4966,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_2
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-             ) ▶₁ #i )
+      solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
@@ -4999,9 +4978,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1,
-                            cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
-                            <~ke, encaps(~ke, pkCe)>, pkCe
+            solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2,
+                            <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe
                    ) ▶₁ #j )
               case TA_RESPONSE_T
               by contradiction /* cyclic */
@@ -5011,7 +4989,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C
-      solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, skCe, r2
+      solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, skCe, r2
              ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -5026,7 +5004,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C
-              solve( TAChallengeC( <$C, iid.1>,
+              solve( TAChallengeC( $C,
                                    cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~skCe,
                                    ~r2
                      ) ▶₁ #j )
@@ -5043,8 +5021,7 @@ next
   case case_2
   solve( Completed( k, sid, A, role, B ) @ #i )
     case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
-           ) ▶₁ #i )
+    solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i )
       case TA_RESPONSE_T
       solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
         case CA_Sign_ltk
@@ -5062,7 +5039,7 @@ next
     qed
   next
     case TA_COMPLETE_C
-    solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, skCe, r2
+    solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, skCe, r2
            ) ▶₁ #i )
       case TA_CHALLENGE_C
       solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -5090,19 +5067,21 @@ lemma consistency:
   "∀ C T k k2 sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
-    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+    (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k k2 sid #i #j.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧
   (Completed( k2, sid, T, 'terminal', C ) @ #j)
  ∧
-  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (¬(k = k2)) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C
-  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
+  solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, skCe, r2
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
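Review bot: The added `∨ (∃ #m. Corrupted( T ) @ #m)` makes `consistency` strictly weaker than the statement it replaces. The removed summary line further down in this file shows the old statement was verified (35 steps) against the previous model, so agreement on `k` with a corrupted terminal long-term key was a proved result that this log no longer carries. The `key_secrecy` hunk below adds the same disjunct, and its old statement was verified in 37 steps. If terminal corruption is now meant to be covered only by `forward_secrecy`, I would say so where the lemma is defined, e.g. `/* corruption of T's ltk is excluded here; see forward_secrecy for the case this lemma no longer covers */`, or keep the stronger statement as a second lemma. The proof of `consistency` continues outside this hunk.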
@@ -5116,7 +5095,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>,
                           <ke, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -5161,76 +5140,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                     case c_sign
                     solve( !KU( ~ltk.1 ) @ #vk.48 )
                       case Corrupt_ltk
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                      <~k, ~ke>)
-                             ) @ #vk.22 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.53 )
-                          case TA_RESPONSE_T
-                          solve( !KU( ~ke ) @ #vk.54 )
-                            case TA_RESPONSE_T
-                            solve( !KU( ~ltk ) @ #vk.55 )
-                              case Corrupt_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          qed
-                        qed
-                      qed
+                      by contradiction /* from formulas */
                     qed
                   qed
                 next
                   case c_sign
                   solve( !KU( ~ltk.1 ) @ #vk.33 )
                     case Corrupt_ltk
-                    solve( !KU( sign(<'CA', 
-                                      cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                      cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                      encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                     ~ltk.1)
-                           ) @ #vk.8 )
-                      case TA_RESPONSE_T
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                      <~k, ~ke>)
-                             ) @ #vk.17 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.46 )
-                          case TA_RESPONSE_T
-                          solve( !KU( ~ke ) @ #vk.47 )
-                            case TA_RESPONSE_T
-                            solve( !KU( ~ltk ) @ #vk.48 )
-                              case Corrupt_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          qed
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( kdf(<'CNF', 
-                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                      <~k, ~ke>)
-                             ) @ #vk.20 )
-                        case c_kdf
-                        solve( !KU( ~k ) @ #vk.48 )
-                          case TA_RESPONSE_T
-                          solve( !KU( ~ke ) @ #vk.49 )
-                            case TA_RESPONSE_T
-                            solve( !KU( ~ltk ) @ #vk.50 )
-                              case Corrupt_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
+                    by contradiction /* from formulas */
                   qed
                 qed
               qed
@@ -5247,8 +5164,9 @@ lemma key_secrecy:
   "∀ C T k sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
-    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
-     (∃ #m. Corrupted( C ) @ #m))"
+    ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+      (∃ #m. Corrupted( C ) @ #m)) ∨
+     (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k sid #i #j.
@@ -5257,12 +5175,13 @@ guarded formula characterizing all counter-examples:
  ∧
   (∃ #m. (K( k ) @ #m)) ∧
   (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C
-  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
+  solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, skCe, r2
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -5280,7 +5199,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
                           <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -5323,150 +5242,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                   case c_sign
                   solve( !KU( ~ltk.1 ) @ #vk.49 )
                     case Corrupt_ltk
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                    <~k, ~ke>)
-                           ) @ #vk.6 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.54 )
-                        case TA_RESPONSE_T
-                        solve( !KU( ~ke ) @ #vk.55 )
-                          case TA_RESPONSE_T
-                          solve( !KU( ~ltk ) @ #vk.56 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
-                    qed
+                    by contradiction /* from formulas */
                   qed
                 qed
               next
                 case c_sign
                 solve( !KU( ~ltk.1 ) @ #vk.34 )
                   case Corrupt_ltk
-                  solve( !KU( sign(<'CA', 
-                                    cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                    encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                   ~ltk.1)
-                         ) @ #vk.9 )
-                    case TA_RESPONSE_T
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                    <~k, ~ke>)
-                           ) @ #vk.5 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.47 )
-                        case TA_RESPONSE_T
-                        solve( !KU( ~ke ) @ #vk.48 )
-                          case TA_RESPONSE_T
-                          solve( !KU( ~ltk ) @ #vk.49 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_sign
-                    solve( !KU( kdf(<'KEY', 
-                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                    <~k, ~ke>)
-                           ) @ #vk.5 )
-                      case Reveal_session
-                      by contradiction /* from formulas */
-                    next
-                      case c_kdf
-                      solve( !KU( ~k ) @ #vk.49 )
-                        case TA_RESPONSE_T
-                        solve( !KU( ~ke ) @ #vk.50 )
-                          case TA_RESPONSE_T
-                          solve( !KU( ~ltk ) @ #vk.51 )
-                            case Corrupt_ltk
-                            by contradiction /* from formulas */
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma chip_hiding:
-  all-traces
-  "∀ C T iid #i.
-    (CompletedTA( C, iid, T ) @ #i) ⇒
-    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T iid #i.
-  (CompletedTA( C, iid, T ) @ #i)
- ∧
-  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
-*/
-simplify
-solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
-       ) ▶₁ #i )
-  case TA_CHALLENGE_C
-  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
-    case Generate_chip_key_pair
-    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
-      case CA_Sign_ltk
-      solve( !KU( sign(<'TA', ~id_c, ~r1>, x) ) @ #vk.5 )
-        case c_sign
-        solve( !KU( sign(<'CA', 
-                          cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
-                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
-                          pk(~skCe), cipe>,
-                         x)
-               ) @ #vk.7 )
-          case c_sign
-          solve( !KU( cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T)
-                 ) @ #vk.16 )
-            case CA_Sign_ltk
-            solve( !KU( ~ltk ) @ #vk.22 )
-              case Corrupt_ltk
-              solve( splitEqs(0) )
-                case split_case_1
-                solve( !KU( ~iid ) @ #vk.21 )
-                  case TA_CHALLENGE_C
-                  solve( !KU( ~id_c ) @ #vk.26 )
-                    case TA_CHALLENGE_C
-                    solve( !KU( ~r1 ) @ #vk.27 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( ~r2 ) @ #vk.30 )
-                        case TA_CHALLENGE_C
-                        solve( !KU( cert(pk(~ltk.1), sign(<pk(~ltk.1), $C, 'chip'>, ca_sk), $C)
-                               ) @ #vk.30 )
-                          case CA_Sign_ltk
-                          solve( !KU( pk(~skCe) ) @ #vk.31 )
-                            case TA_CHALLENGE_C
-                            SOLVED // trace found
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
+                  by contradiction /* from formulas */
                 qed
               qed
             qed
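Review bot: The deleted `chip_hiding` proof ends in `SOLVED // trace found`, so the previous run had a counterexample for that property, and this hunk drops the lemma without recording that result anywhere in the log. After the change nothing here makes a statement about `iid` or the privacy of the chip's identity, so a reader of the new summary cannot tell that the property was checked and did not hold. I would keep that visible next to the model, for example with `/* chip hiding is not modelled: the earlier chip_hiding lemma was falsified */`. README.md is touched by this commit but is not visible here, so this may already be covered there. The `key_secrecy` proof at the top of this hunk starts outside it.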
@@ -5477,7 +5260,7 @@ solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
   qed
 qed
 
-lemma nonRepudiation_terminal:
+lemma notNonRepudiation_C:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -5541,7 +5324,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma nonRepudiation_chip:
+lemma notNonRepudiation_T:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
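Review bot: The new name `notNonRepudiation_T` states the negation of the property, which makes the result lines easy to misread. In the summary of this file `notNonRepudiation_C` is `verified` and `notNonRepudiation_T` is `falsified - no trace found`, and as far as the visible lines show, only the second outcome supports non-repudiation. A one-line comment at the lemma definition would settle it, e.g. `/* exists-trace: a witness is a ValidTrans without any Started() session; 'falsified' is the desired result */`. The lemma body continues past this hunk, so that reading is inferred from its first two lines.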
@@ -5574,7 +5357,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i )
   qed
 qed
 
-lemma pfs:
+lemma forward_secrecy:
   all-traces
   "∀ C T k sid #i #j.
     ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
@@ -5596,7 +5379,7 @@ guarded formula characterizing all counter-examples:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C
-  solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2
+  solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, skCe, r2
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -5614,7 +5397,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1,
+          solve( CAInitT( $T, id_c.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
                           <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -5793,21 +5576,20 @@ summary of summaries:
 
 analyzed: tmp.spthy
 
-  processing time: 981.75s
+  processing time: 830.37s
   
   session_exist (exists-trace): verified (21 steps)
   two_session_exist (exists-trace): verified (40 steps)
+  aliveness (all-traces): verified (21 steps)
   weak_agreement_C (all-traces): verified (8 steps)
   weak_agreement_T (all-traces): verified (20 steps)
   agreement_C (all-traces): verified (20 steps)
   agreement_T (all-traces): verified (20 steps)
-  aliveness (all-traces): verified (21 steps)
   session_uniqueness (all-traces): verified (37 steps)
-  consistency (all-traces): verified (35 steps)
-  key_secrecy (all-traces): verified (37 steps)
-  chip_hiding (all-traces): falsified - found trace (16 steps)
-  nonRepudiation_terminal (exists-trace): verified (14 steps)
-  nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps)
-  pfs (all-traces): verified (37 steps)
+  consistency (all-traces): verified (21 steps)
+  key_secrecy (all-traces): verified (20 steps)
+  notNonRepudiation_C (exists-trace): verified (14 steps)
+  notNonRepudiation_T (exists-trace): falsified - no trace found (7 steps)
+  forward_secrecy (all-traces): verified (37 steps)
 
 ==============================================================================
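Review bot: The context line `analyzed: tmp.spthy` means this log does not name the model it was produced from, and the diffstat of this commit deletes `tmp.spthy`. The verified and falsified lines in this summary can therefore be tied to a model in the tree only through the log's file name. Since these logs are the evidence for the security claims, I would run the prover on the named model file directly, or prepend a header line to each log such as `model: <MODEL_FILE>.spthy, commit: <COMMIT_ID>`. That would also make it possible to check that the step-count changes (e.g. `key_secrecy` 37 to 20) come from the lemma change and not from a different input.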
diff --git a/results/45991793.err.ALL_KemPQEAC_TAMARIN b/results/46092875.err.ForwardSecrecy_KemPQEAC
similarity index 100%
rename from results/45991793.err.ALL_KemPQEAC_TAMARIN
rename to results/46092875.err.ForwardSecrecy_KemPQEAC
diff --git a/results/45991549.out.PFS_ALL_KemPQEAC_TAMARIN b/results/46092875.out.ForwardSecrecy_KemPQEAC
similarity index 79%
rename from results/45991549.out.PFS_ALL_KemPQEAC_TAMARIN
rename to results/46092875.out.ForwardSecrecy_KemPQEAC
index 2221843..9f4c872 100644
--- a/results/45991549.out.PFS_ALL_KemPQEAC_TAMARIN
+++ b/results/46092875.out.ForwardSecrecy_KemPQEAC
@@ -74,56 +74,53 @@ rule (modulo E) Reveal_session:
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+   [ !Cert( $T, certT, 'terminal' ) ]
   --[ Started( ) ]->
-   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+   [ Out( <certT, '1', 't'> ), TAInitT( $T ) ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_CHALLENGE_C:
-   [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid )
-   ]
+   [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ) ]
   --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
    [
    Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), '2', 'c'> ),
-   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1,
-                 <~kTA, encaps(~kTA, cert_pk(certT))>
+   TAChallengeC( $C, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, cert_pk(certT))>
    )
    ]
 
   /*
   rule (modulo AC) TA_CHALLENGE_C:
-     [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid )
-     ]
+     [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ) ]
     --[ Eq( z.1, true ), Started( ) ]->
      [
      Out( <~id_c, ~r1, encaps(~kTA, z), '2', 'c'> ),
-     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, z)> )
+     TAChallengeC( $C, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, z)> )
      ]
     variants (modulo AC)
-    1. certT = certT.14
-       z     = cert_pk(certT.14)
-       z.1   = verify(cert_sig(certT.14),
-                      <cert_pk(certT.14), cert_id(certT.14), 'terminal'>, pk(ca_sk))
+    1. certT = certT.13
+       z     = cert_pk(certT.13)
+       z.1   = verify(cert_sig(certT.13),
+                      <cert_pk(certT.13), cert_id(certT.13), 'terminal'>, pk(ca_sk))
     
-    2. certT = cert(z.27, sign(<z.27, x.44, 'terminal'>, ca_sk), x.44)
-       z     = z.27
+    2. certT = cert(z.26, sign(<z.26, x.43, 'terminal'>, ca_sk), x.43)
+       z     = z.26
        z.1   = true
     
-    3. certT = cert(z.28, x.45, x.46)
-       z     = z.28
-       z.1   = verify(x.45, <z.28, x.46, 'terminal'>, pk(ca_sk))
+    3. certT = cert(z.27, x.44, x.45)
+       z     = z.27
+       z.1   = verify(x.44, <z.27, x.45, 'terminal'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_RESPONSE_T:
    [
-   In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ),
+   In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( $T ),
    !Ltk( $T, ~skT, 'terminal' )
    ]
   -->
    [
    Out( <kdf(<'TCNF', r1>, decaps(cTA, ~skT)), '3', 't'> ),
-   TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, decaps(cTA, ~skT)),
+   TAResponseT( $T, id_c, kdf(<'TMAC', r1>, decaps(cTA, ~skT)),
                 kdf(<'TENC', r1>, decaps(cTA, ~skT))
    )
    ]
@@ -131,78 +128,51 @@ rule (modulo E) TA_RESPONSE_T:
   /*
   rule (modulo AC) TA_RESPONSE_T:
      [
-     In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ),
+     In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( $T ),
      !Ltk( $T, ~skT, 'terminal' )
      ]
     -->
      [
      Out( <kdf(<'TCNF', r1>, z), '3', 't'> ),
-     TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, z), kdf(<'TENC', r1>, z)
-     )
+     TAResponseT( $T, id_c, kdf(<'TMAC', r1>, z), kdf(<'TENC', r1>, z) )
      ]
     variants (modulo AC)
-    1. ~skT  = ~skT.14
-       cTA   = cTA.15
-       z     = decaps(cTA.15, ~skT.14)
+    1. ~skT  = ~skT.13
+       cTA   = cTA.14
+       z     = decaps(cTA.14, ~skT.13)
     
-    2. ~skT  = ~skT.22
-       cTA   = encaps(z.31, pk(~skT.22))
-       z     = z.31
+    2. ~skT  = ~skT.20
+       cTA   = encaps(z.28, pk(~skT.20))
+       z     = z.28
   */
 
 rule (modulo E) TA_COMPLETE_C:
    [
    In( <kTCNF_T, '3', 't'> ),
-   TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> )
+   TAChallengeC( $C, certT, id_c, r1, <kTA, cTA> )
    ]
-  --[
-  Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ),
-  CompletedTA( $C, iid, cert_id(certT) )
-  ]->
+  --[ Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ) ]->
    [
-   TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>,
-                kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA)
+   TACompleteC( $C, certT, id_c, r1, <kTA, cTA>, kdf(<'TMAC', r1>, kTA),
+                kdf(<'TENC', r1>, kTA)
    )
    ]
 
-  /*
-  rule (modulo AC) TA_COMPLETE_C:
-     [
-     In( <kTCNF_T, '3', 't'> ),
-     TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> )
-     ]
-    --[ Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ), CompletedTA( $C, iid, z ) ]->
-     [
-     TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>,
-                  kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA)
-     )
-     ]
-    variants (modulo AC)
-    1. certT = certT.16
-       z     = cert_id(certT.16)
-    
-    2. certT = cert(x.26, x.27, z.21)
-       z     = z.21
-  */
+  /* has exactly the trivial AC variant */
 
 rule (modulo E) CA_INIT_C:
-   [
-   !Cert( $C, certC, 'chip' ), Fr( ~r2 ), Fr( ~skCe ),
-   TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC )
-   ]
+   [ !Cert( $C, certC, 'chip' ), Fr( ~r2 ), Fr( ~skCe ) ]
   -->
    [
    Out( <senc(<certC, ~r2, pk(~skCe)>, kTENC), '4', 'c'> ),
-   Out( senc(iid, kTENC) ),
-   CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2, ~skCe
-   )
+   CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2, ~skCe )
    ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) CA_INIT_T:
    [
-   In( <cCA, '4', 'c'> ), TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ),
+   In( <cCA, '4', 'c'> ), TAResponseT( $T, id_c, kTMAC, kTENC ),
    !Cert( $T, certT, 'terminal' ), Fr( ~k ), Fr( ~ke )
    ]
   --[ Eq( verify_cert(fst(sdec(cCA, kTENC)), 'chip'), true ) ]->
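Review bot: The new `CA_INIT_C` rule in this hunk no longer has `TACompleteC` among its premises, so `certT`, `id_c`, `r1`, `kTA`, `cTA`, `kTMAC` and `kTENC` appear only in its conclusions (`Out( <senc(<certC, ~r2, pk(~skCe)>, kTENC), '4', 'c'> )` and `CAInitC( ... )`) and are bound by nothing. `TA_COMPLETE_C` still produces `TACompleteC`, but no rule visible here consumes it, so the chip side of Chip Authentication appears to be decoupled from a completed Terminal Authentication. The later proof hunks are consistent with that: `CAInitT` is solved with `kTMAC.1, kTENC.1` while `CAInitC` carries `kTMAC, kTENC`, and the MAC key in the `!KU( mac(...) )` goal is a bare `kTMAC` where it used to be `kdf(<'TMAC', ~r1>, ~kTA)`. Since this file is tool output, the fix belongs in the model source: restore the premise `TACompleteC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC )` in `CA_INIT_C`. It would also help to confirm that the run's wellformedness check was clean before relying on the `verified` lines in the summary, because Tamarin normally flags unbound conclusion variables and results on such a model may not reflect the intended protocol.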
@@ -214,7 +184,7 @@ rule (modulo E) CA_INIT_T:
              kTMAC), 
          encaps(~ke, snd(snd(sdec(cCA, kTENC)))), '5', 't'>
    ),
-   CAInitT( <$T, iid>, id_c, kTMAC, kTENC, fst(sdec(cCA, kTENC)),
+   CAInitT( $T, id_c, kTMAC, kTENC, fst(sdec(cCA, kTENC)),
             fst(snd(sdec(cCA, kTENC))),
             <~k, encaps(~k, cert_pk(fst(sdec(cCA, kTENC))))>,
             <~ke, encaps(~ke, snd(snd(sdec(cCA, kTENC))))>,
@@ -225,7 +195,7 @@ rule (modulo E) CA_INIT_T:
   /*
   rule (modulo AC) CA_INIT_T:
      [
-     In( <cCA, '4', 'c'> ), TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ),
+     In( <cCA, '4', 'c'> ), TAResponseT( $T, id_c, kTMAC, kTENC ),
      !Cert( $T, certT, 'terminal' ), Fr( ~k ), Fr( ~ke )
      ]
     --[ Eq( z.4, true ) ]->
@@ -235,91 +205,90 @@ rule (modulo E) CA_INIT_T:
                kTMAC), 
            encaps(~ke, z.3), '5', 't'>
      ),
-     CAInitT( <$T, iid>, id_c, kTMAC, kTENC, z.1, z.2, <~k, encaps(~k, z)>,
+     CAInitT( $T, id_c, kTMAC, kTENC, z.1, z.2, <~k, encaps(~k, z)>,
               <~ke, encaps(~ke, z.3)>, z.3
      )
      ]
     variants (modulo AC)
-    1. cCA   = cCA.26
+    1. cCA   = cCA.24
+       kTENC = kTENC.27
+       z     = cert_pk(fst(sdec(cCA.24, kTENC.27)))
+       z.1   = fst(sdec(cCA.24, kTENC.27))
+       z.2   = fst(snd(sdec(cCA.24, kTENC.27)))
+       z.3   = snd(snd(sdec(cCA.24, kTENC.27)))
+       z.4   = verify(cert_sig(fst(sdec(cCA.24, kTENC.27))),
+                      <cert_pk(fst(sdec(cCA.24, kTENC.27))), 
+                       cert_id(fst(sdec(cCA.24, kTENC.27))), 'chip'>,
+                      pk(ca_sk))
+    
+    2. cCA   = senc(x.164, kTENC.86)
+       kTENC = kTENC.86
+       z     = cert_pk(fst(x.164))
+       z.1   = fst(x.164)
+       z.2   = fst(snd(x.164))
+       z.3   = snd(snd(x.164))
+       z.4   = verify(cert_sig(fst(x.164)),
+                      <cert_pk(fst(x.164)), cert_id(fst(x.164)), 'chip'>, pk(ca_sk))
+    
+    3. cCA   = senc(<z.37, z.38, z.39>, kTENC.30)
        kTENC = kTENC.30
-       z     = cert_pk(fst(sdec(cCA.26, kTENC.30)))
-       z.1   = fst(sdec(cCA.26, kTENC.30))
-       z.2   = fst(snd(sdec(cCA.26, kTENC.30)))
-       z.3   = snd(snd(sdec(cCA.26, kTENC.30)))
-       z.4   = verify(cert_sig(fst(sdec(cCA.26, kTENC.30))),
-                      <cert_pk(fst(sdec(cCA.26, kTENC.30))), 
-                       cert_id(fst(sdec(cCA.26, kTENC.30))), 'chip'>,
+       z     = cert_pk(z.37)
+       z.1   = z.37
+       z.2   = z.38
+       z.3   = z.39
+       z.4   = verify(cert_sig(z.37), <cert_pk(z.37), cert_id(z.37), 'chip'>,
                       pk(ca_sk))
     
-    2. cCA   = senc(x.165, kTENC.87)
+    4. cCA   = senc(<z.94, x.166>, kTENC.87)
        kTENC = kTENC.87
-       z     = cert_pk(fst(x.165))
-       z.1   = fst(x.165)
-       z.2   = fst(snd(x.165))
-       z.3   = snd(snd(x.165))
-       z.4   = verify(cert_sig(fst(x.165)),
-                      <cert_pk(fst(x.165)), cert_id(fst(x.165)), 'chip'>, pk(ca_sk))
-    
-    3. cCA   = senc(<z.38, z.39, z.40>, kTENC.31)
-       kTENC = kTENC.31
-       z     = cert_pk(z.38)
-       z.1   = z.38
-       z.2   = z.39
-       z.3   = z.40
-       z.4   = verify(cert_sig(z.38), <cert_pk(z.38), cert_id(z.38), 'chip'>,
+       z     = cert_pk(z.94)
+       z.1   = z.94
+       z.2   = fst(x.166)
+       z.3   = snd(x.166)
+       z.4   = verify(cert_sig(z.94), <cert_pk(z.94), cert_id(z.94), 'chip'>,
                       pk(ca_sk))
     
-    4. cCA   = senc(<z.95, x.167>, kTENC.88)
+    5. cCA   = senc(<cert(z.92, sign(<z.92, x.166, 'chip'>, ca_sk), x.166), 
+                     z.95, z.96>,
+                    kTENC.87)
+       kTENC = kTENC.87
+       z     = z.92
+       z.1   = cert(z.92, sign(<z.92, x.166, 'chip'>, ca_sk), x.166)
+       z.2   = z.95
+       z.3   = z.96
+       z.4   = true
+    
+    6. cCA   = senc(<cert(z.93, x.167, x.168), z.96, z.97>, kTENC.88)
        kTENC = kTENC.88
-       z     = cert_pk(z.95)
-       z.1   = z.95
-       z.2   = fst(x.167)
-       z.3   = snd(x.167)
-       z.4   = verify(cert_sig(z.95), <cert_pk(z.95), cert_id(z.95), 'chip'>,
-                      pk(ca_sk))
+       z     = z.93
+       z.1   = cert(z.93, x.167, x.168)
+       z.2   = z.96
+       z.3   = z.97
+       z.4   = verify(x.167, <z.93, x.168, 'chip'>, pk(ca_sk))
     
-    5. cCA   = senc(<cert(z.93, sign(<z.93, x.167, 'chip'>, ca_sk), x.167), 
-                     z.96, z.97>,
+    7. cCA   = senc(<cert(z.93, sign(<z.93, x.167, 'chip'>, ca_sk), x.167), 
+                     x.168>,
                     kTENC.88)
        kTENC = kTENC.88
        z     = z.93
        z.1   = cert(z.93, sign(<z.93, x.167, 'chip'>, ca_sk), x.167)
-       z.2   = z.96
-       z.3   = z.97
+       z.2   = fst(x.168)
+       z.3   = snd(x.168)
        z.4   = true
     
-    6. cCA   = senc(<cert(z.94, x.168, x.169), z.97, z.98>, kTENC.89)
+    8. cCA   = senc(<cert(z.94, x.168, x.169), x.170>, kTENC.89)
        kTENC = kTENC.89
        z     = z.94
        z.1   = cert(z.94, x.168, x.169)
-       z.2   = z.97
-       z.3   = z.98
+       z.2   = fst(x.170)
+       z.3   = snd(x.170)
        z.4   = verify(x.168, <z.94, x.169, 'chip'>, pk(ca_sk))
-    
-    7. cCA   = senc(<cert(z.94, sign(<z.94, x.168, 'chip'>, ca_sk), x.168), 
-                     x.169>,
-                    kTENC.89)
-       kTENC = kTENC.89
-       z     = z.94
-       z.1   = cert(z.94, sign(<z.94, x.168, 'chip'>, ca_sk), x.168)
-       z.2   = fst(x.169)
-       z.3   = snd(x.169)
-       z.4   = true
-    
-    8. cCA   = senc(<cert(z.95, x.169, x.170), x.171>, kTENC.90)
-       kTENC = kTENC.90
-       z     = z.95
-       z.1   = cert(z.95, x.169, x.170)
-       z.2   = fst(x.171)
-       z.3   = snd(x.171)
-       z.4   = verify(x.169, <z.95, x.170, 'chip'>, pk(ca_sk))
   */
 
 rule (modulo E) CA_FINISH_C:
    [
    In( <cip, s, cipe, '5', 't'> ),
-   CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
-   ),
+   CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ),
    !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
    ]
   --[
@@ -334,10 +303,6 @@ rule (modulo E) CA_FINISH_C:
          kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>,
              <decaps(cip, ~skC), decaps(cipe, skCe)>), 
          '6', 'c'>
-   ),
-   CAFinishC( $C, cert_id(certT),
-              kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
-                  <decaps(cip, ~skC), decaps(cipe, skCe)>)
    )
    ]
 
@@ -345,8 +310,7 @@ rule (modulo E) CA_FINISH_C:
   rule (modulo AC) CA_FINISH_C:
      [
      In( <cip, s, cipe, '5', 't'> ),
-     CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
-     ),
+     CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ),
      !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
      ]
     --[
@@ -358,9 +322,6 @@ rule (modulo E) CA_FINISH_C:
      [
      Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), 
            '6', 'c'>
-     ),
-     CAFinishC( $C, z.2,
-                kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>)
      )
      ]
     variants (modulo AC)
@@ -368,81 +329,79 @@ rule (modulo E) CA_FINISH_C:
        certT = certT.44
        cip   = cip.45
        cipe  = cipe.46
-       skCe  = skCe.55
+       skCe  = skCe.54
        z     = decaps(cip.45, ~skC.41)
-       z.1   = decaps(cipe.46, skCe.55)
+       z.1   = decaps(cipe.46, skCe.54)
        z.2   = cert_id(certT.44)
     
     2. ~skC  = ~skC.46
        certT = certT.49
-       cip   = encaps(z.65, pk(~skC.46))
+       cip   = encaps(z.64, pk(~skC.46))
        cipe  = cipe.51
-       skCe  = skCe.60
-       z     = z.65
-       z.1   = decaps(cipe.51, skCe.60)
+       skCe  = skCe.59
+       z     = z.64
+       z.1   = decaps(cipe.51, skCe.59)
        z.2   = cert_id(certT.49)
     
     3. ~skC  = ~skC.47
        certT = certT.50
        cip   = cip.51
-       cipe  = encaps(z.67, pk(skCe.61))
-       skCe  = skCe.61
+       cipe  = encaps(z.66, pk(skCe.60))
+       skCe  = skCe.60
        z     = decaps(cip.51, ~skC.47)
-       z.1   = z.67
+       z.1   = z.66
        z.2   = cert_id(certT.50)
     
     4. ~skC  = ~skC.47
        certT = certT.50
-       cip   = encaps(z.66, pk(~skC.47))
-       cipe  = encaps(z.67, pk(skCe.61))
-       skCe  = skCe.61
-       z     = z.66
-       z.1   = z.67
+       cip   = encaps(z.65, pk(~skC.47))
+       cipe  = encaps(z.66, pk(skCe.60))
+       skCe  = skCe.60
+       z     = z.65
+       z.1   = z.66
        z.2   = cert_id(certT.50)
     
-    5. ~skC  = ~skC.210
-       certT = cert(x.416, x.417, z.233)
-       cip   = cip.214
-       cipe  = cipe.215
-       skCe  = skCe.224
-       z     = decaps(cip.214, ~skC.210)
-       z.1   = decaps(cipe.215, skCe.224)
-       z.2   = z.233
+    5. ~skC  = ~skC.204
+       certT = cert(x.404, x.405, z.228)
+       cip   = cip.208
+       cipe  = cipe.209
+       skCe  = skCe.217
+       z     = decaps(cip.208, ~skC.204)
+       z.1   = decaps(cipe.209, skCe.217)
+       z.2   = z.228
     
-    6. ~skC  = ~skC.210
-       certT = cert(x.416, x.417, z.233)
-       cip   = cip.214
-       cipe  = encaps(z.230, pk(skCe.224))
-       skCe  = skCe.224
-       z     = decaps(cip.214, ~skC.210)
-       z.1   = z.230
-       z.2   = z.233
+    6. ~skC  = ~skC.204
+       certT = cert(x.404, x.405, z.228)
+       cip   = cip.208
+       cipe  = encaps(z.223, pk(skCe.217))
+       skCe  = skCe.217
+       z     = decaps(cip.208, ~skC.204)
+       z.1   = z.223
+       z.2   = z.228
     
-    7. ~skC  = ~skC.213
-       certT = cert(x.422, x.423, z.236)
-       cip   = encaps(z.232, pk(~skC.213))
-       cipe  = cipe.218
-       skCe  = skCe.227
-       z     = z.232
-       z.1   = decaps(cipe.218, skCe.227)
-       z.2   = z.236
+    7. ~skC  = ~skC.207
+       certT = cert(x.410, x.411, z.231)
+       cip   = encaps(z.225, pk(~skC.207))
+       cipe  = cipe.212
+       skCe  = skCe.220
+       z     = z.225
+       z.1   = decaps(cipe.212, skCe.220)
+       z.2   = z.231
     
-    8. ~skC  = ~skC.213
-       certT = cert(x.422, x.423, z.236)
-       cip   = encaps(z.232, pk(~skC.213))
-       cipe  = encaps(z.233, pk(skCe.227))
-       skCe  = skCe.227
-       z     = z.232
-       z.1   = z.233
-       z.2   = z.236
+    8. ~skC  = ~skC.207
+       certT = cert(x.410, x.411, z.231)
+       cip   = encaps(z.225, pk(~skC.207))
+       cipe  = encaps(z.226, pk(skCe.220))
+       skCe  = skCe.220
+       z     = z.225
+       z.1   = z.226
+       z.2   = z.231
   */
 
 rule (modulo E) CA_FINISH_T:
    [
    In( <kCNF_c, '6', 'c'> ),
-   CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
-            pkCe
-   ),
+   CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
    !Cert( $T, certT, 'terminal' )
    ]
   --[
@@ -453,9 +412,6 @@ rule (modulo E) CA_FINISH_T:
   Finished( <certT, certC, r2, cip, pkCe, cipe> )
   ]->
    [
-   CAFinishT( cert_id(certC), $T,
-              kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
-   ),
    !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
                    kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
    )
@@ -465,9 +421,7 @@ rule (modulo E) CA_FINISH_T:
   rule (modulo AC) CA_FINISH_T:
      [
      In( <kCNF_c, '6', 'c'> ),
-     CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
-              pkCe
-     ),
+     CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
      !Cert( $T, certT, 'terminal' )
      ]
     --[
@@ -478,19 +432,16 @@ rule (modulo E) CA_FINISH_T:
     Finished( <certT, certC, r2, cip, pkCe, cipe> )
     ]->
      [
-     CAFinishT( z, $T,
-                kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
-     ),
      !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
                      kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
      )
      ]
     variants (modulo AC)
-    1. certC = certC.20
-       z     = cert_id(certC.20)
+    1. certC = certC.21
+       z     = cert_id(certC.21)
     
-    2. certC = cert(x.46, x.47, z.33)
-       z     = z.33
+    2. certC = cert(x.31, x.32, z.26)
+       z     = z.26
   */
 
 rule (modulo E) Verify_Transcript_C:
@@ -2544,33 +2495,28 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
-                  skCe
+  solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
          ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
       solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
         case CA_Sign_ltk
-        solve( Completed( kdf(<'KEY', 
-                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+        solve( Completed( kdf(<'KEY', certT, 
                                cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
                                pk(~skCe), cipe>,
-                              <z.1, z.2>),
-                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
-                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
-                           pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                           cip, pk(~skCe), cipe>,
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
-                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
-                          <z.2, cipe>, pk(~skCe)
+          solve( CAInitT( $T, id_c.1, kTMAC.1, kTENC.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
             case CA_INIT_T
-            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
-                          'terminal'
-                   ) ▶₂ #j )
+            solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j )
               case CA_Sign_ltk
               solve( splitEqs(2) )
                 case split_case_1
@@ -2578,77 +2524,26 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                  cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
                                  encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                kdf(<'TMAC', ~r1>, ~kTA))
+                                kTMAC)
                        ) @ #vk.3 )
-                  case c_mac
-                  solve( !KU( ~r2 ) @ #vk.43 )
+                  case CA_INIT_T
+                  solve( !KU( senc(<
+                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, pk(~skCe)>,
+                                   kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                         ) @ #vk.20 )
                     case CA_INIT_C
-                    solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 )
-                      case TA_RESPONSE_T
-                      solve( !KU( senc(<
-                                        cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                        pk(~skCe)>,
-                                       kdf(<'TENC', r1.1>, decaps(cTA, ~skT)))
-                             ) @ #vk.36 )
-                        case c_senc
-                        solve( !KU( kdf(<'TMAC', ~r1>, ~kTA) ) @ #vk.44 )
-                          case c_kdf
-                          solve( !KU( ~kTA ) @ #vk.56 )
-                            case TA_CHALLENGE_C
-                            solve( !KU( ~ltk.1 ) @ #vk.58 )
-                              case Corrupt_ltk
-                              solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.52 )
-                                case c_kdf
-                                solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.57 )
-                                  case TA_CHALLENGE_C
-                                  solve( !KU( kdf(<'TENC', r1.1>, decaps(cTA, ~skT)) ) @ #vk.58 )
-                                    case c_kdf
-                                    solve( !KU( decaps(cTA, ~skT) ) @ #vk.62 )
-                                      case c_decaps
-                                      solve( !KU( ~skT ) @ #vk.63 )
-                                        case Corrupt_ltk
-                                        solve( !KU( ~r1 ) @ #vk.59 )
-                                          case TA_CHALLENGE_C
-                                          solve( !KU( cert(pk(~ltk.1),
-                                                           sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T)
-                                                 ) @ #vk.38 )
-                                            case CA_Sign_ltk
-                                            solve( !KU( kdf(<'CNF', 
-                                                             cert(pk(~ltk.1),
-                                                                  sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk),
-                                                                  $T), 
-                                                             cert(pk(~ltk),
-                                                                  sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
-                                                             ~r2, encaps(~k, pk(~ltk)), pk(~skCe), 
-                                                             encaps(~ke, pk(~skCe))>,
-                                                            <~k, ~ke>)
-                                                   ) @ #vk.43 )
-                                              case CA_FINISH_C
-                                              solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.31 )
-                                                case CA_INIT_T
-                                                solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.35 )
-                                                  case CA_INIT_T
-                                                  solve( !KU( cert(pk(~ltk),
-                                                                   sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C)
-                                                         ) @ #vk.59 )
-                                                    case CA_Sign_ltk
-                                                    solve( !KU( pk(~skCe) ) @ #vk.60 )
-                                                      case CA_INIT_C
-                                                      SOLVED // trace found
-                                                    qed
-                                                  qed
-                                                qed
-                                              qed
-                                            qed
-                                          qed
-                                        qed
-                                      qed
-                                    qed
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.11 )
+                      case CA_FINISH_C
+                      solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.6 )
+                        case CA_INIT_T
+                        solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.9 )
+                          case CA_INIT_T
+                          SOLVED // trace found
                         qed
                       qed
                     qed
@@ -2686,63 +2581,55 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
-                  skCe
+  solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
          ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
       solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
         case CA_Sign_ltk
-        solve( Completed( kdf(<'KEY', 
-                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+        solve( Completed( kdf(<'KEY', certT, 
                                cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
                                pk(~skCe), cipe>,
-                              <z.1, z.2>),
-                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
-                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
-                           pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                           cip, pk(~skCe), cipe>,
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
-                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
-                          <z.2, cipe>, pk(~skCe)
+          solve( CAInitT( $T, id_c.1, kTMAC.1, kTENC.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
             case CA_INIT_T
-            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
-                          'terminal'
-                   ) ▶₂ #j )
+            solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j )
               case CA_Sign_ltk
               solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
                 case CA_FINISH_C
-                solve( CAInitC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1,
-                                <kTA.1, cTA>, kTMAC, kTENC, r2.1, skCe.1
+                solve( CAInitC( $C, cert(x, x.1, $T), id_c.1, r1.1, <kTA.1, cTA.1>,
+                                kTMAC.1, kTENC.1, r2.1, skCe.1
                        ) ▶₁ #i2 )
                   case CA_INIT_C
                   solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
                     case Generate_chip_key_pair
                     solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
                       case CA_Sign_ltk
-                      solve( Completed( kdf(<'KEY', 
-                                             cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), 
+                      solve( Completed( kdf(<'KEY', cert(x, x.1, $T), 
                                              cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), 
                                              ~r2.1, cip, pk(~skCe.1), cipe>,
                                             <z, z.1>),
-                                        <cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), 
+                                        <cert(x, x.1, $T), 
                                          cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, 
                                          cip, pk(~skCe.1), cipe>,
                                         $T, 'terminal', $C
                              ) @ #j2 )
                         case CA_FINISH_T
-                        solve( CAInitT( <$T, iid.3>, id_c.3, kTMAC, kTENC,
+                        solve( CAInitT( $T, id_c.3, kTMAC.2, kTENC.2,
                                         cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1,
                                         <z, cip>, <z.1, cipe>, pk(~skCe.1)
                                ) ▶₁ #j2 )
                           case CA_INIT_T
-                          solve( !Cert( $T, cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T),
-                                        'terminal'
-                                 ) ▶₂ #j2 )
+                          solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j2 )
                             case CA_Sign_ltk
                             solve( splitEqs(2) )
                               case split_case_1
@@ -2754,218 +2641,80 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
                                                  ~r2, encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))
                                                 >,
-                                                kdf(<'TMAC', ~r1>, ~kTA))
+                                                kTMAC)
                                        ) @ #vk.3 )
-                                  case c_mac
-                                  solve( !KU( ~r2 ) @ #vk.63 )
+                                  case CA_INIT_T
+                                  solve( !KU( senc(<
+                                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), 
+                                                    ~r2, pk(~skCe)>,
+                                                   kdf(<'TENC', r1>, z))
+                                         ) @ #vk.28 )
                                     case CA_INIT_C
-                                    solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.22 )
-                                      case TA_RESPONSE_T
+                                    solve( !KU( mac(<'CA', 
+                                                     cert(pk(~ltk.2),
+                                                          sign(<pk(~ltk.2), $T, 'terminal'>, ca_sk), $T), 
+                                                     cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), 
+                                                     ~r2.1, encaps(~k.1, pk(~skC)), pk(~skCe.1), 
+                                                     encaps(~ke.1, pk(~skCe.1))>,
+                                                    kTMAC)
+                                           ) @ #vk.35 )
+                                      case CA_INIT_T
                                       solve( !KU( senc(<
-                                                        cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk),
+                                                        cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk),
                                                              $C), 
-                                                        ~r2, pk(~skCe)>,
-                                                       kdf(<'TENC', r1.2>, decaps(cTA, ~skT)))
-                                             ) @ #vk.46 )
-                                        case c_senc
-                                        solve( !KU( mac(<'CA', 
-                                                         cert(pk(~ltk.2),
-                                                              sign(<pk(~ltk.2), $T, 'terminal'>, ca_sk), $T), 
-                                                         cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk),
-                                                              $C), 
-                                                         ~r2.1, encaps(~k.1, pk(~skC)), pk(~skCe.1), 
-                                                         encaps(~ke.1, pk(~skCe.1))>,
-                                                        kdf(<'TMAC', ~r1.1>, ~kTA.1))
-                                               ) @ #vk.55 )
-                                          case CA_INIT_T
-                                          solve( !KU( senc(<
-                                                            cert(pk(~skC),
-                                                                 sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), 
-                                                            ~r2.1, pk(~skCe.1)>,
-                                                           kdf(<'TENC', ~r1.1>, ~kTA.1))
-                                                 ) @ #vk.62 )
-                                            case CA_INIT_C
-                                            solve( !KU( encaps(~kTA.1, pk(~skT.1)) ) @ #vk.65 )
-                                              case TA_CHALLENGE_C
-                                              solve( !KU( kdf(<'TMAC', ~r1>, ~kTA) ) @ #vk.66 )
-                                                case c_kdf
-                                                solve( !KU( ~kTA ) @ #vk.76 )
-                                                  case TA_CHALLENGE_C
-                                                  solve( !KU( ~ltk.1 ) @ #vk.78 )
-                                                    case Corrupt_ltk
-                                                    solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.72 )
-                                                      case c_kdf
-                                                      solve( !KU( encaps(~kTA, pk(~skT.2)) ) @ #vk.77 )
-                                                        case TA_CHALLENGE_C
-                                                        solve( !KU( kdf(<'TENC', r1.2>, decaps(cTA, ~skT.1))
-                                                               ) @ #vk.78 )
-                                                          case c_kdf
-                                                          solve( !KU( decaps(cTA, ~skT.1) ) @ #vk.82 )
-                                                            case c_decaps
-                                                            solve( !KU( ~skT.1 ) @ #vk.83 )
-                                                              case Corrupt_ltk
-                                                              solve( !KU( ~r1 ) @ #vk.79 )
-                                                                case TA_CHALLENGE_C
-                                                                solve( !KU( ~r1.1 ) @ #vk.75 )
-                                                                  case TA_CHALLENGE_C
-                                                                  solve( !KU( cert(pk(~ltk.1),
-                                                                                   sign(<pk(~ltk.1), $T, 
-                                                                                         'terminal'>,
-                                                                                        ca_sk),
-                                                                                   $T)
-                                                                         ) @ #vk.53 )
-                                                                    case CA_Sign_ltk
-                                                                    solve( !KU( kdf(<'CNF', 
-                                                                                     cert(pk(~ltk.1),
-                                                                                          sign(<pk(~ltk.1), 
-                                                                                                $T, 'terminal'
-                                                                                               >,
-                                                                                               ca_sk),
-                                                                                          $T), 
-                                                                                     cert(pk(~ltk),
-                                                                                          sign(<pk(~ltk), $C, 
-                                                                                                'chip'>,
-                                                                                               ca_sk),
-                                                                                          $C), 
-                                                                                     ~r2, 
-                                                                                     encaps(~k, pk(~ltk)), 
-                                                                                     pk(~skCe), 
-                                                                                     encaps(~ke, pk(~skCe))>,
-                                                                                    <~k, ~ke>)
-                                                                           ) @ #vk.56 )
-                                                                      case CA_FINISH_C
-                                                                      solve( !KU( encaps(~k, pk(~ltk))
-                                                                             ) @ #vk.41 )
-                                                                        case CA_INIT_T
-                                                                        solve( !KU( encaps(~ke, pk(~skCe))
-                                                                               ) @ #vk.45 )
-                                                                          case CA_INIT_T
-                                                                          solve( !KU( kdf(<'TCNF', ~r1.1>,
-                                                                                          ~kTA.1)
-                                                                                 ) @ #vk.74 )
-                                                                            case TA_RESPONSE_T
-                                                                            solve( !KU( encaps(~kTA.1,
-                                                                                               pk(~skT.2))
-                                                                                   ) @ #vk.88 )
-                                                                              case TA_CHALLENGE_C
-                                                                              solve( !KU( cert(pk(~skT),
-                                                                                               sign(<
-                                                                                                     pk(~skT), 
-                                                                                                     $T, 
-                                                                                                     'terminal'
-                                                                                                    >,
-                                                                                                    ca_sk),
-                                                                                               $T)
-                                                                                     ) @ #vk.76 )
-                                                                                case CA_Sign_ltk
-                                                                                solve( !KU( kdf(<'CNF', 
-                                                                                                 cert(pk(~skT),
-                                                                                                      sign(<
-                                                                                                            pk(~skT), 
-                                                                                                            $T, 
-                                                                                                            'terminal'
-                                                                                                           >,
-                                                                                                           ca_sk),
-                                                                                                      $T), 
-                                                                                                 cert(pk(~skC),
-                                                                                                      sign(<
-                                                                                                            pk(~skC), 
-                                                                                                            $C, 
-                                                                                                            'chip'
-                                                                                                           >,
-                                                                                                           ca_sk),
-                                                                                                      $C), 
-                                                                                                 ~r2.1, 
-                                                                                                 encaps(~k.1,
-                                                                                                        pk(~skC)), 
-                                                                                                 pk(~skCe.1), 
-                                                                                                 encaps(~ke.1,
-                                                                                                        pk(~skCe.1))
-                                                                                                >,
-                                                                                                <~k.1, ~ke.1>)
-                                                                                       ) @ #vk.77 )
-                                                                                  case CA_FINISH_C
-                                                                                  solve( !KU( encaps(~k.1,
-                                                                                                     pk(~skC))
-                                                                                         ) @ #vk.76 )
-                                                                                    case CA_INIT_T
-                                                                                    solve( !KU( encaps(~ke.1,
-                                                                                                       pk(~skCe.1))
-                                                                                           ) @ #vk.77 )
-                                                                                      case CA_INIT_T
-                                                                                      solve( !KU( cert(pk(~ltk),
-                                                                                                       sign(<
-                                                                                                             pk(~ltk), 
-                                                                                                             $C, 
-                                                                                                             'chip'
-                                                                                                            >,
-                                                                                                            ca_sk),
-                                                                                                       $C)
-                                                                                             ) @ #vk.80 )
-                                                                                        case CA_INIT_C
-                                                                                        solve( !KU( kdf(<
-                                                                                                         'TENC', 
-                                                                                                         ~r1.3
-                                                                                                        >,
-                                                                                                        ~kTA.2)
-                                                                                               ) @ #vk.88 )
-                                                                                          case c_kdf
-                                                                                          solve( !KU( ~kTA.2
-                                                                                                 ) @ #vk.92 )
-                                                                                            case TA_CHALLENGE_C
-                                                                                            solve( !KU( kdf(<
-                                                                                                             'TCNF', 
-                                                                                                             ~r1.3
-                                                                                                            >,
-                                                                                                            ~kTA.2)
-                                                                                                   ) @ #vk.91 )
-                                                                                              case TA_RESPONSE_T
-                                                                                              solve( !KU( cert(pk(sk),
-                                                                                                               sign(<
-                                                                                                                     pk(sk), 
-                                                                                                                     z, 
-                                                                                                                     'terminal'
-                                                                                                                    >,
-                                                                                                                    ca_sk),
-                                                                                                               z)
-                                                                                                     ) @ #vk.93 )
-                                                                                                case CA_Sign_ltk
-                                                                                                solve( !KU( ~ltk.5
-                                                                                                       ) @ #vk.97 )
-                                                                                                  case Corrupt_ltk
-                                                                                                  solve( !KU( encaps(~kTA.2,
-                                                                                                                     pk(~skT.2))
-                                                                                                         ) @ #vk.99 )
-                                                                                                    case TA_CHALLENGE_C
-                                                                                                    solve( !KU( ~r1.3
-                                                                                                           ) @ #vk.98 )
-                                                                                                      case TA_CHALLENGE_C
-                                                                                                      solve( !KU( pk(~skCe)
-                                                                                                             ) @ #vk.93 )
-                                                                                                        case CA_INIT_C
-                                                                                                        SOLVED // trace found
-                                                                                                      qed
-                                                                                                    qed
-                                                                                                  qed
-                                                                                                qed
-                                                                                              qed
-                                                                                            qed
-                                                                                          qed
-                                                                                        qed
-                                                                                      qed
-                                                                                    qed
-                                                                                  qed
-                                                                                qed
-                                                                              qed
-                                                                            qed
-                                                                          qed
-                                                                        qed
-                                                                      qed
-                                                                    qed
-                                                                  qed
-                                                                qed
-                                                              qed
-                                                            qed
+                                                        ~r2.1, pk(~skCe.1)>,
+                                                       kdf(<'TENC', r1.2>, z.1))
+                                             ) @ #vk.38 )
+                                        case CA_INIT_C
+                                        solve( !KU( encaps(z, pk(~skT)) ) @ #vk.34 )
+                                          case TA_CHALLENGE_C
+                                          solve( !KU( encaps(z, pk(~skT.1)) ) @ #vk.42 )
+                                            case TA_CHALLENGE_C
+                                            solve( !KU( cert(pk(~skT), sign(<pk(~skT), x, 'terminal'>, ca_sk),
+                                                             x)
+                                                   ) @ #vk.45 )
+                                              case CA_Sign_ltk
+                                              solve( !KU( cert(pk(~skT.1),
+                                                               sign(<pk(~skT.1), x, 'terminal'>, ca_sk), x)
+                                                     ) @ #vk.47 )
+                                                case CA_Sign_ltk
+                                                solve( !KU( kdf(<'CNF', 
+                                                                 cert(pk(~ltk.1),
+                                                                      sign(<pk(~ltk.1), $T, 'terminal'>,
+                                                                           ca_sk),
+                                                                      $T), 
+                                                                 cert(pk(~ltk),
+                                                                      sign(<pk(~ltk), $C, 'chip'>, ca_sk),
+                                                                      $C), 
+                                                                 ~r2, encaps(~k, pk(~ltk)), pk(~skCe), 
+                                                                 encaps(~ke, pk(~skCe))>,
+                                                                <~k, ~ke>)
+                                                       ) @ #vk.30 )
+                                                  case CA_FINISH_C
+                                                  solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.23 )
+                                                    case CA_INIT_T
+                                                    solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.26 )
+                                                      case CA_INIT_T
+                                                      solve( !KU( kdf(<'CNF', 
+                                                                       cert(pk(~ltk.2),
+                                                                            sign(<pk(~ltk.2), $T, 'terminal'>,
+                                                                                 ca_sk),
+                                                                            $T), 
+                                                                       cert(pk(~skC),
+                                                                            sign(<pk(~skC), $C, 'chip'>,
+                                                                                 ca_sk),
+                                                                            $C), 
+                                                                       ~r2.1, encaps(~k.1, pk(~skC)), 
+                                                                       pk(~skCe.1), encaps(~ke.1, pk(~skCe.1))
+                                                                      >,
+                                                                      <~k.1, ~ke.1>)
+                                                             ) @ #vk.44 )
+                                                        case CA_FINISH_C
+                                                        solve( !KU( encaps(~k.1, pk(~skC)) ) @ #vk.43 )
+                                                          case CA_INIT_T
+                                                          solve( !KU( encaps(~ke.1, pk(~skCe.1)) ) @ #vk.44 )
+                                                            case CA_INIT_T
+                                                            SOLVED // trace found
                                                           qed
                                                         qed
                                                       qed
@@ -2997,25 +2746,23 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma weak_agreement_C:
+lemma aliveness:
   all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
 /*
 guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
-                <ke, cipe>, pkCe
+solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
+                pkCe
        ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
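Review bot: The new `aliveness` lemma concludes only that B completed some run (`Completed( k2, sid2, B, role2, C )`, with `role2` and `C` unconstrained), so it no longer establishes that B was running with A in the complementary role. Both `weak_agreement_C` here and `weak_agreement_T`, removed in the following hunk, required that. This is a weaker authentication guarantee (aliveness rather than weak agreement), although dropping the `Corrupted( A )` disjunct does tighten the corruption assumption. This file appears to be recorded prover output, so the explanation belongs beside the lemma in the model source, for example `/* aliveness only: B completed some run, not necessarily with A; weak agreement is not claimed */`. If weak agreement is still expected to hold when neither party is corrupted, keeping those lemmas alongside `aliveness` would let the results show which guarantee each protocol variant meets.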
@@ -3024,59 +2771,14 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
                        cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
                        encaps(~ke, pkCe)>,
-                      C, 'chip', T.1
+                      A, role, B
            ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>,
-                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
-                      <kTA, cTA>, kTMAC, kTENC, r2, skCe
-             ) ▶₁ #i )
-        case CA_INIT_C
-        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
-          case Generate_chip_key_pair
-          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
-                 ) ▶₃ #i )
-            case CA_Sign_ltk
-            by contradiction /* from formulas */
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma weak_agreement_T:
-  all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
-                <ke, cipe>, pkCe
-       ) ▶₁ #t )
-  case CA_INIT_T
-  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
-    case CA_Sign_ltk
-    solve( Completed( k.1,
-                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
-                       encaps(~ke, pkCe)>,
-                      T.1, 'terminal', C
-           ) @ #i )
+      by contradiction /* from formulas */
+    next
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
-                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
+      solve( CAInitT( $T.1, id_c, kTMAC, kTENC,
+                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>,
                       <ke.1, encaps(~ke, pkCe)>, pkCe
              ) ▶₁ #i )
         case CA_INIT_T
@@ -3086,7 +2788,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
             case split_case_1
             solve( !KU( kdf(<'CNF', 
                              cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
                              encaps(~ke, pkCe)>,
                             <~k, ~ke>)
                    ) @ #vk.1 )
@@ -3098,12 +2800,21 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                 case CA_INIT_T
                 solve( !KU( ~ke ) @ #vk.32 )
                   case CA_INIT_T
-                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
+                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
                                     pk(sk.1)>,
                                    kdf(<'TENC', r1>, decaps(cTA, ~skT)))
                          ) @ #vk.15 )
+                    case CA_INIT_C
+                    solve( !KU( ~r2 ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.33 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  next
                     case c_senc
-                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                            ) @ #vk.28 )
                       case CA_INIT_C
                       solve( !KU( ~ltk.1 ) @ #vk.35 )
@@ -3118,7 +2829,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       qed
                     next
                       case c_cert
-                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.39 )
+                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.39 )
                         case CA_INIT_C
                         solve( !KU( ~ltk.1 ) @ #vk.36 )
                           case Corrupt_ltk
@@ -3143,7 +2854,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
             case split_case_2
             solve( !KU( kdf(<'CNF', 
                              cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), 
+                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), fst(x), encaps(~k, z), snd(x), 
                              encaps(~ke, snd(x))>,
                             <~k, ~ke>)
                    ) @ #vk.1 )
@@ -3160,7 +2871,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
             case split_case_1
             solve( !KU( kdf(<'CNF', 
                              cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
+                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
                              encaps(~ke, pkCe)>,
                             <~k, ~ke>)
                    ) @ #vk.1 )
@@ -3172,7 +2883,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                 case CA_INIT_T
                 solve( !KU( ~ke ) @ #vk.32 )
                   case CA_INIT_T
-                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
+                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
                                     pk(sk.1)>,
                                    kdf(<'TENC', r1>, z))
                          ) @ #vk.15 )
@@ -3192,7 +2903,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                         case split_case_1
                         solve( splitEqs(12) )
                           case split_case_1
-                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                                  ) @ #vk.34 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -3207,7 +2918,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                             qed
                           next
                             case c_cert
-                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
                               case CA_INIT_C
                               solve( !KU( ~ltk.1 ) @ #vk.40 )
                                 case Corrupt_ltk
@@ -3226,7 +2937,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                           qed
                         next
                           case split_case_2
-                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                                  ) @ #vk.34 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -3241,7 +2952,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                             qed
                           next
                             case c_cert
-                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
                               case CA_INIT_C
                               solve( !KU( ~ltk.1 ) @ #vk.40 )
                                 case Corrupt_ltk
@@ -3263,7 +2974,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                         case split_case_2
                         solve( splitEqs(12) )
                           case split_case_1
-                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                                  ) @ #vk.34 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -3278,7 +2989,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                             qed
                           next
                             case c_cert
-                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
                               case CA_INIT_C
                               solve( !KU( ~ltk.1 ) @ #vk.40 )
                                 case Corrupt_ltk
@@ -3297,7 +3008,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                           qed
                         next
                           case split_case_2
-                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                                  ) @ #vk.34 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -3312,7 +3023,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                             qed
                           next
                             case c_cert
-                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
                               case CA_INIT_C
                               solve( !KU( ~ltk.1 ) @ #vk.40 )
                                 case Corrupt_ltk
@@ -3335,7 +3046,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       case CA_INIT_T_case_2
                       solve( splitEqs(11) )
                         case split_case_1
-                        solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                        solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                                ) @ #vk.33 )
                           case CA_INIT_C
                           solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -3350,7 +3061,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                           qed
                         next
                           case c_cert
-                          solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                          solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.40 )
                               case Corrupt_ltk
@@ -3369,7 +3080,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                         qed
                       next
                         case split_case_2
-                        solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                        solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                                ) @ #vk.33 )
                           case CA_INIT_C
                           solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -3384,7 +3095,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                           qed
                         next
                           case c_cert
-                          solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
+                          solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.40 )
                               case Corrupt_ltk
@@ -3404,7 +3115,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       qed
                     next
                       case TA_CHALLENGE_C
-                      solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                      solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                              ) @ #vk.30 )
                         case CA_INIT_C
                         solve( !KU( ~ltk.1 ) @ #vk.35 )
@@ -3419,7 +3130,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                         qed
                       next
                         case c_cert
-                        solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.44 )
+                        solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.44 )
                           case CA_INIT_C
                           solve( !KU( ~ltk.1 ) @ #vk.36 )
                             case Corrupt_ltk
@@ -3438,7 +3149,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       qed
                     next
                       case c_encaps
-                      solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
+                      solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
                              ) @ #vk.30 )
                         case CA_INIT_C
                         solve( !KU( ~ltk.1 ) @ #vk.35 )
@@ -3453,7 +3164,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                         qed
                       next
                         case c_cert
-                        solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
+                        solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 )
                           case CA_INIT_C
                           solve( !KU( ~ltk.1 ) @ #vk.36 )
                             case Corrupt_ltk
@@ -3479,7 +3190,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
             case split_case_2
             solve( !KU( kdf(<'CNF', 
                              cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), 
+                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), fst(x), encaps(~k, z), snd(x), 
                              encaps(~ke, snd(x))>,
                             <~k, ~ke>)
                    ) @ #vk.1 )
@@ -3496,11 +3207,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
   qed
 qed
 
-lemma agreement_C:
+lemma weak_agreement_C:
   all-traces
   "∀ k sid C T #i #t.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
       (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
      (∃ #k.1. Corrupted( T ) @ #k.1))"
 /*
@@ -3508,13 +3219,13 @@ guarded formula characterizing all counter-examples:
 "∃ k sid C T #i #t.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
-                <ke, cipe>, pkCe
+solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
+                pkCe
        ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
@@ -3526,7 +3237,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       C, 'chip', T.1
            ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>,
+      solve( CAInitC( $C,
                       cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                       <kTA, cTA>, kTMAC, kTENC, r2, skCe
              ) ▶₁ #i )
@@ -3536,65 +3247,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
           solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
                  ) ▶₃ #i )
             case CA_Sign_ltk
-            solve( splitEqs(1) )
-              case split_case_1
-              solve( splitEqs(3) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf(<'CNF', 
-                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                <~k, ~ke>)
-                       ) @ #vk.1 )
-                  case c_kdf
-                  solve( !KU( ~r2 ) @ #vk.43 )
-                    case CA_INIT_C
-                    solve( !KU( ~k ) @ #vk.45 )
-                      case CA_INIT_T
-                      solve( !KU( ~ke ) @ #vk.46 )
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.48 )
-                          case Corrupt_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            next
-              case split_case_2
-              solve( splitEqs(3) )
-                case split_case_1
-                by contradiction /* from formulas */
-              next
-                case split_case_2
-                solve( !KU( kdf(<'CNF', 
-                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                <~k, ~ke>)
-                       ) @ #vk.1 )
-                  case c_kdf
-                  solve( !KU( ~r2 ) @ #vk.43 )
-                    case CA_INIT_C
-                    solve( !KU( ~k ) @ #vk.45 )
-                      case CA_INIT_T
-                      solve( !KU( ~ke ) @ #vk.46 )
-                        case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.48 )
-                          case Corrupt_ltk
-                          by contradiction /* from formulas */
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
+            by contradiction /* from formulas */
           qed
         qed
       qed
@@ -3602,11 +3255,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
   qed
 qed
 
-lemma agreement_T:
+lemma weak_agreement_T:
   all-traces
   "∀ k sid C T #i #t.
     ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
       (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
      (∃ #k.1. Corrupted( T ) @ #k.1))"
 /*
@@ -3614,13 +3267,13 @@ guarded formula characterizing all counter-examples:
 "∃ k sid C T #i #t.
   (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
-                <ke, cipe>, pkCe
+solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
+                pkCe
        ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
@@ -3632,7 +3285,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
+      solve( CAInitT( $T.1, id_c, kTMAC, kTENC,
                       cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
                       <ke.1, encaps(~ke, pkCe)>, pkCe
              ) ▶₁ #i )
@@ -3659,6 +3312,15 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                                     pk(sk.1)>,
                                    kdf(<'TENC', r1>, decaps(cTA, ~skT)))
                          ) @ #vk.15 )
+                    case CA_INIT_C
+                    solve( !KU( ~r2 ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.33 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  next
                     case c_senc
                     solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                            ) @ #vk.28 )
@@ -4053,23 +3715,25 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
   qed
 qed
 
-lemma aliveness:
+lemma agreement_C:
   all-traces
-  "∀ k sid A role B #i #t.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
-     (∃ #k.1. Corrupted( B ) @ #k.1))"
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
 /*
 guarded formula characterizing all counter-examples:
-"∃ k sid A role B #i #t.
-  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
-                <ke, cipe>, pkCe
+solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
+                pkCe
        ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
@@ -4078,14 +3742,117 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
                        cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
                        encaps(~ke, pkCe)>,
-                      A, role, B
+                      C, 'chip', T.1
            ) @ #i )
       case CA_FINISH_C
-      by contradiction /* from formulas */
-    next
+      solve( CAInitC( $C,
+                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
+                      <kTA, cTA>, kTMAC, kTENC, r2, skCe
+             ) ▶₁ #i )
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            solve( splitEqs(1) )
+              case split_case_1
+              solve( splitEqs(3) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.36 )
+                    case CA_INIT_C
+                    solve( !KU( ~k ) @ #vk.38 )
+                      case CA_INIT_T
+                      solve( !KU( ~ke ) @ #vk.39 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.41 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case split_case_2
+              solve( splitEqs(3) )
+                case split_case_1
+                by contradiction /* from formulas */
+              next
+                case split_case_2
+                solve( !KU( kdf(<'CNF', 
+                                 cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                 cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                 encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                <~k, ~ke>)
+                       ) @ #vk.1 )
+                  case c_kdf
+                  solve( !KU( ~r2 ) @ #vk.36 )
+                    case CA_INIT_C
+                    solve( !KU( ~k ) @ #vk.38 )
+                      case CA_INIT_T
+                      solve( !KU( ~ke ) @ #vk.39 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.41 )
+                          case Corrupt_ltk
+                          by contradiction /* from formulas */
+                        qed
+                      qed
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
+                pkCe
+       ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      T.1, 'terminal', C
+           ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC,
-                      cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>,
+      solve( CAInitT( $T.1, id_c, kTMAC, kTENC,
+                      cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
                       <ke.1, encaps(~ke, pkCe)>, pkCe
              ) ▶₁ #i )
         case CA_INIT_T
@@ -4095,7 +3862,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
             case split_case_1
             solve( !KU( kdf(<'CNF', 
                              cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
                              encaps(~ke, pkCe)>,
                             <~k, ~ke>)
                    ) @ #vk.1 )
@@ -4107,12 +3874,21 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                 case CA_INIT_T
                 solve( !KU( ~ke ) @ #vk.32 )
                   case CA_INIT_T
-                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
+                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
                                     pk(sk.1)>,
                                    kdf(<'TENC', r1>, decaps(cTA, ~skT)))
                          ) @ #vk.15 )
+                    case CA_INIT_C
+                    solve( !KU( ~r2 ) @ #vk.30 )
+                      case CA_INIT_C
+                      solve( !KU( ~ltk.1 ) @ #vk.33 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    qed
+                  next
                     case c_senc
-                    solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                    solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                            ) @ #vk.28 )
                       case CA_INIT_C
                       solve( !KU( ~ltk.1 ) @ #vk.35 )
@@ -4127,7 +3903,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       qed
                     next
                       case c_cert
-                      solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.39 )
+                      solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.39 )
                         case CA_INIT_C
                         solve( !KU( ~ltk.1 ) @ #vk.36 )
                           case Corrupt_ltk
@@ -4152,7 +3928,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
             case split_case_2
             solve( !KU( kdf(<'CNF', 
                              cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), fst(x), encaps(~k, z), snd(x), 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), 
                              encaps(~ke, snd(x))>,
                             <~k, ~ke>)
                    ) @ #vk.1 )
@@ -4169,7 +3945,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
             case split_case_1
             solve( !KU( kdf(<'CNF', 
                              cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, 
                              encaps(~ke, pkCe)>,
                             <~k, ~ke>)
                    ) @ #vk.1 )
@@ -4181,7 +3957,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                 case CA_INIT_T
                 solve( !KU( ~ke ) @ #vk.32 )
                   case CA_INIT_T
-                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
+                  solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, 
                                     pk(sk.1)>,
                                    kdf(<'TENC', r1>, z))
                          ) @ #vk.15 )
@@ -4201,7 +3977,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                         case split_case_1
                         solve( splitEqs(12) )
                           case split_case_1
-                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                                  ) @ #vk.34 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -4216,7 +3992,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                             qed
                           next
                             case c_cert
-                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
                               case CA_INIT_C
                               solve( !KU( ~ltk.1 ) @ #vk.40 )
                                 case Corrupt_ltk
@@ -4235,7 +4011,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                           qed
                         next
                           case split_case_2
-                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                                  ) @ #vk.34 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -4250,7 +4026,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                             qed
                           next
                             case c_cert
-                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
                               case CA_INIT_C
                               solve( !KU( ~ltk.1 ) @ #vk.40 )
                                 case Corrupt_ltk
@@ -4272,7 +4048,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                         case split_case_2
                         solve( splitEqs(12) )
                           case split_case_1
-                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                                  ) @ #vk.34 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -4287,7 +4063,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                             qed
                           next
                             case c_cert
-                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
                               case CA_INIT_C
                               solve( !KU( ~ltk.1 ) @ #vk.40 )
                                 case Corrupt_ltk
@@ -4306,7 +4082,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                           qed
                         next
                           case split_case_2
-                          solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                          solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                                  ) @ #vk.34 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -4321,7 +4097,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                             qed
                           next
                             case c_cert
-                            solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                            solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
                               case CA_INIT_C
                               solve( !KU( ~ltk.1 ) @ #vk.40 )
                                 case Corrupt_ltk
@@ -4344,7 +4120,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       case CA_INIT_T_case_2
                       solve( splitEqs(11) )
                         case split_case_1
-                        solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                        solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                                ) @ #vk.33 )
                           case CA_INIT_C
                           solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -4359,7 +4135,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                           qed
                         next
                           case c_cert
-                          solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                          solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.40 )
                               case Corrupt_ltk
@@ -4378,7 +4154,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                         qed
                       next
                         case split_case_2
-                        solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                        solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                                ) @ #vk.33 )
                           case CA_INIT_C
                           solve( !KU( ~ltk.1 ) @ #vk.39 )
@@ -4393,7 +4169,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                           qed
                         next
                           case c_cert
-                          solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 )
+                          solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 )
                             case CA_INIT_C
                             solve( !KU( ~ltk.1 ) @ #vk.40 )
                               case Corrupt_ltk
@@ -4413,7 +4189,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       qed
                     next
                       case TA_CHALLENGE_C
-                      solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                      solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                              ) @ #vk.30 )
                         case CA_INIT_C
                         solve( !KU( ~ltk.1 ) @ #vk.35 )
@@ -4428,7 +4204,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                         qed
                       next
                         case c_cert
-                        solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.44 )
+                        solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.44 )
                           case CA_INIT_C
                           solve( !KU( ~ltk.1 ) @ #vk.36 )
                             case Corrupt_ltk
@@ -4447,7 +4223,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                       qed
                     next
                       case c_encaps
-                      solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                      solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C)
                              ) @ #vk.30 )
                         case CA_INIT_C
                         solve( !KU( ~ltk.1 ) @ #vk.35 )
@@ -4462,7 +4238,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
                         qed
                       next
                         case c_cert
-                        solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 )
+                        solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 )
                           case CA_INIT_C
                           solve( !KU( ~ltk.1 ) @ #vk.36 )
                             case Corrupt_ltk
@@ -4488,7 +4264,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
             case split_case_2
             solve( !KU( kdf(<'CNF', 
                              cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), fst(x), encaps(~k, z), snd(x), 
+                             cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), 
                              encaps(~ke, snd(x))>,
                             <~k, ~ke>)
                    ) @ #vk.1 )
@@ -4526,24 +4302,22 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_1
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
-                      skCe
+      solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
              ) ▶₁ #i )
         case CA_INIT_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
           solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
             case CA_Sign_ltk
-            solve( Completed( kdf(<'KEY', 
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+            solve( Completed( kdf(<'KEY', certT, 
                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
                                    pk(~skCe), cipe>,
-                                  <z.1, z.2>),
+                                  <z, z.1>),
                               sid2, $C, 'chip', B
                    ) @ #j )
               case CA_FINISH_C
-              solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
-                              id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2, ~skCe
+              solve( CAInitC( $C, certT, id_c.1, r1.1, <kTA.1, cTA.1>, kTMAC.1,
+                              kTENC.1, ~r2, ~skCe
                      ) ▶₁ #j )
                 case CA_INIT_C
                 by contradiction /* cyclic */
@@ -4554,8 +4328,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
-                      <ke, cipe>, pkCe
+      solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
+                      pkCe
              ) ▶₁ #i )
         case CA_INIT_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
@@ -4568,7 +4342,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+            solve( CAInitT( $T, id_c.1, kTMAC, kTENC,
                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
                             <~ke, encaps(~ke, pkCe)>, pkCe
                    ) ▶₁ #j )
@@ -4583,24 +4357,22 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_2
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
-                      skCe
+      solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
              ) ▶₁ #i )
         case CA_INIT_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
           solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
             case CA_Sign_ltk
-            solve( Completed( kdf(<'KEY', 
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+            solve( Completed( kdf(<'KEY', certT, 
                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
                                    pk(~skCe), cipe>,
-                                  <z.1, z.2>),
+                                  <z, z.1>),
                               sid2, $C, 'chip', B
                    ) @ #j )
               case CA_FINISH_C
-              solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
-                              id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2, ~skCe
+              solve( CAInitC( $C, certT, id_c.1, r1.1, <kTA.1, cTA.1>, kTMAC.1,
+                              kTENC.1, ~r2, ~skCe
                      ) ▶₁ #j )
                 case CA_INIT_C
                 by contradiction /* cyclic */
@@ -4611,8 +4383,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
-                      <ke, cipe>, pkCe
+      solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
+                      pkCe
              ) ▶₁ #i )
         case CA_INIT_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
@@ -4625,7 +4397,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+            solve( CAInitT( $T, id_c.1, kTMAC, kTENC,
                             cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
                             <~ke, encaps(~ke, pkCe)>, pkCe
                    ) ▶₁ #j )
@@ -4641,19 +4413,17 @@ next
   case case_2
   solve( Completed( k, sid, A, role, B ) @ #i )
     case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
-                    skCe
+    solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
            ) ▶₁ #i )
       case CA_INIT_C
       solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
         case Generate_chip_key_pair
         solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
           case CA_Sign_ltk
-          solve( Completed( kdf(<'KEY', 
-                                 cert(z, sign(<z, B, 'terminal'>, ca_sk), B), 
+          solve( Completed( kdf(<'KEY', certT, 
                                  cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
                                  pk(~skCe), cipe>,
-                                <z.1, z.2>),
+                                <z, z.1>),
                             sid2, $C, 'chip', B
                  ) @ #j )
             case CA_FINISH_C
@@ -4664,8 +4434,8 @@ next
     qed
   next
     case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>,
-                    <ke, cipe>, pkCe
+    solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>,
+                    pkCe
            ) ▶₁ #i )
       case CA_INIT_T
       solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
@@ -4690,20 +4460,21 @@ lemma consistency:
   "∀ C T k k2 sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
-    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+    (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k k2 sid #i #j.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧
   (Completed( k2, sid, T, 'terminal', C ) @ #j)
  ∧
-  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (¬(k = k2)) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
-                  skCe
+  solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
          ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
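Review bot: The new disjunct `(∃ #m. Corrupted( T ) @ #m)` in `consistency` leaves `#m` unordered against `#i` and `#j`, so the lemma now claims nothing for any session whose terminal is corrupted at any time, including after completion. The `key_secrecy` statement further down in this file gains the same unconstrained disjunct. Both lemmas are weaker than before, since the old statements held with no terminal exemption, and an exemption this broad does not by itself express forward secrecy for the terminal ltk. If post-completion compromise is covered only by the separate ForwardSecrecy_* runs, say so in a comment on the lemma, e.g. `/* terminal corruption at any time is excluded here; post-completion compromise is covered by the forward-secrecy theory */`. Otherwise bound the disjunct, e.g. `(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j))`. This file is generated prover output, so the edit belongs in the lemma source (presumably include/include/lemmas.spthy), and the proof of `consistency` continues outside this hunk.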
@@ -4711,20 +4482,17 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
       solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
         case CA_Sign_ltk
         solve( Completed( k2,
-                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
-                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
-                           pk(~skCe), cipe>,
+                          <certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                           cip, pk(~skCe), cipe>,
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
+          solve( CAInitT( $T, id_c.1, kTMAC.1, kTENC.1,
                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>,
                           <ke, cipe>, pk(~skCe)
                  ) ▶₁ #j )
             case CA_INIT_T
-            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
-                          'terminal'
-                   ) ▶₂ #j )
+            solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j )
               case CA_Sign_ltk
               solve( splitEqs(0) )
                 case split_case_1
@@ -4737,54 +4505,48 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                    cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
                                    encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                  kdf(<'TMAC', ~r1>, ~kTA))
+                                  kTMAC)
                          ) @ #vk.3 )
-                    case c_mac
-                    solve( !KU( ~r2 ) @ #vk.43 )
-                      case CA_INIT_C
-                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 )
-                        case TA_RESPONSE_T
-                        solve( !KU( kdf(<'CNF', 
-                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                         encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                        <~k, ~ke>)
-                               ) @ #vk.25 )
-                          case c_kdf
-                          solve( !KU( ~k ) @ #vk.55 )
+                    case CA_INIT_T
+                    solve( !KU( kdf(<'CNF', 
+                                     cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                     cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                     encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                    <~k, ~ke>)
+                           ) @ #vk.10 )
+                      case c_kdf
+                      solve( !KU( ~r2 ) @ #vk.36 )
+                        case CA_INIT_C
+                        solve( !KU( ~k ) @ #vk.38 )
+                          case CA_INIT_T
+                          solve( !KU( ~ke ) @ #vk.39 )
                             case CA_INIT_T
-                            solve( !KU( ~ke ) @ #vk.56 )
-                              case CA_INIT_T
-                              solve( !KU( ~ltk ) @ #vk.57 )
-                                case Corrupt_ltk
-                                by contradiction /* from formulas */
-                              qed
+                            solve( !KU( ~ltk ) @ #vk.41 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
                             qed
                           qed
                         qed
-                      next
+                      qed
+                    qed
+                  next
+                    case c_mac
+                    solve( !KU( ~r2 ) @ #vk.36 )
+                      case CA_INIT_C
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                      <~k, ~ke>)
+                             ) @ #vk.14 )
                         case c_kdf
-                        solve( !KU( ~kTA ) @ #vk.47 )
-                          case TA_CHALLENGE_C
-                          solve( !KU( ~ltk.1 ) @ #vk.50 )
-                            case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                            <~k, ~ke>)
-                                   ) @ #vk.27 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.54 )
-                                case CA_INIT_T
-                                solve( !KU( ~ke ) @ #vk.55 )
-                                  case CA_INIT_T
-                                  solve( !KU( ~ltk ) @ #vk.56 )
-                                    case Corrupt_ltk
-                                    by contradiction /* from formulas */
-                                  qed
-                                qed
-                              qed
+                        solve( !KU( ~k ) @ #vk.42 )
+                          case CA_INIT_T
+                          solve( !KU( ~ke ) @ #vk.43 )
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.44 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
                             qed
                           qed
                         qed
@@ -4797,7 +4559,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                    cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
                                    cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
                                    encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                  kdf(<'TMAC', ~r1>, ~kTA))
+                                  kTMAC)
                          ) @ #vk.3 )
                     case CA_INIT_T
                     solve( !KU( kdf(<'CNF', 
@@ -4805,15 +4567,15 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                      cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
                                      encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
                                     <~k, ~ke>)
-                           ) @ #vk.18 )
+                           ) @ #vk.10 )
                       case c_kdf
-                      solve( !KU( ~r2 ) @ #vk.43 )
+                      solve( !KU( ~r2 ) @ #vk.36 )
                         case CA_INIT_C
-                        solve( !KU( ~k ) @ #vk.45 )
+                        solve( !KU( ~k ) @ #vk.38 )
                           case CA_INIT_T
-                          solve( !KU( ~ke ) @ #vk.46 )
+                          solve( !KU( ~ke ) @ #vk.39 )
                             case CA_INIT_T
-                            solve( !KU( ~ltk ) @ #vk.48 )
+                            solve( !KU( ~ltk ) @ #vk.41 )
                               case Corrupt_ltk
                               by contradiction /* from formulas */
                             qed
@@ -4823,51 +4585,22 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                     qed
                   next
                     case c_mac
-                    solve( !KU( ~r2 ) @ #vk.43 )
+                    solve( !KU( ~r2 ) @ #vk.36 )
                       case CA_INIT_C
-                      solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 )
-                        case TA_RESPONSE_T
-                        solve( !KU( kdf(<'CNF', 
-                                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                         encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                        <~k, ~ke>)
-                               ) @ #vk.25 )
-                          case c_kdf
-                          solve( !KU( ~k ) @ #vk.55 )
-                            case CA_INIT_T
-                            solve( !KU( ~ke ) @ #vk.56 )
-                              case CA_INIT_T
-                              solve( !KU( ~ltk ) @ #vk.57 )
-                                case Corrupt_ltk
-                                by contradiction /* from formulas */
-                              qed
-                            qed
-                          qed
-                        qed
-                      next
+                      solve( !KU( kdf(<'CNF', 
+                                       cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
+                                       cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                                       encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
+                                      <~k, ~ke>)
+                             ) @ #vk.14 )
                         case c_kdf
-                        solve( !KU( ~kTA ) @ #vk.47 )
-                          case TA_CHALLENGE_C
-                          solve( !KU( ~ltk.1 ) @ #vk.50 )
-                            case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                            <~k, ~ke>)
-                                   ) @ #vk.27 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.54 )
-                                case CA_INIT_T
-                                solve( !KU( ~ke ) @ #vk.55 )
-                                  case CA_INIT_T
-                                  solve( !KU( ~ltk ) @ #vk.56 )
-                                    case Corrupt_ltk
-                                    by contradiction /* from formulas */
-                                  qed
-                                qed
-                              qed
+                        solve( !KU( ~k ) @ #vk.42 )
+                          case CA_INIT_T
+                          solve( !KU( ~ke ) @ #vk.43 )
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.44 )
+                              case Corrupt_ltk
+                              by contradiction /* from formulas */
                             qed
                           qed
                         qed
@@ -4889,8 +4622,9 @@ lemma key_secrecy:
   "∀ C T k sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
-    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
-     (∃ #m. Corrupted( C ) @ #m))"
+    ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+      (∃ #m. Corrupted( C ) @ #m)) ∨
+     (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k sid #i #j.
@@ -4899,38 +4633,34 @@ guarded formula characterizing all counter-examples:
  ∧
   (∃ #m. (K( k ) @ #m)) ∧
   (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
-                  skCe
+  solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
          ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
       solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
         case CA_Sign_ltk
-        solve( Completed( kdf(<'KEY', 
-                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+        solve( Completed( kdf(<'KEY', certT, 
                                cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
                                pk(~skCe), cipe>,
-                              <z.1, z.2>),
-                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
-                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
-                           pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                           cip, pk(~skCe), cipe>,
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
-                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
-                          <z.2, cipe>, pk(~skCe)
+          solve( CAInitT( $T, id_c.1, kTMAC.1, kTENC.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
             case CA_INIT_T
-            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
-                          'terminal'
-                   ) ▶₂ #j )
+            solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j )
               case CA_Sign_ltk
               solve( splitEqs(2) )
                 case split_case_1
@@ -4944,13 +4674,13 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                   by contradiction /* from formulas */
                 next
                   case c_kdf
-                  solve( !KU( ~r2 ) @ #vk.44 )
+                  solve( !KU( ~r2 ) @ #vk.37 )
                     case CA_INIT_C
-                    solve( !KU( ~k ) @ #vk.46 )
+                    solve( !KU( ~k ) @ #vk.39 )
                       case CA_INIT_T
-                      solve( !KU( ~ke ) @ #vk.47 )
+                      solve( !KU( ~ke ) @ #vk.40 )
                         case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.49 )
+                        solve( !KU( ~ltk ) @ #vk.42 )
                           case Corrupt_ltk
                           by contradiction /* from formulas */
                         qed
@@ -4970,13 +4700,13 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                   by contradiction /* from formulas */
                 next
                   case c_kdf
-                  solve( !KU( ~r2 ) @ #vk.44 )
+                  solve( !KU( ~r2 ) @ #vk.37 )
                     case CA_INIT_C
-                    solve( !KU( ~k ) @ #vk.46 )
+                    solve( !KU( ~k ) @ #vk.39 )
                       case CA_INIT_T
-                      solve( !KU( ~ke ) @ #vk.47 )
+                      solve( !KU( ~ke ) @ #vk.40 )
                         case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.49 )
+                        solve( !KU( ~ltk ) @ #vk.42 )
                           case Corrupt_ltk
                           by contradiction /* from formulas */
                         qed
@@ -4993,28 +4723,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma chip_hiding:
-  all-traces
-  "∀ C T iid #i.
-    (CompletedTA( C, iid, T ) @ #i) ⇒
-    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T iid #i.
-  (CompletedTA( C, iid, T ) @ #i)
- ∧
-  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
-*/
-simplify
-solve( TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> ) ▶₁ #i )
-  case TA_CHALLENGE_C
-  solve( !KU( ~iid ) @ #vk.6 )
-    case CA_INIT_C
-    by contradiction /* cyclic */
-  qed
-qed
-
-lemma nonRepudiation_terminal:
+lemma notNonRepudiation_C:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -5039,40 +4748,50 @@ solve( ValidTrans( C, 'chip', T ) @ #i )
       solve( !KU( senc(<cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z>,
                        kdf(<'TENC', r1>, kTA))
              ) @ #vk.11 )
-        case c_senc
+        case CA_INIT_C
         solve( !KU( mac(<'CA', 
                          cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
-                         cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, cip, pk(skCe), cipe>,
+                         cert(pk(~ltk.1), sign(<pk(~ltk.1), $A.1, 'chip'>, ca_sk), $A.1), 
+                         <~r2, pk(~skCe)>, cip, pk(skCe.1), cipe>,
                         kdf(<'TMAC', r1>, kTA))
                ) @ #vk.15 )
           case c_mac
-          solve( !KU( kdf(<'CNF', 
-                           cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
-                           cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, cip, pk(skCe), cipe>,
-                          <z.1, z.2>)
-                 ) @ #vk.21 )
-            case c_kdf
-            solve( !KU( cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1) ) @ #vk.30 )
-              case CA_Sign_ltk
+          solve( !KU( ~r2 ) @ #vk.32 )
+            case CA_INIT_C
+            solve( !KU( kdf(<'CNF', 
+                             cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), 
+                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $A.1, 'chip'>, ca_sk), $A.1), 
+                             <~r2, pk(~skCe)>, cip, pk(skCe.1), cipe>,
+                            <z, z.1>)
+                   ) @ #vk.24 )
+              case c_kdf
               solve( splitEqs(0) )
                 case split_case_3
-                solve( !KU( encaps(z.1, pk(~ltk.2)) ) @ #vk.23 )
+                solve( !KU( encaps(z, pk(~ltk.2)) ) @ #vk.23 )
                   case c_encaps
-                  solve( !KU( decaps(cipe, skCe) ) @ #vk.39 )
+                  solve( !KU( decaps(cipe, skCe.1) ) @ #vk.40 )
                     case c_decaps
-                    solve( !KU( kdf(<'TCNF', r1>, kTA) ) @ #vk.25 )
+                    solve( !KU( kdf(<'TCNF', r1>, kTA) ) @ #vk.26 )
                       case c_kdf
-                      solve( !KU( kdf(<'TENC', r1>, kTA) ) @ #vk.34 )
+                      solve( !KU( kdf(<'TMAC', r1>, kTA) ) @ #vk.34 )
                         case c_kdf
-                        solve( !KU( kdf(<'TMAC', r1>, kTA) ) @ #vk.37 )
-                          case c_kdf
-                          solve( !KU( pk(skCe) ) @ #vk.40 )
-                            case CA_Sign_ltk_case_1
-                            solve( !KU( ~ltk.3 ) @ #vk.38 )
-                              case Corrupt_ltk
-                              solve( !KU( pk(~ltk.2) ) @ #vk.43 )
-                                case CA_Sign_ltk
-                                SOLVED // trace found
+                        solve( !KU( pk(skCe.1) ) @ #vk.39 )
+                          case CA_INIT_C_case_1
+                          solve( !KU( ~ltk.3 ) @ #vk.36 )
+                            case Corrupt_ltk
+                            solve( !KU( kdf(<'TENC', r1>, kTA) ) @ #vk.40 )
+                              case c_kdf
+                              solve( !KU( cert(pk(~ltk.1), sign(<pk(~ltk.1), $A.1, 'chip'>, ca_sk),
+                                               $A.1)
+                                     ) @ #vk.40 )
+                                case CA_INIT_C
+                                solve( !KU( pk(~skCe) ) @ #vk.41 )
+                                  case CA_INIT_C
+                                  solve( !KU( pk(~ltk.2) ) @ #vk.44 )
+                                    case CA_INIT_C
+                                    SOLVED // trace found
+                                  qed
+                                qed
                               qed
                             qed
                           qed
@@ -5090,7 +4809,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma nonRepudiation_chip:
+lemma notNonRepudiation_T:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -5129,7 +4848,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i )
                  ) @ #vk.21 )
             case c_kdf
             solve( !KU( cert(x, sign(<x, C, 'chip'>, ca_sk), C) ) @ #vk.30 )
-              case CA_Sign_ltk
+              case CA_INIT_C
               solve( splitEqs(0) )
                 case split_case_4
                 solve( !KU( encaps(z, pk(~ltk.1)) ) @ #vk.21 )
@@ -5140,7 +4859,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i )
                       case c_kdf
                       solve( !KU( kdf(<'TMAC', r1>, z) ) @ #vk.35 )
                         case c_kdf
-                        solve( !KU( pk(~ltk.1) ) @ #vk.42 )
+                        solve( !KU( pk(~ltk.1) ) @ #vk.43 )
                           case CA_Sign_ltk
                           SOLVED // trace found
                         qed
@@ -5157,7 +4876,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i )
   qed
 qed
 
-lemma pfs:
+lemma forward_secrecy:
   all-traces
   "∀ C T k sid #i #j.
     ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
@@ -5179,33 +4898,28 @@ guarded formula characterizing all counter-examples:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2,
-                  skCe
+  solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe
          ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
       solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
         case CA_Sign_ltk
-        solve( Completed( kdf(<'KEY', 
-                               cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
+        solve( Completed( kdf(<'KEY', certT, 
                                cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
                                pk(~skCe), cipe>,
-                              <z.1, z.2>),
-                          <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
-                           cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
-                           pk(~skCe), cipe>,
+                              <z, z.1>),
+                          <certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
+                           cip, pk(~skCe), cipe>,
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC,
-                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
-                          <z.2, cipe>, pk(~skCe)
+          solve( CAInitT( $T, id_c.1, kTMAC.1, kTENC.1,
+                          cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>,
+                          <z.1, cipe>, pk(~skCe)
                  ) ▶₁ #j )
             case CA_INIT_T
-            solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T),
-                          'terminal'
-                   ) ▶₂ #j )
+            solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j )
               case CA_Sign_ltk
               solve( splitEqs(2) )
                 case split_case_1
@@ -5219,15 +4933,15 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                   by contradiction /* from formulas */
                 next
                   case c_kdf
-                  solve( !KU( ~r2 ) @ #vk.44 )
+                  solve( !KU( ~r2 ) @ #vk.37 )
                     case CA_INIT_C
-                    solve( !KU( ~k ) @ #vk.46 )
+                    solve( !KU( ~k ) @ #vk.39 )
                       case CA_INIT_T
-                      solve( !KU( ~ke ) @ #vk.47 )
+                      solve( !KU( ~ke ) @ #vk.40 )
                         case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.49 )
+                        solve( !KU( ~ltk ) @ #vk.42 )
                           case Corrupt_ltk
-                          by solve( !KU( ~skCe ) @ #vk.50 )
+                          by solve( !KU( ~skCe ) @ #vk.43 )
                         qed
                       qed
                     qed
@@ -5245,15 +4959,15 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                   by contradiction /* from formulas */
                 next
                   case c_kdf
-                  solve( !KU( ~r2 ) @ #vk.44 )
+                  solve( !KU( ~r2 ) @ #vk.37 )
                     case CA_INIT_C
-                    solve( !KU( ~k ) @ #vk.46 )
+                    solve( !KU( ~k ) @ #vk.39 )
                       case CA_INIT_T
-                      solve( !KU( ~ke ) @ #vk.47 )
+                      solve( !KU( ~ke ) @ #vk.40 )
                         case CA_INIT_T
-                        solve( !KU( ~ltk ) @ #vk.49 )
+                        solve( !KU( ~ltk ) @ #vk.42 )
                           case Corrupt_ltk
-                          by solve( !KU( ~skCe ) @ #vk.50 )
+                          by solve( !KU( ~skCe ) @ #vk.43 )
                         qed
                       qed
                     qed
@@ -5304,7 +5018,23 @@ qed
 
 
 
-/* All wellformedness checks were successful. */
+/*
+WARNING: the following wellformedness checks failed!
+
+Unbound variables
+=================
+
+  rule `CA_INIT_C' has unbound variables: 
+    cTA, certT, id_c, kTA, kTENC, kTMAC, r1
+
+Message Derivation Checks
+=========================
+
+  The variables of the follwing rule(s) are not derivable from their premises, you may be performing unintended pattern matching.
+
+Rule CA_INIT_C: 
+Failed to derive Variable(s): cTA, certT, id_c, kTA, kTENC, kTMAC, r1
+*/
 
 /*
 Generated from:
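Review bot: This result no longer ends with `/* All wellformedness checks were successful. */`; the new block reports that rule `CA_INIT_C` has unbound variables `cTA, certT, id_c, kTA, kTENC, kTMAC, r1` and that they are not derivable from its premises. The summary hunk that follows adds `WARNING: 2 wellformedness check failed! The analysis results might be wrong!` directly above the `verified` lines. With those variables unbound, the chip-side state appearing in the `CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe )` goal is presumably not tied to any earlier protocol step. The `verified` verdicts, in particular `forward_secrecy` and `key_secrecy`, should therefore not be cited as evidence for the protocol as it stands. I would bind these variables through a premise of `CA_INIT_C` in the model source (a state fact or an `In(...)` that carries them), then regenerate this file so the wellformedness report is clean again; the rule itself is outside this hunk.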
@@ -5321,21 +5051,23 @@ summary of summaries:
 
 analyzed: tmp.spthy
 
-  processing time: 327.25s
+  processing time: 192.97s
+  
+  WARNING: 2 wellformedness check failed!
+           The analysis results might be wrong!
   
-  session_exist (exists-trace): verified (29 steps)
-  two_session_exist (exists-trace): verified (54 steps)
+  session_exist (exists-trace): verified (15 steps)
+  two_session_exist (exists-trace): verified (32 steps)
+  aliveness (all-traces): verified (135 steps)
   weak_agreement_C (all-traces): verified (8 steps)
-  weak_agreement_T (all-traces): verified (131 steps)
+  weak_agreement_T (all-traces): verified (134 steps)
   agreement_C (all-traces): verified (24 steps)
-  agreement_T (all-traces): verified (131 steps)
-  aliveness (all-traces): verified (132 steps)
+  agreement_T (all-traces): verified (134 steps)
   session_uniqueness (all-traces): verified (37 steps)
-  consistency (all-traces): verified (47 steps)
+  consistency (all-traces): verified (37 steps)
   key_secrecy (all-traces): verified (23 steps)
-  chip_hiding (all-traces): verified (4 steps)
-  nonRepudiation_terminal (exists-trace): verified (18 steps)
-  nonRepudiation_chip (exists-trace): verified (15 steps)
-  pfs (all-traces): verified (23 steps)
+  notNonRepudiation_C (exists-trace): verified (20 steps)
+  notNonRepudiation_T (exists-trace): verified (15 steps)
+  forward_secrecy (all-traces): verified (23 steps)
 
 ==============================================================================
diff --git a/results/45991794.err.ALL_FastKemPQEAC_TAMARIN b/results/46092876.err.ForwardSecrecy_FastKemPQEAC
similarity index 100%
rename from results/45991794.err.ALL_FastKemPQEAC_TAMARIN
rename to results/46092876.err.ForwardSecrecy_FastKemPQEAC
diff --git a/results/45991550.out.PFS_ALL_FastKemPQEAC_TAMARIN b/results/46092876.out.ForwardSecrecy_FastKemPQEAC
similarity index 88%
rename from results/45991550.out.PFS_ALL_FastKemPQEAC_TAMARIN
rename to results/46092876.out.ForwardSecrecy_FastKemPQEAC
index 77c0026..527cf25 100644
--- a/results/45991550.out.PFS_ALL_FastKemPQEAC_TAMARIN
+++ b/results/46092876.out.ForwardSecrecy_FastKemPQEAC
@@ -74,24 +74,23 @@ rule (modulo E) Reveal_session:
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ]
+   [ !Cert( $T, certT, 'terminal' ) ]
   --[ Started( ) ]->
-   [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ]
+   [ Out( <certT, '1', 't'> ), TAInitT( $T ) ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_CHALLENGE_C:
    [
    In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ),
-   Fr( ~skCe ), Fr( ~iid ), !Cert( $C, certC, 'chip' )
+   Fr( ~skCe ), !Cert( $C, certC, 'chip' )
    ]
   --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
    [
    Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), 
          senc(<certC, ~r2, pk(~skCe)>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'>
    ),
-   Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ),
-   TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2, ~skCe,
+   TAChallengeC( $C, certT, ~id_c, ~r1, ~r2, ~skCe,
                  kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA)
    )
    ]
@@ -100,38 +99,36 @@ rule (modulo E) TA_CHALLENGE_C:
   rule (modulo AC) TA_CHALLENGE_C:
      [
      In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ),
-     Fr( ~skCe ), Fr( ~iid ), !Cert( $C, certC, 'chip' )
+     Fr( ~skCe ), !Cert( $C, certC, 'chip' )
      ]
     --[ Eq( z.1, true ), Started( ) ]->
      [
      Out( <~id_c, ~r1, encaps(~kTA, z), 
            senc(<certC, ~r2, pk(~skCe)>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'>
      ),
-     Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ),
-     TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2, ~skCe,
+     TAChallengeC( $C, certT, ~id_c, ~r1, ~r2, ~skCe,
                    kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA)
      )
      ]
     variants (modulo AC)
-    1. certT = certT.21
-       z     = cert_pk(certT.21)
-       z.1   = verify(cert_sig(certT.21),
-                      <cert_pk(certT.21), cert_id(certT.21), 'terminal'>, pk(ca_sk))
+    1. certT = certT.20
+       z     = cert_pk(certT.20)
+       z.1   = verify(cert_sig(certT.20),
+                      <cert_pk(certT.20), cert_id(certT.20), 'terminal'>, pk(ca_sk))
     
-    2. certT = cert(z.71, sign(<z.71, x.128, 'terminal'>, ca_sk), x.128)
-       z     = z.71
+    2. certT = cert(z.70, sign(<z.70, x.127, 'terminal'>, ca_sk), x.127)
+       z     = z.70
        z.1   = true
     
-    3. certT = cert(z.72, x.129, x.130)
-       z     = z.72
-       z.1   = verify(x.129, <z.72, x.130, 'terminal'>, pk(ca_sk))
+    3. certT = cert(z.71, x.128, x.129)
+       z     = z.71
+       z.1   = verify(x.128, <z.71, x.129, 'terminal'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_RESPONSE_T:
    [
-   In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), Fr( ~ke ),
-   TAInitT( <$T, iid> ), !Ltk( $T, ~skT, 'terminal' ),
-   !Cert( $T, certT, 'terminal' )
+   In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), Fr( ~ke ), TAInitT( $T ),
+   !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
    ]
   --[
   Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))),
@@ -153,7 +150,7 @@ rule (modulo E) TA_RESPONSE_T:
          encaps(~ke, snd(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))))), 
          '3', 't'>
    ),
-   TAResponseT( <$T, iid>, id_c,
+   TAResponseT( $T, id_c,
                 fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))),
                 fst(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT))))),
                 <~k, 
@@ -168,9 +165,8 @@ rule (modulo E) TA_RESPONSE_T:
   /*
   rule (modulo AC) TA_RESPONSE_T:
      [
-     In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), Fr( ~ke ),
-     TAInitT( <$T, iid> ), !Ltk( $T, ~skT, 'terminal' ),
-     !Cert( $T, certT, 'terminal' )
+     In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), Fr( ~ke ), TAInitT( $T ),
+     !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' )
      ]
     --[ Eq( z.5, true ) ]->
      [
@@ -179,232 +175,231 @@ rule (modulo E) TA_RESPONSE_T:
                kdf(<'TMAC', r1>, z)), 
            encaps(~ke, z.4), '3', 't'>
      ),
-     TAResponseT( <$T, iid>, id_c, z.2, z.3, <~k, encaps(~k, z.1)>,
+     TAResponseT( $T, id_c, z.2, z.3, <~k, encaps(~k, z.1)>,
                   <~ke, encaps(~ke, z.4)>, z.4
      )
      ]
     variants (modulo AC)
-     1. ~skT  = ~skT.32
-        cCA   = cCA.33
-        cTA   = cTA.34
-        r1    = r1.38
-        z     = decaps(cTA.34, ~skT.32)
-        z.1   = cert_pk(fst(sdec(cCA.33,
-                                 kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32)))))
-        z.2   = fst(sdec(cCA.33, kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))
-        z.3   = fst(snd(sdec(cCA.33,
-                             kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32)))))
-        z.4   = snd(snd(sdec(cCA.33,
-                             kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32)))))
-        z.5   = verify(cert_sig(fst(sdec(cCA.33,
-                                         kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))),
+     1. ~skT  = ~skT.30
+        cCA   = cCA.31
+        cTA   = cTA.32
+        r1    = r1.35
+        z     = decaps(cTA.32, ~skT.30)
+        z.1   = cert_pk(fst(sdec(cCA.31,
+                                 kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30)))))
+        z.2   = fst(sdec(cCA.31, kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30))))
+        z.3   = fst(snd(sdec(cCA.31,
+                             kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30)))))
+        z.4   = snd(snd(sdec(cCA.31,
+                             kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30)))))
+        z.5   = verify(cert_sig(fst(sdec(cCA.31,
+                                         kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30))))),
                        <
-                        cert_pk(fst(sdec(cCA.33,
-                                         kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))), 
-                        cert_id(fst(sdec(cCA.33,
-                                         kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))), 
+                        cert_pk(fst(sdec(cCA.31,
+                                         kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30))))), 
+                        cert_id(fst(sdec(cCA.31,
+                                         kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30))))), 
                         'chip'>,
                        pk(ca_sk))
     
-     2. ~skT  = ~skT.37
-        cCA   = cCA.38
-        cTA   = encaps(z.48, pk(~skT.37))
-        r1    = r1.43
-        z     = z.48
-        z.1   = cert_pk(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48))))
-        z.2   = fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))
-        z.3   = fst(snd(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48))))
-        z.4   = snd(snd(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48))))
-        z.5   = verify(cert_sig(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))),
-                       <cert_pk(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))), 
-                        cert_id(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))), 'chip'>,
+     2. ~skT  = ~skT.35
+        cCA   = cCA.36
+        cTA   = encaps(z.45, pk(~skT.35))
+        r1    = r1.40
+        z     = z.45
+        z.1   = cert_pk(fst(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45))))
+        z.2   = fst(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45)))
+        z.3   = fst(snd(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45))))
+        z.4   = snd(snd(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45))))
+        z.5   = verify(cert_sig(fst(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45)))),
+                       <cert_pk(fst(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45)))), 
+                        cert_id(fst(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45)))), 'chip'>,
                        pk(ca_sk))
     
-     3. ~skT  = ~skT.42
-        cCA   = senc(<z.56, z.57, z.58>, kdf(<'TENC', r1.48>, z.53))
-        cTA   = encaps(z.53, pk(~skT.42))
-        r1    = r1.48
-        z     = z.53
-        z.1   = cert_pk(z.56)
-        z.2   = z.56
-        z.3   = z.57
-        z.4   = z.58
-        z.5   = verify(cert_sig(z.56), <cert_pk(z.56), cert_id(z.56), 'chip'>,
+     3. ~skT  = ~skT.40
+        cCA   = senc(<z.53, z.54, z.55>, kdf(<'TENC', r1.45>, z.50))
+        cTA   = encaps(z.50, pk(~skT.40))
+        r1    = r1.45
+        z     = z.50
+        z.1   = cert_pk(z.53)
+        z.2   = z.53
+        z.3   = z.54
+        z.4   = z.55
+        z.5   = verify(cert_sig(z.53), <cert_pk(z.53), cert_id(z.53), 'chip'>,
                        pk(ca_sk))
     
-     4. ~skT  = ~skT.42
-        cCA   = senc(<z.56, z.57, z.58>,
-                     kdf(<'TENC', r1.48>, decaps(cTA.44, ~skT.42)))
-        cTA   = cTA.44
-        r1    = r1.48
-        z     = decaps(cTA.44, ~skT.42)
-        z.1   = cert_pk(z.56)
-        z.2   = z.56
-        z.3   = z.57
-        z.4   = z.58
-        z.5   = verify(cert_sig(z.56), <cert_pk(z.56), cert_id(z.56), 'chip'>,
+     4. ~skT  = ~skT.40
+        cCA   = senc(<z.53, z.54, z.55>,
+                     kdf(<'TENC', r1.45>, decaps(cTA.42, ~skT.40)))
+        cTA   = cTA.42
+        r1    = r1.45
+        z     = decaps(cTA.42, ~skT.40)
+        z.1   = cert_pk(z.53)
+        z.2   = z.53
+        z.3   = z.54
+        z.4   = z.55
+        z.5   = verify(cert_sig(z.53), <cert_pk(z.53), cert_id(z.53), 'chip'>,
                        pk(ca_sk))
     
-     5. ~skT  = ~skT.174
-        cCA   = senc(x.343, kdf(<'TENC', r1.180>, z.185))
-        cTA   = encaps(z.185, pk(~skT.174))
-        r1    = r1.180
-        z     = z.185
-        z.1   = cert_pk(fst(x.343))
-        z.2   = fst(x.343)
-        z.3   = fst(snd(x.343))
-        z.4   = snd(snd(x.343))
-        z.5   = verify(cert_sig(fst(x.343)),
-                       <cert_pk(fst(x.343)), cert_id(fst(x.343)), 'chip'>, pk(ca_sk))
-    
-     6. ~skT  = ~skT.174
-        cCA   = senc(x.343, kdf(<'TENC', r1.180>, decaps(cTA.176, ~skT.174)))
-        cTA   = cTA.176
-        r1    = r1.180
-        z     = decaps(cTA.176, ~skT.174)
-        z.1   = cert_pk(fst(x.343))
-        z.2   = fst(x.343)
-        z.3   = fst(snd(x.343))
-        z.4   = snd(snd(x.343))
-        z.5   = verify(cert_sig(fst(x.343)),
-                       <cert_pk(fst(x.343)), cert_id(fst(x.343)), 'chip'>, pk(ca_sk))
-    
-     7. ~skT  = ~skT.175
-        cCA   = senc(<z.189, x.345>, kdf(<'TENC', r1.181>, z.186))
-        cTA   = encaps(z.186, pk(~skT.175))
-        r1    = r1.181
-        z     = z.186
-        z.1   = cert_pk(z.189)
-        z.2   = z.189
-        z.3   = fst(x.345)
-        z.4   = snd(x.345)
-        z.5   = verify(cert_sig(z.189), <cert_pk(z.189), cert_id(z.189), 'chip'>,
+     5. ~skT  = ~skT.166
+        cCA   = senc(x.327, kdf(<'TENC', r1.171>, z.176))
+        cTA   = encaps(z.176, pk(~skT.166))
+        r1    = r1.171
+        z     = z.176
+        z.1   = cert_pk(fst(x.327))
+        z.2   = fst(x.327)
+        z.3   = fst(snd(x.327))
+        z.4   = snd(snd(x.327))
+        z.5   = verify(cert_sig(fst(x.327)),
+                       <cert_pk(fst(x.327)), cert_id(fst(x.327)), 'chip'>, pk(ca_sk))
+    
+     6. ~skT  = ~skT.166
+        cCA   = senc(x.327, kdf(<'TENC', r1.171>, decaps(cTA.168, ~skT.166)))
+        cTA   = cTA.168
+        r1    = r1.171
+        z     = decaps(cTA.168, ~skT.166)
+        z.1   = cert_pk(fst(x.327))
+        z.2   = fst(x.327)
+        z.3   = fst(snd(x.327))
+        z.4   = snd(snd(x.327))
+        z.5   = verify(cert_sig(fst(x.327)),
+                       <cert_pk(fst(x.327)), cert_id(fst(x.327)), 'chip'>, pk(ca_sk))
+    
+     7. ~skT  = ~skT.167
+        cCA   = senc(<z.180, x.329>, kdf(<'TENC', r1.172>, z.177))
+        cTA   = encaps(z.177, pk(~skT.167))
+        r1    = r1.172
+        z     = z.177
+        z.1   = cert_pk(z.180)
+        z.2   = z.180
+        z.3   = fst(x.329)
+        z.4   = snd(x.329)
+        z.5   = verify(cert_sig(z.180), <cert_pk(z.180), cert_id(z.180), 'chip'>,
                        pk(ca_sk))
     
-     8. ~skT  = ~skT.175
-        cCA   = senc(<z.189, x.345>,
-                     kdf(<'TENC', r1.181>, decaps(cTA.177, ~skT.175)))
-        cTA   = cTA.177
-        r1    = r1.181
-        z     = decaps(cTA.177, ~skT.175)
-        z.1   = cert_pk(z.189)
-        z.2   = z.189
-        z.3   = fst(x.345)
-        z.4   = snd(x.345)
-        z.5   = verify(cert_sig(z.189), <cert_pk(z.189), cert_id(z.189), 'chip'>,
+     8. ~skT  = ~skT.167
+        cCA   = senc(<z.180, x.329>,
+                     kdf(<'TENC', r1.172>, decaps(cTA.169, ~skT.167)))
+        cTA   = cTA.169
+        r1    = r1.172
+        z     = decaps(cTA.169, ~skT.167)
+        z.1   = cert_pk(z.180)
+        z.2   = z.180
+        z.3   = fst(x.329)
+        z.4   = snd(x.329)
+        z.5   = verify(cert_sig(z.180), <cert_pk(z.180), cert_id(z.180), 'chip'>,
                        pk(ca_sk))
     
-     9. ~skT  = ~skT.175
-        cCA   = senc(<cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345), 
-                      z.190, z.191>,
-                     kdf(<'TENC', r1.181>, z.186))
-        cTA   = encaps(z.186, pk(~skT.175))
-        r1    = r1.181
-        z     = z.186
-        z.1   = z.187
-        z.2   = cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345)
-        z.3   = z.190
-        z.4   = z.191
+     9. ~skT  = ~skT.167
+        cCA   = senc(<cert(z.178, sign(<z.178, x.329, 'chip'>, ca_sk), x.329), 
+                      z.181, z.182>,
+                     kdf(<'TENC', r1.172>, z.177))
+        cTA   = encaps(z.177, pk(~skT.167))
+        r1    = r1.172
+        z     = z.177
+        z.1   = z.178
+        z.2   = cert(z.178, sign(<z.178, x.329, 'chip'>, ca_sk), x.329)
+        z.3   = z.181
+        z.4   = z.182
         z.5   = true
     
-    10. ~skT  = ~skT.175
-        cCA   = senc(<cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345), 
-                      z.190, z.191>,
-                     kdf(<'TENC', r1.181>, decaps(cTA.177, ~skT.175)))
-        cTA   = cTA.177
-        r1    = r1.181
-        z     = decaps(cTA.177, ~skT.175)
-        z.1   = z.187
-        z.2   = cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345)
-        z.3   = z.190
-        z.4   = z.191
+    10. ~skT  = ~skT.167
+        cCA   = senc(<cert(z.178, sign(<z.178, x.329, 'chip'>, ca_sk), x.329), 
+                      z.181, z.182>,
+                     kdf(<'TENC', r1.172>, decaps(cTA.169, ~skT.167)))
+        cTA   = cTA.169
+        r1    = r1.172
+        z     = decaps(cTA.169, ~skT.167)
+        z.1   = z.178
+        z.2   = cert(z.178, sign(<z.178, x.329, 'chip'>, ca_sk), x.329)
+        z.3   = z.181
+        z.4   = z.182
         z.5   = true
     
-    11. ~skT  = ~skT.176
-        cCA   = senc(<cert(z.188, x.346, x.347), z.191, z.192>,
-                     kdf(<'TENC', r1.182>, z.187))
-        cTA   = encaps(z.187, pk(~skT.176))
-        r1    = r1.182
-        z     = z.187
-        z.1   = z.188
-        z.2   = cert(z.188, x.346, x.347)
-        z.3   = z.191
-        z.4   = z.192
-        z.5   = verify(x.346, <z.188, x.347, 'chip'>, pk(ca_sk))
-    
-    12. ~skT  = ~skT.176
-        cCA   = senc(<cert(z.188, x.346, x.347), z.191, z.192>,
-                     kdf(<'TENC', r1.182>, decaps(cTA.178, ~skT.176)))
-        cTA   = cTA.178
-        r1    = r1.182
-        z     = decaps(cTA.178, ~skT.176)
-        z.1   = z.188
-        z.2   = cert(z.188, x.346, x.347)
-        z.3   = z.191
-        z.4   = z.192
-        z.5   = verify(x.346, <z.188, x.347, 'chip'>, pk(ca_sk))
-    
-    13. ~skT  = ~skT.176
-        cCA   = senc(<cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346), 
-                      x.347>,
-                     kdf(<'TENC', r1.182>, z.187))
-        cTA   = encaps(z.187, pk(~skT.176))
-        r1    = r1.182
-        z     = z.187
-        z.1   = z.188
-        z.2   = cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346)
-        z.3   = fst(x.347)
-        z.4   = snd(x.347)
+    11. ~skT  = ~skT.168
+        cCA   = senc(<cert(z.179, x.330, x.331), z.182, z.183>,
+                     kdf(<'TENC', r1.173>, z.178))
+        cTA   = encaps(z.178, pk(~skT.168))
+        r1    = r1.173
+        z     = z.178
+        z.1   = z.179
+        z.2   = cert(z.179, x.330, x.331)
+        z.3   = z.182
+        z.4   = z.183
+        z.5   = verify(x.330, <z.179, x.331, 'chip'>, pk(ca_sk))
+    
+    12. ~skT  = ~skT.168
+        cCA   = senc(<cert(z.179, x.330, x.331), z.182, z.183>,
+                     kdf(<'TENC', r1.173>, decaps(cTA.170, ~skT.168)))
+        cTA   = cTA.170
+        r1    = r1.173
+        z     = decaps(cTA.170, ~skT.168)
+        z.1   = z.179
+        z.2   = cert(z.179, x.330, x.331)
+        z.3   = z.182
+        z.4   = z.183
+        z.5   = verify(x.330, <z.179, x.331, 'chip'>, pk(ca_sk))
+    
+    13. ~skT  = ~skT.168
+        cCA   = senc(<cert(z.179, sign(<z.179, x.330, 'chip'>, ca_sk), x.330), 
+                      x.331>,
+                     kdf(<'TENC', r1.173>, z.178))
+        cTA   = encaps(z.178, pk(~skT.168))
+        r1    = r1.173
+        z     = z.178
+        z.1   = z.179
+        z.2   = cert(z.179, sign(<z.179, x.330, 'chip'>, ca_sk), x.330)
+        z.3   = fst(x.331)
+        z.4   = snd(x.331)
         z.5   = true
     
-    14. ~skT  = ~skT.176
-        cCA   = senc(<cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346), 
-                      x.347>,
-                     kdf(<'TENC', r1.182>, decaps(cTA.178, ~skT.176)))
-        cTA   = cTA.178
-        r1    = r1.182
-        z     = decaps(cTA.178, ~skT.176)
-        z.1   = z.188
-        z.2   = cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346)
-        z.3   = fst(x.347)
-        z.4   = snd(x.347)
+    14. ~skT  = ~skT.168
+        cCA   = senc(<cert(z.179, sign(<z.179, x.330, 'chip'>, ca_sk), x.330), 
+                      x.331>,
+                     kdf(<'TENC', r1.173>, decaps(cTA.170, ~skT.168)))
+        cTA   = cTA.170
+        r1    = r1.173
+        z     = decaps(cTA.170, ~skT.168)
+        z.1   = z.179
+        z.2   = cert(z.179, sign(<z.179, x.330, 'chip'>, ca_sk), x.330)
+        z.3   = fst(x.331)
+        z.4   = snd(x.331)
         z.5   = true
     
-    15. ~skT  = ~skT.177
-        cCA   = senc(<cert(z.189, x.347, x.348), x.349>,
-                     kdf(<'TENC', r1.183>, z.188))
-        cTA   = encaps(z.188, pk(~skT.177))
-        r1    = r1.183
-        z     = z.188
-        z.1   = z.189
-        z.2   = cert(z.189, x.347, x.348)
-        z.3   = fst(x.349)
-        z.4   = snd(x.349)
-        z.5   = verify(x.347, <z.189, x.348, 'chip'>, pk(ca_sk))
-    
-    16. ~skT  = ~skT.177
-        cCA   = senc(<cert(z.189, x.347, x.348), x.349>,
-                     kdf(<'TENC', r1.183>, decaps(cTA.179, ~skT.177)))
-        cTA   = cTA.179
-        r1    = r1.183
-        z     = decaps(cTA.179, ~skT.177)
-        z.1   = z.189
-        z.2   = cert(z.189, x.347, x.348)
-        z.3   = fst(x.349)
-        z.4   = snd(x.349)
-        z.5   = verify(x.347, <z.189, x.348, 'chip'>, pk(ca_sk))
+    15. ~skT  = ~skT.169
+        cCA   = senc(<cert(z.180, x.331, x.332), x.333>,
+                     kdf(<'TENC', r1.174>, z.179))
+        cTA   = encaps(z.179, pk(~skT.169))
+        r1    = r1.174
+        z     = z.179
+        z.1   = z.180
+        z.2   = cert(z.180, x.331, x.332)
+        z.3   = fst(x.333)
+        z.4   = snd(x.333)
+        z.5   = verify(x.331, <z.180, x.332, 'chip'>, pk(ca_sk))
+    
+    16. ~skT  = ~skT.169
+        cCA   = senc(<cert(z.180, x.331, x.332), x.333>,
+                     kdf(<'TENC', r1.174>, decaps(cTA.171, ~skT.169)))
+        cTA   = cTA.171
+        r1    = r1.174
+        z     = decaps(cTA.171, ~skT.169)
+        z.1   = z.180
+        z.2   = cert(z.180, x.331, x.332)
+        z.3   = fst(x.333)
+        z.4   = snd(x.333)
+        z.5   = verify(x.331, <z.180, x.332, 'chip'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_COMPLETE_C:
    [
    In( <kTCNF_T, cip, s, cipe, '3', 't'> ),
-   TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ),
+   TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ),
    !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
    ]
   --[
   Eq( kTCNF_T, kTCNF ),
   Eq( s, mac(<'CA', certT, certC, r2, cip, pk(skCe), cipe>, kTMAC) ),
-  CompletedTA( $C, iid, cert_id(certT) ),
   Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
                  <decaps(cip, ~skC), decaps(cipe, skCe)>),
              <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', cert_id(certT)
@@ -419,10 +414,6 @@ rule (modulo E) TA_COMPLETE_C:
          kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>,
              <decaps(cip, ~skC), decaps(cipe, skCe)>), 
          '4', 'c'>
-   ),
-   TACompleteC( <$C, iid>,
-                kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>,
-                    <decaps(cip, ~skC), decaps(cipe, skCe)>)
    )
    ]
 
@@ -430,13 +421,12 @@ rule (modulo E) TA_COMPLETE_C:
   rule (modulo AC) TA_COMPLETE_C:
      [
      In( <kTCNF_T, cip, s, cipe, '3', 't'> ),
-     TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ),
+     TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ),
      !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
      ]
     --[
     Eq( kTCNF_T, kTCNF ),
     Eq( s, mac(<'CA', certT, certC, r2, cip, pk(skCe), cipe>, kTMAC) ),
-    CompletedTA( $C, iid, z.2 ),
     Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>),
                <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.2
     ),
@@ -447,89 +437,86 @@ rule (modulo E) TA_COMPLETE_C:
      [
      Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), 
            '4', 'c'>
-     ),
-     TACompleteC( <$C, iid>,
-                  kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>)
      )
      ]
     variants (modulo AC)
-    1. ~skC  = ~skC.41
-       certT = certT.43
-       cip   = cip.44
-       cipe  = cipe.45
-       skCe  = skCe.54
-       z     = decaps(cip.44, ~skC.41)
-       z.1   = decaps(cipe.45, skCe.54)
-       z.2   = cert_id(certT.43)
-    
-    2. ~skC  = ~skC.46
-       certT = certT.48
-       cip   = encaps(z.64, pk(~skC.46))
-       cipe  = cipe.50
-       skCe  = skCe.59
-       z     = z.64
-       z.1   = decaps(cipe.50, skCe.59)
-       z.2   = cert_id(certT.48)
-    
-    3. ~skC  = ~skC.47
-       certT = certT.49
-       cip   = cip.50
-       cipe  = encaps(z.66, pk(skCe.60))
-       skCe  = skCe.60
-       z     = decaps(cip.50, ~skC.47)
-       z.1   = z.66
-       z.2   = cert_id(certT.49)
-    
-    4. ~skC  = ~skC.47
-       certT = certT.49
-       cip   = encaps(z.65, pk(~skC.47))
-       cipe  = encaps(z.66, pk(skCe.60))
-       skCe  = skCe.60
-       z     = z.65
-       z.1   = z.66
-       z.2   = cert_id(certT.49)
-    
-    5. ~skC  = ~skC.204
-       certT = cert(x.404, x.405, z.228)
-       cip   = cip.207
-       cipe  = cipe.208
-       skCe  = skCe.217
-       z     = decaps(cip.207, ~skC.204)
-       z.1   = decaps(cipe.208, skCe.217)
-       z.2   = z.228
-    
-    6. ~skC  = ~skC.204
-       certT = cert(x.404, x.405, z.228)
-       cip   = cip.207
-       cipe  = encaps(z.223, pk(skCe.217))
-       skCe  = skCe.217
-       z     = decaps(cip.207, ~skC.204)
-       z.1   = z.223
-       z.2   = z.228
-    
-    7. ~skC  = ~skC.206
-       certT = cert(x.408, x.409, z.230)
-       cip   = encaps(z.224, pk(~skC.206))
-       cipe  = cipe.210
-       skCe  = skCe.219
-       z     = z.224
-       z.1   = decaps(cipe.210, skCe.219)
-       z.2   = z.230
-    
-    8. ~skC  = ~skC.206
-       certT = cert(x.408, x.409, z.230)
-       cip   = encaps(z.224, pk(~skC.206))
-       cipe  = encaps(z.225, pk(skCe.219))
-       skCe  = skCe.219
-       z     = z.224
-       z.1   = z.225
-       z.2   = z.230
+    1. ~skC  = ~skC.39
+       certT = certT.41
+       cip   = cip.42
+       cipe  = cipe.43
+       skCe  = skCe.51
+       z     = decaps(cip.42, ~skC.39)
+       z.1   = decaps(cipe.43, skCe.51)
+       z.2   = cert_id(certT.41)
+    
+    2. ~skC  = ~skC.44
+       certT = certT.46
+       cip   = encaps(z.61, pk(~skC.44))
+       cipe  = cipe.48
+       skCe  = skCe.56
+       z     = z.61
+       z.1   = decaps(cipe.48, skCe.56)
+       z.2   = cert_id(certT.46)
+    
+    3. ~skC  = ~skC.45
+       certT = certT.47
+       cip   = cip.48
+       cipe  = encaps(z.63, pk(skCe.57))
+       skCe  = skCe.57
+       z     = decaps(cip.48, ~skC.45)
+       z.1   = z.63
+       z.2   = cert_id(certT.47)
+    
+    4. ~skC  = ~skC.45
+       certT = certT.47
+       cip   = encaps(z.62, pk(~skC.45))
+       cipe  = encaps(z.63, pk(skCe.57))
+       skCe  = skCe.57
+       z     = z.62
+       z.1   = z.63
+       z.2   = cert_id(certT.47)
+    
+    5. ~skC  = ~skC.196
+       certT = cert(x.388, x.389, z.219)
+       cip   = cip.199
+       cipe  = cipe.200
+       skCe  = skCe.208
+       z     = decaps(cip.199, ~skC.196)
+       z.1   = decaps(cipe.200, skCe.208)
+       z.2   = z.219
+    
+    6. ~skC  = ~skC.196
+       certT = cert(x.388, x.389, z.219)
+       cip   = cip.199
+       cipe  = encaps(z.214, pk(skCe.208))
+       skCe  = skCe.208
+       z     = decaps(cip.199, ~skC.196)
+       z.1   = z.214
+       z.2   = z.219
+    
+    7. ~skC  = ~skC.198
+       certT = cert(x.392, x.393, z.221)
+       cip   = encaps(z.215, pk(~skC.198))
+       cipe  = cipe.202
+       skCe  = skCe.210
+       z     = z.215
+       z.1   = decaps(cipe.202, skCe.210)
+       z.2   = z.221
+    
+    8. ~skC  = ~skC.198
+       certT = cert(x.392, x.393, z.221)
+       cip   = encaps(z.215, pk(~skC.198))
+       cipe  = encaps(z.216, pk(skCe.210))
+       skCe  = skCe.210
+       z     = z.215
+       z.1   = z.216
+       z.2   = z.221
   */
 
 rule (modulo E) CA_FINISH_T:
    [
    In( <kCNF_C, '4', 'c'> ),
-   TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+   TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
    !Cert( $T, certT, 'terminal' )
    ]
   --[
@@ -540,9 +527,6 @@ rule (modulo E) CA_FINISH_T:
   Finished( <certT, certC, r2, cip, pkCe, cipe> )
   ]->
    [
-   CAFinishT( cert_id(certC), $T,
-              kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
-   ),
    !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
                    kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
    )
@@ -552,7 +536,7 @@ rule (modulo E) CA_FINISH_T:
   rule (modulo AC) CA_FINISH_T:
      [
      In( <kCNF_C, '4', 'c'> ),
-     TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
+     TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ),
      !Cert( $T, certT, 'terminal' )
      ]
     --[
@@ -563,19 +547,16 @@ rule (modulo E) CA_FINISH_T:
     Finished( <certT, certC, r2, cip, pkCe, cipe> )
     ]->
      [
-     CAFinishT( z, $T,
-                kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
-     ),
      !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>,
                      kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>)
      )
      ]
     variants (modulo AC)
-    1. certC = certC.18
-       z     = cert_id(certC.18)
+    1. certC = certC.19
+       z     = cert_id(certC.19)
     
-    2. certC = cert(x.44, x.45, z.31)
-       z     = z.31
+    2. certC = cert(x.29, x.30, z.24)
+       z     = z.24
   */
 
 rule (modulo E) Verify_Transcript_C:
@@ -2629,7 +2610,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C_case_1
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -2647,7 +2628,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
                               <z.2, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -2758,7 +2739,7 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C_case_1
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -2776,7 +2757,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
                               <z.2, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -2787,8 +2768,8 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
               case CA_Sign_ltk
               solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
                 case TA_COMPLETE_C_case_1
-                solve( TAChallengeC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1, r2.1,
-                                     skCe.1, kTMAC, kTCNF
+                solve( TAChallengeC( $C, cert(x, x.1, $T), id_c.1, r1.1, r2.1, skCe.1,
+                                     kTMAC, kTCNF
                        ) ▶₁ #i2 )
                   case TA_CHALLENGE_C
                   solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
@@ -2806,7 +2787,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                                         $T, 'terminal', $C
                              ) @ #j2 )
                         case CA_FINISH_T
-                        solve( TAResponseT( <$T, iid.3>, id_c.3,
+                        solve( TAResponseT( $T, id_c.3,
                                             cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C),
                                             ~r2.1, <z, cip>, <z.1, cipe>, pk(~skCe.1)
                                ) ▶₁ #j2 )
@@ -3082,6 +3063,155 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
+lemma aliveness:
+  all-traces
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
+       ) ▶₁ #t )
+  case TA_RESPONSE_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k.1,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
+                       encaps(~ke, pkCe)>,
+                      A, role, B
+           ) @ #i )
+      case CA_FINISH_T
+      solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B),
+                          r2, <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe
+             ) ▶₁ #i )
+        case TA_RESPONSE_T
+        solve( !KU( kdf(<'CNF', 
+                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
+                         encaps(~ke, pkCe)>,
+                        <~k, ~ke>)
+               ) @ #vk.1 )
+          case TA_COMPLETE_C
+          by contradiction /* from formulas */
+        next
+          case c_kdf
+          solve( !KU( ~k ) @ #vk.29 )
+            case TA_RESPONSE_T
+            solve( !KU( ~ke ) @ #vk.30 )
+              case TA_RESPONSE_T
+              solve( splitEqs(1) )
+                case split_case_1
+                solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
+                                  pk(sk.1)>,
+                                 kdf(<'TENC', r1>, decaps(cTA, ~skT)))
+                       ) @ #vk.19 )
+                  case c_senc
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                         ) @ #vk.28 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.41 )
+                    qed
+                  qed
+                qed
+              next
+                case split_case_2
+                solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
+                                  pk(sk.1)>,
+                                 kdf(<'TENC', r1>, z))
+                       ) @ #vk.19 )
+                  case TA_CHALLENGE_C
+                  solve( !KU( ~r2 ) @ #vk.29 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.31 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  qed
+                next
+                  case c_senc
+                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
+                         ) @ #vk.28 )
+                    case CA_Sign_ltk
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~ltk.1 ) @ #vk.33 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_cert
+                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
+                      case CA_Sign_ltk
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case TA_CHALLENGE_C
+                      solve( !KU( ~ltk.1 ) @ #vk.34 )
+                        case Corrupt_ltk
+                        by contradiction /* from formulas */
+                      qed
+                    next
+                      case c_sign
+                      by solve( !KU( ca_sk ) @ #vk.41 )
+                    qed
+                  qed
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    next
+      case TA_COMPLETE_C_case_1
+      by contradiction /* from formulas */
+    next
+      case TA_COMPLETE_C_case_2
+      by contradiction /* from formulas */
+    qed
+  qed
+qed
+
 lemma weak_agreement_C:
   all-traces
   "∀ k sid C T #i #t.
@@ -3099,8 +3229,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
-                    pkCe
+solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
        ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
@@ -3112,7 +3241,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
                       C, 'chip', T.1
            ) @ #i )
       case TA_COMPLETE_C_case_1
-      solve( TAChallengeC( <$C, iid>,
+      solve( TAChallengeC( $C,
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                            r2, skCe, kTMAC, kTCNF
              ) ▶₁ #i )
@@ -3128,7 +3257,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
       qed
     next
       case TA_COMPLETE_C_case_2
-      solve( TAChallengeC( <$C, iid>,
+      solve( TAChallengeC( $C,
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                            r2, skCe, kTMAC, kTCNF
              ) ▶₁ #i )
@@ -3163,8 +3292,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
-                    pkCe
+solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
        ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
@@ -3176,9 +3304,8 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( TAResponseT( <$T.1, iid>, id_c,
-                          cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
-                          <ke.1, encaps(~ke, pkCe)>, pkCe
+      solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C),
+                          r2, <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe
              ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !KU( kdf(<'CNF', 
@@ -3310,8 +3437,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
-                    pkCe
+solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
        ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
@@ -3323,7 +3449,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
                       C, 'chip', T.1
            ) @ #i )
       case TA_COMPLETE_C_case_1
-      solve( TAChallengeC( <$C, iid>,
+      solve( TAChallengeC( $C,
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                            r2, skCe, kTMAC, kTCNF
              ) ▶₁ #i )
@@ -3397,7 +3523,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
       qed
     next
       case TA_COMPLETE_C_case_2
-      solve( TAChallengeC( <$C, iid>,
+      solve( TAChallengeC( $C,
                            cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1,
                            r2, skCe, kTMAC, kTCNF
              ) ▶₁ #i )
@@ -3490,8 +3616,7 @@ guarded formula characterizing all counter-examples:
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
-                    pkCe
+solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
        ) ▶₁ #t )
   case TA_RESPONSE_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
@@ -3503,9 +3628,8 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( TAResponseT( <$T.1, iid>, id_c,
-                          cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>,
-                          <ke.1, encaps(~ke, pkCe)>, pkCe
+      solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C),
+                          r2, <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe
              ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !KU( kdf(<'CNF', 
@@ -3620,157 +3744,6 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
   qed
 qed
 
-lemma aliveness:
-  all-traces
-  "∀ k sid A role B #i #t.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
-     (∃ #k.1. Corrupted( B ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid A role B #i #t.
-  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
-                    pkCe
-       ) ▶₁ #t )
-  case TA_RESPONSE_T
-  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
-    case CA_Sign_ltk
-    solve( Completed( k.1,
-                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                       cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, 
-                       encaps(~ke, pkCe)>,
-                      A, role, B
-           ) @ #i )
-      case CA_FINISH_T
-      solve( TAResponseT( <$T.1, iid>, id_c,
-                          cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>,
-                          <ke.1, encaps(~ke, pkCe)>, pkCe
-             ) ▶₁ #i )
-        case TA_RESPONSE_T
-        solve( !KU( kdf(<'CNF', 
-                         cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                         cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, 
-                         encaps(~ke, pkCe)>,
-                        <~k, ~ke>)
-               ) @ #vk.1 )
-          case TA_COMPLETE_C
-          by contradiction /* from formulas */
-        next
-          case c_kdf
-          solve( !KU( ~k ) @ #vk.29 )
-            case TA_RESPONSE_T
-            solve( !KU( ~ke ) @ #vk.30 )
-              case TA_RESPONSE_T
-              solve( splitEqs(1) )
-                case split_case_1
-                solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
-                                  pk(sk.1)>,
-                                 kdf(<'TENC', r1>, decaps(cTA, ~skT)))
-                       ) @ #vk.19 )
-                  case c_senc
-                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
-                         ) @ #vk.28 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk.1 ) @ #vk.33 )
-                      case Corrupt_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_CHALLENGE_C
-                    solve( !KU( ~ltk.1 ) @ #vk.33 )
-                      case Corrupt_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
-                      case CA_Sign_ltk
-                      solve( !KU( ~ltk.1 ) @ #vk.34 )
-                        case Corrupt_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case TA_CHALLENGE_C
-                      solve( !KU( ~ltk.1 ) @ #vk.34 )
-                        case Corrupt_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.41 )
-                    qed
-                  qed
-                qed
-              next
-                case split_case_2
-                solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, 
-                                  pk(sk.1)>,
-                                 kdf(<'TENC', r1>, z))
-                       ) @ #vk.19 )
-                  case TA_CHALLENGE_C
-                  solve( !KU( ~r2 ) @ #vk.29 )
-                    case TA_CHALLENGE_C
-                    solve( !KU( ~ltk.1 ) @ #vk.31 )
-                      case Corrupt_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  qed
-                next
-                  case c_senc
-                  solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B)
-                         ) @ #vk.28 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk.1 ) @ #vk.33 )
-                      case Corrupt_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case TA_CHALLENGE_C
-                    solve( !KU( ~ltk.1 ) @ #vk.33 )
-                      case Corrupt_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 )
-                      case CA_Sign_ltk
-                      solve( !KU( ~ltk.1 ) @ #vk.34 )
-                        case Corrupt_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case TA_CHALLENGE_C
-                      solve( !KU( ~ltk.1 ) @ #vk.34 )
-                        case Corrupt_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.41 )
-                    qed
-                  qed
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    next
-      case TA_COMPLETE_C_case_1
-      by contradiction /* from formulas */
-    next
-      case TA_COMPLETE_C_case_2
-      by contradiction /* from formulas */
-    qed
-  qed
-qed
-
 lemma session_uniqueness:
   all-traces
   "∀ A B k sid sid2 role #i #j.
@@ -3792,8 +3765,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_1
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_T
-      solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
-                          pkCe
+      solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
              ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
@@ -3806,9 +3778,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( TAResponseT( <$T, iid.1>, id_c.1,
-                                cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
-                                <~ke, encaps(~ke, pkCe)>, pkCe
+            solve( TAResponseT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B),
+                                r2, <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe
                    ) ▶₁ #j )
               case TA_RESPONSE_T
               by contradiction /* cyclic */
@@ -3818,7 +3789,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C_case_1
-      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+      solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
              ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -3833,18 +3804,16 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C_case_1
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
-                                   kTMAC, kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
               qed
             next
               case TA_COMPLETE_C_case_2
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
-                                   kTMAC, kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
@@ -3855,7 +3824,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C_case_2
-      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+      solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
              ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -3870,18 +3839,16 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C_case_1
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
-                                   kTMAC, kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
               qed
             next
               case TA_COMPLETE_C_case_2
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
-                                   kTMAC, kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
@@ -3895,8 +3862,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_2
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_T
-      solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
-                          pkCe
+      solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
              ) ▶₁ #i )
         case TA_RESPONSE_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
@@ -3909,9 +3875,8 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             sid2, $T, 'terminal', B
                  ) @ #j )
             case CA_FINISH_T
-            solve( TAResponseT( <$T, iid.1>, id_c.1,
-                                cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>,
-                                <~ke, encaps(~ke, pkCe)>, pkCe
+            solve( TAResponseT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B),
+                                r2, <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe
                    ) ▶₁ #j )
               case TA_RESPONSE_T
               by contradiction /* cyclic */
@@ -3921,7 +3886,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C_case_1
-      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+      solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
              ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -3936,18 +3901,16 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C_case_1
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
-                                   kTMAC, kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
               qed
             next
               case TA_COMPLETE_C_case_2
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
-                                   kTMAC, kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
@@ -3958,7 +3921,7 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case TA_COMPLETE_C_case_2
-      solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+      solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
              ) ▶₁ #i )
         case TA_CHALLENGE_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -3973,18 +3936,16 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                               sid2, $C, 'chip', B
                    ) @ #j )
               case TA_COMPLETE_C_case_1
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
-                                   kTMAC, kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
               qed
             next
               case TA_COMPLETE_C_case_2
-              solve( TAChallengeC( <$C, iid.1>,
-                                   cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe,
-                                   kTMAC, kTCNF
+              solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B),
+                                   id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF
                      ) ▶₁ #j )
                 case TA_CHALLENGE_C
                 by contradiction /* cyclic */
@@ -3999,8 +3960,7 @@ next
   case case_2
   solve( Completed( k, sid, A, role, B ) @ #i )
     case CA_FINISH_T
-    solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>,
-                        pkCe
+    solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe
            ) ▶₁ #i )
       case TA_RESPONSE_T
       solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
@@ -4019,7 +3979,7 @@ next
     qed
   next
     case TA_COMPLETE_C_case_1
-    solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+    solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
            ) ▶₁ #i )
       case TA_CHALLENGE_C
       solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -4044,7 +4004,7 @@ next
     qed
   next
     case TA_COMPLETE_C_case_2
-    solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+    solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
            ) ▶₁ #i )
       case TA_CHALLENGE_C
       solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -4075,19 +4035,21 @@ lemma consistency:
   "∀ C T k k2 sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
-    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+    (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k k2 sid #i #j.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧
   (Completed( k2, sid, T, 'terminal', C ) @ #j)
  ∧
-  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (¬(k = k2)) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C_case_1
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
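Review bot: The added disjunct `(∃ #m. Corrupted( T ) @ #m)` in `consistency` (and again in `key_secrecy`, hunk `@@ -4546,8 +4440,9 @@`) narrows what these lemmas guarantee, and nothing visible here says why it is needed. The summary at the end of this log shows the previous statement, with only the chip exemption, verified in 116 steps, so the stronger form was provable at least for the old model. Because `#m` is unordered, a terminal key revealed at any point, even long after both `Completed` events, now takes the trace out of scope, which is presumably why the `Corrupt_ltk` branches for `~ltk.1` now close with `by contradiction /* from formulas */`. I would either keep the old statement or add a comment on the lemma in the model source, such as `/* terminal corruption excluded here; covered by forward_secrecy */`, if that is the intent. The proof of `consistency` continues beyond this hunk.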
@@ -4101,7 +4063,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>,
                               <ke, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -4175,24 +4137,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           case TA_CHALLENGE_C
                           solve( !KU( ~ltk.1 ) @ #vk.46 )
                             case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                            <~k, ~ke>)
-                                   ) @ #vk.25 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.50 )
-                                case TA_RESPONSE_T
-                                solve( !KU( ~ke ) @ #vk.51 )
-                                  case TA_RESPONSE_T
-                                  solve( !KU( ~ltk ) @ #vk.52 )
-                                    case Corrupt_ltk
-                                    by contradiction /* from formulas */
-                                  qed
-                                qed
-                              qed
-                            qed
+                            by contradiction /* from formulas */
                           qed
                         qed
                       qed
@@ -4281,24 +4226,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           case TA_CHALLENGE_C
                           solve( !KU( ~ltk.1 ) @ #vk.46 )
                             case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                            <~k, ~ke>)
-                                   ) @ #vk.25 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.50 )
-                                case TA_RESPONSE_T
-                                solve( !KU( ~ke ) @ #vk.51 )
-                                  case TA_RESPONSE_T
-                                  solve( !KU( ~ltk ) @ #vk.52 )
-                                    case Corrupt_ltk
-                                    by contradiction /* from formulas */
-                                  qed
-                                qed
-                              qed
-                            qed
+                            by contradiction /* from formulas */
                           qed
                         qed
                       qed
@@ -4314,7 +4242,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 next
   case TA_COMPLETE_C_case_2
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -4328,7 +4256,7 @@ next
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>,
                               <ke, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -4402,24 +4330,7 @@ next
                           case TA_CHALLENGE_C
                           solve( !KU( ~ltk.1 ) @ #vk.46 )
                             case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                            <~k, ~ke>)
-                                   ) @ #vk.25 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.50 )
-                                case TA_RESPONSE_T
-                                solve( !KU( ~ke ) @ #vk.51 )
-                                  case TA_RESPONSE_T
-                                  solve( !KU( ~ltk ) @ #vk.52 )
-                                    case Corrupt_ltk
-                                    by contradiction /* from formulas */
-                                  qed
-                                qed
-                              qed
-                            qed
+                            by contradiction /* from formulas */
                           qed
                         qed
                       qed
@@ -4508,24 +4419,7 @@ next
                           case TA_CHALLENGE_C
                           solve( !KU( ~ltk.1 ) @ #vk.46 )
                             case Corrupt_ltk
-                            solve( !KU( kdf(<'CNF', 
-                                             cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), 
-                                             cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, 
-                                             encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>,
-                                            <~k, ~ke>)
-                                   ) @ #vk.25 )
-                              case c_kdf
-                              solve( !KU( ~k ) @ #vk.50 )
-                                case TA_RESPONSE_T
-                                solve( !KU( ~ke ) @ #vk.51 )
-                                  case TA_RESPONSE_T
-                                  solve( !KU( ~ltk ) @ #vk.52 )
-                                    case Corrupt_ltk
-                                    by contradiction /* from formulas */
-                                  qed
-                                qed
-                              qed
-                            qed
+                            by contradiction /* from formulas */
                           qed
                         qed
                       qed
@@ -4546,8 +4440,9 @@ lemma key_secrecy:
   "∀ C T k sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
-    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
-     (∃ #m. Corrupted( C ) @ #m))"
+    ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+      (∃ #m. Corrupted( C ) @ #m)) ∨
+     (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k sid #i #j.
@@ -4556,12 +4451,13 @@ guarded formula characterizing all counter-examples:
  ∧
   (∃ #m. (K( k ) @ #m)) ∧
   (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C_case_1
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -4579,7 +4475,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
                               <z.2, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -4649,7 +4545,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 next
   case TA_COMPLETE_C_case_2
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -4667,7 +4563,7 @@ next
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
                               <z.2, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -4737,94 +4633,7 @@ next
   qed
 qed
 
-lemma chip_hiding:
-  all-traces
-  "∀ C T iid #i.
-    (CompletedTA( C, iid, T ) @ #i) ⇒
-    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T iid #i.
-  (CompletedTA( C, iid, T ) @ #i)
- ∧
-  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
-*/
-simplify
-solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
-       ) ▶₁ #i )
-  case TA_CHALLENGE_C
-  solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
-    case Generate_chip_key_pair
-    solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
-      case CA_Sign_ltk
-      solve( !KU( ~iid ) @ #vk.13 )
-        case TA_CHALLENGE_C
-        solve( !KU( mac(<'CA', cert(z, sign(<z, T, 'terminal'>, ca_sk), T), 
-                         cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, 
-                         pk(~skCe), cipe>,
-                        kdf(<'TMAC', ~r1>, ~kTA))
-               ) @ #vk.6 )
-          case TA_RESPONSE_T
-          solve( splitEqs(0) )
-            case split_case_1
-            solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.16 )
-              case c_kdf
-              solve( !KU( ~kTA ) @ #vk.29 )
-                case TA_CHALLENGE_C
-                solve( !KU( ~ltk.1 ) @ #vk.31 )
-                  case Corrupt_ltk
-                  solve( !KU( encaps(~kTA, pk(~skT)) ) @ #vk.25 )
-                    case TA_CHALLENGE_C
-                    solve( !KU( senc(<
-                                      cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, pk(~skCe)
-                                     >,
-                                     kdf(<'TENC', ~r1>, ~kTA))
-                           ) @ #vk.27 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( ~r1 ) @ #vk.25 )
-                        case TA_CHALLENGE_C
-                        solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T)
-                               ) @ #vk.24 )
-                          case CA_Sign_ltk
-                          solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 )
-                            case TA_RESPONSE_T
-                            solve( splitEqs(2) )
-                              case split_case_1
-                              solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.37 )
-                                case TA_CHALLENGE_C
-                                solve( !KU( senc(<cert(z, sign(<z, x, 'chip'>, ca_sk), x), x.1>,
-                                                 kdf(<'TENC', ~r1>, ~kTA))
-                                       ) @ #vk.37 )
-                                  case c_senc
-                                  solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.39 )
-                                    case CA_Sign_ltk
-                                    solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.25 )
-                                      case TA_RESPONSE_T
-                                      solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.28 )
-                                        case TA_RESPONSE_T
-                                        SOLVED // trace found
-                                      qed
-                                    qed
-                                  qed
-                                qed
-                              qed
-                            qed
-                          qed
-                        qed
-                      qed
-                    qed
-                  qed
-                qed
-              qed
-            qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma nonRepudiation_terminal:
+lemma notNonRepudiation_C:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
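Review bot: Dropping `chip_hiding` removes the only record in this log that the property was checked and failed: the deleted proof ends in `SOLVED // trace found`, a trace in which the adversary knows `iid` by the time `CompletedTA` occurs. Nothing on the new side of this hunk says that chip-identifier hiding is not provided, so a reader of the remaining summary, where every line is `verified`, could assume the privacy property holds or was never in scope. Unless this is documented elsewhere in the commit, a short comment next to the remaining lemmas in the model would keep the negative result visible, such as `/* chip hiding is not claimed: the earlier chip_hiding lemma was falsified by Tamarin */`. The statement of `notNonRepudiation_C` continues outside this hunk.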
@@ -4900,7 +4709,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma nonRepudiation_chip:
+lemma notNonRepudiation_T:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -4967,7 +4776,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i )
   qed
 qed
 
-lemma pfs:
+lemma forward_secrecy:
   all-traces
   "∀ C T k sid #i #j.
     ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
@@ -4989,7 +4798,7 @@ guarded formula characterizing all counter-examples:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case TA_COMPLETE_C_case_1
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -5007,7 +4816,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
                               <z.2, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -5077,7 +4886,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 next
   case TA_COMPLETE_C_case_2
-  solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
+  solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF
          ) ▶₁ #i )
     case TA_CHALLENGE_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
@@ -5095,7 +4904,7 @@ next
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( TAResponseT( <$T, iid.1>, id_c.1,
+          solve( TAResponseT( $T, id_c.1,
                               cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>,
                               <z.2, cipe>, pk(~skCe)
                  ) ▶₁ #j )
@@ -5218,21 +5027,20 @@ summary of summaries:
 
 analyzed: tmp.spthy
 
-  processing time: 1715.21s
+  processing time: 1520.43s
   
   session_exist (exists-trace): verified (26 steps)
   two_session_exist (exists-trace): verified (52 steps)
+  aliveness (all-traces): verified (39 steps)
   weak_agreement_C (all-traces): verified (12 steps)
   weak_agreement_T (all-traces): verified (37 steps)
   agreement_C (all-traces): verified (44 steps)
   agreement_T (all-traces): verified (37 steps)
-  aliveness (all-traces): verified (39 steps)
   session_uniqueness (all-traces): verified (64 steps)
-  consistency (all-traces): verified (116 steps)
+  consistency (all-traces): verified (100 steps)
   key_secrecy (all-traces): verified (44 steps)
-  chip_hiding (all-traces): falsified - found trace (22 steps)
-  nonRepudiation_terminal (exists-trace): verified (18 steps)
-  nonRepudiation_chip (exists-trace): verified (15 steps)
-  pfs (all-traces): verified (44 steps)
+  notNonRepudiation_C (exists-trace): verified (18 steps)
+  notNonRepudiation_T (exists-trace): verified (15 steps)
+  forward_secrecy (all-traces): verified (44 steps)
 
 ==============================================================================
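Review bot: The result log still records `analyzed: tmp.spthy`, which does not identify which protocol model, or which revision of it, produced these verdicts. Since these logs are checked in as evidence for the security claims, the run should analyse the named theory file directly, or the job script should echo the model name and revision into the log, so that each `verified` line can be tied to a specific theory. Separately, `notNonRepudiation_C` and `notNonRepudiation_T` are `exists-trace` lemmas, so `verified` there means a repudiation trace exists; a one-line comment on those lemmas in the model, such as `/* verified = non-repudiation does NOT hold */`, would prevent the summary from being misread.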
diff --git a/results/45992234.err.ALL_SigPQEAC_TAMARIN b/results/46109591.err.CLASSIC_EAC
similarity index 81%
rename from results/45992234.err.ALL_SigPQEAC_TAMARIN
rename to results/46109591.err.CLASSIC_EAC
index 3503e35..35cf59a 100644
--- a/results/45992234.err.ALL_SigPQEAC_TAMARIN
+++ b/results/46109591.err.CLASSIC_EAC
@@ -30,5 +30,5 @@
 [Saturating Sources] Step 2/5
 [Saturating Sources] Step 1/5
 [Saturating Sources] Step 2/5
-/var/spool/slurmd/job45992234/slurm_script: line 29: output/hw/45992234.cpu: No such file or directory
-/var/spool/slurmd/job45992234/slurm_script: line 30: output/hw/45992234.processor: No such file or directory
+WARNING: you should run this program as super-user.
+WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
diff --git a/results/45991167.out.ALL_CLASSIC_EAC_TAMARIN b/results/46109591.out.CLASSIC_EAC
similarity index 83%
rename from results/45991167.out.ALL_CLASSIC_EAC_TAMARIN
rename to results/46109591.out.CLASSIC_EAC
index 9db40ed..0b768c4 100644
--- a/results/45991167.out.ALL_CLASSIC_EAC_TAMARIN
+++ b/results/46109591.out.CLASSIC_EAC
@@ -36,7 +36,7 @@ rule (modulo E) Publish_ca_pk:
 
 rule (modulo E) Generate_chip_key_pair:
    [ Fr( ~ltk ) ]
-  --[ TestMe( ) ]->
+  -->
    [ !Pk( $A, 'g'^~ltk, 'chip' ), !Ltk( $A, ~ltk, 'chip' ), Out( 'g'^~ltk )
    ]
 
@@ -73,677 +73,652 @@ rule (modulo E) Reveal_session:
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_INIT_T:
-   [ !Cert( $T, certT, 'terminal' ), Fr( ~skTe ), Fr( ~iid ) ]
+   [ !Cert( $T, certT, 'terminal' ), Fr( ~skTe ) ]
   --[ Started( ) ]->
-   [
-   Out( <certT, 'g'^~skTe, '1', 't'> ), Out( ~iid ),
-   TAInitT( <$T, ~iid>, ~skTe )
-   ]
+   [ Out( <certT, 'g'^~skTe, '1', 't'> ), TAInitT( $T, ~skTe ) ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) TA_CHALLENGE_C:
-   [ In( <certT, pkTe, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
+   [ In( <certT, pkTe, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ]
   --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]->
    [
    Out( <~id_c, ~r1, '2', 'c'> ),
-   TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
+   TAChallengeC( $C, certT, pkTe, ~id_c, ~r1 )
    ]
 
   /*
   rule (modulo AC) TA_CHALLENGE_C:
-     [ In( <certT, pkTe, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ]
+     [ In( <certT, pkTe, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ]
     --[ Eq( z, true ), Started( ) ]->
      [
      Out( <~id_c, ~r1, '2', 'c'> ),
-     TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 )
+     TAChallengeC( $C, certT, pkTe, ~id_c, ~r1 )
      ]
     variants (modulo AC)
-    1. certT = certT.13
-       z     = verify(cert_sig(certT.13),
-                      <cert_pk(certT.13), cert_id(certT.13), 'terminal'>, pk(ca_sk))
+    1. certT = certT.12
+       z     = verify(cert_sig(certT.12),
+                      <cert_pk(certT.12), cert_id(certT.12), 'terminal'>, pk(ca_sk))
     
-    2. certT = cert(x.14, sign(<x.14, x.15, 'terminal'>, ca_sk), x.15)
+    2. certT = cert(x.13, sign(<x.13, x.14, 'terminal'>, ca_sk), x.14)
        z     = true
     
-    3. certT = cert(x.15, x.16, x.17)
-       z     = verify(x.16, <x.15, x.17, 'terminal'>, pk(ca_sk))
+    3. certT = cert(x.14, x.15, x.16)
+       z     = verify(x.15, <x.14, x.16, 'terminal'>, pk(ca_sk))
   */
 
 rule (modulo E) TA_RESPONSE_T:
    [
-   In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
+   In( <id_c, r1, '2', 'c'> ), TAInitT( $T, skTe ),
    !Ltk( $T, ~skT, 'terminal' )
    ]
   -->
    [
    Out( <sign(<id_c, r1, 'g'^skTe>, ~skT), '3', 't'> ),
-   TAResponseT( <$T, iid>, skTe, id_c )
+   TAResponseT( $T, skTe, id_c )
    ]
 
   /*
   rule (modulo AC) TA_RESPONSE_T:
      [
-     In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid>, skTe ),
+     In( <id_c, r1, '2', 'c'> ), TAInitT( $T, skTe ),
      !Ltk( $T, ~skT, 'terminal' )
      ]
     -->
      [
      Out( <sign(<id_c, r1, z>, ~skT), '3', 't'> ),
-     TAResponseT( <$T, iid>, skTe, id_c )
+     TAResponseT( $T, skTe, id_c )
      ]
     variants (modulo AC)
-    1. skTe  = skTe.12
-       z     = 'g'^skTe.12
+    1. skTe  = skTe.11
+       z     = 'g'^skTe.11
     
     2. skTe  = one
        z     = 'g'
   */
 
 rule (modulo E) TA_COMPLETE_C:
-   [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
-  --[
-  Eq( verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true ),
-  CompletedTA( $C, iid, cert_id(certT) )
-  ]->
-   [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
+   [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, pkTe, id_c, r1 ) ]
+  --[ Eq( verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true ) ]->
+   [ TACompleteC( $C, certT, pkTe, id_c, r1 ) ]
 
   /*
   rule (modulo AC) TA_COMPLETE_C:
-     [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
-    --[ Eq( z, true ), CompletedTA( $C, iid, z.1 ) ]->
-     [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ]
+     [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, pkTe, id_c, r1 ) ]
+    --[ Eq( z, true ) ]->
+     [ TACompleteC( $C, certT, pkTe, id_c, r1 ) ]
     variants (modulo AC)
-    1. certT = certT.18
-       id_c  = id_c.19
+    1. certT = certT.15
+       id_c  = id_c.16
+       pkTe  = pkTe.17
+       r1    = r1.18
+       s     = s.19
+       z     = verify(s.19, <id_c.16, r1.18, pkTe.17>, cert_pk(certT.15))
+    
+    2. certT = cert(x.34, x.35, x.36)
+       id_c  = id_c.20
        pkTe  = pkTe.21
        r1    = r1.22
        s     = s.23
-       z     = verify(s.23, <id_c.19, r1.22, pkTe.21>, cert_pk(certT.18))
-       z.1   = cert_id(certT.18)
-    
-    2. certT = cert(x.41, x.42, z.31)
-       id_c  = id_c.23
-       pkTe  = pkTe.25
-       r1    = r1.26
-       s     = s.27
-       z     = verify(s.27, <id_c.23, r1.26, pkTe.25>, x.41)
-       z.1   = z.31
-    
-    3. certT = cert(pk(x.41), x.42, z.31)
-       id_c  = id_c.23
-       pkTe  = pkTe.25
-       r1    = r1.26
-       s     = sign(<id_c.23, r1.26, pkTe.25>, x.41)
+       z     = verify(s.23, <id_c.20, r1.22, pkTe.21>, x.34)
+    
+    3. certT = cert(pk(x.34), x.35, x.36)
+       id_c  = id_c.20
+       pkTe  = pkTe.21
+       r1    = r1.22
+       s     = sign(<id_c.20, r1.22, pkTe.21>, x.34)
        z     = true
-       z.1   = z.31
   */
 
 rule (modulo E) CA_INIT_C:
    [
    !Cert( $C, certC, 'chip' ), Fr( ~r2 ),
-   TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 )
+   TACompleteC( $C, certT, pkTe, id_c, r1 )
    ]
   -->
    [
-   Out( <certC, ~r2, '4', 'c'> ), Out( iid ),
-   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, ~r2 )
+   Out( <certC, ~r2, '4', 'c'> ), CAInitC( $C, certT, pkTe, id_c, r1, ~r2 )
    ]
 
   /* has exactly the trivial AC variant */
 
 rule (modulo E) CA_INIT_T:
-   [ In( <certC, r2, '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c ) ]
+   [ In( <certC, r2, '4', 'c'> ), TAResponseT( $T, skTe, id_c ) ]
   --[ Eq( verify_cert(certC, 'chip'), true ) ]->
-   [ Out( <'g'^skTe, '5', 't'> ), CAInitT( <$T, iid>, skTe, id_c, certC ) ]
+   [ Out( <'g'^skTe, '5', 't'> ), CAInitT( $T, skTe, id_c, certC ) ]
 
   /*
   rule (modulo AC) CA_INIT_T:
-     [ In( <certC, r2, '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c ) ]
+     [ In( <certC, r2, '4', 'c'> ), TAResponseT( $T, skTe, id_c ) ]
     --[ Eq( z.1, true ) ]->
-     [ Out( <z, '5', 't'> ), CAInitT( <$T, iid>, skTe, id_c, certC ) ]
+     [ Out( <z, '5', 't'> ), CAInitT( $T, skTe, id_c, certC ) ]
     variants (modulo AC)
-    1. certC = certC.14
+    1. certC = certC.13
        skTe  = one
        z     = 'g'
-       z.1   = verify(cert_sig(certC.14),
-                      <cert_pk(certC.14), cert_id(certC.14), 'chip'>, pk(ca_sk))
+       z.1   = verify(cert_sig(certC.13),
+                      <cert_pk(certC.13), cert_id(certC.13), 'chip'>, pk(ca_sk))
     
-    2. certC = certC.18
-       skTe  = skTe.22
-       z     = 'g'^skTe.22
-       z.1   = verify(cert_sig(certC.18),
-                      <cert_pk(certC.18), cert_id(certC.18), 'chip'>, pk(ca_sk))
+    2. certC = certC.16
+       skTe  = skTe.19
+       z     = 'g'^skTe.19
+       z.1   = verify(cert_sig(certC.16),
+                      <cert_pk(certC.16), cert_id(certC.16), 'chip'>, pk(ca_sk))
     
-    3. certC = cert(x.15, sign(<x.15, x.16, 'chip'>, ca_sk), x.16)
+    3. certC = cert(x.14, sign(<x.14, x.15, 'chip'>, ca_sk), x.15)
        skTe  = one
        z     = 'g'
        z.1   = true
     
-    4. certC = cert(x.16, x.17, x.18)
+    4. certC = cert(x.15, x.16, x.17)
        skTe  = one
        z     = 'g'
-       z.1   = verify(x.17, <x.16, x.18, 'chip'>, pk(ca_sk))
+       z.1   = verify(x.16, <x.15, x.17, 'chip'>, pk(ca_sk))
     
-    5. certC = cert(x.64, sign(<x.64, x.65, 'chip'>, ca_sk), x.65)
-       skTe  = skTe.36
-       z     = 'g'^skTe.36
+    5. certC = cert(x.63, sign(<x.63, x.64, 'chip'>, ca_sk), x.64)
+       skTe  = skTe.35
+       z     = 'g'^skTe.35
        z.1   = true
     
-    6. certC = cert(x.65, x.66, x.67)
-       skTe  = skTe.37
-       z     = 'g'^skTe.37
-       z.1   = verify(x.66, <x.65, x.67, 'chip'>, pk(ca_sk))
+    6. certC = cert(x.64, x.65, x.66)
+       skTe  = skTe.36
+       z     = 'g'^skTe.36
+       z.1   = verify(x.65, <x.64, x.66, 'chip'>, pk(ca_sk))
   */
 
 rule (modulo E) CA_FINISH_C:
    [
-   In( <pkTe_t, '5', 't'> ),
-   CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ),
+   In( <pkTe_t, '5', 't'> ), CAInitC( $C, certT, pkTe, id_c, r1, r2 ),
    !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
    ]
   --[
   Eq( pkTe_t, pkTe ),
-  Completed( <kdf_enc(pkTe^~skC, r2), kdf_mac(pkTe^~skC, r2)>,
+  Completed( kdf_enc(pkTe^~skC, r2),
              <certT, certC, pkTe, 'g'^~skC, id_c, r2>, $C, 'chip', cert_id(certT)
   )
   ]->
-   [
-   Out( <r2, mac(pkTe, kdf_mac(pkTe^~skC, r2)), '6', 'c'> ),
-   CAFinishC( $C, cert_id(certT), kdf_enc(pkTe^~skC, r2) )
-   ]
+   [ Out( <r2, mac(pkTe, kdf_mac(pkTe^~skC, r2)), '6', 'c'> ) ]
 
   /*
   rule (modulo AC) CA_FINISH_C:
      [
-     In( <pkTe_t, '5', 't'> ),
-     CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ),
+     In( <pkTe_t, '5', 't'> ), CAInitC( $C, certT, pkTe, id_c, r1, r2 ),
      !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' )
      ]
     --[
     Eq( pkTe_t, pkTe ),
-    Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>,
-               <certT, certC, pkTe, 'g'^~skC, id_c, r2>, $C, 'chip', z.1
+    Completed( kdf_enc(z, r2), <certT, certC, pkTe, 'g'^~skC, id_c, r2>, $C,
+               'chip', z.1
     )
     ]->
-     [
-     Out( <r2, mac(pkTe, kdf_mac(z, r2)), '6', 'c'> ),
-     CAFinishC( $C, z.1, kdf_enc(z, r2) )
-     ]
+     [ Out( <r2, mac(pkTe, kdf_mac(z, r2)), '6', 'c'> ) ]
     variants (modulo AC)
-     1. ~skC  = ~skC.24
-        certT = certT.26
-        pkTe  = pkTe.29
-        z     = pkTe.29^~skC.24
-        z.1   = cert_id(certT.26)
-    
-     2. ~skC  = ~skC.31
-        certT = certT.33
-        pkTe  = z.43^inv(~skC.31)
-        z     = z.43
-        z.1   = cert_id(certT.33)
-    
-     3. ~skC  = ~skC.170
-        certT = certT.172
-        pkTe  = x.336^x.337
-        z     = x.336^(~skC.170*x.337)
-        z.1   = cert_id(certT.172)
-    
-     4. ~skC  = ~skC.170
-        certT = cert(x.336, x.337, z.185)
-        pkTe  = pkTe.175
-        z     = pkTe.175^~skC.170
-        z.1   = z.185
-    
-     5. ~skC  = ~skC.172
-        certT = cert(x.340, x.341, z.187)
-        pkTe  = z.184^inv(~skC.172)
-        z     = z.184
-        z.1   = z.187
-    
-     6. ~skC  = ~skC.175
-        certT = certT.177
-        pkTe  = x.346^inv((~skC.175*x.347))
-        z     = x.346^inv(x.347)
-        z.1   = cert_id(certT.177)
-    
-     7. ~skC  = ~skC.175
-        certT = certT.177
-        pkTe  = x.346^(x.347*inv(~skC.175))
-        z     = x.346^x.347
-        z.1   = cert_id(certT.177)
-    
-     8. ~skC  = ~skC.175
-        certT = cert(x.341, x.342, z.190)
-        pkTe  = x.346^x.347
-        z     = x.346^(~skC.175*x.347)
-        z.1   = z.190
-    
-     9. ~skC  = ~skC.176
-        certT = certT.178
-        pkTe  = x.347^(x.348*inv((~skC.176*x.349)))
-        z     = x.347^(x.348*inv(x.349))
-        z.1   = cert_id(certT.178)
-    
-    10. ~skC  = ~skC.177
-        certT = cert(x.345, x.346, z.192)
-        pkTe  = x.350^inv((~skC.177*x.351))
-        z     = x.350^inv(x.351)
-        z.1   = z.192
-    
-    11. ~skC  = ~skC.177
-        certT = cert(x.345, x.346, z.192)
-        pkTe  = x.350^(x.351*inv(~skC.177))
-        z     = x.350^x.351
-        z.1   = z.192
-    
-    12. ~skC  = ~skC.178
-        certT = cert(x.346, x.347, z.193)
-        pkTe  = x.351^(x.352*inv((~skC.178*x.353)))
-        z     = x.351^(x.352*inv(x.353))
-        z.1   = z.193
+     1. ~skC  = ~skC.23
+        certT = certT.25
+        pkTe  = pkTe.27
+        z     = pkTe.27^~skC.23
+        z.1   = cert_id(certT.25)
+    
+     2. ~skC  = ~skC.30
+        certT = certT.32
+        pkTe  = z.41^inv(~skC.30)
+        z     = z.41
+        z.1   = cert_id(certT.32)
+    
+     3. ~skC  = ~skC.162
+        certT = certT.164
+        pkTe  = x.320^x.321
+        z     = x.320^(~skC.162*x.321)
+        z.1   = cert_id(certT.164)
+    
+     4. ~skC  = ~skC.162
+        certT = cert(x.320, x.321, z.177)
+        pkTe  = pkTe.166
+        z     = pkTe.166^~skC.162
+        z.1   = z.177
+    
+     5. ~skC  = ~skC.164
+        certT = cert(x.324, x.325, z.179)
+        pkTe  = z.175^inv(~skC.164)
+        z     = z.175
+        z.1   = z.179
+    
+     6. ~skC  = ~skC.166
+        certT = certT.168
+        pkTe  = x.328^inv((~skC.166*x.329))
+        z     = x.328^inv(x.329)
+        z.1   = cert_id(certT.168)
+    
+     7. ~skC  = ~skC.166
+        certT = certT.168
+        pkTe  = x.328^(x.329*inv(~skC.166))
+        z     = x.328^x.329
+        z.1   = cert_id(certT.168)
+    
+     8. ~skC  = ~skC.166
+        certT = cert(x.324, x.325, z.181)
+        pkTe  = x.328^x.329
+        z     = x.328^(~skC.166*x.329)
+        z.1   = z.181
+    
+     9. ~skC  = ~skC.167
+        certT = certT.169
+        pkTe  = x.329^(x.330*inv((~skC.167*x.331)))
+        z     = x.329^(x.330*inv(x.331))
+        z.1   = cert_id(certT.169)
+    
+    10. ~skC  = ~skC.168
+        certT = cert(x.328, x.329, z.183)
+        pkTe  = x.332^inv((~skC.168*x.333))
+        z     = x.332^inv(x.333)
+        z.1   = z.183
+    
+    11. ~skC  = ~skC.168
+        certT = cert(x.328, x.329, z.183)
+        pkTe  = x.332^(x.333*inv(~skC.168))
+        z     = x.332^x.333
+        z.1   = z.183
+    
+    12. ~skC  = ~skC.169
+        certT = cert(x.329, x.330, z.184)
+        pkTe  = x.333^(x.334*inv((~skC.169*x.335)))
+        z     = x.333^(x.334*inv(x.335))
+        z.1   = z.184
     
     13. certT = certT.19
         pkTe  = DH_neutral
         z     = DH_neutral
         z.1   = cert_id(certT.19)
     
-    14. certT = cert(x.201, x.202, z.110)
+    14. certT = cert(x.185, x.186, z.102)
         pkTe  = DH_neutral
         z     = DH_neutral
-        z.1   = z.110
+        z.1   = z.102
   */
 
 rule (modulo E) CA_FINISH_T:
    [
-   In( <r2, tag, '6', 'c'> ), CAInitT( <$T, iid>, skTe, id_c, certC ),
+   In( <r2, tag, '6', 'c'> ), CAInitT( $T, skTe, id_c, certC ),
    !Cert( $T, certT, 'terminal' )
    ]
   --[
   Eq( tag, mac('g'^skTe, kdf_mac(cert_pk(certC)^skTe, r2)) ),
-  Completed( <kdf_enc(cert_pk(certC)^skTe, r2), 
-              kdf_mac(cert_pk(certC)^skTe, r2)>,
+  Completed( kdf_enc(cert_pk(certC)^skTe, r2),
              <certT, certC, 'g'^skTe, cert_pk(certC), id_c, r2>, $T, 'terminal',
              cert_id(certC)
   ),
   Finished( <certT, certC, 'g'^skTe, cert_pk(certC), id_c, r2> )
   ]->
    [
-   CAFinishT( cert_id(certC), $T, kdf_enc(cert_pk(certC)^skTe, r2) ),
    !SessionReveal( <certT, certC, 'g'^skTe, cert_pk(certC), id_c, r2>,
-                   <kdf_enc(cert_pk(certC)^skTe, r2), kdf_mac(cert_pk(certC)^skTe, r2)>
+                   kdf_enc(cert_pk(certC)^skTe, r2)
    )
    ]
 
   /*
   rule (modulo AC) CA_FINISH_T:
      [
-     In( <r2, tag, '6', 'c'> ), CAInitT( <$T, iid>, skTe, id_c, certC ),
+     In( <r2, tag, '6', 'c'> ), CAInitT( $T, skTe, id_c, certC ),
      !Cert( $T, certT, 'terminal' )
      ]
     --[
-    Eq( tag, mac(z.2, kdf_mac(z.1, r2)) ),
-    Completed( <kdf_enc(z.1, r2), kdf_mac(z.1, r2)>,
-               <certT, certC, z.2, z.3, id_c, r2>, $T, 'terminal', z
+    Eq( tag, mac(z, kdf_mac(z.2, r2)) ),
+    Completed( kdf_enc(z.2, r2), <certT, certC, z, z.1, id_c, r2>, $T,
+               'terminal', z.3
     ),
-    Finished( <certT, certC, z.2, z.3, id_c, r2> )
+    Finished( <certT, certC, z, z.1, id_c, r2> )
     ]->
-     [
-     CAFinishT( z, $T, kdf_enc(z.1, r2) ),
-     !SessionReveal( <certT, certC, z.2, z.3, id_c, r2>,
-                     <kdf_enc(z.1, r2), kdf_mac(z.1, r2)>
-     )
-     ]
+     [ !SessionReveal( <certT, certC, z, z.1, id_c, r2>, kdf_enc(z.2, r2) ) ]
     variants (modulo AC)
-     1. certC = certC.17
+     1. certC = certC.16
         skTe  = one
-        z     = cert_id(certC.17)
-        z.1   = cert_pk(certC.17)
-        z.2   = 'g'
-        z.3   = cert_pk(certC.17)
-    
-     2. certC = certC.22
-        skTe  = skTe.27
-        z     = cert_id(certC.22)
-        z.1   = cert_pk(certC.22)^skTe.27
-        z.2   = 'g'^skTe.27
-        z.3   = cert_pk(certC.22)
-    
-     3. certC = cert(z.27, x.39, z.26)
+        z     = 'g'
+        z.1   = cert_pk(certC.16)
+        z.2   = cert_pk(certC.16)
+        z.3   = cert_id(certC.16)
+    
+     2. certC = certC.20
+        skTe  = skTe.24
+        z     = 'g'^skTe.24
+        z.1   = cert_pk(certC.20)
+        z.2   = cert_pk(certC.20)^skTe.24
+        z.3   = cert_id(certC.20)
+    
+     3. certC = cert(z.23, x.33, z.25)
         skTe  = one
-        z     = z.26
-        z.1   = z.27
-        z.2   = 'g'
+        z     = 'g'
+        z.1   = z.23
+        z.2   = z.23
+        z.3   = z.25
+    
+     4. certC = cert(z.41, x.63, z.43)
+        skTe  = skTe.35
+        z     = 'g'^skTe.35
+        z.1   = z.41
+        z.2   = z.41^skTe.35
+        z.3   = z.43
+    
+     5. certC = cert(DH_neutral, x.61, z.42)
+        skTe  = skTe.34
+        z     = 'g'^skTe.34
+        z.1   = DH_neutral
+        z.2   = DH_neutral
+        z.3   = z.42
+    
+     6. certC = cert(z.22^x.29, x.30, z.23)
+        skTe  = inv(x.29)
+        z     = 'g'^inv(x.29)
+        z.1   = z.22^x.29
+        z.2   = z.22
+        z.3   = z.23
+    
+     7. certC = cert(z.23^(x.30*inv(x.31)), x.32, z.24)
+        skTe  = (x.31*inv(x.30))
+        z     = 'g'^(x.31*inv(x.30))
+        z.1   = z.23^(x.30*inv(x.31))
+        z.2   = z.23
+        z.3   = z.24
+    
+     8. certC = cert(x.24^(x.25*x.26), x.27, z.21)
+        skTe  = inv(x.25)
+        z     = 'g'^inv(x.25)
+        z.1   = x.24^(x.25*x.26)
+        z.2   = x.24^x.26
+        z.3   = z.21
+    
+     9. certC = cert(x.25^(x.26*x.27*inv(x.28)), x.29, z.22)
+        skTe  = (x.28*inv(x.27))
+        z     = 'g'^(x.28*inv(x.27))
+        z.1   = x.25^(x.26*x.27*inv(x.28))
+        z.2   = x.25^x.26
+        z.3   = z.22
+    
+    10. certC = cert(x.25^(x.26*inv((x.27*x.28))), x.29, z.22)
+        skTe  = (x.28*inv(x.26))
+        z     = 'g'^(x.28*inv(x.26))
+        z.1   = x.25^(x.26*inv((x.27*x.28)))
+        z.2   = x.25^inv(x.27)
+        z.3   = z.22
+    
+    11. certC = cert(x.26^(x.27*x.28*inv((x.29*x.30))), x.31, z.23)
+        skTe  = (x.30*inv(x.28))
+        z     = 'g'^(x.30*inv(x.28))
+        z.1   = x.26^(x.27*x.28*inv((x.29*x.30)))
+        z.2   = x.26^(x.27*inv(x.29))
+        z.3   = z.23
+    
+    12. certC = cert(x.28^x.29, x.30, z.25)
+        skTe  = inv((x.29*x.35))
+        z     = 'g'^inv((x.29*x.35))
+        z.1   = x.28^x.29
+        z.2   = x.28^inv(x.35)
+        z.3   = z.25
+    
+    13. certC = cert(x.28^x.29, x.30, z.25)
+        skTe  = (x.35*inv(x.29))
+        z     = 'g'^(x.35*inv(x.29))
+        z.1   = x.28^x.29
+        z.2   = x.28^x.35
+        z.3   = z.25
+    
+    14. certC = cert(x.28^inv(x.29), x.30, z.25)
+        skTe  = inv(x.35)
+        z     = 'g'^inv(x.35)
+        z.1   = x.28^inv(x.29)
+        z.2   = x.28^inv((x.29*x.35))
+        z.3   = z.25
+    
+    15. certC = cert(x.28^inv(x.29), x.30, z.25)
+        skTe  = (x.29*x.35)
+        z     = 'g'^(x.29*x.35)
+        z.1   = x.28^inv(x.29)
+        z.2   = x.28^x.35
+        z.3   = z.25
+    
+    16. certC = cert(x.29^x.30, x.31, z.26)
+        skTe  = (x.36*inv((x.30*x.37)))
+        z     = 'g'^(x.36*inv((x.30*x.37)))
+        z.1   = x.29^x.30
+        z.2   = x.29^(x.36*inv(x.37))
+        z.3   = z.26
+    
+    17. certC = cert(x.29^inv(x.30), x.31, z.26)
+        skTe  = (x.36*inv(x.37))
+        z     = 'g'^(x.36*inv(x.37))
+        z.1   = x.29^inv(x.30)
+        z.2   = x.29^(x.36*inv((x.30*x.37)))
+        z.3   = z.26
+    
+    18. certC = cert(x.29^inv((x.30*x.31)), x.32, z.26)
+        skTe  = (x.30*x.37)
+        z     = 'g'^(x.30*x.37)
+        z.1   = x.29^inv((x.30*x.31))
+        z.2   = x.29^(x.37*inv(x.31))
+        z.3   = z.26
+    
+    19. certC = cert(x.29^inv((x.30*x.31)), x.32, z.26)
+        skTe  = (x.30*inv(x.37))
+        z     = 'g'^(x.30*inv(x.37))
+        z.1   = x.29^inv((x.30*x.31))
+        z.2   = x.29^inv((x.31*x.37))
+        z.3   = z.26
+    
+    20. certC = cert(x.29^(x.30*x.31), x.32, z.26)
+        skTe  = inv((x.30*x.37))
+        z     = 'g'^inv((x.30*x.37))
+        z.1   = x.29^(x.30*x.31)
+        z.2   = x.29^(x.31*inv(x.37))
+        z.3   = z.26
+    
+    21. certC = cert(x.29^(x.30*x.31), x.32, z.26)
+        skTe  = (x.37*inv(x.30))
+        z     = 'g'^(x.37*inv(x.30))
+        z.1   = x.29^(x.30*x.31)
+        z.2   = x.29^(x.31*x.37)
+        z.3   = z.26
+    
+    22. certC = cert(x.29^(x.30*inv(x.31)), x.32, z.26)
+        skTe  = inv(x.37)
+        z     = 'g'^inv(x.37)
+        z.1   = x.29^(x.30*inv(x.31))
+        z.2   = x.29^(x.30*inv((x.31*x.37)))
+        z.3   = z.26
+    
+    23. certC = cert(x.29^(x.30*inv(x.31)), x.32, z.26)
+        skTe  = inv((x.30*x.37))
+        z     = 'g'^inv((x.30*x.37))
+        z.1   = x.29^(x.30*inv(x.31))
+        z.2   = x.29^inv((x.31*x.37))
+        z.3   = z.26
+    
+    24. certC = cert(x.29^(x.30*inv(x.31)), x.32, z.26)
+        skTe  = (x.31*x.37)
+        z     = 'g'^(x.31*x.37)
+        z.1   = x.29^(x.30*inv(x.31))
+        z.2   = x.29^(x.30*x.37)
+        z.3   = z.26
+    
+    25. certC = cert(x.29^(x.30*inv(x.31)), x.32, z.26)
+        skTe  = (x.31*x.37*inv(x.30))
+        z     = 'g'^(x.31*x.37*inv(x.30))
+        z.1   = x.29^(x.30*inv(x.31))
+        z.2   = x.29^x.37
+        z.3   = z.26
+    
+    26. certC = cert(x.29^(x.30*inv(x.31)), x.32, z.26)
+        skTe  = (x.31*inv((x.30*x.37)))
+        z     = 'g'^(x.31*inv((x.30*x.37)))
+        z.1   = x.29^(x.30*inv(x.31))
+        z.2   = x.29^inv(x.37)
+        z.3   = z.26
+    
+    27. certC = cert(x.30^inv((x.31*x.32)), x.33, z.27)
+        skTe  = (x.31*x.38*inv(x.39))
+        z     = 'g'^(x.31*x.38*inv(x.39))
+        z.1   = x.30^inv((x.31*x.32))
+        z.2   = x.30^(x.38*inv((x.32*x.39)))
+        z.3   = z.27
+    
+    28. certC = cert(x.30^(x.31*x.32), x.33, z.27)
+        skTe  = (x.38*inv((x.31*x.39)))
+        z     = 'g'^(x.38*inv((x.31*x.39)))
+        z.1   = x.30^(x.31*x.32)
+        z.2   = x.30^(x.32*x.38*inv(x.39))
+        z.3   = z.27
+    
+    29. certC = cert(x.30^(x.31*x.32*inv(x.33)), x.34, z.27)
+        skTe  = inv((x.32*x.39))
+        z     = 'g'^inv((x.32*x.39))
+        z.1   = x.30^(x.31*x.32*inv(x.33))
+        z.2   = x.30^(x.31*inv((x.33*x.39)))
+        z.3   = z.27
+    
+    30. certC = cert(x.30^(x.31*x.32*inv(x.33)), x.34, z.27)
+        skTe  = (x.33*x.39*inv(x.31))
+        z     = 'g'^(x.33*x.39*inv(x.31))
+        z.1   = x.30^(x.31*x.32*inv(x.33))
+        z.2   = x.30^(x.32*x.39)
+        z.3   = z.27
+    
+    31. certC = cert(x.30^(x.31*x.32*inv(x.33)), x.34, z.27)
+        skTe  = (x.33*inv((x.31*x.39)))
+        z     = 'g'^(x.33*inv((x.31*x.39)))
+        z.1   = x.30^(x.31*x.32*inv(x.33))
+        z.2   = x.30^(x.32*inv(x.39))
+        z.3   = z.27
+    
+    32. certC = cert(x.30^(x.31*inv(x.32)), x.33, z.27)
+        skTe  = (x.32*x.38*inv((x.31*x.39)))
+        z     = 'g'^(x.32*x.38*inv((x.31*x.39)))
+        z.1   = x.30^(x.31*inv(x.32))
+        z.2   = x.30^(x.38*inv(x.39))
         z.3   = z.27
     
-     4. certC = cert(z.44, x.64, z.41)
+    33. certC = cert(x.30^(x.31*inv(x.32)), x.33, z.27)
+        skTe  = (x.38*inv(x.39))
+        z     = 'g'^(x.38*inv(x.39))
+        z.1   = x.30^(x.31*inv(x.32))
+        z.2   = x.30^(x.31*x.38*inv((x.32*x.39)))
+        z.3   = z.27
+    
+    34. certC = cert(x.30^(x.31*inv(x.32)), x.33, z.27)
+        skTe  = (x.38*inv((x.31*x.39)))
+        z     = 'g'^(x.38*inv((x.31*x.39)))
+        z.1   = x.30^(x.31*inv(x.32))
+        z.2   = x.30^(x.38*inv((x.32*x.39)))
+        z.3   = z.27
+    
+    35. certC = cert(x.30^(x.31*inv((x.32*x.33))), x.34, z.27)
+        skTe  = (x.32*x.39)
+        z     = 'g'^(x.32*x.39)
+        z.1   = x.30^(x.31*inv((x.32*x.33)))
+        z.2   = x.30^(x.31*x.39*inv(x.33))
+        z.3   = z.27
+    
+    36. certC = cert(x.30^(x.31*inv((x.32*x.33))), x.34, z.27)
+        skTe  = (x.32*x.39*inv(x.31))
+        z     = 'g'^(x.32*x.39*inv(x.31))
+        z.1   = x.30^(x.31*inv((x.32*x.33)))
+        z.2   = x.30^(x.39*inv(x.33))
+        z.3   = z.27
+    
+    37. certC = cert(x.30^(x.31*inv((x.32*x.33))), x.34, z.27)
+        skTe  = (x.32*inv(x.39))
+        z     = 'g'^(x.32*inv(x.39))
+        z.1   = x.30^(x.31*inv((x.32*x.33)))
+        z.2   = x.30^(x.31*inv((x.33*x.39)))
+        z.3   = z.27
+    
+    38. certC = cert(x.30^(x.31*inv((x.32*x.33))), x.34, z.27)
+        skTe  = (x.32*inv((x.31*x.39)))
+        z     = 'g'^(x.32*inv((x.31*x.39)))
+        z.1   = x.30^(x.31*inv((x.32*x.33)))
+        z.2   = x.30^inv((x.33*x.39))
+        z.3   = z.27
+    
+    39. certC = cert(x.31^(x.32*x.33*inv(x.34)), x.35, z.28)
+        skTe  = (x.34*x.40*inv((x.32*x.41)))
+        z     = 'g'^(x.34*x.40*inv((x.32*x.41)))
+        z.1   = x.31^(x.32*x.33*inv(x.34))
+        z.2   = x.31^(x.33*x.40*inv(x.41))
+        z.3   = z.28
+    
+    40. certC = cert(x.31^(x.32*x.33*inv(x.34)), x.35, z.28)
+        skTe  = (x.40*inv((x.32*x.41)))
+        z     = 'g'^(x.40*inv((x.32*x.41)))
+        z.1   = x.31^(x.32*x.33*inv(x.34))
+        z.2   = x.31^(x.33*x.40*inv((x.34*x.41)))
+        z.3   = z.28
+    
+    41. certC = cert(x.31^(x.32*x.33*inv((x.34*x.35))), x.36, z.28)
+        skTe  = (x.34*x.41*inv(x.32))
+        z     = 'g'^(x.34*x.41*inv(x.32))
+        z.1   = x.31^(x.32*x.33*inv((x.34*x.35)))
+        z.2   = x.31^(x.33*x.41*inv(x.35))
+        z.3   = z.28
+    
+    42. certC = cert(x.31^(x.32*x.33*inv((x.34*x.35))), x.36, z.28)
+        skTe  = (x.34*inv((x.32*x.41)))
+        z     = 'g'^(x.34*inv((x.32*x.41)))
+        z.1   = x.31^(x.32*x.33*inv((x.34*x.35)))
+        z.2   = x.31^(x.33*inv((x.35*x.41)))
+        z.3   = z.28
+    
+    43. certC = cert(x.31^(x.32*inv((x.33*x.34))), x.35, z.28)
+        skTe  = (x.33*x.40*inv(x.41))
+        z     = 'g'^(x.33*x.40*inv(x.41))
+        z.1   = x.31^(x.32*inv((x.33*x.34)))
+        z.2   = x.31^(x.32*x.40*inv((x.34*x.41)))
+        z.3   = z.28
+    
+    44. certC = cert(x.31^(x.32*inv((x.33*x.34))), x.35, z.28)
+        skTe  = (x.33*x.40*inv((x.32*x.41)))
+        z     = 'g'^(x.33*x.40*inv((x.32*x.41)))
+        z.1   = x.31^(x.32*inv((x.33*x.34)))
+        z.2   = x.31^(x.40*inv((x.34*x.41)))
+        z.3   = z.28
+    
+    45. certC = cert(x.32^(x.33*x.34*inv((x.35*x.36))), x.37, z.29)
+        skTe  = (x.35*x.42*inv((x.33*x.43)))
+        z     = 'g'^(x.35*x.42*inv((x.33*x.43)))
+        z.1   = x.32^(x.33*x.34*inv((x.35*x.36)))
+        z.2   = x.32^(x.34*x.42*inv((x.36*x.43)))
+        z.3   = z.29
+    
+    46. certC = cert(z.43^inv(skTe.36), x.65, z.44)
         skTe  = skTe.36
-        z     = z.41
-        z.1   = z.44^skTe.36
-        z.2   = 'g'^skTe.36
+        z     = 'g'^skTe.36
+        z.1   = z.43^inv(skTe.36)
+        z.2   = z.43
         z.3   = z.44
     
-     5. certC = cert(DH_neutral, x.62, z.40)
-        skTe  = skTe.35
-        z     = z.40
-        z.1   = DH_neutral
-        z.2   = 'g'^skTe.35
-        z.3   = DH_neutral
-    
-     6. certC = cert(z.28^x.40, x.41, z.27)
-        skTe  = inv(x.40)
-        z     = z.27
-        z.1   = z.28
-        z.2   = 'g'^inv(x.40)
-        z.3   = z.28^x.40
-    
-     7. certC = cert(z.29^(x.41*inv(x.42)), x.43, z.28)
-        skTe  = (x.42*inv(x.41))
-        z     = z.28
-        z.1   = z.29
-        z.2   = 'g'^(x.42*inv(x.41))
-        z.3   = z.29^(x.41*inv(x.42))
-    
-     8. certC = cert(x.40^(x.41*x.42), x.43, z.28)
-        skTe  = inv(x.41)
-        z     = z.28
-        z.1   = x.40^x.42
-        z.2   = 'g'^inv(x.41)
-        z.3   = x.40^(x.41*x.42)
-    
-     9. certC = cert(x.41^(x.42*x.43*inv(x.44)), x.45, z.29)
-        skTe  = (x.44*inv(x.43))
-        z     = z.29
-        z.1   = x.41^x.42
-        z.2   = 'g'^(x.44*inv(x.43))
-        z.3   = x.41^(x.42*x.43*inv(x.44))
-    
-    10. certC = cert(x.41^(x.42*inv((x.43*x.44))), x.45, z.29)
-        skTe  = (x.44*inv(x.42))
-        z     = z.29
-        z.1   = x.41^inv(x.43)
-        z.2   = 'g'^(x.44*inv(x.42))
-        z.3   = x.41^(x.42*inv((x.43*x.44)))
-    
-    11. certC = cert(x.42^(x.43*x.44*inv((x.45*x.46))), x.47, z.30)
-        skTe  = (x.46*inv(x.44))
-        z     = z.30
-        z.1   = x.42^(x.43*inv(x.45))
-        z.2   = 'g'^(x.46*inv(x.44))
-        z.3   = x.42^(x.43*x.44*inv((x.45*x.46)))
-    
-    12. certC = cert(z.43^inv(skTe.37), x.66, z.42)
-        skTe  = skTe.37
-        z     = z.42
-        z.1   = z.43
-        z.2   = 'g'^skTe.37
-        z.3   = z.43^inv(skTe.37)
-    
-    13. certC = cert(x.45^x.46, x.47, z.33)
-        skTe  = inv((x.46*x.53))
-        z     = z.33
-        z.1   = x.45^inv(x.53)
-        z.2   = 'g'^inv((x.46*x.53))
-        z.3   = x.45^x.46
-    
-    14. certC = cert(x.45^x.46, x.47, z.33)
-        skTe  = (x.53*inv(x.46))
-        z     = z.33
-        z.1   = x.45^x.53
-        z.2   = 'g'^(x.53*inv(x.46))
-        z.3   = x.45^x.46
-    
-    15. certC = cert(x.45^inv(x.46), x.47, z.33)
-        skTe  = inv(x.53)
-        z     = z.33
-        z.1   = x.45^inv((x.46*x.53))
-        z.2   = 'g'^inv(x.53)
-        z.3   = x.45^inv(x.46)
-    
-    16. certC = cert(x.45^inv(x.46), x.47, z.33)
-        skTe  = (x.46*x.53)
-        z     = z.33
-        z.1   = x.45^x.53
-        z.2   = 'g'^(x.46*x.53)
-        z.3   = x.45^inv(x.46)
-    
-    17. certC = cert(x.46^x.47, x.48, z.34)
-        skTe  = (x.54*inv((x.47*x.55)))
-        z     = z.34
-        z.1   = x.46^(x.54*inv(x.55))
-        z.2   = 'g'^(x.54*inv((x.47*x.55)))
-        z.3   = x.46^x.47
-    
-    18. certC = cert(x.46^inv(x.47), x.48, z.34)
-        skTe  = (x.54*inv(x.55))
-        z     = z.34
-        z.1   = x.46^(x.54*inv((x.47*x.55)))
-        z.2   = 'g'^(x.54*inv(x.55))
-        z.3   = x.46^inv(x.47)
-    
-    19. certC = cert(x.46^inv((x.47*x.48)), x.49, z.34)
-        skTe  = (x.47*x.55)
-        z     = z.34
-        z.1   = x.46^(x.55*inv(x.48))
-        z.2   = 'g'^(x.47*x.55)
-        z.3   = x.46^inv((x.47*x.48))
-    
-    20. certC = cert(x.46^inv((x.47*x.48)), x.49, z.34)
-        skTe  = (x.47*inv(x.55))
-        z     = z.34
-        z.1   = x.46^inv((x.48*x.55))
-        z.2   = 'g'^(x.47*inv(x.55))
-        z.3   = x.46^inv((x.47*x.48))
-    
-    21. certC = cert(x.46^(x.47*x.48), x.49, z.34)
-        skTe  = inv((x.47*x.55))
-        z     = z.34
-        z.1   = x.46^(x.48*inv(x.55))
-        z.2   = 'g'^inv((x.47*x.55))
-        z.3   = x.46^(x.47*x.48)
-    
-    22. certC = cert(x.46^(x.47*x.48), x.49, z.34)
-        skTe  = (x.55*inv(x.47))
-        z     = z.34
-        z.1   = x.46^(x.48*x.55)
-        z.2   = 'g'^(x.55*inv(x.47))
-        z.3   = x.46^(x.47*x.48)
-    
-    23. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34)
-        skTe  = inv(x.55)
-        z     = z.34
-        z.1   = x.46^(x.47*inv((x.48*x.55)))
-        z.2   = 'g'^inv(x.55)
-        z.3   = x.46^(x.47*inv(x.48))
-    
-    24. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34)
-        skTe  = inv((x.47*x.55))
-        z     = z.34
-        z.1   = x.46^inv((x.48*x.55))
-        z.2   = 'g'^inv((x.47*x.55))
-        z.3   = x.46^(x.47*inv(x.48))
-    
-    25. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34)
-        skTe  = (x.48*x.55)
-        z     = z.34
-        z.1   = x.46^(x.47*x.55)
-        z.2   = 'g'^(x.48*x.55)
-        z.3   = x.46^(x.47*inv(x.48))
-    
-    26. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34)
-        skTe  = (x.48*x.55*inv(x.47))
-        z     = z.34
-        z.1   = x.46^x.55
-        z.2   = 'g'^(x.48*x.55*inv(x.47))
-        z.3   = x.46^(x.47*inv(x.48))
-    
-    27. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34)
-        skTe  = (x.48*inv((x.47*x.55)))
-        z     = z.34
-        z.1   = x.46^inv(x.55)
-        z.2   = 'g'^(x.48*inv((x.47*x.55)))
-        z.3   = x.46^(x.47*inv(x.48))
-    
-    28. certC = cert(x.47^inv((x.48*x.49)), x.50, z.35)
-        skTe  = (x.48*x.56*inv(x.57))
-        z     = z.35
-        z.1   = x.47^(x.56*inv((x.49*x.57)))
-        z.2   = 'g'^(x.48*x.56*inv(x.57))
-        z.3   = x.47^inv((x.48*x.49))
-    
-    29. certC = cert(x.47^(x.48*x.49), x.50, z.35)
-        skTe  = (x.56*inv((x.48*x.57)))
-        z     = z.35
-        z.1   = x.47^(x.49*x.56*inv(x.57))
-        z.2   = 'g'^(x.56*inv((x.48*x.57)))
-        z.3   = x.47^(x.48*x.49)
-    
-    30. certC = cert(x.47^(x.48*x.49*inv(x.50)), x.51, z.35)
-        skTe  = inv((x.49*x.57))
-        z     = z.35
-        z.1   = x.47^(x.48*inv((x.50*x.57)))
-        z.2   = 'g'^inv((x.49*x.57))
-        z.3   = x.47^(x.48*x.49*inv(x.50))
-    
-    31. certC = cert(x.47^(x.48*x.49*inv(x.50)), x.51, z.35)
-        skTe  = (x.50*x.57*inv(x.48))
-        z     = z.35
-        z.1   = x.47^(x.49*x.57)
-        z.2   = 'g'^(x.50*x.57*inv(x.48))
-        z.3   = x.47^(x.48*x.49*inv(x.50))
-    
-    32. certC = cert(x.47^(x.48*x.49*inv(x.50)), x.51, z.35)
-        skTe  = (x.50*inv((x.48*x.57)))
-        z     = z.35
-        z.1   = x.47^(x.49*inv(x.57))
-        z.2   = 'g'^(x.50*inv((x.48*x.57)))
-        z.3   = x.47^(x.48*x.49*inv(x.50))
-    
-    33. certC = cert(x.47^(x.48*inv(x.49)), x.50, z.35)
-        skTe  = (x.49*x.56*inv((x.48*x.57)))
-        z     = z.35
-        z.1   = x.47^(x.56*inv(x.57))
-        z.2   = 'g'^(x.49*x.56*inv((x.48*x.57)))
-        z.3   = x.47^(x.48*inv(x.49))
-    
-    34. certC = cert(x.47^(x.48*inv(x.49)), x.50, z.35)
-        skTe  = (x.56*inv(x.57))
-        z     = z.35
-        z.1   = x.47^(x.48*x.56*inv((x.49*x.57)))
-        z.2   = 'g'^(x.56*inv(x.57))
-        z.3   = x.47^(x.48*inv(x.49))
-    
-    35. certC = cert(x.47^(x.48*inv(x.49)), x.50, z.35)
-        skTe  = (x.56*inv((x.48*x.57)))
-        z     = z.35
-        z.1   = x.47^(x.56*inv((x.49*x.57)))
-        z.2   = 'g'^(x.56*inv((x.48*x.57)))
-        z.3   = x.47^(x.48*inv(x.49))
-    
-    36. certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35)
-        skTe  = (x.49*x.57)
-        z     = z.35
-        z.1   = x.47^(x.48*x.57*inv(x.50))
-        z.2   = 'g'^(x.49*x.57)
-        z.3   = x.47^(x.48*inv((x.49*x.50)))
-    
-    37. certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35)
-        skTe  = (x.49*x.57*inv(x.48))
-        z     = z.35
-        z.1   = x.47^(x.57*inv(x.50))
-        z.2   = 'g'^(x.49*x.57*inv(x.48))
-        z.3   = x.47^(x.48*inv((x.49*x.50)))
-    
-    38. certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35)
-        skTe  = (x.49*inv(x.57))
-        z     = z.35
-        z.1   = x.47^(x.48*inv((x.50*x.57)))
-        z.2   = 'g'^(x.49*inv(x.57))
-        z.3   = x.47^(x.48*inv((x.49*x.50)))
-    
-    39. certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35)
-        skTe  = (x.49*inv((x.48*x.57)))
-        z     = z.35
-        z.1   = x.47^inv((x.50*x.57))
-        z.2   = 'g'^(x.49*inv((x.48*x.57)))
-        z.3   = x.47^(x.48*inv((x.49*x.50)))
-    
-    40. certC = cert(x.48^(x.49*x.50*inv(x.51)), x.52, z.36)
-        skTe  = (x.51*x.58*inv((x.49*x.59)))
-        z     = z.36
-        z.1   = x.48^(x.50*x.58*inv(x.59))
-        z.2   = 'g'^(x.51*x.58*inv((x.49*x.59)))
-        z.3   = x.48^(x.49*x.50*inv(x.51))
-    
-    41. certC = cert(x.48^(x.49*x.50*inv(x.51)), x.52, z.36)
-        skTe  = (x.58*inv((x.49*x.59)))
-        z     = z.36
-        z.1   = x.48^(x.50*x.58*inv((x.51*x.59)))
-        z.2   = 'g'^(x.58*inv((x.49*x.59)))
-        z.3   = x.48^(x.49*x.50*inv(x.51))
-    
-    42. certC = cert(x.48^(x.49*x.50*inv((x.51*x.52))), x.53, z.36)
-        skTe  = (x.51*x.59*inv(x.49))
-        z     = z.36
-        z.1   = x.48^(x.50*x.59*inv(x.52))
-        z.2   = 'g'^(x.51*x.59*inv(x.49))
-        z.3   = x.48^(x.49*x.50*inv((x.51*x.52)))
-    
-    43. certC = cert(x.48^(x.49*x.50*inv((x.51*x.52))), x.53, z.36)
-        skTe  = (x.51*inv((x.49*x.59)))
-        z     = z.36
-        z.1   = x.48^(x.50*inv((x.52*x.59)))
-        z.2   = 'g'^(x.51*inv((x.49*x.59)))
-        z.3   = x.48^(x.49*x.50*inv((x.51*x.52)))
-    
-    44. certC = cert(x.48^(x.49*inv((x.50*x.51))), x.52, z.36)
-        skTe  = (x.50*x.58*inv(x.59))
-        z     = z.36
-        z.1   = x.48^(x.49*x.58*inv((x.51*x.59)))
-        z.2   = 'g'^(x.50*x.58*inv(x.59))
-        z.3   = x.48^(x.49*inv((x.50*x.51)))
-    
-    45. certC = cert(x.48^(x.49*inv((x.50*x.51))), x.52, z.36)
-        skTe  = (x.50*x.58*inv((x.49*x.59)))
-        z     = z.36
-        z.1   = x.48^(x.58*inv((x.51*x.59)))
-        z.2   = 'g'^(x.50*x.58*inv((x.49*x.59)))
-        z.3   = x.48^(x.49*inv((x.50*x.51)))
-    
-    46. certC = cert(x.49^(x.50*x.51*inv((x.52*x.53))), x.54, z.37)
-        skTe  = (x.52*x.60*inv((x.50*x.61)))
-        z     = z.37
-        z.1   = x.49^(x.51*x.60*inv((x.53*x.61)))
-        z.2   = 'g'^(x.52*x.60*inv((x.50*x.61)))
-        z.3   = x.49^(x.50*x.51*inv((x.52*x.53)))
-    
-    47. certC = cert(x.64^x.65, x.66, z.42)
+    47. certC = cert(x.63^x.64, x.65, z.44)
+        skTe  = skTe.36
+        z     = 'g'^skTe.36
+        z.1   = x.63^x.64
+        z.2   = x.63^(skTe.36*x.64)
+        z.3   = z.44
+    
+    48. certC = cert(x.64^inv((skTe.37*x.65)), x.67, z.45)
         skTe  = skTe.37
-        z     = z.42
-        z.1   = x.64^(skTe.37*x.65)
-        z.2   = 'g'^skTe.37
-        z.3   = x.64^x.65
+        z     = 'g'^skTe.37
+        z.1   = x.64^inv((skTe.37*x.65))
+        z.2   = x.64^inv(x.65)
+        z.3   = z.45
     
-    48. certC = cert(x.65^inv((skTe.38*x.66)), x.68, z.43)
-        skTe  = skTe.38
-        z     = z.43
-        z.1   = x.65^inv(x.66)
-        z.2   = 'g'^skTe.38
-        z.3   = x.65^inv((skTe.38*x.66))
+    49. certC = cert(x.64^(x.65*inv(skTe.37)), x.67, z.45)
+        skTe  = skTe.37
+        z     = 'g'^skTe.37
+        z.1   = x.64^(x.65*inv(skTe.37))
+        z.2   = x.64^x.65
+        z.3   = z.45
     
-    49. certC = cert(x.65^(x.66*inv(skTe.38)), x.68, z.43)
+    50. certC = cert(x.65^(x.66*inv((skTe.38*x.67))), x.69, z.46)
         skTe  = skTe.38
-        z     = z.43
-        z.1   = x.65^x.66
-        z.2   = 'g'^skTe.38
-        z.3   = x.65^(x.66*inv(skTe.38))
-    
-    50. certC = cert(x.66^(x.67*inv((skTe.39*x.68))), x.70, z.44)
-        skTe  = skTe.39
-        z     = z.44
-        z.1   = x.66^(x.67*inv(x.68))
-        z.2   = 'g'^skTe.39
-        z.3   = x.66^(x.67*inv((skTe.39*x.68)))
+        z     = 'g'^skTe.38
+        z.1   = x.65^(x.66*inv((skTe.38*x.67)))
+        z.2   = x.65^(x.66*inv(x.67))
+        z.3   = z.46
   */
 
 rule (modulo E) Verify_Transcript_C:
@@ -18702,20 +18677,20 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+  solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
       solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
         case CA_Sign_ltk
-        solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>,
+        solve( Completed( kdf_enc(z, ~r2),
                           <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
                            cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, 
                            ~id_c, ~r2>,
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, skTe, ~id_c,
+          solve( CAInitT( $T, skTe, ~id_c,
                           cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C)
                  ) ▶₁ #j )
             case CA_INIT_T
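Review bot: The `Completed( kdf_enc(z, ~r2), …` goal in this proof step shows that the key term `k` now stands for the encryption key alone, while the `kdf_mac` key derived from the same DH value still authenticates the tag sent by CA_FINISH_C and is no longer part of what `!SessionReveal` stores. Lemmas that quantify over `k` therefore say nothing about the MAC key, and a session-key reveal presumably no longer hands it to the adversary; the reveal rule itself is not visible here, so that should be confirmed. This file looks like recorded Tamarin output, so the place to document the choice, if it is intended, is the model source, e.g. `// k is kdf_enc only; kdf_mac is used for key confirmation and is not covered by SessionReveal` next to the `Completed` action. The same goal recurs in the hunks at -18797 and -18820, and the proof this step belongs to continues outside the hunk.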
@@ -18741,7 +18716,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                             case CA_INIT_C
                             solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.35 )
                               case TA_RESPONSE_T
-                              solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z)
+                              solve( !KU( cert(pk(~skT), sign(<pk(~skT), x, 'terminal'>, ca_sk), x)
                                      ) @ #vk.38 )
                                 case CA_Sign_ltk
                                 solve( !KU( ~id_c.1 ) @ #vk.41 )
@@ -18797,20 +18772,20 @@ guarded formula characterizing all satisfying traces:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+  solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
       solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
         case CA_Sign_ltk
-        solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>,
+        solve( Completed( kdf_enc(z, ~r2),
                           <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
                            cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, 
                            ~id_c, ~r2>,
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, skTe, ~id_c,
+          solve( CAInitT( $T, skTe, ~id_c,
                           cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C)
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -18820,21 +18795,20 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
               case CA_Sign_ltk
               solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 )
                 case CA_FINISH_C
-                solve( CAInitC( <$C, iid.1>, cert(x, x.1, $T), pkTe, id_c.1, r1.1, r2.1
-                       ) ▶₁ #i2 )
+                solve( CAInitC( $C, cert(x, x.1, $T), pkTe, id_c.1, r1.1, r2.1 ) ▶₁ #i2 )
                   case CA_INIT_C
                   solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 )
                     case Generate_chip_key_pair
                     solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 )
                       case CA_Sign_ltk
-                      solve( Completed( <kdf_enc(z, ~r2.1), kdf_mac(z, ~r2.1)>,
+                      solve( Completed( kdf_enc(z, ~r2.1),
                                         <cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), 
                                          cert('g'^~ltk.2, sign(<'g'^~ltk.2, $C, 'chip'>, ca_sk), $C), pkTe, 
                                          'g'^~skC, ~id_c.1, ~r2.1>,
                                         $T, 'terminal', $C
                              ) @ #j2 )
                         case CA_FINISH_T
-                        solve( CAInitT( <$T, iid.3>, skTe.1, ~id_c.1,
+                        solve( CAInitT( $T, skTe.1, ~id_c.1,
                                         cert('g'^~skC, sign(<'g'^~skC, $C, 'chip'>, ca_sk), $C)
                                ) ▶₁ #j2 )
                           case CA_INIT_T
@@ -18919,24 +18893,22 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma weak_agreement_C:
+lemma aliveness:
   all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
+  "∀ k sid A role B #i #t.
+    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
+     (∃ #k.1. Corrupted( B ) @ #k.1))"
 /*
 guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+"∃ k sid A role B #i #t.
+  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
+solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -18944,113 +18916,276 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
                       <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
                        cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2
                       >,
-                      C, 'chip', T.1
+                      A, role, B
            ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>,
-                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 'g'^~skTe,
-                      id_c, r1, r2
-             ) ▶₁ #i )
-        case CA_INIT_C
-        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
-          case Generate_chip_key_pair
-          solve( !Cert( $C, cert('g'^~skC, sign(<'g'^~skC, z, 'chip'>, ca_sk), z),
-                        'chip'
-                 ) ▶₃ #i )
-            case CA_Sign_ltk
-            by contradiction /* from formulas */
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma weak_agreement_T:
-  all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
-*/
-simplify
-solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
-  case CA_INIT_T
-  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
-    case CA_Sign_ltk
-    solve( Completed( k,
-                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
-                       cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2
-                      >,
-                      T.1, 'terminal', C
-           ) @ #i )
+      by contradiction /* from formulas */
+    next
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, ~skTe, id_c,
-                      cert(z.1, sign(<z.1, C, 'chip'>, ca_sk), C)
+      solve( CAInitT( $T, ~skTe, id_c,
+                      cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B)
              ) ▶₁ #i )
         case CA_INIT_T
         solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.3 )
           case CA_FINISH_C
           solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.29 )
+            case TA_RESPONSE_T
+            solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
+                   ) @ #vk.14 )
+              case CA_INIT_C
+              by contradiction /* from formulas */
+            next
+              case CA_Sign_ltk
+              by contradiction /* from formulas */
+            next
+              case c_cert
+              solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.34 )
+                case CA_INIT_C
+                by contradiction /* from formulas */
+              next
+                case CA_Sign_ltk
+                by contradiction /* from formulas */
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.38 )
+              qed
+            qed
+          next
             case c_sign
-            solve( !KU( cert('g'^~skC, sign(<'g'^~skC, C, 'chip'>, ca_sk), C)
+            solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
                    ) @ #vk.14 )
+              case CA_INIT_C
+              by contradiction /* from formulas */
+            next
               case CA_Sign_ltk
-              solve( !KU( cert(pk(x), sign(<pk(x), z, 'terminal'>, ca_sk), z)
-                     ) @ #vk.33 )
+              by contradiction /* from formulas */
+            next
+              case c_cert
+              solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.39 )
+                case CA_INIT_C
+                by contradiction /* from formulas */
+              next
                 case CA_Sign_ltk
-                solve( !KU( ~ltk.1 ) @ #vk.35 )
-                  case Corrupt_ltk
-                  solve( !KU( ~r2 ) @ #vk.10 )
-                    case CA_FINISH_C
-                    solve( !KU( ~id_c.1 ) @ #vk.36 )
-                      case TA_CHALLENGE_C
-                      solve( !KU( ~r1 ) @ #vk.37 )
-                        case TA_CHALLENGE_C
-                        solve( !KU( 'g'^~skTe ) @ #vk.28 )
-                          case CA_INIT_T
-                          SOLVED // trace found
-                        qed
-                      qed
-                    qed
+                by contradiction /* from formulas */
+              next
+                case c_sign
+                by solve( !KU( ca_sk ) @ #vk.43 )
+              qed
+            qed
+          qed
+        next
+          case c_mac
+          solve( !KU( cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B) ) @ #vk.13 )
+            case CA_INIT_C
+            solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.20 )
+              case c_kdf_mac
+              solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.22 )
+                case TA_RESPONSE_T
+                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.33 )
+                  case CA_INIT_C
+                  by solve( !KU( ~skTe ) @ #vk.37 )
+                next
+                  case CA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.37 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case Generate_chip_key_pair
+                  by solve( !KU( ~skTe ) @ #vk.37 )
+                next
+                  case TA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.37 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_exp
+                  solve( !KU( ~ltk ) @ #vk.39 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.33 )
+                  case CA_INIT_C
+                  by solve( !KU( ~skTe ) @ #vk.38 )
+                next
+                  case CA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.38 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case Generate_chip_key_pair
+                  by solve( !KU( ~skTe ) @ #vk.38 )
+                next
+                  case TA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.38 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_exp
+                  solve( !KU( ~ltk ) @ #vk.40 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
                   qed
                 qed
               qed
             qed
-          qed
-        qed
-      qed
-    qed
-  qed
-qed
-
-lemma agreement_C:
-  all-traces
-  "∀ k sid C T #i #t.
-    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
-      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
-     (∃ #k.1. Corrupted( T ) @ #k.1))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ k sid C T #i #t.
-  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
- ∧
-  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+          next
+            case CA_Sign_ltk
+            solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.20 )
+              case c_kdf_mac
+              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.21 )
+                case CA_INIT_T
+                solve( !KU( ~ltk ) @ #vk.22 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case CA_Sign_ltk
+                by solve( !KU( ~skTe ) @ #vk.22 )
+              next
+                case Generate_chip_key_pair
+                by solve( !KU( ~skTe ) @ #vk.22 )
+              next
+                case TA_INIT_T
+                solve( !KU( ~ltk ) @ #vk.22 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              next
+                case c_exp
+                solve( !KU( ~ltk ) @ #vk.24 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              qed
+            qed
+          next
+            case c_cert
+            solve( !KU( sign(<z.1, B, 'chip'>, ca_sk) ) @ #vk.22 )
+              case CA_INIT_C
+              solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.21 )
+                case c_kdf_mac
+                solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.25 )
+                  case TA_RESPONSE_T
+                  solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.36 )
+                    case CA_INIT_C
+                    by solve( !KU( ~skTe ) @ #vk.40 )
+                  next
+                    case CA_INIT_T
+                    solve( !KU( ~ltk ) @ #vk.40 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case Generate_chip_key_pair
+                    by solve( !KU( ~skTe ) @ #vk.40 )
+                  next
+                    case TA_INIT_T
+                    solve( !KU( ~ltk ) @ #vk.40 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_exp
+                    solve( !KU( ~ltk ) @ #vk.42 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  qed
+                next
+                  case c_sign
+                  solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.36 )
+                    case CA_INIT_C
+                    by solve( !KU( ~skTe ) @ #vk.41 )
+                  next
+                    case CA_INIT_T
+                    solve( !KU( ~ltk ) @ #vk.41 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case Generate_chip_key_pair
+                    by solve( !KU( ~skTe ) @ #vk.41 )
+                  next
+                    case TA_INIT_T
+                    solve( !KU( ~ltk ) @ #vk.41 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_exp
+                    solve( !KU( ~ltk ) @ #vk.43 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  qed
+                qed
+              qed
+            next
+              case CA_Sign_ltk
+              solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.21 )
+                case c_kdf_mac
+                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.24 )
+                  case CA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.25 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case CA_Sign_ltk
+                  by solve( !KU( ~skTe ) @ #vk.25 )
+                next
+                  case Generate_chip_key_pair
+                  by solve( !KU( ~skTe ) @ #vk.25 )
+                next
+                  case TA_INIT_T
+                  solve( !KU( ~ltk ) @ #vk.25 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                next
+                  case c_exp
+                  solve( !KU( ~ltk ) @ #vk.27 )
+                    case Corrupt_ltk
+                    by contradiction /* from formulas */
+                  qed
+                qed
+              qed
+            next
+              case c_sign
+              by solve( !KU( ca_sk ) @ #vk.26 )
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma weak_agreement_C:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
+solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -19061,7 +19196,7 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
                       C, 'chip', T.1
            ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>,
+      solve( CAInitC( $C,
                       cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 'g'^~skTe,
                       id_c, r1, r2
              ) ▶₁ #i )
@@ -19080,11 +19215,11 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
   qed
 qed
 
-lemma agreement_T:
+lemma weak_agreement_T:
   all-traces
   "∀ k sid C T #i #t.
     ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+    (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨
       (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
      (∃ #k.1. Corrupted( T ) @ #k.1))"
 /*
@@ -19092,12 +19227,12 @@ guarded formula characterizing all counter-examples:
 "∃ k sid C T #i #t.
   (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
   (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
+solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -19108,29 +19243,32 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
                       T.1, 'terminal', C
            ) @ #i )
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, ~skTe, id_c,
+      solve( CAInitT( $T, ~skTe, id_c,
                       cert(z.1, sign(<z.1, C, 'chip'>, ca_sk), C)
              ) ▶₁ #i )
         case CA_INIT_T
         solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.3 )
           case CA_FINISH_C
           solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.29 )
-            case TA_RESPONSE_T
+            case c_sign
             solve( !KU( cert('g'^~skC, sign(<'g'^~skC, C, 'chip'>, ca_sk), C)
                    ) @ #vk.14 )
               case CA_Sign_ltk
-              solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z)
-                     ) @ #vk.31 )
+              solve( !KU( cert(pk(x), sign(<pk(x), z, 'terminal'>, ca_sk), z)
+                     ) @ #vk.33 )
                 case CA_Sign_ltk
-                solve( !KU( ~r2 ) @ #vk.8 )
-                  case CA_FINISH_C
-                  solve( !KU( ~id_c ) @ #vk.20 )
-                    case TA_CHALLENGE_C
-                    solve( !KU( ~r1 ) @ #vk.21 )
+                solve( !KU( ~ltk.1 ) @ #vk.35 )
+                  case Corrupt_ltk
+                  solve( !KU( ~r2 ) @ #vk.10 )
+                    case CA_FINISH_C
+                    solve( !KU( ~id_c.1 ) @ #vk.36 )
                       case TA_CHALLENGE_C
-                      solve( !KU( 'g'^~skTe ) @ #vk.24 )
-                        case TA_INIT_T
-                        SOLVED // trace found
+                      solve( !KU( ~r1 ) @ #vk.37 )
+                        case TA_CHALLENGE_C
+                        solve( !KU( 'g'^~skTe ) @ #vk.28 )
+                          case CA_INIT_T
+                          SOLVED // trace found
+                        qed
                       qed
                     qed
                   qed
@@ -19144,22 +19282,24 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
   qed
 qed
 
-lemma aliveness:
+lemma agreement_C:
   all-traces
-  "∀ k sid A role B #i #t.
-    ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
-    ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨
-     (∃ #k.1. Corrupted( B ) @ #k.1))"
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
 /*
 guarded formula characterizing all counter-examples:
-"∃ k sid A role B #i #t.
-  (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)
+"∃ k sid C T #i #t.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)
  ∧
-  (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧
-  (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)"
+  (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
 */
 simplify
-solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
+solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #t )
   case CA_INIT_T
   solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
     case CA_Sign_ltk
@@ -19167,464 +19307,84 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t )
                       <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
                        cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2
                       >,
-                      A, role, B
+                      C, 'chip', T.1
            ) @ #i )
       case CA_FINISH_C
-      by contradiction /* from formulas */
-    next
-      case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, ~skTe, id_c,
-                      cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B)
+      solve( CAInitC( $C,
+                      cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 'g'^~skTe,
+                      id_c, r1, r2
              ) ▶₁ #i )
-        case CA_INIT_T
-        solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.3 )
-          case CA_FINISH_C
-          solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.29 )
-            case TA_RESPONSE_T
-            solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
-                   ) @ #vk.14 )
-              case CA_INIT_C
-              by contradiction /* from formulas */
-            next
-              case CA_Sign_ltk
-              by contradiction /* from formulas */
-            next
-              case c_cert
-              solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.34 )
-                case CA_INIT_C
-                by contradiction /* from formulas */
-              next
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.38 )
-              qed
-            qed
-          next
-            case c_sign
-            solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B)
-                   ) @ #vk.14 )
-              case CA_INIT_C
-              by contradiction /* from formulas */
-            next
-              case CA_Sign_ltk
-              by contradiction /* from formulas */
-            next
-              case c_cert
-              solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.39 )
-                case CA_INIT_C
-                by contradiction /* from formulas */
-              next
-                case CA_Sign_ltk
-                by contradiction /* from formulas */
-              next
-                case c_sign
-                by solve( !KU( ca_sk ) @ #vk.43 )
-              qed
-            qed
+        case CA_INIT_C
+        solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+          case Generate_chip_key_pair
+          solve( !Cert( $C, cert('g'^~skC, sign(<'g'^~skC, z, 'chip'>, ca_sk), z),
+                        'chip'
+                 ) ▶₃ #i )
+            case CA_Sign_ltk
+            by contradiction /* from formulas */
           qed
-        next
-          case c_mac
-          solve( !KU( cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B) ) @ #vk.13 )
-            case CA_INIT_C
-            solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.22 )
-              case TA_RESPONSE_T
-              solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.22 )
-                case Reveal_session
-                solve( splitEqs(2) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z)
-                         ) @ #vk.37 )
-                    case CA_Sign_ltk
-                    solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.42 )
-                      case c_mac
-                      by contradiction /* cyclic */
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.42 )
-                      case c_mac
-                      by contradiction /* cyclic */
-                    qed
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(~skT), z, 'terminal'>, ca_sk) ) @ #vk.48 )
-                      case CA_Sign_ltk
-                      solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 )
-                        case c_mac
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 )
-                        case c_mac
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.52 )
-                    qed
-                  qed
-                qed
-              next
-                case c_kdf_mac
-                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.36 )
-                  case CA_INIT_C
-                  by solve( !KU( ~skTe ) @ #vk.37 )
-                next
-                  case CA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.37 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case Generate_chip_key_pair
-                  by solve( !KU( ~skTe ) @ #vk.37 )
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.37 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~ltk ) @ #vk.39 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                qed
-              qed
-            next
-              case c_sign
-              solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.21 )
-                case Reveal_session
-                solve( splitEqs(2) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( cert(pk(x), sign(<pk(x), z, 'terminal'>, ca_sk), z)
-                         ) @ #vk.35 )
-                    case CA_Sign_ltk
-                    solve( !KU( ~ltk.2 ) @ #vk.40 )
-                      case Corrupt_ltk
-                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 )
-                        case c_mac
-                        by contradiction /* cyclic */
-                      qed
-                    qed
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk.2 ) @ #vk.40 )
-                      case Corrupt_ltk
-                      solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 )
-                        case c_mac
-                        by contradiction /* cyclic */
-                      qed
-                    qed
-                  next
-                    case c_cert
-                    solve( !KU( sign(<pk(x), z, 'terminal'>, ca_sk) ) @ #vk.49 )
-                      case CA_Sign_ltk
-                      solve( !KU( ~ltk.2 ) @ #vk.41 )
-                        case Corrupt_ltk
-                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.44 )
-                          case c_mac
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk.2 ) @ #vk.41 )
-                        case Corrupt_ltk
-                        solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.44 )
-                          case c_mac
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    next
-                      case c_sign
-                      by solve( !KU( ca_sk ) @ #vk.53 )
-                    qed
-                  qed
-                qed
-              next
-                case c_kdf_mac
-                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.37 )
-                  case CA_INIT_C
-                  by solve( !KU( ~skTe ) @ #vk.38 )
-                next
-                  case CA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.38 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case Generate_chip_key_pair
-                  by solve( !KU( ~skTe ) @ #vk.38 )
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.38 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~ltk ) @ #vk.40 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                qed
-              qed
-            qed
-          next
-            case CA_Sign_ltk
-            solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.20 )
-              case Reveal_session
-              solve( splitEqs(2) )
-                case split_case_1
-                by contradiction /* cyclic */
-              next
-                case split_case_2
-                solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
-                  case c_mac
-                  by contradiction /* cyclic */
-                qed
-              qed
-            next
-              case c_kdf_mac
-              solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.21 )
-                case CA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.22 )
-                  case Corrupt_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case CA_Sign_ltk
-                by solve( !KU( ~skTe ) @ #vk.22 )
-              next
-                case Generate_chip_key_pair
-                by solve( !KU( ~skTe ) @ #vk.22 )
-              next
-                case TA_INIT_T
-                solve( !KU( ~ltk ) @ #vk.22 )
-                  case Corrupt_ltk
-                  by contradiction /* from formulas */
-                qed
-              next
-                case c_exp
-                solve( !KU( ~ltk ) @ #vk.24 )
-                  case Corrupt_ltk
-                  by contradiction /* from formulas */
-                qed
-              qed
-            qed
-          next
-            case c_cert
-            solve( !KU( sign(<z.1, B, 'chip'>, ca_sk) ) @ #vk.22 )
-              case CA_INIT_C
-              solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.25 )
-                case TA_RESPONSE_T
-                solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.23 )
-                  case Reveal_session
-                  solve( splitEqs(2) )
-                    case split_case_1
-                    by contradiction /* cyclic */
-                  next
-                    case split_case_2
-                    solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z)
-                           ) @ #vk.40 )
-                      case CA_Sign_ltk
-                      solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.45 )
-                        case c_mac
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.45 )
-                        case c_mac
-                        by contradiction /* cyclic */
-                      qed
-                    next
-                      case c_cert
-                      solve( !KU( sign(<pk(~skT), z, 'terminal'>, ca_sk) ) @ #vk.51 )
-                        case CA_Sign_ltk
-                        solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 )
-                          case c_mac
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 )
-                          case c_mac
-                          by contradiction /* cyclic */
-                        qed
-                      next
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.55 )
-                      qed
-                    qed
-                  qed
-                next
-                  case c_kdf_mac
-                  solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.39 )
-                    case CA_INIT_C
-                    by solve( !KU( ~skTe ) @ #vk.40 )
-                  next
-                    case CA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.40 )
-                      case Corrupt_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case Generate_chip_key_pair
-                    by solve( !KU( ~skTe ) @ #vk.40 )
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.40 )
-                      case Corrupt_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_exp
-                    solve( !KU( ~ltk ) @ #vk.42 )
-                      case Corrupt_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  qed
-                qed
-              next
-                case c_sign
-                solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.22 )
-                  case Reveal_session
-                  solve( splitEqs(2) )
-                    case split_case_1
-                    by contradiction /* cyclic */
-                  next
-                    case split_case_2
-                    solve( !KU( cert(pk(x), sign(<pk(x), z, 'terminal'>, ca_sk), z)
-                           ) @ #vk.38 )
-                      case CA_Sign_ltk
-                      solve( !KU( ~ltk.3 ) @ #vk.43 )
-                        case Corrupt_ltk
-                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 )
-                          case c_mac
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk.3 ) @ #vk.43 )
-                        case Corrupt_ltk
-                        solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 )
-                          case c_mac
-                          by contradiction /* cyclic */
-                        qed
-                      qed
-                    next
-                      case c_cert
-                      solve( !KU( sign(<pk(x), z, 'terminal'>, ca_sk) ) @ #vk.52 )
-                        case CA_Sign_ltk
-                        solve( !KU( ~ltk.3 ) @ #vk.44 )
-                          case Corrupt_ltk
-                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.47 )
-                            case c_mac
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      next
-                        case TA_INIT_T
-                        solve( !KU( ~ltk.3 ) @ #vk.44 )
-                          case Corrupt_ltk
-                          solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.47 )
-                            case c_mac
-                            by contradiction /* cyclic */
-                          qed
-                        qed
-                      next
-                        case c_sign
-                        by solve( !KU( ca_sk ) @ #vk.56 )
-                      qed
-                    qed
-                  qed
-                next
-                  case c_kdf_mac
-                  solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.40 )
-                    case CA_INIT_C
-                    by solve( !KU( ~skTe ) @ #vk.41 )
-                  next
-                    case CA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.41 )
-                      case Corrupt_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case Generate_chip_key_pair
-                    by solve( !KU( ~skTe ) @ #vk.41 )
-                  next
-                    case TA_INIT_T
-                    solve( !KU( ~ltk ) @ #vk.41 )
-                      case Corrupt_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  next
-                    case c_exp
-                    solve( !KU( ~ltk ) @ #vk.43 )
-                      case Corrupt_ltk
-                      by contradiction /* from formulas */
-                    qed
-                  qed
-                qed
-              qed
-            next
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma agreement_T:
+  all-traces
+  "∀ k sid C T #i #t.
+    ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒
+    (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨
+      (∃ #k.1. Corrupted( C ) @ #k.1)) ∨
+     (∃ #k.1. Corrupted( T ) @ #k.1))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ k sid C T #i #t.
+  (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)
+ ∧
+  (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧
+  (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)"
+*/
+simplify
+solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #t )
+  case CA_INIT_T
+  solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t )
+    case CA_Sign_ltk
+    solve( Completed( k,
+                      <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 
+                       cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2
+                      >,
+                      T.1, 'terminal', C
+           ) @ #i )
+      case CA_FINISH_T
+      solve( CAInitT( $T, ~skTe, id_c,
+                      cert(z.1, sign(<z.1, C, 'chip'>, ca_sk), C)
+             ) ▶₁ #i )
+        case CA_INIT_T
+        solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.3 )
+          case CA_FINISH_C
+          solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.29 )
+            case TA_RESPONSE_T
+            solve( !KU( cert('g'^~skC, sign(<'g'^~skC, C, 'chip'>, ca_sk), C)
+                   ) @ #vk.14 )
               case CA_Sign_ltk
-              solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.21 )
-                case Reveal_session
-                solve( splitEqs(2) )
-                  case split_case_1
-                  by contradiction /* cyclic */
-                next
-                  case split_case_2
-                  solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 )
-                    case c_mac
-                    by contradiction /* cyclic */
-                  qed
-                qed
-              next
-                case c_kdf_mac
-                solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.24 )
-                  case CA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.25 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case CA_Sign_ltk
-                  by solve( !KU( ~skTe ) @ #vk.25 )
-                next
-                  case Generate_chip_key_pair
-                  by solve( !KU( ~skTe ) @ #vk.25 )
-                next
-                  case TA_INIT_T
-                  solve( !KU( ~ltk ) @ #vk.25 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
-                  qed
-                next
-                  case c_exp
-                  solve( !KU( ~ltk ) @ #vk.27 )
-                    case Corrupt_ltk
-                    by contradiction /* from formulas */
+              solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z)
+                     ) @ #vk.31 )
+                case CA_Sign_ltk
+                solve( !KU( ~r2 ) @ #vk.8 )
+                  case CA_FINISH_C
+                  solve( !KU( ~id_c ) @ #vk.20 )
+                    case TA_CHALLENGE_C
+                    solve( !KU( ~r1 ) @ #vk.21 )
+                      case TA_CHALLENGE_C
+                      solve( !KU( 'g'^~skTe ) @ #vk.24 )
+                        case TA_INIT_T
+                        SOLVED // trace found
+                      qed
+                    qed
                   qed
                 qed
               qed
-            next
-              case c_sign
-              by solve( !KU( ca_sk ) @ #vk.26 )
             qed
           qed
         qed
@@ -19654,16 +19414,15 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_1
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+      solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
         case CA_INIT_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
           solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
             case CA_Sign_ltk
-            solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B
-                   ) @ #j )
+            solve( Completed( kdf_enc(z, ~r2), sid2, $C, 'chip', B ) @ #j )
               case CA_FINISH_C
-              solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
+              solve( CAInitC( $C, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
                 case CA_INIT_C
                 by contradiction /* cyclic */
               qed
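Review bot: The key term carried by `Completed` shrinks from the pair `<kdf_enc(z, ~r2), kdf_mac(z, ~r2)>` to `kdf_enc(z, ~r2)` alone, here and in the terminal-side goal of the next hunk, so every lemma that quantifies over that `k` now speaks only about the encryption key. Whether the MAC key is still covered by a separate secrecy statement cannot be told from this log. If the narrowing is intended, I would record it next to the lemma definitions, e.g. `// k = kdf_enc(z, r2) only; kdf_mac(z, r2) is not covered by lemmas over Completed`. The proof steps of this lemma begin before the hunk and continue after it.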
@@ -19673,15 +19432,13 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i )
+      solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #i )
         case CA_INIT_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
-          solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal',
-                            B
-                 ) @ #j )
+          solve( Completed( kdf_enc(z, r2), sid2, $T, 'terminal', B ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j )
+            solve( CAInitT( $T, skTe.1, id_c.1, certC ) ▶₁ #j )
               case CA_INIT_T
               solve( !Cert( $T, certT, 'terminal' ) ▶₂ #j )
                 case CA_Sign_ltk
@@ -19701,14 +19458,39 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case TA_RESPONSE_T
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.32 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.57 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.61 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.55 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.56 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.57 )
+                              next
+                                case CA_INIT_T
+                                by contradiction /* cyclic */
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.57 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.57 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.35 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.59 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.63 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.59 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.60 )
+                                qed
                               qed
                             qed
                           qed
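Review bot: The new `Corrupt_ltk` branch under `case TA_INIT_T` closes only at `by solve( !KU( ca_sk ) @ #vk.63 )`, so once the adversary knows the chip key `~skC` the result rests entirely on the CA signing key apparently having no source in the model. The same pattern recurs in the hunks that follow. A reader of the results should see that trust assumption stated, for example as a comment beside the setup rules: `// Assumption: ca_sk is never revealed; CA compromise is out of scope for all lemmas`. The sub-proof for `!KU( 'g'^(~skC*~skTe) )` is also repeated in each of these hunks, so a helper lemma marked `[reuse]` might shorten the run, though whether it is provable cannot be judged from this log. The enclosing proof starts and ends outside the hunk.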
@@ -19716,14 +19498,39 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case c_sign
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.30 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.58 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.56 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.57 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.58 )
+                              next
+                                case CA_INIT_T
+                                by contradiction /* cyclic */
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.58 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.58 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.33 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.60 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.64 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.60 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.61 )
+                                qed
                               qed
                             qed
                           qed
@@ -19732,14 +19539,38 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                         case CA_Sign_ltk
                         solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
                           case c_mac
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.28 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.47 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.51 )
+                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.45 )
+                            case c_kdf_mac
+                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.46 )
+                              case CA_INIT_T
+                              by contradiction /* cyclic */
+                            next
+                              case CA_Sign_ltk
+                              by solve( !KU( ~skTe ) @ #vk.47 )
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.47 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.47 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.32 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.49 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.53 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~skC ) @ #vk.49 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.50 )
+                              qed
                             qed
                           qed
                         qed
@@ -19751,14 +19582,39 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             case TA_RESPONSE_T
                             solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
                               case c_mac
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                     ) @ #vk.33 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                       ) @ #vk.60 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.63 )
+                              solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.58 )
+                                case c_kdf_mac
+                                solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.59 )
+                                  case CA_INIT_C
+                                  by solve( !KU( ~skTe ) @ #vk.60 )
+                                next
+                                  case CA_INIT_T
+                                  by contradiction /* cyclic */
+                                next
+                                  case Generate_chip_key_pair
+                                  by solve( !KU( ~skTe ) @ #vk.60 )
+                                next
+                                  case TA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.60 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.36 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.62 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.65 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case c_exp
+                                  solve( !KU( ~skC ) @ #vk.62 )
+                                    case Corrupt_ltk
+                                    by solve( !KU( ~skTe ) @ #vk.63 )
+                                  qed
                                 qed
                               qed
                             qed
@@ -19766,14 +19622,39 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             case c_sign
                             solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                               case c_mac
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                     ) @ #vk.31 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                       ) @ #vk.61 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.64 )
+                              solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.59 )
+                                case c_kdf_mac
+                                solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.60 )
+                                  case CA_INIT_C
+                                  by solve( !KU( ~skTe ) @ #vk.61 )
+                                next
+                                  case CA_INIT_T
+                                  by contradiction /* cyclic */
+                                next
+                                  case Generate_chip_key_pair
+                                  by solve( !KU( ~skTe ) @ #vk.61 )
+                                next
+                                  case TA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.61 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.34 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.63 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.66 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case c_exp
+                                  solve( !KU( ~skC ) @ #vk.63 )
+                                    case Corrupt_ltk
+                                    by solve( !KU( ~skTe ) @ #vk.64 )
+                                  qed
                                 qed
                               qed
                             qed
@@ -19782,14 +19663,39 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case CA_Sign_ltk
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.29 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.50 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.53 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.48 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.49 )
+                                case CA_INIT_T
+                                by contradiction /* cyclic */
+                              next
+                                case CA_Sign_ltk
+                                by solve( !KU( ~skTe ) @ #vk.50 )
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.50 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.50 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.33 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.52 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.55 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.52 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.53 )
+                                qed
                               qed
                             qed
                           qed
@@ -19807,14 +19713,52 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case TA_RESPONSE_T
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.32 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.62 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.66 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.60 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.61 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.62 )
+                              next
+                                case CA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.62 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.36 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.64 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.68 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.62 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.62 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.35 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.64 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.68 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.64 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.65 )
+                                qed
                               qed
                             qed
                           qed
@@ -19822,14 +19766,52 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case c_sign
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.30 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.63 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.61 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.62 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.63 )
+                              next
+                                case CA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.63 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.34 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.65 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.69 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.63 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.63 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.33 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.65 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.69 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.65 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.66 )
+                                qed
                               qed
                             qed
                           qed
@@ -19838,14 +19820,50 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                         case CA_Sign_ltk
                         solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
                           case c_mac
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.28 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.52 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.56 )
+                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.50 )
+                            case c_kdf_mac
+                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.51 )
+                              case CA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.52 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.33 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.54 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.58 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              by solve( !KU( ~skTe ) @ #vk.52 )
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.52 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.52 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.33 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.54 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.58 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~skC ) @ #vk.54 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.55 )
+                              qed
                             qed
                           qed
                         qed
@@ -19857,14 +19875,52 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             case TA_RESPONSE_T
                             solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
                               case c_mac
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                     ) @ #vk.33 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                       ) @ #vk.65 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.68 )
+                              solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.63 )
+                                case c_kdf_mac
+                                solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.64 )
+                                  case CA_INIT_C
+                                  by solve( !KU( ~skTe ) @ #vk.65 )
+                                next
+                                  case CA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.65 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.37 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.67 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.70 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case Generate_chip_key_pair
+                                  by solve( !KU( ~skTe ) @ #vk.65 )
+                                next
+                                  case TA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.65 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.36 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.67 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.70 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case c_exp
+                                  solve( !KU( ~skC ) @ #vk.67 )
+                                    case Corrupt_ltk
+                                    by solve( !KU( ~skTe ) @ #vk.68 )
+                                  qed
                                 qed
                               qed
                             qed
@@ -19872,14 +19928,52 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             case c_sign
                             solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                               case c_mac
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                     ) @ #vk.31 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                       ) @ #vk.66 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.69 )
+                              solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.64 )
+                                case c_kdf_mac
+                                solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.65 )
+                                  case CA_INIT_C
+                                  by solve( !KU( ~skTe ) @ #vk.66 )
+                                next
+                                  case CA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.66 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.35 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.68 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.71 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case Generate_chip_key_pair
+                                  by solve( !KU( ~skTe ) @ #vk.66 )
+                                next
+                                  case TA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.66 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.34 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.68 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.71 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case c_exp
+                                  solve( !KU( ~skC ) @ #vk.68 )
+                                    case Corrupt_ltk
+                                    by solve( !KU( ~skTe ) @ #vk.69 )
+                                  qed
                                 qed
                               qed
                             qed
@@ -19888,14 +19982,52 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case CA_Sign_ltk
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.29 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.55 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.58 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.53 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.54 )
+                                case CA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.34 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.57 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.60 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case CA_Sign_ltk
+                                by solve( !KU( ~skTe ) @ #vk.55 )
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.55 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.34 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.57 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.60 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.57 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.58 )
+                                qed
                               qed
                             qed
                           qed
@@ -19915,33 +20047,108 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                       by contradiction /* cyclic */
                     next
                       case split_case_2
-                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 )
-                        case TA_RESPONSE_T
-                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.30 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.49 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.53 )
+                      solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 )
+                        case c_kdf_mac
+                        solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 )
+                          case TA_RESPONSE_T
+                          solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
+                            case CA_INIT_C
+                            by solve( !KU( ~skTe ) @ #vk.48 )
+                          next
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.48 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.34 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.51 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.55 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case Generate_chip_key_pair
+                            by solve( !KU( ~skTe ) @ #vk.48 )
+                          next
+                            case TA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.48 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.34 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.51 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.55 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_exp
+                            solve( !KU( ~ltk ) @ #vk.50 )
+                              case Corrupt_ltk
+                              by solve( !KU( ~skTe ) @ #vk.51 )
                             qed
                           qed
-                        qed
-                      next
-                        case c_sign
-                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.28 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.50 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.54 )
+                        next
+                          case c_sign
+                          solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
+                            case CA_INIT_C
+                            by solve( !KU( ~skTe ) @ #vk.49 )
+                          next
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.49 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.32 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.52 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.56 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case Generate_chip_key_pair
+                            by solve( !KU( ~skTe ) @ #vk.49 )
+                          next
+                            case TA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.49 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.32 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.52 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.56 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_exp
+                            solve( !KU( ~ltk ) @ #vk.51 )
+                              case Corrupt_ltk
+                              by solve( !KU( ~skTe ) @ #vk.52 )
                             qed
                           qed
                         qed
@@ -19954,16 +20161,55 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                       by contradiction /* cyclic */
                     next
                       case split_case_2
-                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.25 )
-                        case c_mac
-                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
-                               ) @ #vk.26 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
-                                 ) @ #vk.34 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.38 )
+                      solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 )
+                        case c_kdf_mac
+                        solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.32 )
+                          case CA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.33 )
+                            case Corrupt_ltk
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                     ) @ #vk.30 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                       ) @ #vk.36 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.40 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          by solve( !KU( ~skTe ) @ #vk.33 )
+                        next
+                          case Generate_chip_key_pair
+                          by solve( !KU( ~skTe ) @ #vk.33 )
+                        next
+                          case TA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.33 )
+                            case Corrupt_ltk
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                     ) @ #vk.30 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                       ) @ #vk.36 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.40 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_exp
+                          solve( !KU( ~ltk ) @ #vk.35 )
+                            case Corrupt_ltk
+                            by solve( !KU( ~skTe ) @ #vk.36 )
                           qed
                         qed
                       qed
@@ -19975,35 +20221,114 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                       solve( splitEqs(1) )
                         case split_case_1
                         by contradiction /* cyclic */
-                      next
-                        case split_case_2
-                        solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 )
-                          case TA_RESPONSE_T
-                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.28 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.31 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.52 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.55 )
+                      next
+                        case split_case_2
+                        solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
+                          case c_kdf_mac
+                          solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 )
+                            case TA_RESPONSE_T
+                            solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 )
+                              case CA_INIT_C
+                              by solve( !KU( ~skTe ) @ #vk.51 )
+                            next
+                              case CA_INIT_T
+                              solve( !KU( ~ltk ) @ #vk.51 )
+                                case Corrupt_ltk
+                                solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 )
+                                  case c_mac
+                                  solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.35 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.54 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.57 )
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.51 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~ltk ) @ #vk.51 )
+                                case Corrupt_ltk
+                                solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 )
+                                  case c_mac
+                                  solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.35 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.54 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.57 )
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~ltk ) @ #vk.53 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.54 )
                               qed
                             qed
-                          qed
-                        next
-                          case c_sign
-                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.29 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.53 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.56 )
+                          next
+                            case c_sign
+                            solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 )
+                              case CA_INIT_C
+                              by solve( !KU( ~skTe ) @ #vk.52 )
+                            next
+                              case CA_INIT_T
+                              solve( !KU( ~ltk ) @ #vk.52 )
+                                case Corrupt_ltk
+                                solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 )
+                                  case c_mac
+                                  solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.33 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.55 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.58 )
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.52 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~ltk ) @ #vk.52 )
+                                case Corrupt_ltk
+                                solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 )
+                                  case c_mac
+                                  solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.33 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.55 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.58 )
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~ltk ) @ #vk.54 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.55 )
                               qed
                             qed
                           qed
@@ -20016,16 +20341,55 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                         by contradiction /* cyclic */
                       next
                         case split_case_2
-                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
-                                 ) @ #vk.27 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
-                                   ) @ #vk.37 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.40 )
+                        solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
+                          case c_kdf_mac
+                          solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.35 )
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.36 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                       ) @ #vk.31 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                         ) @ #vk.39 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.42 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            by solve( !KU( ~skTe ) @ #vk.36 )
+                          next
+                            case Generate_chip_key_pair
+                            by solve( !KU( ~skTe ) @ #vk.36 )
+                          next
+                            case TA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.36 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                       ) @ #vk.31 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                         ) @ #vk.39 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.42 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_exp
+                            solve( !KU( ~ltk ) @ #vk.38 )
+                              case Corrupt_ltk
+                              by solve( !KU( ~skTe ) @ #vk.39 )
                             qed
                           qed
                         qed
@@ -20046,16 +20410,15 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
     case case_2
     solve( Completed( k, sid, A, role, B ) @ #i )
       case CA_FINISH_C
-      solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+      solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
         case CA_INIT_C
         solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
           case Generate_chip_key_pair
           solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
             case CA_Sign_ltk
-            solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B
-                   ) @ #j )
+            solve( Completed( kdf_enc(z, ~r2), sid2, $C, 'chip', B ) @ #j )
               case CA_FINISH_C
-              solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
+              solve( CAInitC( $C, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
                 case CA_INIT_C
                 by contradiction /* cyclic */
               qed
@@ -20065,15 +20428,13 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
       qed
     next
       case CA_FINISH_T
-      solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i )
+      solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #i )
         case CA_INIT_T
         solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
           case CA_Sign_ltk
-          solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal',
-                            B
-                 ) @ #j )
+          solve( Completed( kdf_enc(z, r2), sid2, $T, 'terminal', B ) @ #j )
             case CA_FINISH_T
-            solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j )
+            solve( CAInitT( $T, skTe.1, id_c.1, certC ) ▶₁ #j )
               case CA_INIT_T
               solve( !Cert( $T, certT, 'terminal' ) ▶₂ #j )
                 case CA_Sign_ltk
@@ -20093,14 +20454,39 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case TA_RESPONSE_T
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.32 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.57 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.61 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.55 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.56 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.57 )
+                              next
+                                case CA_INIT_T
+                                by contradiction /* cyclic */
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.57 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.57 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.35 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.59 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.63 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.59 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.60 )
+                                qed
                               qed
                             qed
                           qed
@@ -20108,14 +20494,39 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case c_sign
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.30 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.58 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.62 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.56 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.57 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.58 )
+                              next
+                                case CA_INIT_T
+                                by contradiction /* cyclic */
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.58 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.58 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.33 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.60 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.64 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.60 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.61 )
+                                qed
                               qed
                             qed
                           qed
@@ -20124,14 +20535,38 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                         case CA_Sign_ltk
                         solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
                           case c_mac
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.28 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.47 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.51 )
+                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.45 )
+                            case c_kdf_mac
+                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.46 )
+                              case CA_INIT_T
+                              by contradiction /* cyclic */
+                            next
+                              case CA_Sign_ltk
+                              by solve( !KU( ~skTe ) @ #vk.47 )
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.47 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.47 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.32 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.49 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.53 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~skC ) @ #vk.49 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.50 )
+                              qed
                             qed
                           qed
                         qed
@@ -20143,14 +20578,39 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             case TA_RESPONSE_T
                             solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
                               case c_mac
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                     ) @ #vk.33 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                       ) @ #vk.60 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.63 )
+                              solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.58 )
+                                case c_kdf_mac
+                                solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.59 )
+                                  case CA_INIT_C
+                                  by solve( !KU( ~skTe ) @ #vk.60 )
+                                next
+                                  case CA_INIT_T
+                                  by contradiction /* cyclic */
+                                next
+                                  case Generate_chip_key_pair
+                                  by solve( !KU( ~skTe ) @ #vk.60 )
+                                next
+                                  case TA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.60 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.36 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.62 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.65 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case c_exp
+                                  solve( !KU( ~skC ) @ #vk.62 )
+                                    case Corrupt_ltk
+                                    by solve( !KU( ~skTe ) @ #vk.63 )
+                                  qed
                                 qed
                               qed
                             qed
@@ -20158,14 +20618,39 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             case c_sign
                             solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                               case c_mac
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                     ) @ #vk.31 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                       ) @ #vk.61 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.64 )
+                              solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.59 )
+                                case c_kdf_mac
+                                solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.60 )
+                                  case CA_INIT_C
+                                  by solve( !KU( ~skTe ) @ #vk.61 )
+                                next
+                                  case CA_INIT_T
+                                  by contradiction /* cyclic */
+                                next
+                                  case Generate_chip_key_pair
+                                  by solve( !KU( ~skTe ) @ #vk.61 )
+                                next
+                                  case TA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.61 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.34 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.63 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.66 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case c_exp
+                                  solve( !KU( ~skC ) @ #vk.63 )
+                                    case Corrupt_ltk
+                                    by solve( !KU( ~skTe ) @ #vk.64 )
+                                  qed
                                 qed
                               qed
                             qed
@@ -20174,14 +20659,39 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case CA_Sign_ltk
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.29 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.50 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.53 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.48 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.49 )
+                                case CA_INIT_T
+                                by contradiction /* cyclic */
+                              next
+                                case CA_Sign_ltk
+                                by solve( !KU( ~skTe ) @ #vk.50 )
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.50 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.50 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.33 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.52 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.55 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.52 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.53 )
+                                qed
                               qed
                             qed
                           qed
@@ -20199,14 +20709,52 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case TA_RESPONSE_T
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.32 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.62 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.66 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.60 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.61 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.62 )
+                              next
+                                case CA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.62 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.36 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.64 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.68 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.62 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.62 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.35 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.64 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.68 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.64 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.65 )
+                                qed
                               qed
                             qed
                           qed
@@ -20214,14 +20762,52 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case c_sign
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.30 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.63 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.67 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.61 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.62 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.63 )
+                              next
+                                case CA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.63 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.34 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.65 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.69 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.63 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.63 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.33 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.65 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.69 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.65 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.66 )
+                                qed
                               qed
                             qed
                           qed
@@ -20230,14 +20816,50 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                         case CA_Sign_ltk
                         solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
                           case c_mac
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.28 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.52 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.56 )
+                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.50 )
+                            case c_kdf_mac
+                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.51 )
+                              case CA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.52 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.33 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.54 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.58 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              by solve( !KU( ~skTe ) @ #vk.52 )
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.52 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.52 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.33 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.54 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.58 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~skC ) @ #vk.54 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.55 )
+                              qed
                             qed
                           qed
                         qed
@@ -20249,14 +20871,52 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             case TA_RESPONSE_T
                             solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
                               case c_mac
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                     ) @ #vk.33 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                       ) @ #vk.65 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.68 )
+                              solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.63 )
+                                case c_kdf_mac
+                                solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.64 )
+                                  case CA_INIT_C
+                                  by solve( !KU( ~skTe ) @ #vk.65 )
+                                next
+                                  case CA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.65 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.37 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.67 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.70 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case Generate_chip_key_pair
+                                  by solve( !KU( ~skTe ) @ #vk.65 )
+                                next
+                                  case TA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.65 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.36 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.67 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.70 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case c_exp
+                                  solve( !KU( ~skC ) @ #vk.67 )
+                                    case Corrupt_ltk
+                                    by solve( !KU( ~skTe ) @ #vk.68 )
+                                  qed
                                 qed
                               qed
                             qed
@@ -20264,14 +20924,52 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                             case c_sign
                             solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                               case c_mac
-                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                     ) @ #vk.31 )
-                                case c_cert
-                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                       ) @ #vk.66 )
-                                  case c_sign
-                                  by solve( !KU( ca_sk ) @ #vk.69 )
+                              solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.64 )
+                                case c_kdf_mac
+                                solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.65 )
+                                  case CA_INIT_C
+                                  by solve( !KU( ~skTe ) @ #vk.66 )
+                                next
+                                  case CA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.66 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.35 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.68 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.71 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case Generate_chip_key_pair
+                                  by solve( !KU( ~skTe ) @ #vk.66 )
+                                next
+                                  case TA_INIT_T
+                                  solve( !KU( ~skC ) @ #vk.66 )
+                                    case Corrupt_ltk
+                                    solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                     sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                     $C)
+                                           ) @ #vk.34 )
+                                      case c_cert
+                                      solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                             ) @ #vk.68 )
+                                        case c_sign
+                                        by solve( !KU( ca_sk ) @ #vk.71 )
+                                      qed
+                                    qed
+                                  qed
+                                next
+                                  case c_exp
+                                  solve( !KU( ~skC ) @ #vk.68 )
+                                    case Corrupt_ltk
+                                    by solve( !KU( ~skTe ) @ #vk.69 )
+                                  qed
                                 qed
                               qed
                             qed
@@ -20280,14 +20978,52 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                           case CA_Sign_ltk
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.29 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.55 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.58 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.53 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.54 )
+                                case CA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.34 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.57 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.60 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case CA_Sign_ltk
+                                by solve( !KU( ~skTe ) @ #vk.55 )
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.55 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.55 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.34 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.57 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.60 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.57 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.58 )
+                                qed
                               qed
                             qed
                           qed
@@ -20307,33 +21043,108 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                       by contradiction /* cyclic */
                     next
                       case split_case_2
-                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 )
-                        case TA_RESPONSE_T
-                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.30 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.49 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.53 )
+                      solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 )
+                        case c_kdf_mac
+                        solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 )
+                          case TA_RESPONSE_T
+                          solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
+                            case CA_INIT_C
+                            by solve( !KU( ~skTe ) @ #vk.48 )
+                          next
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.48 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.34 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.51 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.55 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case Generate_chip_key_pair
+                            by solve( !KU( ~skTe ) @ #vk.48 )
+                          next
+                            case TA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.48 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.34 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.51 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.55 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_exp
+                            solve( !KU( ~ltk ) @ #vk.50 )
+                              case Corrupt_ltk
+                              by solve( !KU( ~skTe ) @ #vk.51 )
                             qed
                           qed
-                        qed
-                      next
-                        case c_sign
-                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.28 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.50 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.54 )
+                        next
+                          case c_sign
+                          solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
+                            case CA_INIT_C
+                            by solve( !KU( ~skTe ) @ #vk.49 )
+                          next
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.49 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.32 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.52 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.56 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case Generate_chip_key_pair
+                            by solve( !KU( ~skTe ) @ #vk.49 )
+                          next
+                            case TA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.49 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.32 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.52 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.56 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_exp
+                            solve( !KU( ~ltk ) @ #vk.51 )
+                              case Corrupt_ltk
+                              by solve( !KU( ~skTe ) @ #vk.52 )
                             qed
                           qed
                         qed
@@ -20346,16 +21157,55 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                       by contradiction /* cyclic */
                     next
                       case split_case_2
-                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.25 )
-                        case c_mac
-                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
-                               ) @ #vk.26 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
-                                 ) @ #vk.34 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.38 )
+                      solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 )
+                        case c_kdf_mac
+                        solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.32 )
+                          case CA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.33 )
+                            case Corrupt_ltk
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                     ) @ #vk.30 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                       ) @ #vk.36 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.40 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          by solve( !KU( ~skTe ) @ #vk.33 )
+                        next
+                          case Generate_chip_key_pair
+                          by solve( !KU( ~skTe ) @ #vk.33 )
+                        next
+                          case TA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.33 )
+                            case Corrupt_ltk
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                     ) @ #vk.30 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                       ) @ #vk.36 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.40 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_exp
+                          solve( !KU( ~ltk ) @ #vk.35 )
+                            case Corrupt_ltk
+                            by solve( !KU( ~skTe ) @ #vk.36 )
                           qed
                         qed
                       qed
@@ -20369,33 +21219,112 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                         by contradiction /* cyclic */
                       next
                         case split_case_2
-                        solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 )
-                          case TA_RESPONSE_T
-                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.28 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.31 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.52 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.55 )
+                        solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
+                          case c_kdf_mac
+                          solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 )
+                            case TA_RESPONSE_T
+                            solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 )
+                              case CA_INIT_C
+                              by solve( !KU( ~skTe ) @ #vk.51 )
+                            next
+                              case CA_INIT_T
+                              solve( !KU( ~ltk ) @ #vk.51 )
+                                case Corrupt_ltk
+                                solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 )
+                                  case c_mac
+                                  solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.35 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.54 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.57 )
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.51 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~ltk ) @ #vk.51 )
+                                case Corrupt_ltk
+                                solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 )
+                                  case c_mac
+                                  solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.35 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.54 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.57 )
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~ltk ) @ #vk.53 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.54 )
                               qed
                             qed
-                          qed
-                        next
-                          case c_sign
-                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
-                            case c_mac
-                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.29 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.53 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.56 )
+                          next
+                            case c_sign
+                            solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 )
+                              case CA_INIT_C
+                              by solve( !KU( ~skTe ) @ #vk.52 )
+                            next
+                              case CA_INIT_T
+                              solve( !KU( ~ltk ) @ #vk.52 )
+                                case Corrupt_ltk
+                                solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 )
+                                  case c_mac
+                                  solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.33 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.55 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.58 )
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.52 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~ltk ) @ #vk.52 )
+                                case Corrupt_ltk
+                                solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 )
+                                  case c_mac
+                                  solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.33 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.55 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.58 )
+                                    qed
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~ltk ) @ #vk.54 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.55 )
                               qed
                             qed
                           qed
@@ -20408,16 +21337,55 @@ solve( (¬(#i = #j))  ∥ (¬(sid = sid2)) )
                         by contradiction /* cyclic */
                       next
                         case split_case_2
-                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
-                                 ) @ #vk.27 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
-                                   ) @ #vk.37 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.40 )
+                        solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
+                          case c_kdf_mac
+                          solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.35 )
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.36 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                       ) @ #vk.31 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                         ) @ #vk.39 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.42 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            by solve( !KU( ~skTe ) @ #vk.36 )
+                          next
+                            case Generate_chip_key_pair
+                            by solve( !KU( ~skTe ) @ #vk.36 )
+                          next
+                            case TA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.36 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                       ) @ #vk.31 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                         ) @ #vk.39 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.42 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_exp
+                            solve( !KU( ~ltk ) @ #vk.38 )
+                              case Corrupt_ltk
+                              by solve( !KU( ~skTe ) @ #vk.39 )
                             qed
                           qed
                         qed
@@ -20439,16 +21407,15 @@ next
   case case_2
   solve( Completed( k, sid, A, role, B ) @ #i )
     case CA_FINISH_C
-    solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+    solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
       case CA_INIT_C
       solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
         case Generate_chip_key_pair
         solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
           case CA_Sign_ltk
-          solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B
-                 ) @ #j )
+          solve( Completed( kdf_enc(z, ~r2), sid2, $C, 'chip', B ) @ #j )
             case CA_FINISH_C
-            solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
+            solve( CAInitC( $C, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j )
               case CA_INIT_C
               by contradiction /* from formulas */
             qed
@@ -20458,15 +21425,13 @@ next
     qed
   next
     case CA_FINISH_T
-    solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i )
+    solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #i )
       case CA_INIT_T
       solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i )
         case CA_Sign_ltk
-        solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal',
-                          B
-               ) @ #j )
+        solve( Completed( kdf_enc(z, r2), sid2, $T, 'terminal', B ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j )
+          solve( CAInitT( $T, skTe.1, id_c.1, certC ) ▶₁ #j )
             case CA_INIT_T
             solve( !Cert( $T, certT, 'terminal' ) ▶₂ #j )
               case CA_Sign_ltk
@@ -20486,14 +21451,38 @@ next
                         case TA_RESPONSE_T
                         solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                           case c_mac
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.32 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.57 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.61 )
+                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.55 )
+                            case c_kdf_mac
+                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.56 )
+                              case CA_INIT_C
+                              by solve( !KU( ~skTe ) @ #vk.57 )
+                            next
+                              case CA_INIT_T
+                              by contradiction /* cyclic */
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.57 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.57 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.35 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.59 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.63 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~skC ) @ #vk.59 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.60 )
+                              qed
                             qed
                           qed
                         qed
@@ -20501,14 +21490,38 @@ next
                         case c_sign
                         solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                           case c_mac
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.30 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.58 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.62 )
+                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.56 )
+                            case c_kdf_mac
+                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.57 )
+                              case CA_INIT_C
+                              by solve( !KU( ~skTe ) @ #vk.58 )
+                            next
+                              case CA_INIT_T
+                              by contradiction /* cyclic */
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.58 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.58 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.33 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.60 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.64 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~skC ) @ #vk.60 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.61 )
+                              qed
                             qed
                           qed
                         qed
@@ -20517,14 +21530,38 @@ next
                       case CA_Sign_ltk
                       solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
                         case c_mac
-                        solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                               ) @ #vk.28 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                 ) @ #vk.47 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.51 )
+                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.45 )
+                          case c_kdf_mac
+                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.46 )
+                            case CA_INIT_T
+                            by contradiction /* cyclic */
+                          next
+                            case CA_Sign_ltk
+                            by solve( !KU( ~skTe ) @ #vk.47 )
+                          next
+                            case Generate_chip_key_pair
+                            by solve( !KU( ~skTe ) @ #vk.47 )
+                          next
+                            case TA_INIT_T
+                            solve( !KU( ~skC ) @ #vk.47 )
+                              case Corrupt_ltk
+                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.32 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.49 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.53 )
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_exp
+                            solve( !KU( ~skC ) @ #vk.49 )
+                              case Corrupt_ltk
+                              by solve( !KU( ~skTe ) @ #vk.50 )
+                            qed
                           qed
                         qed
                       qed
@@ -20536,14 +21573,39 @@ next
                           case TA_RESPONSE_T
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.33 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.60 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.63 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.58 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.59 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.60 )
+                              next
+                                case CA_INIT_T
+                                by contradiction /* cyclic */
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.60 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.60 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.36 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.62 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.65 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.62 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.63 )
+                                qed
                               qed
                             qed
                           qed
@@ -20551,14 +21613,39 @@ next
                           case c_sign
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.31 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.61 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.64 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.59 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.60 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.61 )
+                              next
+                                case CA_INIT_T
+                                by contradiction /* cyclic */
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.61 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.61 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.34 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.63 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.66 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.63 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.64 )
+                                qed
                               qed
                             qed
                           qed
@@ -20567,14 +21654,38 @@ next
                         case CA_Sign_ltk
                         solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                           case c_mac
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.29 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.50 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.53 )
+                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.48 )
+                            case c_kdf_mac
+                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.49 )
+                              case CA_INIT_T
+                              by contradiction /* cyclic */
+                            next
+                              case CA_Sign_ltk
+                              by solve( !KU( ~skTe ) @ #vk.50 )
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.50 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.50 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.33 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.52 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.55 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~skC ) @ #vk.52 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.53 )
+                              qed
                             qed
                           qed
                         qed
@@ -20592,14 +21703,50 @@ next
                         case TA_RESPONSE_T
                         solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                           case c_mac
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.32 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.62 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.66 )
+                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.60 )
+                            case c_kdf_mac
+                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.61 )
+                              case CA_INIT_C
+                              by solve( !KU( ~skTe ) @ #vk.62 )
+                            next
+                              case CA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.62 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.36 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.64 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.68 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.62 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.62 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.35 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.64 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.68 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~skC ) @ #vk.64 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.65 )
+                              qed
                             qed
                           qed
                         qed
@@ -20607,14 +21754,50 @@ next
                         case c_sign
                         solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                           case c_mac
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.30 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.63 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.67 )
+                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.61 )
+                            case c_kdf_mac
+                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.62 )
+                              case CA_INIT_C
+                              by solve( !KU( ~skTe ) @ #vk.63 )
+                            next
+                              case CA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.63 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.34 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.65 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.69 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.63 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.63 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.33 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.65 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.69 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~skC ) @ #vk.65 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.66 )
+                              qed
                             qed
                           qed
                         qed
@@ -20623,14 +21806,50 @@ next
                       case CA_Sign_ltk
                       solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 )
                         case c_mac
-                        solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                               ) @ #vk.28 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                 ) @ #vk.52 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.56 )
+                        solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.50 )
+                          case c_kdf_mac
+                          solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.51 )
+                            case CA_INIT_T
+                            solve( !KU( ~skC ) @ #vk.52 )
+                              case Corrupt_ltk
+                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.33 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.54 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.58 )
+                                qed
+                              qed
+                            qed
+                          next
+                            case CA_Sign_ltk
+                            by solve( !KU( ~skTe ) @ #vk.52 )
+                          next
+                            case Generate_chip_key_pair
+                            by solve( !KU( ~skTe ) @ #vk.52 )
+                          next
+                            case TA_INIT_T
+                            solve( !KU( ~skC ) @ #vk.52 )
+                              case Corrupt_ltk
+                              solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.33 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.54 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.58 )
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_exp
+                            solve( !KU( ~skC ) @ #vk.54 )
+                              case Corrupt_ltk
+                              by solve( !KU( ~skTe ) @ #vk.55 )
+                            qed
                           qed
                         qed
                       qed
@@ -20642,14 +21861,52 @@ next
                           case TA_RESPONSE_T
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.33 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.65 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.68 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.63 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.64 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.65 )
+                              next
+                                case CA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.65 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.37 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.67 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.70 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.65 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.65 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.36 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.67 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.70 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.67 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.68 )
+                                qed
                               qed
                             qed
                           qed
@@ -20657,14 +21914,52 @@ next
                           case c_sign
                           solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 )
                             case c_mac
-                            solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                             sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                   ) @ #vk.31 )
-                              case c_cert
-                              solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                     ) @ #vk.66 )
-                                case c_sign
-                                by solve( !KU( ca_sk ) @ #vk.69 )
+                            solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.64 )
+                              case c_kdf_mac
+                              solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.65 )
+                                case CA_INIT_C
+                                by solve( !KU( ~skTe ) @ #vk.66 )
+                              next
+                                case CA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.66 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.35 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.68 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.71 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case Generate_chip_key_pair
+                                by solve( !KU( ~skTe ) @ #vk.66 )
+                              next
+                                case TA_INIT_T
+                                solve( !KU( ~skC ) @ #vk.66 )
+                                  case Corrupt_ltk
+                                  solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                   sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk),
+                                                   $C)
+                                         ) @ #vk.34 )
+                                    case c_cert
+                                    solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                           ) @ #vk.68 )
+                                      case c_sign
+                                      by solve( !KU( ca_sk ) @ #vk.71 )
+                                    qed
+                                  qed
+                                qed
+                              next
+                                case c_exp
+                                solve( !KU( ~skC ) @ #vk.68 )
+                                  case Corrupt_ltk
+                                  by solve( !KU( ~skTe ) @ #vk.69 )
+                                qed
                               qed
                             qed
                           qed
@@ -20673,14 +21968,50 @@ next
                         case CA_Sign_ltk
                         solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 )
                           case c_mac
-                          solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.29 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.55 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.58 )
+                          solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.53 )
+                            case c_kdf_mac
+                            solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.54 )
+                              case CA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.55 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.34 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.57 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.60 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case CA_Sign_ltk
+                              by solve( !KU( ~skTe ) @ #vk.55 )
+                            next
+                              case Generate_chip_key_pair
+                              by solve( !KU( ~skTe ) @ #vk.55 )
+                            next
+                              case TA_INIT_T
+                              solve( !KU( ~skC ) @ #vk.55 )
+                                case Corrupt_ltk
+                                solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.34 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.57 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.60 )
+                                  qed
+                                qed
+                              qed
+                            next
+                              case c_exp
+                              solve( !KU( ~skC ) @ #vk.57 )
+                                case Corrupt_ltk
+                                by solve( !KU( ~skTe ) @ #vk.58 )
+                              qed
                             qed
                           qed
                         qed
@@ -20700,33 +22031,108 @@ next
                     by contradiction /* from formulas */
                   next
                     case split_case_2
-                    solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 )
-                      case TA_RESPONSE_T
-                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
-                        case c_mac
-                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                               ) @ #vk.30 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                 ) @ #vk.49 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.53 )
+                    solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 )
+                      case c_kdf_mac
+                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 )
+                        case TA_RESPONSE_T
+                        solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
+                          case CA_INIT_C
+                          by solve( !KU( ~skTe ) @ #vk.48 )
+                        next
+                          case CA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.48 )
+                            case Corrupt_ltk
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.34 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.51 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.55 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case Generate_chip_key_pair
+                          by solve( !KU( ~skTe ) @ #vk.48 )
+                        next
+                          case TA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.48 )
+                            case Corrupt_ltk
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.34 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.51 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.55 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_exp
+                          solve( !KU( ~ltk ) @ #vk.50 )
+                            case Corrupt_ltk
+                            by solve( !KU( ~skTe ) @ #vk.51 )
                           qed
                         qed
-                      qed
-                    next
-                      case c_sign
-                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
-                        case c_mac
-                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                               ) @ #vk.28 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                 ) @ #vk.50 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.54 )
+                      next
+                        case c_sign
+                        solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 )
+                          case CA_INIT_C
+                          by solve( !KU( ~skTe ) @ #vk.49 )
+                        next
+                          case CA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.49 )
+                            case Corrupt_ltk
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.32 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.52 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.56 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case Generate_chip_key_pair
+                          by solve( !KU( ~skTe ) @ #vk.49 )
+                        next
+                          case TA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.49 )
+                            case Corrupt_ltk
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                     ) @ #vk.32 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                       ) @ #vk.52 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.56 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_exp
+                          solve( !KU( ~ltk ) @ #vk.51 )
+                            case Corrupt_ltk
+                            by solve( !KU( ~skTe ) @ #vk.52 )
                           qed
                         qed
                       qed
@@ -20739,16 +22145,55 @@ next
                     by contradiction /* from formulas */
                   next
                     case split_case_2
-                    solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.25 )
-                      case c_mac
-                      solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                       sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
-                             ) @ #vk.26 )
-                        case c_cert
-                        solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
-                               ) @ #vk.34 )
-                          case c_sign
-                          by solve( !KU( ca_sk ) @ #vk.38 )
+                    solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 )
+                      case c_kdf_mac
+                      solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.32 )
+                        case CA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.33 )
+                          case Corrupt_ltk
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                   ) @ #vk.30 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                     ) @ #vk.36 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.40 )
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case CA_Sign_ltk
+                        by solve( !KU( ~skTe ) @ #vk.33 )
+                      next
+                        case Generate_chip_key_pair
+                        by solve( !KU( ~skTe ) @ #vk.33 )
+                      next
+                        case TA_INIT_T
+                        solve( !KU( ~ltk ) @ #vk.33 )
+                          case Corrupt_ltk
+                          solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 )
+                            case c_mac
+                            solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                             sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                   ) @ #vk.30 )
+                              case c_cert
+                              solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                     ) @ #vk.36 )
+                                case c_sign
+                                by solve( !KU( ca_sk ) @ #vk.40 )
+                              qed
+                            qed
+                          qed
+                        qed
+                      next
+                        case c_exp
+                        solve( !KU( ~ltk ) @ #vk.35 )
+                          case Corrupt_ltk
+                          by solve( !KU( ~skTe ) @ #vk.36 )
                         qed
                       qed
                     qed
@@ -20762,33 +22207,108 @@ next
                       by contradiction /* from formulas */
                     next
                       case split_case_2
-                      solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 )
-                        case TA_RESPONSE_T
-                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.28 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.31 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.52 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.55 )
+                      solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
+                        case c_kdf_mac
+                        solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 )
+                          case TA_RESPONSE_T
+                          solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 )
+                            case CA_INIT_C
+                            by solve( !KU( ~skTe ) @ #vk.51 )
+                          next
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.51 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.35 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.54 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.57 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case Generate_chip_key_pair
+                            by solve( !KU( ~skTe ) @ #vk.51 )
+                          next
+                            case TA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.51 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.35 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.54 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.57 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_exp
+                            solve( !KU( ~ltk ) @ #vk.53 )
+                              case Corrupt_ltk
+                              by solve( !KU( ~skTe ) @ #vk.54 )
                             qed
                           qed
-                        qed
-                      next
-                        case c_sign
-                        solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 )
-                          case c_mac
-                          solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                           sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
-                                 ) @ #vk.29 )
-                            case c_cert
-                            solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
-                                   ) @ #vk.53 )
-                              case c_sign
-                              by solve( !KU( ca_sk ) @ #vk.56 )
+                        next
+                          case c_sign
+                          solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 )
+                            case CA_INIT_C
+                            by solve( !KU( ~skTe ) @ #vk.52 )
+                          next
+                            case CA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.52 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.33 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.55 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.58 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case Generate_chip_key_pair
+                            by solve( !KU( ~skTe ) @ #vk.52 )
+                          next
+                            case TA_INIT_T
+                            solve( !KU( ~ltk ) @ #vk.52 )
+                              case Corrupt_ltk
+                              solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 )
+                                case c_mac
+                                solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                                 sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.33 )
+                                  case c_cert
+                                  solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk)
+                                         ) @ #vk.55 )
+                                    case c_sign
+                                    by solve( !KU( ca_sk ) @ #vk.58 )
+                                  qed
+                                qed
+                              qed
+                            qed
+                          next
+                            case c_exp
+                            solve( !KU( ~ltk ) @ #vk.54 )
+                              case Corrupt_ltk
+                              by solve( !KU( ~skTe ) @ #vk.55 )
                             qed
                           qed
                         qed
@@ -20801,16 +22321,55 @@ next
                       by contradiction /* from formulas */
                     next
                       case split_case_2
-                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 )
-                        case c_mac
-                        solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
-                                         sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
-                               ) @ #vk.27 )
-                          case c_cert
-                          solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
-                                 ) @ #vk.37 )
-                            case c_sign
-                            by solve( !KU( ca_sk ) @ #vk.40 )
+                      solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 )
+                        case c_kdf_mac
+                        solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.35 )
+                          case CA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.36 )
+                            case Corrupt_ltk
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                     ) @ #vk.31 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                       ) @ #vk.39 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.42 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case CA_Sign_ltk
+                          by solve( !KU( ~skTe ) @ #vk.36 )
+                        next
+                          case Generate_chip_key_pair
+                          by solve( !KU( ~skTe ) @ #vk.36 )
+                        next
+                          case TA_INIT_T
+                          solve( !KU( ~ltk ) @ #vk.36 )
+                            case Corrupt_ltk
+                            solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 )
+                              case c_mac
+                              solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)),
+                                               sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A)
+                                     ) @ #vk.31 )
+                                case c_cert
+                                solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk)
+                                       ) @ #vk.39 )
+                                  case c_sign
+                                  by solve( !KU( ca_sk ) @ #vk.42 )
+                                qed
+                              qed
+                            qed
+                          qed
+                        next
+                          case c_exp
+                          solve( !KU( ~ltk ) @ #vk.38 )
+                            case Corrupt_ltk
+                            by solve( !KU( ~skTe ) @ #vk.39 )
                           qed
                         qed
                       qed
@@ -20834,19 +22393,21 @@ lemma consistency:
   "∀ C T k k2 sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒
-    ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))"
+    (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k k2 sid #i #j.
   (Completed( k, sid, C, 'chip', T ) @ #i) ∧
   (Completed( k2, sid, T, 'terminal', C ) @ #j)
  ∧
-  (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (¬(k = k2)) ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+  solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
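Review bot: The added disjunct `∨ (∃ #m. Corrupted( T ) @ #m)` makes `consistency` say nothing about any trace in which the terminal is corrupted at any time, including after both `Completed` events, and this log gives no sign that the proof needs it. The summary still reports `consistency (all-traces): verified (8 steps)`, unchanged from before the commit. If the lemma in the lemma source (not shown in this hunk) also verifies without the disjunct, keep the stronger statement. Otherwise state the assumption next to it, e.g. `// holds only if neither C nor T is ever corrupted`. The proof of this lemma continues past the end of the hunk.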
@@ -20859,7 +22420,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, skTe, ~id_c,
+          solve( CAInitT( $T, skTe, ~id_c,
                           cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C)
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -20876,8 +22437,9 @@ lemma key_secrecy:
   "∀ C T k sid #i #j.
     ((Completed( k, sid, C, 'chip', T ) @ #i) ∧
      (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒
-    (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
-     (∃ #m. Corrupted( C ) @ #m))"
+    ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨
+      (∃ #m. Corrupted( C ) @ #m)) ∨
+     (∃ #m. Corrupted( T ) @ #m))"
 /*
 guarded formula characterizing all counter-examples:
 "∃ C T k sid #i #j.
@@ -20886,25 +22448,26 @@ guarded formula characterizing all counter-examples:
  ∧
   (∃ #m. (K( k ) @ #m)) ∧
   (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧
-  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)"
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)"
 */
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+  solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
       solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
         case CA_Sign_ltk
-        solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>,
+        solve( Completed( kdf_enc(z, ~r2),
                           <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
                            cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, 
                            ~id_c, ~r2>,
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, skTe, ~id_c,
+          solve( CAInitT( $T, skTe, ~id_c,
                           cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C)
                  ) ▶₁ #j )
             case CA_INIT_T
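Review bot: With the new `Corrupted( T )` exemption, `key_secrecy` is implied by the `forward_secrecy_T` lemma added later in this file. Both have the same conclusion, but `forward_secrecy_T` excludes terminal corruption only before `#j`, while `key_secrecy` excludes it at any time. Both are reported as verified in 32 steps, and their proof trees in this log appear to follow the same cases. A comment in the lemma source such as `// weaker than forward_secrecy_T: T must never be corrupted here` would stop a reader from counting the two summary entries as independent evidence. The lemma statement is in the preceding hunk and the proof continues after this one.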
@@ -20912,9 +22475,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           'terminal'
                    ) ▶₂ #j )
               case CA_Sign_ltk
-              solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.13 )
+              solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.11 )
                 case TA_RESPONSE_T
-                solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.12 )
+                solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.1 )
                   case Reveal_session
                   solve( splitEqs(2) )
                     case split_case_1
@@ -20922,132 +22485,65 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                   next
                     case split_case_2
                     solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skTe*~ltk.1), ~r2))
-                           ) @ #vk.42 )
+                           ) @ #vk.40 )
                       case c_mac
-                      solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.14 )
-                        case Reveal_session
-                        by contradiction /* cyclic */
-                      next
+                      solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.46 )
                         case c_kdf_mac
-                        solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.48 )
+                        solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.47 )
                           case CA_INIT_C
-                          by solve( !KU( ~skTe ) @ #vk.52 )
+                          by solve( !KU( ~skTe ) @ #vk.51 )
                         next
                           case CA_INIT_T
                           by contradiction /* cyclic */
                         next
                           case CA_Sign_ltk
-                          by solve( !KU( ~skTe ) @ #vk.49 )
+                          by solve( !KU( ~skTe ) @ #vk.48 )
                         next
                           case Generate_chip_key_pair
-                          by solve( !KU( ~skTe ) @ #vk.49 )
+                          by solve( !KU( ~skTe ) @ #vk.48 )
                         next
                           case TA_INIT_T
-                          solve( !KU( ~ltk.1 ) @ #vk.49 )
+                          solve( !KU( ~ltk.1 ) @ #vk.48 )
                             case Corrupt_ltk
                             by contradiction /* from formulas */
                           qed
                         next
                           case c_exp
-                          by solve( !KU( ~skTe ) @ #vk.51 )
+                          by solve( !KU( ~skTe ) @ #vk.50 )
                         qed
                       qed
                     qed
                   qed
                 next
                   case c_kdf_enc
-                  solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.36 )
+                  solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.34 )
                     case CA_INIT_C
-                    by solve( !KU( ~skTe ) @ #vk.40 )
+                    by solve( !KU( ~skTe ) @ #vk.38 )
                   next
                     case CA_INIT_T
                     by contradiction /* cyclic */
                   next
                     case CA_Sign_ltk
-                    by solve( !KU( ~skTe ) @ #vk.37 )
+                    by solve( !KU( ~skTe ) @ #vk.35 )
                   next
                     case Generate_chip_key_pair
-                    by solve( !KU( ~skTe ) @ #vk.37 )
+                    by solve( !KU( ~skTe ) @ #vk.35 )
                   next
                     case TA_INIT_T
-                    solve( !KU( ~ltk.1 ) @ #vk.37 )
+                    solve( !KU( ~ltk.1 ) @ #vk.35 )
                       case Corrupt_ltk
                       by contradiction /* from formulas */
                     qed
                   next
                     case c_exp
-                    by solve( !KU( ~skTe ) @ #vk.39 )
+                    by solve( !KU( ~skTe ) @ #vk.37 )
                   qed
                 qed
               next
                 case c_sign
-                solve( !KU( ~ltk ) @ #vk.38 )
+                solve( !KU( ~ltk ) @ #vk.36 )
                   case Corrupt_ltk
-                  solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.15 )
-                    case Reveal_session
-                    solve( splitEqs(2) )
-                      case split_case_1
-                      by contradiction /* from formulas */
-                    next
-                      case split_case_2
-                      solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skTe*~ltk.1), ~r2))
-                             ) @ #vk.46 )
-                        case c_mac
-                        solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.17 )
-                          case Reveal_session
-                          by contradiction /* cyclic */
-                        next
-                          case c_kdf_mac
-                          solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.52 )
-                            case CA_INIT_C
-                            by solve( !KU( ~skTe ) @ #vk.56 )
-                          next
-                            case CA_INIT_T
-                            by contradiction /* cyclic */
-                          next
-                            case CA_Sign_ltk
-                            by solve( !KU( ~skTe ) @ #vk.53 )
-                          next
-                            case Generate_chip_key_pair
-                            by solve( !KU( ~skTe ) @ #vk.53 )
-                          next
-                            case TA_INIT_T
-                            solve( !KU( ~ltk.1 ) @ #vk.53 )
-                              case Corrupt_ltk
-                              by contradiction /* from formulas */
-                            qed
-                          next
-                            case c_exp
-                            by solve( !KU( ~skTe ) @ #vk.55 )
-                          qed
-                        qed
-                      qed
-                    qed
-                  next
-                    case c_kdf_enc
-                    solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.40 )
-                      case CA_INIT_C
-                      by solve( !KU( ~skTe ) @ #vk.44 )
-                    next
-                      case CA_INIT_T
-                      by contradiction /* cyclic */
-                    next
-                      case CA_Sign_ltk
-                      by solve( !KU( ~skTe ) @ #vk.41 )
-                    next
-                      case Generate_chip_key_pair
-                      by solve( !KU( ~skTe ) @ #vk.41 )
-                    next
-                      case TA_INIT_T
-                      solve( !KU( ~ltk.1 ) @ #vk.41 )
-                        case Corrupt_ltk
-                        by contradiction /* from formulas */
-                      qed
-                    next
-                      case c_exp
-                      by solve( !KU( ~skTe ) @ #vk.43 )
-                    qed
-                  qed
+                  by contradiction /* from formulas */
                 qed
               qed
             qed
@@ -21058,29 +22554,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma chip_hiding:
-  all-traces
-  "∀ C T iid #i.
-    (CompletedTA( C, iid, T ) @ #i) ⇒
-    ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))"
-/*
-guarded formula characterizing all counter-examples:
-"∃ C T iid #i.
-  (CompletedTA( C, iid, T ) @ #i)
- ∧
-  (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))"
-*/
-simplify
-solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), pkTe, id_c, r1
-       ) ▶₁ #i )
-  case TA_CHALLENGE_C
-  solve( !KU( ~iid ) @ #vk.6 )
-    case CA_INIT_C
-    by contradiction /* cyclic */
-  qed
-qed
-
-lemma nonRepudiation_terminal:
+lemma notNonRepudiation_C:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
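Review bot: The new names `notNonRepudiation_C` and `notNonRepudiation_T` make the result lines hard to interpret, because the summary now pairs a negated name with `exists-trace` and, for `_T`, with `falsified - no trace found`. A one-line comment above each lemma in the lemma source should state which outcome is the desired one, e.g. `// verified = a valid chip transcript exists although no session was started`. That reading is inferred from the `ValidTrans` and `Started` atoms visible here and should be checked against the full statement, since the lemma body continues outside this hunk.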
@@ -21129,7 +22603,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i )
   qed
 qed
 
-lemma nonRepudiation_chip:
+lemma notNonRepudiation_T:
   exists-trace
   "∃ C T #i.
     (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧
@@ -21187,7 +22661,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i )
   qed
 qed
 
-lemma pfs:
+lemma forward_secrecy:
   all-traces
   "∀ C T k sid #i #j.
     ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
@@ -21209,20 +22683,20 @@ guarded formula characterizing all counter-examples:
 simplify
 solve( Completed( k, sid, C, 'chip', T ) @ #i )
   case CA_FINISH_C
-  solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+  solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
     case CA_INIT_C
     solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
       case Generate_chip_key_pair
       solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
         case CA_Sign_ltk
-        solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>,
+        solve( Completed( kdf_enc(z, ~r2),
                           <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
                            cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, 
                            ~id_c, ~r2>,
                           T, 'terminal', $C
                ) @ #j )
           case CA_FINISH_T
-          solve( CAInitT( <$T, iid.1>, skTe, ~id_c,
+          solve( CAInitT( $T, skTe, ~id_c,
                           cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C)
                  ) ▶₁ #j )
             case CA_INIT_T
@@ -21230,45 +22704,42 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
                           'terminal'
                    ) ▶₂ #j )
               case CA_Sign_ltk
-              solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.13 )
+              solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.11 )
                 case TA_RESPONSE_T
-                solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.12 )
+                solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.1 )
                   case c_kdf_enc
-                  solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.36 )
+                  solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.34 )
                     case TA_INIT_T
-                    solve( !KU( ~ltk.1 ) @ #vk.37 )
+                    solve( !KU( ~ltk.1 ) @ #vk.35 )
                       case Corrupt_ltk
-                      solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.15 )
-                        case c_kdf_mac
-                        solve( !KU( ~r2 ) @ #vk.20 )
-                          case CA_FINISH_C
-                          solve( !KU( ~id_c ) @ #vk.35 )
+                      solve( !KU( ~r2 ) @ #vk.18 )
+                        case CA_FINISH_C
+                        solve( !KU( ~id_c ) @ #vk.33 )
+                          case TA_CHALLENGE_C
+                          solve( !KU( ~r1 ) @ #vk.34 )
                             case TA_CHALLENGE_C
-                            solve( !KU( ~r1 ) @ #vk.36 )
-                              case TA_CHALLENGE_C
-                              solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T)
-                                     ) @ #vk.22 )
-                                case CA_Sign_ltk
-                                solve( !KU( mac('g'^~skTe, kdf_mac('g'^(~skTe*~ltk.1), ~r2)) ) @ #vk.26 )
-                                  case CA_FINISH_C
-                                  solve( !KU( cert('g'^~ltk.1, sign(<'g'^~ltk.1, $C, 'chip'>, ca_sk), $C)
-                                         ) @ #vk.34 )
-                                    case CA_INIT_C
-                                    solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.40 )
-                                      case TA_RESPONSE_T
-                                      solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z)
-                                             ) @ #vk.43 )
-                                        case CA_Sign_ltk
-                                        solve( !KU( ~id_c.1 ) @ #vk.46 )
+                            solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T)
+                                   ) @ #vk.20 )
+                              case CA_Sign_ltk
+                              solve( !KU( mac('g'^~skTe, kdf_mac('g'^(~skTe*~ltk.1), ~r2)) ) @ #vk.24 )
+                                case CA_FINISH_C
+                                solve( !KU( cert('g'^~ltk.1, sign(<'g'^~ltk.1, $C, 'chip'>, ca_sk), $C)
+                                       ) @ #vk.32 )
+                                  case CA_INIT_C
+                                  solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.38 )
+                                    case TA_RESPONSE_T
+                                    solve( !KU( cert(pk(~skT), sign(<pk(~skT), x, 'terminal'>, ca_sk), x)
+                                           ) @ #vk.41 )
+                                      case CA_Sign_ltk
+                                      solve( !KU( ~id_c.1 ) @ #vk.44 )
+                                        case TA_CHALLENGE_C
+                                        solve( !KU( ~r1.1 ) @ #vk.45 )
                                           case TA_CHALLENGE_C
-                                          solve( !KU( ~r1.1 ) @ #vk.47 )
-                                            case TA_CHALLENGE_C
-                                            solve( !KU( 'g'^~skTe ) @ #vk.27 )
+                                          solve( !KU( 'g'^~skTe ) @ #vk.25 )
+                                            case TA_INIT_T
+                                            solve( !KU( 'g'^~skTe.1 ) @ #vk.45 )
                                               case TA_INIT_T
-                                              solve( !KU( 'g'^~skTe.1 ) @ #vk.47 )
-                                                case TA_INIT_T
-                                                SOLVED // trace found
-                                              qed
+                                              SOLVED // trace found
                                             qed
                                           qed
                                         qed
@@ -21293,6 +22764,128 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i )
   qed
 qed
 
+lemma forward_secrecy_T:
+  all-traces
+  "∀ C T k sid #i #j.
+    ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧
+       (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧
+      (¬(∃ #m. Corrupted( C ) @ #m))) ∧
+     (¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j)))) ⇒
+    ((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m))"
+/*
+guarded formula characterizing all counter-examples:
+"∃ C T k sid #i #j.
+  (Completed( k, sid, C, 'chip', T ) @ #i) ∧
+  (Completed( k, sid, T, 'terminal', C ) @ #j)
+ ∧
+  (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧
+  (∀ #m. (Corrupted( T ) @ #m) ⇒ ¬(#m < #j)) ∧
+  (∃ #m. (K( k ) @ #m)) ∧
+  (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥)"
+*/
+simplify
+solve( Completed( k, sid, C, 'chip', T ) @ #i )
+  case CA_FINISH_C
+  solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i )
+    case CA_INIT_C
+    solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i )
+      case Generate_chip_key_pair
+      solve( !Cert( $C, certC, 'chip' ) ▶₃ #i )
+        case CA_Sign_ltk
+        solve( Completed( kdf_enc(z, ~r2),
+                          <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), 
+                           cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, 
+                           ~id_c, ~r2>,
+                          T, 'terminal', $C
+               ) @ #j )
+          case CA_FINISH_T
+          solve( CAInitT( $T, skTe, ~id_c,
+                          cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C)
+                 ) ▶₁ #j )
+            case CA_INIT_T
+            solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T),
+                          'terminal'
+                   ) ▶₂ #j )
+              case CA_Sign_ltk
+              solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.11 )
+                case TA_RESPONSE_T
+                solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.1 )
+                  case Reveal_session
+                  solve( splitEqs(2) )
+                    case split_case_1
+                    by contradiction /* from formulas */
+                  next
+                    case split_case_2
+                    solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skTe*~ltk.1), ~r2))
+                           ) @ #vk.40 )
+                      case c_mac
+                      solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.46 )
+                        case c_kdf_mac
+                        solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.47 )
+                          case CA_INIT_C
+                          by solve( !KU( ~skTe ) @ #vk.51 )
+                        next
+                          case CA_INIT_T
+                          by contradiction /* cyclic */
+                        next
+                          case CA_Sign_ltk
+                          by solve( !KU( ~skTe ) @ #vk.48 )
+                        next
+                          case Generate_chip_key_pair
+                          by solve( !KU( ~skTe ) @ #vk.48 )
+                        next
+                          case TA_INIT_T
+                          solve( !KU( ~ltk.1 ) @ #vk.48 )
+                            case Corrupt_ltk
+                            by contradiction /* from formulas */
+                          qed
+                        next
+                          case c_exp
+                          by solve( !KU( ~skTe ) @ #vk.50 )
+                        qed
+                      qed
+                    qed
+                  qed
+                next
+                  case c_kdf_enc
+                  solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.34 )
+                    case CA_INIT_C
+                    by solve( !KU( ~skTe ) @ #vk.38 )
+                  next
+                    case CA_INIT_T
+                    by contradiction /* cyclic */
+                  next
+                    case CA_Sign_ltk
+                    by solve( !KU( ~skTe ) @ #vk.35 )
+                  next
+                    case Generate_chip_key_pair
+                    by solve( !KU( ~skTe ) @ #vk.35 )
+                  next
+                    case TA_INIT_T
+                    solve( !KU( ~ltk.1 ) @ #vk.35 )
+                      case Corrupt_ltk
+                      by contradiction /* from formulas */
+                    qed
+                  next
+                    case c_exp
+                    by solve( !KU( ~skTe ) @ #vk.37 )
+                  qed
+                qed
+              next
+                case c_sign
+                solve( !KU( ~ltk ) @ #vk.36 )
+                  case Corrupt_ltk
+                  by contradiction /* from formulas */
+                qed
+              qed
+            qed
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
 
 
 
@@ -21340,21 +22933,21 @@ summary of summaries:
 
 analyzed: tmp.spthy
 
-  processing time: 54.21s
+  processing time: 67.38s
   
   session_exist (exists-trace): verified (22 steps)
   two_session_exist (exists-trace): verified (32 steps)
+  aliveness (all-traces): verified (85 steps)
   weak_agreement_C (all-traces): verified (8 steps)
   weak_agreement_T (all-traces): falsified - found trace (15 steps)
   agreement_C (all-traces): verified (8 steps)
   agreement_T (all-traces): falsified - found trace (14 steps)
-  aliveness (all-traces): verified (155 steps)
-  session_uniqueness (all-traces): verified (336 steps)
+  session_uniqueness (all-traces): verified (888 steps)
   consistency (all-traces): verified (8 steps)
-  key_secrecy (all-traces): verified (54 steps)
-  chip_hiding (all-traces): verified (4 steps)
-  nonRepudiation_terminal (exists-trace): verified (12 steps)
-  nonRepudiation_chip (exists-trace): falsified - no trace found (15 steps)
-  pfs (all-traces): falsified - found trace (26 steps)
+  key_secrecy (all-traces): verified (32 steps)
+  notNonRepudiation_C (exists-trace): verified (12 steps)
+  notNonRepudiation_T (exists-trace): falsified - no trace found (15 steps)
+  forward_secrecy (all-traces): falsified - found trace (25 steps)
+  forward_secrecy_T (all-traces): verified (32 steps)
 
 ==============================================================================
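Review bot: The summary header still says `analyzed: tmp.spthy`, but this commit deletes `tmp.spthy`, so the results in this log can no longer be traced to the theory file and preprocessor flags that produced them. These logs are the evidence for the protocol's security claims, so each run should record its input, for example by analysing the named theory directly or by logging the full command line next to the summary. It would also help to mark which `falsified` entries (`weak_agreement_T`, `agreement_T`, `forward_secrecy`) are expected, so that a regression can be told apart from a known negative result.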
diff --git a/tmp.spthy b/tmp.spthy
deleted file mode 100644
index 9d54c88..0000000
--- a/tmp.spthy
+++ /dev/null
@@ -1,463 +0,0 @@
-/*
-PQ-EAC with Terminal Signatures
-======================================
-
-Author:  Jonas Mueller
-Date:    May 2024
-
-*/
-
-theory SigPQEAC
-begin
-
-builtins: signing
-functions: kdf/2
-functions: encaps/2, decaps/2
-equations: decaps((encaps(k, pk(sk))), sk) = k
-
-
-/* Key setup and Certificate model for all EAC models */
-
-
-functions: cert/3, cert_pk/1, cert_sig/1, cert_id/1, ca_sk/0 [private]
-equations: cert_pk(cert(pk, s, id)) = pk, cert_sig(cert(pk, s, id)) = s, cert_id(cert(pk, s, id)) = id
-
-macros: verify_cert(cert, role) = verify(cert_sig(cert), <cert_pk(cert), cert_id(cert), role>, pk(ca_sk))
-
-
-rule Publish_ca_pk:
-    [ ]
-  -->
-    [ Out(pk(ca_sk)) ]
-
-// Generate long-term key pair for the chip. Classic version needs dh key pair
-#ifdef CLASSIC
-rule Generate_chip_key_pair:
-let
-    pk = 'g'^~ltk
-in
-    [ Fr(~ltk) ]
-  --[ TestMe() ]->
-    [ !Pk($A, pk, 'chip'), !Ltk($A, ~ltk, 'chip'), Out(pk) ]
-#else
-rule Generate_chip_key_pair:
-let
-    pk = pk(~ltk)
-in
-    [ Fr(~ltk) ]
-  -->
-    [ !Pk($A, pk, 'chip'), !Ltk($A, ~ltk, 'chip'), Out(pk) ]
-#endif
-
-// Generate static long-term key pair for the terminal.
-rule Generate_terminal_key_pair:
-let
-    pk = pk(~ltk)
-in
-    [ Fr(~ltk) ]
-  -->
-    [ !Pk($A, pk, 'terminal'), !Ltk($A, ~ltk, 'terminal'), Out(pk) ]
-
-rule CA_Sign_ltk:
-let
-    certA = cert(pk, sign(<pk, A, role>, ca_sk), A)
-in
-    [ !Pk(A, pk, role) ]
-  --[ RegisteredRole(A, role) ]->
-    [ !Cert(A, certA, role), Out(certA) ]
-
-/* Attacker model */
-// We extend the Dolev-Yao attack model in tamarin with Reveal and Corrupt capabilities
-
-rule Corrupt_ltk:
-    [ !Ltk($A, ltk, role) ]
-  --[ Corrupted($A) ]->
-    [ Out(<ltk, role>) ]
-
-rule Reveal_session:
-    [ !SessionReveal(sid, k) ]
-  --[ Revealed(sid) ]->
-    [ Out(k) ]
-
-
-
-/* Terminal Authentication */
-// State machine: TA_INIT_T -> TA_CHALLENGE_C -> TA_RESPONSE_T -> TA_COMPLETE_C
-
-
-rule TA_INIT_T:
-let
-    msg1 = <certT, '1', 't'>
-in
-    [ !Cert($T, certT, 'terminal'), Fr(~iid) ]
-  --[ Started() ]->
-    [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>) ]
-
-// We generate a fresh IDc to simulate the previous execution of PACE or BAC
-rule TA_CHALLENGE_C:
-let
-    msg1 = <certT, '1', 't'>
-    msg2 = <~id_c, ~r1, '2', 'c'>
-in
-    [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~iid) ]
-  --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]->
-    [ Out(msg2), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1) ]
-
-rule TA_RESPONSE_T:
-let
-    msg2 = <id_c, r1, '2', 'c'>
-    s = sign(<'TA', id_c, r1>, ~skT)
-    msg3 = <s, '3', 't'>
-in
-    [ In(msg2), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal') ]
-  -->
-    [ Out(msg3), TAResponseT(<$T, iid>, id_c) ]
-
-rule TA_COMPLETE_C:
-let
-    msg3 = <s, '3', 't'>
-in
-    [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1) ]
-  --[ Eq(verify(s, <'TA', id_c, r1>, cert_pk(certT)), true), CompletedTA($C, iid, cert_id(certT)) ]->
-    [ TACompleteC(<$C, iid>, certT, id_c, r1) ]
-
-
-
-/* Chip Authentication */
-// State machine: CA_INIT_C -> CA_INIT_T -> CA_FINISH_C -> CA_FINISH_T
-
-#ifdef PFS
-rule CA_INIT_C:
-let
-    msg4 = <certC, ~r2, pk(~skCe), '4', 'c'>
-in
-    [ Fr(~r2), Fr(~skCe), TACompleteC(<$C, iid>, certT, id_c, r1), !Cert($C, certC, 'chip') ]
-  -->
-    [ Out(msg4), Out(iid), CAInitC(<$C, iid>, certT, id_c, r1, ~r2, ~skCe) ]
-#else
-rule CA_INIT_C:
-let
-    msg4 = <certC, ~r2, '4', 'c'>
-in
-    [ Fr(~r2), TACompleteC(<$C, iid>, certT, id_c, r1), !Cert($C, certC, 'chip') ]
-  -->
-    [ Out(msg4), Out(iid), CAInitC(<$C, iid>, certT, id_c, r1, ~r2) ]
-#endif
-
-
-#ifdef PFS
-rule CA_INIT_T:
-let
-    msg4 = <certC, r2, pkCe, '4', 'c'>
-    pkC = cert_pk(certC)
-    cip = encaps(~k, pkC)
-    cipe = encaps(~ke, pkCe)
-    sid = <certT, certC, r2, cip, pkCe, cipe>
-    s = sign(<'CA', sid>, ~skT)
-    msg5 = <cip, s, cipe, '5', 't'>
-in
-    [ In(msg4), Fr(~k), Fr(~ke), TAResponseT(<$T, iid>, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ]
-  --[ Eq(verify_cert(certC, 'chip'), true) ]->
-    [ Out(msg5), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ]
-#else
-rule CA_INIT_T:
-let
-    msg4 = <certC, r2, '4', 'c'>
-    pkC = cert_pk(certC)
-    cip = encaps(~k, pkC)
-    sid = <certT, certC, r2, cip>
-    s = sign(<'CA', sid>, ~skT)
-    msg5 = <cip, s, '5', 't'>
-in
-    [ In(msg4), Fr(~k), TAResponseT(<$T, iid>, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ]
-  --[ Eq(verify_cert(certC, 'chip'), true) ]->
-    [ Out(msg5), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>) ]
-#endif
-
-
-#ifdef PFS
-rule CA_FINISH_C:
-let
-    msg5 = <cip, s, cipe, '5', 't'>
-    sid = <certT, certC, r2, cip, pk(skCe), cipe>
-    k = decaps(cip, ~skC)
-    ke = decaps(cipe, skCe)
-    kCNF = kdf(<'CNF', sid>, <k, ke>)
-    kKEY = kdf(<'KEY', sid>, <k, ke>)
-    msg6 = <kCNF, '6', 'c'>
-in
-    [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, r2, skCe), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
-  --[ Eq(verify(s, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
-    [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ]
-#else
-rule CA_FINISH_C:
-let
-    msg5 = <cip, s, '5', 't'>
-    sid = <certT, certC, r2, cip>
-    k = decaps(cip, ~skC)
-    kCNF = kdf(<'CNF', sid>, k)
-    kKEY = kdf(<'KEY', sid>, k)
-    msg6 = <kCNF, '6', 'c'>
-in
-    [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ]
-  --[ Eq(verify(s, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->
-    [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ]
-#endif
-
-#ifdef PFS
-rule CA_FINISH_T:
-let
-    msg6 = <kCNF_C, '6', 'c'>
-    sid = <certT, certC, r2, cip, pkCe, cipe>
-    kCNF = kdf(<'CNF', sid>, <k, ke>)
-    kKEY = kdf(<'KEY', sid>, <k, ke>)
-in
-    [ In(msg6), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ]
-  --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
-    [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ]
-#else
-rule CA_FINISH_T:
-let
-    msg6 = <kCNF_c, '6', 'c'>
-    sid = <certT, certC, r2, cip>
-    kCNF = kdf(<'CNF', sid>, k)
-    kKEY = kdf(<'KEY', sid>, k)
-in
-    [ In(msg6), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ]
-  --[ Eq(kCNF, kCNF_c), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]->
-    [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ]
-#endif
-
-
-
-
-/* Contains the restrictions and lemmas for all EAC models */
-
-restriction Equality:
-    "All x y #i. Eq(x, y) @ i ==> x = y"
-
-
-// Correctness
-
-lemma session_exist: exists-trace
-  " Ex C T k sid #i #j.
-     Completed(k, sid, C, 'chip', T) @ #i
-     & Completed(k, sid, T, 'terminal', C) @ #j
-     & #i < #j
-  "
-
-lemma two_session_exist: exists-trace
-  " Ex C T k k2 sid sid2 #i #j #i2 #j2.
-     Completed(k, sid, C, 'chip', T) @ #i
-     & Completed(k, sid, T, 'terminal', C) @ #j
-     & #i < #j
-     & Completed(k2, sid2, C, 'chip', T) @ #i2
-     & Completed(k2, sid2, T, 'terminal', C) @ #j2
-     & #i2 < #j2
-     & not(k=k2)
-  "
-
-// Agreement
-lemma weak_agreement_C:
-  "All k sid C T #i #t .
-    Completed(k, sid, C, 'chip', T) @ #i
-    & Finished(sid) @ #t
-    ==> (Ex k2 sid2 #j .
-        Completed(k2, sid2, T, 'terminal', C) @ #j)
-        | (Ex #k . Corrupted(C) @ #k)
-        | (Ex #k . Corrupted(T) @ #k)
-  "
-
-lemma weak_agreement_T:
-  "All k sid C T #i #t .
-    Completed(k, sid, T, 'terminal', C) @ #i
-    & Finished(sid) @ #t
-    ==> (Ex k2 sid2 #j .
-        Completed(k2, sid2, C, 'chip', T) @ #j)
-        | (Ex #k . Corrupted(C) @ #k)
-        | (Ex #k . Corrupted(T) @ #k)
-  "
-
-lemma agreement_C:
-  "All k sid C T #i #t .
-    Completed(k, sid, C, 'chip', T) @ #i
-    & Finished(sid) @ #t
-    ==> (Ex #j .
-        Completed(k, sid, T, 'terminal', C) @ #j)
-        | (Ex #k . Corrupted(C) @ #k)
-        | (Ex #k . Corrupted(T) @ #k)
-  "
-
-lemma agreement_T:
-  "All k sid C T #i #t .
-    Completed(k, sid, T, 'terminal', C) @ #i
-    & Finished(sid) @ #t
-    ==> (Ex #j .
-        Completed(k, sid, C, 'chip', T) @ #j)
-        | (Ex #k . Corrupted(C) @ #k)
-        | (Ex #k . Corrupted(T) @ #k)
-  "
-
-lemma aliveness:
-  "All k sid A role B #i #t .
-    Completed(k, sid, A, role, B) @ #i
-    & Finished(sid) @ #t
-    ==> (Ex k2 sid2 role2 C #j .
-        Completed(k2, sid2, B, role2, C) @ #j)
-        | (Ex #k . Corrupted(B) @ #k)
-  "
-
-lemma session_uniqueness:
-  "All A B k sid sid2 role #i #j .
-    Completed(k, sid, A, role, B) @ #i
-    & Completed(k, sid2, A, role, B) @ #j
-    ==> (#i = #j) & (sid = sid2)
-  "
-
-// Sole purpose of static key of T is authentication
-// The final keys k/k2 are only derived from pkC/skC, pkTe/skTe and r2
-lemma consistency:
-  "All C T k k2 sid #i #j .
-    Completed(k, sid, C, 'chip', T) @ #i
-    & Completed(k2, sid, T, 'terminal', C) @ #j
-    ==> (k=k2)
-        | (Ex #m . Corrupted(C) @ #m)
-  "
-
-// Key secrecy
-lemma key_secrecy:
-  "All C T k sid #i #j .
-    Completed(k, sid, C, 'chip', T) @ #i
-    & Completed(k, sid, T, 'terminal', C) @ #j
-    ==> not(Ex #m . K(k) @ #m)
-        | (Ex #m . Revealed(sid) @ #m)
-        | (Ex #m . Corrupted(C) @ #m)
-  "
-
-// Cannot track chip before CA
-lemma chip_hiding:
-  "All C T iid #i .
-    CompletedTA(C, iid, T) @ #i
-    ==> not(Ex #m . K(iid) @ #m)
-        | (Ex #m . (K(iid) @ #m & #i < #m))
-  "
-
-/* This lemma shows that the chip has NOT non-repudiation */
-// We use the exists-trace keyword because it is enough to show the possibility
-// 1.: To exclude an empty trace, we check for a finished protocol run (with the two Completed facts)
-// 2.: We define that the chip is not corrupted
-// 3.: We say that for every data the chip computed (which we manually put into action facts) the adversary could know the value before
-    // We use the adversaries knowledge because it is easy to model and he can simple corrupt the terminal and execute the protocol instead
-// Problems: Some information required so that the other party can compute the data is sent after the Computed fact
-
-/*
-lemma notNonRepudiation: exists-trace
-  "Ex C T k sid #i #j .
-    Completed(k, sid, C, 'chip', T) @ #i            // 1.
-    & Completed(k, sid, T, 'terminal', C) @ #j      // 1.
-    & not(Ex #n . Corrupted(C) @ #n)                // 2.
-    & (All data #m . Computed(C, 'chip', data) @ #m // 3.
-       ==> (Ex #k . K(data) @ #k & #k < #m))        // 3.
-  "
-*/
-
-/* This lemma shows that the chip has NOT non-repudiation */
-// We use the fact that every value the chip can calculate its partner could too
-// We state the possibility that with a finished protocol run the terminal could identify as a chip because it knows all the computations too
-// Problems: pkTe is a fresh value used in the DH key, T could simply get a chip certificate and key pair (this could be solved but would limit our model), limited by our model at the moment because the identity from Completed is from the sent certificate which prevents T from trying a replay scenario
-
-/*
-lemma notNonRepudiation2: exists-trace
-  "Ex C T T2 k k2 sid sid2 #i #i2 #j #j2 .
-    Completed(k, sid, C, 'chip', T) @ #i
-    & Completed(k2, sid2, T, 'chip', T2) @ #i2
-    & Completed(k2, sid2, T2, 'terminal', T) @ #j2
-  "
-*/
-
-// We simulate a one sided protocol execution
-
-// The terminal finishes the protocol by itself
-// It does not register a chip certificate and the chip shouldn't be involved in the protocol execution
-// This should be possible for the terminal
-
-lemma nonRepudiation_terminal: exists-trace
-  "Ex C T #i .
-    ValidTrans(C, 'chip', T) @ #i
-    & not(Ex #k . Started() @ #k)
-    & not(Ex #k . Corrupted(C) @ #k)
-    & not(Ex #k . RegisteredRole(T, 'chip') @ #k)
-  "
-
-// The chip finishes the protocol by itself
-// It does not register a terminal certificate and the terminal shouldn't be involved in the protocol execution
-// This should NOT be possible for the chip
-
-lemma nonRepudiation_chip: exists-trace
-  "Ex C T #i .
-    ValidTrans(T, 'terminal', C) @ #i
-    & not(Ex #k . Started() @ #k)
-    & not(Ex #k . Corrupted(T) @ #k)
-    & not(Ex #k . RegisteredRole(C, 'terminal') @ #k)
-  "
-
-// Perfect forward secrecy
-lemma pfs:
-  "All C T k sid #i #j .
-    Completed(k, sid, C, 'chip', T) @ #i
-    & Completed(k, sid, T, 'terminal', C) @ #j
-    & not(Ex #m . Corrupted(C) @ #m & #m < #j)
-    & not(Ex #m . Corrupted(T) @ #m & #m < #j)
-    ==> (not(Ex #m . K(k) @ #m)
-        | (Ex #m . Revealed(sid) @ #m))
-  "
-
-
-#ifdef PFS
-rule Verify_Transcript_C:
-let
-    pkT = cert_pk(certT)
-    sid = <certT, certC, r2, cip, pkCe, cipe>
-    k = decaps(cip, skC)
-    ke = decaps(cipe, skCe)
-    kCNF_c = kdf(<'CNF', sid>, <k, ke>)
-in
-    [ In(<certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF>), In(skCe), !Ltk(C, skC, 'chip') ]
-  --[ Eq(C, cert_id(certC)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
-    [  ]
-#else
-rule Verify_Transcript_C:
-let
-    pkT = cert_pk(certT)
-    sid = <certT, certC, r2, cip>
-    kKDF = decaps(cip, skC)
-    kCNF_c = kdf(<'CNF', sid>, kKDF)
-in
-    [ In(<certT, IDc, r1, sT, certC, r2, cip, sC, kCNF>), !Ltk(C, skC, 'chip') ]
-  --[ Eq(C, cert_id(certC)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
-    [  ]
-#endif
-
-#ifdef PFS
-rule Verify_Transcript_T:
-let
-    pkT = cert_pk(certT)
-    sid = <certT, certC, r2, cip, pkCe, cipe>
-    kCNF_t = kdf(<'CNF', sid>, <k, ke>)
-in
-    [ In(<certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF>), In(<k, ke>) ]
-  --[ Eq(T, cert_id(certT)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
-    [  ]
-#else
-rule Verify_Transcript_T:
-let
-    pkT = cert_pk(certT)
-    sid = <certT, certC, r2, cip>
-    kCNF_t = kdf(<'CNF', sid>, kKDF)
-in
-    [ In(<certT, IDc, r1, sT, certC, r2, cip, sC, kCNF>), In(kKDF) ]
-  --[ Eq(T, cert_id(certT)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
-    [  ]
-#endif
-
-end
-- 
GitLab