From e7f75533c22b40a5e4f8190fd31a5444e06a6187 Mon Sep 17 00:00:00 2001 
From: jm71syxy <jonas.mueller.97@stud.tu-darmstadt.de> Date: Tue, 2 Jul 2024 15:32:52 +0200 Subject: [PATCH] Remove chip hiding property and add forward secrecy for terminal ltk --- ClassicEAC.spthy | 42 +- FastKemPQEAC.spthy | 48 +- FastSigPQEAC.spthy | 48 +- KemPQEAC.spthy | 58 +- README.md | 5 +- SigPQEAC.spthy | 58 +- include/include/attacker.spthy | 12 + .../include/classic_verify_transcript.spthy | 24 + include/include/kem_verify_transcript.spthy | 75 + include/include/lemmas.spthy | 151 + include/include/setup.spthy | 49 + include/include/sig_verify_transcript.spthy | 44 + ...QEAC_TAMARIN => 46092847.err.FastSigPQEAC} | 0 ...QEAC_TAMARIN => 46092847.out.FastSigPQEAC} | 857 ++- ...SSIC_EAC_TAMARIN => 46092855.err.SigPQEAC} | 0 ...SigPQEAC_TAMARIN => 46092855.out.SigPQEAC} | 712 +-- ...KemPQEAC_TAMARIN => 46092858.err.KemPQEAC} | 0 ...KemPQEAC_TAMARIN => 46092858.out.KemPQEAC} | 710 +-- ...QEAC_TAMARIN => 46092862.err.FastKemPQEAC} | 0 ...QEAC_TAMARIN => 46092862.out.FastKemPQEAC} | 1107 ++-- ...N => 46092873.err.ForwardSecrecy_SigPQEAC} | 0 ...N => 46092873.out.ForwardSecrecy_SigPQEAC} | 989 ++-- ... 46092874.err.ForwardSecrecy_FastSigPQEAC} | 0 ... 46092874.out.ForwardSecrecy_FastSigPQEAC} | 1326 ++--- ...N => 46092875.err.ForwardSecrecy_KemPQEAC} | 0 ...N => 46092875.out.ForwardSecrecy_KemPQEAC} | 1622 +++--- ... 46092876.err.ForwardSecrecy_FastKemPQEAC} | 0 ... 
46092876.out.ForwardSecrecy_FastKemPQEAC} | 1228 ++-- ...PQEAC_TAMARIN => 46109591.err.CLASSIC_EAC} | 4 +- ...C_EAC_TAMARIN => 46109591.out.CLASSIC_EAC} | 5183 +++++++++++------ tmp.spthy | 463 -- 31 files changed, 7412 insertions(+), 7403 deletions(-) create mode 100644 include/include/attacker.spthy create mode 100644 include/include/classic_verify_transcript.spthy create mode 100644 include/include/kem_verify_transcript.spthy create mode 100644 include/include/lemmas.spthy create mode 100644 include/include/setup.spthy create mode 100644 include/include/sig_verify_transcript.spthy rename results/{45991550.err.PFS_ALL_FastKemPQEAC_TAMARIN => 46092847.err.FastSigPQEAC} (100%) rename results/{45991792.out.ALL_FastSigPQEAC_TAMARIN => 46092847.out.FastSigPQEAC} (86%) rename results/{45991167.err.ALL_CLASSIC_EAC_TAMARIN => 46092855.err.SigPQEAC} (100%) rename results/{45992234.out.ALL_SigPQEAC_TAMARIN => 46092855.out.SigPQEAC} (89%) rename results/{45991549.err.PFS_ALL_KemPQEAC_TAMARIN => 46092858.err.KemPQEAC} (100%) rename results/{45991793.out.ALL_KemPQEAC_TAMARIN => 46092858.out.KemPQEAC} (92%) rename results/{45991792.err.ALL_FastSigPQEAC_TAMARIN => 46092862.err.FastKemPQEAC} (100%) rename results/{45991794.out.ALL_FastKemPQEAC_TAMARIN => 46092862.out.FastKemPQEAC} (88%) rename results/{45991168.err.PFS_ALL_SigPQEAC_TAMARIN => 46092873.err.ForwardSecrecy_SigPQEAC} (100%) rename results/{45991168.out.PFS_ALL_SigPQEAC_TAMARIN => 46092873.out.ForwardSecrecy_SigPQEAC} (90%) rename results/{45991739.err.PFS_ALL_FastSigPQEAC_TAMARIN => 46092874.err.ForwardSecrecy_FastSigPQEAC} (100%) rename results/{45991739.out.PFS_ALL_FastSigPQEAC_TAMARIN => 46092874.out.ForwardSecrecy_FastSigPQEAC} (87%) rename results/{45991793.err.ALL_KemPQEAC_TAMARIN => 46092875.err.ForwardSecrecy_KemPQEAC} (100%) rename results/{45991549.out.PFS_ALL_KemPQEAC_TAMARIN => 46092875.out.ForwardSecrecy_KemPQEAC} (79%) rename results/{45991794.err.ALL_FastKemPQEAC_TAMARIN => 
46092876.err.ForwardSecrecy_FastKemPQEAC} (100%) rename results/{45991550.out.PFS_ALL_FastKemPQEAC_TAMARIN => 46092876.out.ForwardSecrecy_FastKemPQEAC} (88%) rename results/{45992234.err.ALL_SigPQEAC_TAMARIN => 46109591.err.CLASSIC_EAC} (81%) rename results/{45991167.out.ALL_CLASSIC_EAC_TAMARIN => 46109591.out.CLASSIC_EAC} (83%) delete mode 100644 tmp.spthy diff --git a/ClassicEAC.spthy b/ClassicEAC.spthy index 403fc9b..3c5234a 100644 --- a/ClassicEAC.spthy +++ b/ClassicEAC.spthy @@ -31,9 +31,9 @@ let pkTe = 'g'^~skTe msg1 = <certT, pkTe, '1', 't'> in - [ !Cert($T, certT, 'terminal'), Fr(~skTe), Fr(~iid) ] // skTe is ephemeral session key, iid is instance id of user $T + [ !Cert($T, certT, 'terminal'), Fr(~skTe) ] // skTe is ephemeral session key --[ Started() ]-> - [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>, ~skTe) ] // Publish T's iid as its identity gets revealed through certT + [ Out(msg1), TAInitT($T, ~skTe) ] // We generate a fresh IDc to simulate the previous execution of PACE or BAC rule TA_CHALLENGE_C: @@ -41,9 +41,9 @@ let msg1 = <certT, pkTe, '1', 't'> msg2 = <~id_c, ~r1, '2', 'c'> in - [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~iid) ] + [ In(msg1), Fr(~r1), Fr(~id_c) ] --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]-> - [ Out(msg2), TAChallengeC(<$C, ~iid>, certT, pkTe, ~id_c, ~r1) ] + [ Out(msg2), TAChallengeC($C, certT, pkTe, ~id_c, ~r1) ] rule TA_RESPONSE_T: let 
@@ -52,17 +52,17 @@ let s = sign(<id_c, r1, pkTe>, ~skT) msg3 = <s, '3', 't'> in - [ In(msg2), TAInitT(<$T, iid>, skTe), !Ltk($T, ~skT, 'terminal') ] + [ In(msg2), TAInitT($T, skTe), !Ltk($T, ~skT, 'terminal') ] --> - [ Out(msg3), TAResponseT(<$T, iid>, skTe, id_c) ] + [ Out(msg3), TAResponseT($T, skTe, id_c) ] rule TA_COMPLETE_C: let msg3 = <s, '3', 't'> in - [ In(msg3), TAChallengeC(<$C, iid>, certT, pkTe, id_c, r1) ] - --[ Eq(verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true), CompletedTA($C, iid, cert_id(certT)) ]-> - [ TACompleteC(<$C, iid>, certT, pkTe, id_c, r1) ] + [ In(msg3), TAChallengeC($C, certT, pkTe, id_c, r1) ] + --[ Eq(verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true) ]-> + [ TACompleteC($C, certT, pkTe, id_c, r1) ] @@ -73,9 +73,9 @@ rule CA_INIT_C: let msg4 = <certC, ~r2, '4', 'c'> in - [ !Cert($C, certC, 'chip'), Fr(~r2), TACompleteC(<$C, iid>, certT, pkTe, id_c, r1) ] + [ !Cert($C, certC, 'chip'), Fr(~r2), TACompleteC($C, certT, pkTe, id_c, r1) ] --> - [ Out(msg4), Out(iid), CAInitC(<$C, iid>, certT, pkTe, id_c, r1, ~r2) ] // Publish C's iid as its identity gets revealed through certC + [ Out(msg4), CAInitC($C, certT, pkTe, id_c, r1, ~r2) ] rule CA_INIT_T: @@ -84,9 +84,9 @@ let msg4 = <certC, r2, '4', 'c'> msg5 = <pkTe, '5', 't'> in - [ In(msg4), TAResponseT(<$T, iid>, skTe, id_c) ] + [ In(msg4), TAResponseT($T, skTe, id_c) ] --[ Eq(verify_cert(certC, 'chip'), true) ]-> - [ Out(msg5), CAInitT(<$T, iid>, skTe, id_c, certC) ] + [ Out(msg5), CAInitT($T, skTe, id_c, certC) ] rule CA_FINISH_C: 
@@ -95,13 +95,13 @@ let k = pkTe^~skC kMac = kdf_mac(k, r2) kEnc = kdf_enc(k, r2) + sid = <certT, certC, pkTe, 'g'^~skC, id_c, r2> tag = mac(pkTe, kMac) msg6 = <r2, tag, '6', 'c'> - sid = <certT, certC, pkTe, 'g'^~skC, id_c, r2> in - [ In(msg5), CAInitC(<$C, iid>, certT, pkTe, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] - --[ Eq(pkTe_t, pkTe), Completed(<kEnc, kMac>, sid, $C, 'chip', cert_id(certT)) ]-> - [ Out(msg6), CAFinishC($C, cert_id(certT), kEnc) ] + [ In(msg5), CAInitC($C, certT, pkTe, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] + --[ Eq(pkTe_t, pkTe), Completed(kEnc, sid, $C, 'chip', cert_id(certT)) ]-> + [ Out(msg6) ] rule CA_FINISH_T: @@ -112,12 +112,12 @@ let k = pkC^skTe kMac = kdf_mac(k, r2) kEnc = kdf_enc(k, r2) - tag_T = mac(pkTe, kMac) sid = <certT, certC, pkTe, pkC, id_c, r2> + tag_T = mac(pkTe, kMac) in - [ In(msg6), CAInitT(<$T, iid>, skTe, id_c, certC), !Cert($T, certT, 'terminal') ] - --[ Eq(tag, tag_T), Completed(<kEnc, kMac>, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> - [ CAFinishT(cert_id(certC), $T, kEnc), !SessionReveal(sid, <kEnc, kMac>) ] + [ In(msg6), CAInitT($T, skTe, id_c, certC), !Cert($T, certT, 'terminal') ] + --[ Eq(tag, tag_T), Completed(kEnc, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> + [ !SessionReveal(sid, kEnc) ] insert(include/classic_verify_transcript.spthy) diff --git a/FastKemPQEAC.spthy b/FastKemPQEAC.spthy index 53c36b0..8a36b95 100644 --- a/FastKemPQEAC.spthy +++ b/FastKemPQEAC.spthy @@ -30,11 +30,11 @@ rule TA_INIT_T: let msg1 = <certT, '1', 't'> in - [ !Cert($T, certT, 'terminal'), Fr(~iid) ] + [ !Cert($T, certT, 'terminal') ] --[ Started() ]-> - [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>) ] + [ Out(msg1), TAInitT($T) ] -#ifdef PFS +#ifdef ForwardSecrecy rule TA_CHALLENGE_C: let msg1 = <certT, '1', 't'> 
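Review bot: `Completed(kEnc, sid, $T, 'terminal', cert_id(certC))` and `!SessionReveal(sid, kEnc)` in CA_FINISH_T now cover only the encryption key, while the rule still derives `kMac = kdf_mac(k, r2)` from the same shared secret and the previous revision claimed the pair; CA_FINISH_C in the preceding hunk is narrowed the same way. If the intent is to align the classic model with the single `kKEY` of the post-quantum models, a comment on the `Completed` line saying so would keep the scope of the secrecy lemmas explicit, e.g. `// Only kEnc is claimed; kMac is derived from the same k and r2`. Otherwise claiming `<kEnc, kMac>` as before keeps the MAC key inside the secrecy lemma. Separately, the unchanged `insert(include/classic_verify_transcript.spthy)` below points at `include/`, whereas this commit adds the file under `include/include/`; presumably InsertLemmas.py prefixes the directory, but this is worth confirming.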
@@ -45,9 +45,9 @@ let cCA = senc(<certC, ~r2, pk(~skCe)>, kTENC) msg2 = <~id_c, ~r1, cTA, cCA, '2', 'c'> in - [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA), Fr(~r2), Fr(~skCe), Fr(~iid), !Cert($C, certC, 'chip') ] + [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA), Fr(~r2), Fr(~skCe), !Cert($C, certC, 'chip') ] --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]-> - [ Out(msg2), Out(senc(~iid, kTENC)), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1, ~r2, ~skCe, kTMAC, kTCNF) ] + [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1, ~r2, ~skCe, kTMAC, kTCNF) ] #else rule TA_CHALLENGE_C: let @@ -59,12 +59,12 @@ let cCA = senc(<certC, ~r2>, kTENC) msg2 = <~id_c, ~r1, cTA, cCA, '2', 'c'> in - [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA), Fr(~r2), Fr(~iid), !Cert($C, certC, 'chip') ] + [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA), Fr(~r2), !Cert($C, certC, 'chip') ] --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]-> - [ Out(msg2), Out(senc(~iid, kTENC)), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1, ~r2, kTMAC, kTCNF) ] + [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1, ~r2, kTMAC, kTCNF) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule TA_RESPONSE_T: let msg2 = <id_c, r1, cTA, cCA, '2', 'c'> @@ -83,9 +83,9 @@ let s = mac(<'CA', sid>, kTMAC) msg3 = <kTCNF, cip, s, cipe, '3', 't'> in - [ In(msg2), Fr(~k), Fr(~ke), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ] + [ In(msg2), Fr(~k), Fr(~ke), TAInitT($T), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ] --[ Eq(verify_cert(certC, 'chip'), true) ]-> - [ Out(msg3), TAResponseT(<$T, iid>, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ] + [ Out(msg3), TAResponseT($T, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ] #else rule TA_RESPONSE_T: let 
@@ -103,12 +103,12 @@ let s = mac(<'CA', sid>, kTMAC) msg3 = <kTCNF, cip, s, '3', 't'> in - [ In(msg2), Fr(~k), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ] + [ In(msg2), Fr(~k), TAInitT($T), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ] --[ Eq(verify_cert(certC, 'chip'), true) ]-> - [ Out(msg3), TAResponseT(<$T, iid>, id_c, certC, r2, <~k, cip>) ] + [ Out(msg3), TAResponseT($T, id_c, certC, r2, <~k, cip>) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule TA_COMPLETE_C: let msg3 = <kTCNF_T, cip, s, cipe, '3', 't'> @@ -119,9 +119,9 @@ let kKEY = kdf(<'KEY', sid>, <k, ke>) msg4 = <kCNF, '4', 'c'> in - [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] - --[ Eq(kTCNF_T, kTCNF), Eq(s, mac(<'CA', sid>, kTMAC)), CompletedTA($C, iid, cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> - [ Out(msg4), TACompleteC(<$C, iid>, kKEY) ] + [ In(msg3), TAChallengeC($C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] + --[ Eq(kTCNF_T, kTCNF), Eq(s, mac(<'CA', sid>, kTMAC)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> + [ Out(msg4) ] #else rule TA_COMPLETE_C: let 
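Review bot: The rewritten action list of TA_COMPLETE_C still contains `Completed(kKEY, sid, $C, 'chip', cert_id(certT))` twice; the commit removed `CompletedTA` from this line but kept the duplicate, and the `#else` variant of TA_COMPLETE_C in hunk `@@ -132,12 +132,12 @@` has the same repetition. The second occurrence does not change the trace semantics but reads as if two distinct claims were intended. Dropping it leaves `--[ Eq(kTCNF_T, kTCNF), Eq(s, mac(<'CA', sid>, kTMAC)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]->`.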
@@ -132,12 +132,12 @@ let kKEY = kdf(<'KEY', sid>, k) msg4 = <kCNF, '4', 'c'> in - [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] - --[ Eq(kTCNF_T, kTCNF), Eq(s, mac(<'CA', sid>, kTMAC)), CompletedTA($C, iid, cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> - [ Out(msg4), TACompleteC(<$C, iid>, kKEY) ] + [ In(msg3), TAChallengeC($C, certT, id_c, r1, r2, kTMAC, kTCNF), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] + --[ Eq(kTCNF_T, kTCNF), Eq(s, mac(<'CA', sid>, kTMAC)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> + [ Out(msg4) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule CA_FINISH_T: let msg4 = <kCNF_C, '4', 'c'> @@ -145,9 +145,9 @@ let kCNF = kdf(<'CNF', sid>, <k, ke>) kKEY = kdf(<'KEY', sid>, <k, ke>) in - [ In(msg4), TAResponseT(<$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ] + [ In(msg4), TAResponseT($T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ] --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> - [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ] + [ !SessionReveal(sid, kKEY) ] #else rule CA_FINISH_T: let @@ -156,9 +156,9 @@ let kCNF = kdf(<'CNF', sid>, k) kKEY = kdf(<'KEY', sid>, k) in - [ In(msg4), TAResponseT(<$T, iid>, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ] + [ In(msg4), TAResponseT($T, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ] --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> - [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ] + [ !SessionReveal(sid, kKEY) ] #endif diff --git a/FastSigPQEAC.spthy b/FastSigPQEAC.spthy index 5b4f4cd..92141ec 100644 --- a/FastSigPQEAC.spthy +++ b/FastSigPQEAC.spthy 
@@ -29,31 +29,31 @@ rule TA_INIT_T: let msg1 = <certT, '1', 't'> in - [ !Cert($T, certT, 'terminal'), Fr(~iid) ] + [ !Cert($T, certT, 'terminal') ] --[ Started() ]-> - [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>) ] + [ Out(msg1), TAInitT($T) ] -#ifdef PFS +#ifdef ForwardSecrecy rule TA_CHALLENGE_C: let msg1 = <certT, '1', 't'> msg2 = <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'> in - [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~iid), Fr(~skCe), Fr(~r2), !Cert($C, certC, 'chip') ] + [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~skCe), Fr(~r2), !Cert($C, certC, 'chip') ] --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]-> - [ Out(msg2), Out(~iid), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1, ~skCe, ~r2) ] + [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1, ~skCe, ~r2) ] #else rule TA_CHALLENGE_C: let msg1 = <certT, '1', 't'> msg2 = <~id_c, ~r1, certC, ~r2, '2', 'c'> in - [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~iid), Fr(~r2), !Cert($C, certC, 'chip') ] + [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~r2), !Cert($C, certC, 'chip') ] --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]-> - [ Out(msg2), Out(~iid), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1, ~r2) ] + [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1, ~r2) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule TA_RESPONSE_T: let msg2 = <id_c, r1, certC, r2, pkCe, '2', 'c'> @@ -65,9 +65,9 @@ let s2 = sign(<'CA', sid>, ~skT) msg3 = <cip, cipe, s1, s2, '3', 't'> in - [ In(msg2), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal'), Fr(~k), Fr(~ke) ] + [ In(msg2), TAInitT($T), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal'), Fr(~k), Fr(~ke) ] --[ Eq(verify_cert(certC, 'chip'), true) ]-> - [ Out(msg3), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ] + [ Out(msg3), CAInitT($T, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ] #else rule TA_RESPONSE_T: let 
@@ -79,12 +79,12 @@ let s2 = sign(<'CA', sid>, ~skT) msg3 = <cip, s1, s2, '3', 't'> in - [ In(msg2), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal'), Fr(~k) ] + [ In(msg2), TAInitT($T), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal'), Fr(~k) ] --[ Eq(verify_cert(certC, 'chip'), true) ]-> - [ Out(msg3), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>) ] + [ Out(msg3), CAInitT($T, id_c, certC, r2, <~k, cip>) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule TA_COMPLETE_C: let msg3 = <cip, cipe, s1, s2, '3', 't'> @@ -95,9 +95,9 @@ let kKEY = kdf(<'KEY', sid>, <k, ke>) msg4 = <kCNF, '4', 'c'> in - [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1, skCe, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] - --[ Eq(verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true), Eq(verify(s2, <'CA', sid>, cert_pk(certT)), true), CompletedTA($C, iid, cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> - [ Out(msg4), TACompleteC(<$C, iid>, certT, id_c, r1, skCe, r2) ] + [ In(msg3), TAChallengeC($C, certT, id_c, r1, skCe, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] + --[ Eq(verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true), Eq(verify(s2, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> + [ Out(msg4) ] #else rule TA_COMPLETE_C: let 
@@ -108,12 +108,12 @@ let kKEY = kdf(<'KEY', sid>, k) msg4 = <kCNF, '4', 'c'> in - [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] - --[ Eq(verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true), Eq(verify(s2, <'CA', sid>, cert_pk(certT)), true), CompletedTA($C, iid, cert_id(certT)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> - [ Out(msg4), TACompleteC(<$C, iid>, certT, id_c, r1, r2) ] + [ In(msg3), TAChallengeC($C, certT, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] + --[ Eq(verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true), Eq(verify(s2, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> + [ Out(msg4) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule CA_FINISH_T: let msg4 = <kCNF_C, '4', 'c'> @@ -121,9 +121,9 @@ let kCNF = kdf(<'CNF', sid>, <k, ke>) kKEY = kdf(<'KEY', sid>, <k, ke>) in - [ In(msg4), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ] + [ In(msg4), CAInitT($T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ] --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> - [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ] + [ !SessionReveal(sid, kKEY) ] #else rule CA_FINISH_T: let @@ -132,9 +132,9 @@ let kCNF = kdf(<'CNF', sid>, k) kKEY = kdf(<'KEY', sid>, k) in - [ In(msg4), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ] + [ In(msg4), CAInitT($T, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ] --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> - [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ] + [ !SessionReveal(sid, kKEY) ] #endif diff --git a/KemPQEAC.spthy b/KemPQEAC.spthy index deec497..d245cbc 100644 --- a/KemPQEAC.spthy +++ b/KemPQEAC.spthy 
@@ -30,9 +30,9 @@ rule TA_INIT_T: let msg1 = <certT, '1', 't'> in - [ !Cert($T, certT, 'terminal'), Fr(~iid) ] + [ !Cert($T, certT, 'terminal') ] --[ Started() ]-> - [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>) ] + [ Out(msg1), TAInitT($T) ] // We generate a fresh IDc to simulate the previous execution of PACE or BAC rule TA_CHALLENGE_C: @@ -41,9 +41,9 @@ let cTA = encaps(~kTA, cert_pk(certT)) msg2 = <~id_c, ~r1, cTA, '2', 'c'> in - [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA), Fr(~iid) ] + [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~kTA) ] --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]-> - [ Out(msg2), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1, <~kTA, cTA>) ] + [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1, <~kTA, cTA>) ] rule TA_RESPONSE_T: let @@ -54,9 +54,9 @@ let kTCNF = kdf(<'TCNF', r1>, kTA) msg3 = <kTCNF, '3', 't'> in - [ In(msg2), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal') ] + [ In(msg2), TAInitT($T), !Ltk($T, ~skT, 'terminal') ] --> - [ Out(msg3), TAResponseT(<$T, iid>, id_c, kTMAC, kTENC) ] + [ Out(msg3), TAResponseT($T, id_c, kTMAC, kTENC) ] rule TA_COMPLETE_C: let 
@@ -65,37 +65,37 @@ let kTENC = kdf(<'TENC', r1>, kTA) kTCNF = kdf(<'TCNF', r1>, kTA) in - [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1, <kTA, cTA>) ] - --[ Eq(kTCNF_T, kTCNF), CompletedTA($C, iid, cert_id(certT)) ]-> - [ TACompleteC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ] + [ In(msg3), TAChallengeC($C, certT, id_c, r1, <kTA, cTA>) ] + --[ Eq(kTCNF_T, kTCNF) ]-> + [ TACompleteC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ] /* Chip Authentication */ // State machine: CA_INIT_C -> CA_INIT_T -> CA_FINISH_C -> CA_FINISH_T -#ifdef PFS +#ifdef ForwardSecrecy rule CA_INIT_C: let cCA = senc(<certC, ~r2, pk(~skCe)>, kTENC) msg4 = <cCA, '4', 'c'> in - [ !Cert($C, certC, 'chip'), Fr(~r2), Fr(~skCe), TACompleteC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ] + [ !Cert($C, certC, 'chip'), Fr(~r2), Fr(~skCe) ] --> - [ Out(msg4), Out(senc(iid, kTENC)), CAInitC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2, ~skCe) ] + [ Out(msg4), CAInitC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2, ~skCe) ] #else rule CA_INIT_C: let cCA = senc(<certC, ~r2>, kTENC) msg4 = <cCA, '4', 'c'> in - [ !Cert($C, certC, 'chip'), Fr(~r2), TACompleteC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ] + [ !Cert($C, certC, 'chip'), Fr(~r2), TACompleteC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ] --> - [ Out(msg4), Out(senc(iid, kTENC)), CAInitC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2) ] + [ Out(msg4), CAInitC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule CA_INIT_T: let msg4 = <cCA, '4', 'c'> 
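Review bot: In the `ForwardSecrecy` variant of CA_INIT_C the premise was reduced to `[ !Cert($C, certC, 'chip'), Fr(~r2), Fr(~skCe) ]`, dropping the `TACompleteC(...)` state fact that the `#else` variant directly below keeps. The conclusion still uses `certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC`, and `kTENC` is also used in `cCA`, so these variables are now unbound; Tamarin's wellformedness check should flag this, and semantically the chip would start Chip Authentication without having completed Terminal Authentication. The premise should read `[ !Cert($C, certC, 'chip'), Fr(~r2), Fr(~skCe), TACompleteC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC) ]`.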
@@ -110,9 +110,9 @@ let s = mac(<'CA', sid>, kTMAC) msg5 = <cip, s, cipe, '5', 't'> in - [ In(msg4), TAResponseT(<$T, iid>, id_c, kTMAC, kTENC), !Cert($T, certT, 'terminal'), Fr(~k), Fr(~ke) ] + [ In(msg4), TAResponseT($T, id_c, kTMAC, kTENC), !Cert($T, certT, 'terminal'), Fr(~k), Fr(~ke) ] --[ Eq(verify_cert(certC, 'chip'), true) ]-> - [ Out(msg5), CAInitT(<$T, iid>, id_c, kTMAC, kTENC, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ] + [ Out(msg5), CAInitT($T, id_c, kTMAC, kTENC, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ] #else rule CA_INIT_T: let @@ -126,13 +126,13 @@ let s = mac(<'CA', sid>, kTMAC) msg5 = <cip, s, '5', 't'> in - [ In(msg4), TAResponseT(<$T, iid>, id_c, kTMAC, kTENC), !Cert($T, certT, 'terminal'), Fr(~k) ] + [ In(msg4), TAResponseT($T, id_c, kTMAC, kTENC), !Cert($T, certT, 'terminal'), Fr(~k) ] --[ Eq(verify_cert(certC, 'chip'), true) ]-> - [ Out(msg5), CAInitT(<$T, iid>, id_c, kTMAC, kTENC, certC, r2, <~k, cip>) ] + [ Out(msg5), CAInitT($T, id_c, kTMAC, kTENC, certC, r2, <~k, cip>) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule CA_FINISH_C: let msg5 = <cip, s, cipe, '5', 't'> @@ -143,9 +143,9 @@ let kKEY = kdf(<'KEY', sid>, <k, ke>) msg6 = <kCNF, '6', 'c'> in - [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] + [ In(msg5), CAInitC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] --[ Eq(s, mac(<'CA', sid>, kTMAC)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> - [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ] + [ Out(msg6) ] #else rule CA_FINISH_C: let 
@@ -156,13 +156,13 @@ let kKEY = kdf(<'KEY', sid>, k) msg6 = <kCNF, '6', 'c'> in - [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] + [ In(msg5), CAInitC($C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] --[ Eq(s, mac(<'CA', sid>, kTMAC)), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> - [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ] + [ Out(msg6) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule CA_FINISH_T: let msg6 = <kCNF_c, '6', 'c'> @@ -170,9 +170,9 @@ let kCNF = kdf(<'CNF', sid>, <k, ke>) kKEY = kdf(<'KEY', sid>, <k, ke>) in - [ In(msg6), CAInitT(<$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ] + [ In(msg6), CAInitT($T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ] --[ Eq(kCNF, kCNF_c), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> - [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ] + [ !SessionReveal(sid, kKEY) ] #else rule CA_FINISH_T: let @@ -181,9 +181,9 @@ let kCNF = kdf(<'CNF', sid>, k) kKEY = kdf(<'KEY', sid>, k) in - [ In(msg6), CAInitT(<$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ] + [ In(msg6), CAInitT($T, id_c, kTMAC, kTENC, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ] --[ Eq(kCNF, kCNF_c), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> - [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ] + [ !SessionReveal(sid, kKEY) ] #endif diff --git a/README.md b/README.md index ccf4468..9fdd203 100644 --- a/README.md +++ b/README.md 
@@ -1,9 +1,12 @@ # EAC_Tamarin_Analysis This project contains the different versions of EAC from https://ia.cr/2023/352. -The models are the classic EAC, SigPQEAC and KemPQEAC as well as the forward security and full round trip save modifications. +The models are the classic EAC, SigPQEAC and KemPQEAC as well as the forward seccrecy and saved round-trip modifications. The [python script](InsertLemmas.py) inserts the different sections into the .spthy files and creates the tmp.spthy file. Usage: python InsertLemmas.py file.spthy The [include](include/) directory contains the code that will be included to the different models. +## Forward Secrecy modification +For each post-quantum model (SigPQEAC, FastSigPQEAC, KemPQEAC and FastKemPQEAC) exists a modification which is forward secrecy secure. To analyze the modified model, we need to add the '--defines=ForwardSecrecy' flag to the tamarin-prover execution command. + ## Results The directory [results](results/) contains the results of all variations executed on the Lichtenberg high performance computer of the TU Darmstadt. diff --git a/SigPQEAC.spthy b/SigPQEAC.spthy index 9ad48e5..bc9d371 100644 --- a/SigPQEAC.spthy +++ b/SigPQEAC.spthy @@ -30,9 +30,9 @@ rule TA_INIT_T: let msg1 = <certT, '1', 't'> in - [ !Cert($T, certT, 'terminal'), Fr(~iid) ] + [ !Cert($T, certT, 'terminal') ] --[ Started() ]-> - [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>) ] + [ Out(msg1), TAInitT($T) ] // We generate a fresh IDc to simulate the previous execution of PACE or BAC rule TA_CHALLENGE_C: @@ -40,9 +40,9 @@ let msg1 = <certT, '1', 't'> msg2 = <~id_c, ~r1, '2', 'c'> in - [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~iid) ] + [ In(msg1), Fr(~r1), Fr(~id_c) ] --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]-> - [ Out(msg2), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1) ] + [ Out(msg2), TAChallengeC($C, certT, ~id_c, ~r1) ] rule TA_RESPONSE_T: let 
@@ -50,43 +50,43 @@ let s = sign(<'TA', id_c, r1>, ~skT) msg3 = <s, '3', 't'> in - [ In(msg2), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal') ] + [ In(msg2), TAInitT($T), !Ltk($T, ~skT, 'terminal') ] --> - [ Out(msg3), TAResponseT(<$T, iid>, id_c) ] + [ Out(msg3), TAResponseT($T, id_c) ] rule TA_COMPLETE_C: let msg3 = <s, '3', 't'> in - [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1) ] - --[ Eq(verify(s, <'TA', id_c, r1>, cert_pk(certT)), true), CompletedTA($C, iid, cert_id(certT)) ]-> - [ TACompleteC(<$C, iid>, certT, id_c, r1) ] + [ In(msg3), TAChallengeC($C, certT, id_c, r1) ] + --[ Eq(verify(s, <'TA', id_c, r1>, cert_pk(certT)), true) ]-> + [ TACompleteC($C, certT, id_c, r1) ] /* Chip Authentication */ // State machine: CA_INIT_C -> CA_INIT_T -> CA_FINISH_C -> CA_FINISH_T -#ifdef PFS +#ifdef ForwardSecrecy rule CA_INIT_C: let msg4 = <certC, ~r2, pk(~skCe), '4', 'c'> in - [ Fr(~r2), Fr(~skCe), TACompleteC(<$C, iid>, certT, id_c, r1), !Cert($C, certC, 'chip') ] + [ Fr(~r2), Fr(~skCe), TACompleteC($C, certT, id_c, r1), !Cert($C, certC, 'chip') ] --> - [ Out(msg4), Out(iid), CAInitC(<$C, iid>, certT, id_c, r1, ~r2, ~skCe) ] + [ Out(msg4), CAInitC($C, certT, id_c, r1, ~r2, ~skCe) ] #else rule CA_INIT_C: let msg4 = <certC, ~r2, '4', 'c'> in - [ Fr(~r2), TACompleteC(<$C, iid>, certT, id_c, r1), !Cert($C, certC, 'chip') ] + [ Fr(~r2), TACompleteC($C, certT, id_c, r1), !Cert($C, certC, 'chip') ] --> - [ Out(msg4), Out(iid), CAInitC(<$C, iid>, certT, id_c, r1, ~r2) ] + [ Out(msg4), CAInitC($C, certT, id_c, r1, ~r2) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule CA_INIT_T: let msg4 = <certC, r2, pkCe, '4', 'c'> 
@@ -97,9 +97,9 @@ let s = sign(<'CA', sid>, ~skT) msg5 = <cip, s, cipe, '5', 't'> in - [ In(msg4), Fr(~k), Fr(~ke), TAResponseT(<$T, iid>, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ] + [ In(msg4), Fr(~k), Fr(~ke), TAResponseT($T, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ] --[ Eq(verify_cert(certC, 'chip'), true) ]-> - [ Out(msg5), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ] + [ Out(msg5), CAInitT($T, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ] #else rule CA_INIT_T: let @@ -110,13 +110,13 @@ let s = sign(<'CA', sid>, ~skT) msg5 = <cip, s, '5', 't'> in - [ In(msg4), Fr(~k), TAResponseT(<$T, iid>, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ] + [ In(msg4), Fr(~k), TAResponseT($T, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ] --[ Eq(verify_cert(certC, 'chip'), true) ]-> - [ Out(msg5), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>) ] + [ Out(msg5), CAInitT($T, id_c, certC, r2, <~k, cip>) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule CA_FINISH_C: let msg5 = <cip, s, cipe, '5', 't'> @@ -127,9 +127,9 @@ let kKEY = kdf(<'KEY', sid>, <k, ke>) msg6 = <kCNF, '6', 'c'> in - [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, r2, skCe), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] + [ In(msg5), CAInitC($C, certT, id_c, r1, r2, skCe), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] --[ Eq(verify(s, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> - [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ] + [ Out(msg6) ] #else rule CA_FINISH_C: let 
@@ -140,12 +140,12 @@ let kKEY = kdf(<'KEY', sid>, k) msg6 = <kCNF, '6', 'c'> in - [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] + [ In(msg5), CAInitC($C, certT, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] --[ Eq(verify(s, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> - [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ] + [ Out(msg6) ] #endif -#ifdef PFS +#ifdef ForwardSecrecy rule CA_FINISH_T: let msg6 = <kCNF_C, '6', 'c'> @@ -153,9 +153,9 @@ let kCNF = kdf(<'CNF', sid>, <k, ke>) kKEY = kdf(<'KEY', sid>, <k, ke>) in - [ In(msg6), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ] + [ In(msg6), CAInitT($T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ] --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> - [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ] + [ !SessionReveal(sid, kKEY) ] #else rule CA_FINISH_T: let @@ -164,9 +164,9 @@ let kCNF = kdf(<'CNF', sid>, k) kKEY = kdf(<'KEY', sid>, k) in - [ In(msg6), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ] + [ In(msg6), CAInitT($T, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ] --[ Eq(kCNF, kCNF_c), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> - [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ] + [ !SessionReveal(sid, kKEY) ] #endif diff --git a/include/include/attacker.spthy b/include/include/attacker.spthy new file mode 100644 index 0000000..c535652 --- /dev/null +++ b/include/include/attacker.spthy 
@@ -0,0 +1,12 @@ +/* Attacker model */ +// We extend the Dolev-Yao attack model in tamarin with Reveal and Corrupt capabilities + +rule Corrupt_ltk: + [ !Ltk($A, ltk, role) ] + --[ Corrupted($A) ]-> + [ Out(<ltk, role>) ] + +rule Reveal_session: + [ !SessionReveal(sid, k) ] + --[ Revealed(sid) ]-> + [ Out(k) ] diff --git a/include/include/classic_verify_transcript.spthy b/include/include/classic_verify_transcript.spthy new file mode 100644 index 0000000..2453ba3 --- /dev/null +++ b/include/include/classic_verify_transcript.spthy @@ -0,0 +1,24 @@ +rule Verify_Transcript_C: +let + pkT = cert_pk(certT) + k = pkTe^skC + kMac = kdf_mac(k, r2) + tag_c = mac(pkTe, kMac) +in + [ In(<certT, pkTe, IDc, r1, s1, certC, pkTe2, r2, tag>), !Ltk(C, skC, 'chip') ] + --[ Eq(C, cert_id(certC)), Eq(tag, tag_c), Eq(pkTe, pkTe2), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(s1, <IDc, r1, pkTe>, pkT), true), ValidTrans(C, 'chip', cert_id(certT)) ]-> + [ ] + +rule Verify_Transcript_T: +let + pkT = cert_pk(certT) + pkC = cert_pk(certC) + tag_t = mac(pkTe, kdf_mac(r2, skTe^pkC)) + k = pkC^skTe + kMac = kdf_mac(k, r2) + tag_t = mac(pkTe, kMac) +in + [ In(<certT, pkTe, IDc, r1, s1, certC, pkTe2, r2, tag>), In(<skTe, T>) ] + --[ Eq(T, cert_id(certT)), Eq(tag, tag_t), Eq(pkTe, pkTe2), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(s1, <IDc, r1, pkTe>, pkT), true), ValidTrans(T, 'terminal', cert_id(certC)) ]-> + [ ] + diff --git a/include/include/kem_verify_transcript.spthy b/include/include/kem_verify_transcript.spthy new file mode 100644 index 0000000..774a2f5 --- /dev/null +++ b/include/include/kem_verify_transcript.spthy 
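Review bot: `Verify_Transcript_T` in classic_verify_transcript.spthy binds `tag_t` twice in its `let` block, first as `tag_t = mac(pkTe, kdf_mac(r2, skTe^pkC))` and then as `tag_t = mac(pkTe, kMac)`. The first binding looks like a leftover: it reverses the argument order of `kdf_mac` relative to `kMac = kdf_mac(k, r2)` and exponentiates in the opposite direction (`skTe^pkC` instead of `pkC^skTe` as in `k`), so only the second binding matches the key derivation in CA_FINISH_T of ClassicEAC.spthy. Delete the first `tag_t` line and keep the `k`/`kMac`/`tag_t` derivation.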
@@ -0,0 +1,75 @@
+#ifdef PFS
+rule Verify_Transcript_C:
+let
+ pkCe = pk(skCe)
+ kTMAC = kdf(<'TMAC', r1>, kTA)
+ kTENC = kdf(<'TENC', r1>, kTA)
+ kTCNF_c = kdf(<'TCNF', r1>, kTA)
+ dmesg = sdec(cCA, kTENC)
+ certC = fst(dmesg)
+ r2 = snd(dmesg)
+ sid = <certT, certC, r2, cip, pkCe, cipe>
+ s_c = mac(<'CA', sid>, kTMAC)
+ k = decaps(cip, skC)
+ ke = decaps(cipe, skCe)
+ kCNF_c = kdf(<'CNF', sid>, <k, ke>)
+in
+ [ In(<certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF>), In(<kTA, skCe>), !Ltk(C, skC, 'chip') ]
+ --[ Eq(C, cert_id(certC)), Eq(verify_cert(certC, 'chip'), true), Eq(verify_cert(certT, 'terminal'), true), Eq(kTCNF, kTCNF_c), Eq(s, s_c), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
+ [ ]
+#else
+rule Verify_Transcript_C:
+let
+ kTMAC = kdf(<'TMAC', r1>, kTA)
+ kTENC = kdf(<'TENC', r1>, kTA)
+ kTCNF_c = kdf(<'TCNF', r1>, kTA)
+ dmesg = sdec(cCA, kTENC)
+ certC = fst(dmesg)
+ r2 = snd(dmesg)
+ sid = <certT, certC, r2, cip>
+ s_c = mac(<'CA', sid>, kTMAC)
+ kKDF = decaps(cip, skC)
+ kCNF_c = kdf(<'CNF', sid>, kKDF)
+in
+ [ In(<certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF>), In(kTA), !Ltk(C, skC, 'chip') ]
+ --[ Eq(C, cert_id(certC)), Eq(verify_cert(certC, 'chip'), true), Eq(verify_cert(certT, 'terminal'), true), Eq(kTCNF, kTCNF_c), Eq(s, s_c), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
+ [ ]
+#endif
+
+
+#ifdef PFS
+rule Verify_Transcript_T:
+let
+ kTA = decaps(cTA, skT)
+ kTMAC = kdf(<'TMAC', r1>, kTA)
+ kTENC = kdf(<'TENC', r1>, kTA)
+ kTCNF_t = kdf(<'TCNF', r1>, kTA)
+ dmesg = sdec(cCA, kTENC)
+ certC = fst(dmesg)
+ r2 = fst(snd(dmesg))
+ pkCe = snd(snd(dmesg))
+ sid = <certT, certC, r2, cip, pkCe, cipe>
+ s_t = mac(<'CA', sid>, kTMAC)
+ kCNF_t = kdf(<'CNF', sid>, <k, ke>)
+in
+ [ In(<certT, IDc, r1, cTA, kTCNF, cCA, cip, s, cipe, kCNF>), In(<k, ke>), !Ltk(T, skT, 'terminal') ]
+ --[ Eq(T, cert_id(certT)), Eq(verify_cert(certC, 'chip'), true), Eq(verify_cert(certT, 'terminal'), true), Eq(kTCNF, kTCNF_t), Eq(s, s_t), Eq(kCNF, kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
+ [ ]
+#else
+rule Verify_Transcript_T:
+let
+ kTA = decaps(cTA, skT)
+ kTMAC = kdf(<'TMAC', r1>, kTA)
+ kTENC = kdf(<'TENC', r1>, kTA)
+ kTCNF_t = kdf(<'TCNF', r1>, kTA)
+ dmesg = sdec(cCA, kTENC)
+ certC = fst(dmesg)
+ r2 = snd(dmesg)
+ sid = <certT, certC, r2, cip>
+ s_t = mac(<'CA', sid>, kTMAC)
+ kCNF_t = kdf(<'CNF', sid>, kKDF)
+in
+ [ In(<certT, IDc, r1, cTA, kTCNF, cCA, cip, s, kCNF>), In(kKDF), !Ltk(T, skT, 'terminal') ]
+ --[ Eq(T, cert_id(certT)), Eq(verify_cert(certC, 'chip'), true), Eq(verify_cert(certT, 'terminal'), true), Eq(kTCNF, kTCNF_t), Eq(s, s_t), Eq(kCNF, kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
+ [ ]
+#endif
diff --git a/include/include/lemmas.spthy b/include/include/lemmas.spthy
new file mode 100644
index 0000000..11bf1e2
--- /dev/null
+++ b/include/include/lemmas.spthy
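Review bot: In the `#ifdef PFS` Verify_Transcript_C, `r2 = snd(dmesg)` parses the decrypted `cCA` as a pair, while the `#ifdef PFS` Verify_Transcript_T parses the same transcript field as a triple (`r2 = fst(snd(dmesg))`, `pkCe = snd(snd(dmesg))`); both rules read the same `cCA`, so one of them is wrong, and if it carries `<certC, r2, pkCe>` the chip-side `r2` becomes the pair `<r2, pkCe>` and its `sid` and `kCNF_c` can never match a genuine forward-secrecy transcript. Align the chip side with the terminal side, `r2 = fst(snd(dmesg))`, and tie the supplied `skCe` to the transmitted key with `Eq(pkCe, snd(snd(dmesg)))` in the action facts, since `pkCe = pk(skCe)` currently comes only from the `In(<kTA, skCe>)` value. The protocol rule that builds `cCA` is outside this diff, so confirm its layout before changing either rule.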
@@ -0,0 +1,151 @@
+/* Contains the restrictions and lemmas for all EAC models */
+
+restriction Equality:
+ "All x y #i. Eq(x, y) @ i ==> x = y"
+
+
+// Correctness
+
+lemma session_exist: exists-trace
+ " Ex C T k sid #i #j.
+ Completed(k, sid, C, 'chip', T) @ #i
+ & Completed(k, sid, T, 'terminal', C) @ #j
+ & #i < #j
+ "
+
+lemma two_session_exist: exists-trace
+ " Ex C T k k2 sid sid2 #i #j #i2 #j2.
+ Completed(k, sid, C, 'chip', T) @ #i
+ & Completed(k, sid, T, 'terminal', C) @ #j
+ & #i < #j
+ & Completed(k2, sid2, C, 'chip', T) @ #i2
+ & Completed(k2, sid2, T, 'terminal', C) @ #j2
+ & #i2 < #j2
+ & not(k=k2)
+ "
+
+// Agreement
+lemma aliveness:
+ "All k sid A role B #i #t .
+ Completed(k, sid, A, role, B) @ #i
+ & Finished(sid) @ #t
+ ==> (Ex k2 sid2 role2 C #j .
+ Completed(k2, sid2, B, role2, C) @ #j)
+ | (Ex #k . Corrupted(B) @ #k)
+ "
+
+lemma weak_agreement_C:
+ "All k sid C T #i #t .
+ Completed(k, sid, C, 'chip', T) @ #i
+ & Finished(sid) @ #t
+ ==> (Ex k2 sid2 #j .
+ Completed(k2, sid2, T, 'terminal', C) @ #j)
+ | (Ex #k . Corrupted(C) @ #k)
+ | (Ex #k . Corrupted(T) @ #k)
+ "
+
+lemma weak_agreement_T:
+ "All k sid C T #i #t .
+ Completed(k, sid, T, 'terminal', C) @ #i
+ & Finished(sid) @ #t
+ ==> (Ex k2 sid2 #j .
+ Completed(k2, sid2, C, 'chip', T) @ #j)
+ | (Ex #k . Corrupted(C) @ #k)
+ | (Ex #k . Corrupted(T) @ #k)
+ "
+
+lemma agreement_C:
+ "All k sid C T #i #t .
+ Completed(k, sid, C, 'chip', T) @ #i
+ & Finished(sid) @ #t
+ ==> (Ex #j .
+ Completed(k, sid, T, 'terminal', C) @ #j)
+ | (Ex #k . Corrupted(C) @ #k)
+ | (Ex #k . Corrupted(T) @ #k)
+ "
+
+lemma agreement_T:
+ "All k sid C T #i #t .
+ Completed(k, sid, T, 'terminal', C) @ #i
+ & Finished(sid) @ #t
+ ==> (Ex #j .
+ Completed(k, sid, C, 'chip', T) @ #j)
+ | (Ex #k . Corrupted(C) @ #k)
+ | (Ex #k . Corrupted(T) @ #k)
+ "
+
+lemma session_uniqueness:
+ "All A B k sid sid2 role #i #j .
+ Completed(k, sid, A, role, B) @ #i
+ & Completed(k, sid2, A, role, B) @ #j
+ ==> (#i = #j) & (sid = sid2)
+ "
+
+// Sole purpose of static key of T is authentication
+// The final keys k/k2 are only derived from pkC/skC, pkTe/skTe and r2
+lemma consistency:
+ "All C T k k2 sid #i #j .
+ Completed(k, sid, C, 'chip', T) @ #i
+ & Completed(k2, sid, T, 'terminal', C) @ #j
+ ==> (k=k2)
+ | (Ex #m . Corrupted(C) @ #m)
+ | (Ex #m . Corrupted(T) @ #m)
+ "
+
+// Key secrecy
+lemma key_secrecy:
+ "All C T k sid #i #j .
+ Completed(k, sid, C, 'chip', T) @ #i
+ & Completed(k, sid, T, 'terminal', C) @ #j
+ ==> not(Ex #m . K(k) @ #m)
+ | (Ex #m . Revealed(sid) @ #m)
+ | (Ex #m . Corrupted(C) @ #m)
+ | (Ex #m . Corrupted(T) @ #m)
+ "
+
+/* We simulate a one sided protocol execution */
+// The terminal submits a transcript for a valid protocol execution and the chip verifies it
+// If the terminal succeeds it has disproven non-repudiation for the chip
+// 1.: We prohibit any previous protocol executions
+// 2.: The chip should not be corrupted, so that the terminal needs to forge the values
+// 3.: The terminal is not allowed to register a chip certificate
+
+lemma notNonRepudiation_C: exists-trace
+ "Ex C T #i .
+ ValidTrans(C, 'chip', T) @ #i
+ & not(Ex #k . Started() @ #k) // 1.
+ & not(Ex #k . Corrupted(C) @ #k) // 2.
+ & not(Ex #k . RegisteredRole(T, 'chip') @ #k) // 3.
+ "
+
+
+// The chip submits a transcript for a valid protocol execution and the terminal verifies it
+// If the chip succeeds it has disproven non-repudiation for the terminal
+
+lemma notNonRepudiation_T: exists-trace
+ "Ex C T #i .
+ ValidTrans(T, 'terminal', C) @ #i
+ & not(Ex #k . Started() @ #k)
+ & not(Ex #k . Corrupted(T) @ #k)
+ & not(Ex #k . RegisteredRole(C, 'terminal') @ #k)
+ "
+
+lemma forward_secrecy:
+ "All C T k sid #i #j .
+ Completed(k, sid, C, 'chip', T) @ #i
+ & Completed(k, sid, T, 'terminal', C) @ #j
+ & not(Ex #m . Corrupted(C) @ #m & #m < #j)
+ & not(Ex #m . Corrupted(T) @ #m & #m < #j)
+ ==> (not(Ex #m . K(k) @ #m)
+ | (Ex #m . Revealed(sid) @ #m))
+ "
+
+lemma forward_secrecy_T:
+ "All C T k sid #i #j .
+ Completed(k, sid, C, 'chip', T) @ #i
+ & Completed(k, sid, T, 'terminal', C) @ #j
+ & not(Ex #m . Corrupted(C) @ #m)
+ & not(Ex #m . Corrupted(T) @ #m & #m < #j)
+ ==> (not(Ex #m . K(k) @ #m)
+ | (Ex #m . Revealed(sid) @ #m))
+ "
diff --git a/include/include/setup.spthy b/include/include/setup.spthy
new file mode 100644
index 0000000..3fa41f5
--- /dev/null
+++ b/include/include/setup.spthy
@@ -0,0 +1,49 @@
+/* Key setup and Certificate model for all EAC models */
+
+
+functions: cert/3, cert_pk/1, cert_sig/1, cert_id/1, ca_sk/0 [private]
+equations: cert_pk(cert(pk, s, id)) = pk, cert_sig(cert(pk, s, id)) = s, cert_id(cert(pk, s, id)) = id
+
+macros: verify_cert(cert, role) = verify(cert_sig(cert), <cert_pk(cert), cert_id(cert), role>, pk(ca_sk))
+
+
+rule Publish_ca_pk:
+ [ ]
+ -->
+ [ Out(pk(ca_sk)) ]
+
+// Generate long-term key pair for the chip. Classic version needs dh key pair
+#ifdef CLASSIC
+rule Generate_chip_key_pair:
+let
+ pk = 'g'^~ltk
+in
+ [ Fr(~ltk) ]
+ -->
+ [ !Pk($A, pk, 'chip'), !Ltk($A, ~ltk, 'chip'), Out(pk) ]
+#else
+rule Generate_chip_key_pair:
+let
+ pk = pk(~ltk)
+in
+ [ Fr(~ltk) ]
+ -->
+ [ !Pk($A, pk, 'chip'), !Ltk($A, ~ltk, 'chip'), Out(pk) ]
+#endif
+
+// Generate static long-term key pair for the terminal.
+rule Generate_terminal_key_pair:
+let
+ pk = pk(~ltk)
+in
+ [ Fr(~ltk) ]
+ -->
+ [ !Pk($A, pk, 'terminal'), !Ltk($A, ~ltk, 'terminal'), Out(pk) ]
+
+rule CA_Sign_ltk:
+let
+ certA = cert(pk, sign(<pk, A, role>, ca_sk), A)
+in
+ [ !Pk(A, pk, role) ]
+ --[ RegisteredRole(A, role) ]->
+ [ !Cert(A, certA, role), Out(certA) ]
diff --git a/include/include/sig_verify_transcript.spthy b/include/include/sig_verify_transcript.spthy
new file mode 100644
index 0000000..c88f69e
--- /dev/null
+++ b/include/include/sig_verify_transcript.spthy
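Review bot: `forward_secrecy_T` is the lemma the commit title announces, yet it is the only lemma in the file without a comment, and its shape (chip never corrupted, terminal corrupted only after its completion at `#j`) is easy to misread next to `forward_secrecy`, which bounds both corruptions by `#j`; add above it `// Forward secrecy w.r.t. the terminal's long-term key only: the chip is never corrupted, the terminal may be corrupted once it has completed the session`. The comment above `consistency`, "The final keys k/k2 are only derived from pkC/skC, pkTe/skTe and r2", describes the classic DH model, but this file is now shared by all EAC models including the KEM ones, where CA_FINISH_T derives `kKEY` from the decapsulated secret; reword it to something model-neutral such as `// The final keys never depend on T's static key (DH: pkC/skC, pkTe/skTe and r2; KEM: the decapsulated secret(s))`.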
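Review bot: Generate_chip_key_pair and Generate_terminal_key_pair both bind the agent as `$A`, so one agent name can obtain keys and CA certificates in both roles, and each rule can fire repeatedly for the same `$A`; the notNonRepudiation lemmas depend on this by excluding `RegisteredRole(T, 'chip')` and `RegisteredRole(C, 'terminal')`, but nothing in this file says so. Add above the `#ifdef CLASSIC` guard: `// Agents are not bound to a role: the same $A may obtain chip and terminal keys, any number of times; lemmas that need role separation must exclude it via RegisteredRole`.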
@@ -0,0 +1,44 @@
+#ifdef PFS
+rule Verify_Transcript_C:
+let
+ pkT = cert_pk(certT)
+ sid = <certT, certC, r2, cip, pkCe, cipe>
+ k = decaps(cip, skC)
+ ke = decaps(cipe, skCe)
+ kCNF_c = kdf(<'CNF', sid>, <k, ke>)
+in
+ [ In(<certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF>), In(skCe), !Ltk(C, skC, 'chip') ]
+ --[ Eq(C, cert_id(certC)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
+ [ ]
+#else
+rule Verify_Transcript_C:
+let
+ pkT = cert_pk(certT)
+ sid = <certT, certC, r2, cip>
+ kKDF = decaps(cip, skC)
+ kCNF_c = kdf(<'CNF', sid>, kKDF)
+in
+ [ In(<certT, IDc, r1, sT, certC, r2, cip, sC, kCNF>), !Ltk(C, skC, 'chip') ]
+ --[ Eq(C, cert_id(certC)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
+ [ ]
+#endif
+
+#ifdef PFS
+rule Verify_Transcript_T:
+let
+ sid = <certT, certC, r2, cip, pkCe, cipe>
+ kCNF_t = kdf(<'CNF', sid>, <k, ke>)
+in
+ [ In(<certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF>), In(<k, ke>), !Pk(T, pkT, 'terminal') ]
+ --[ Eq(T, cert_id(certT)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
+ [ ]
+#else
+rule Verify_Transcript_T:
+let
+ sid = <certT, certC, r2, cip>
+ kCNF_t = kdf(<'CNF', sid>, kKDF)
+in
+ [ In(<certT, IDc, r1, sT, certC, r2, cip, sC, kCNF>), In(kKDF), !Pk(T, pkT, 'terminal') ]
+ --[ Eq(T, cert_id(certT)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
+ [ ]
+#endif
diff --git a/results/45991550.err.PFS_ALL_FastKemPQEAC_TAMARIN b/results/46092847.err.FastSigPQEAC
similarity index 100%
rename from results/45991550.err.PFS_ALL_FastKemPQEAC_TAMARIN
rename to results/46092847.err.FastSigPQEAC
diff --git a/results/45991792.out.ALL_FastSigPQEAC_TAMARIN b/results/46092847.out.FastSigPQEAC
similarity index 86%
rename from results/45991792.out.ALL_FastSigPQEAC_TAMARIN
rename to results/46092847.out.FastSigPQEAC
index 6571991..5513199 100644
--- a/results/45991792.out.ALL_FastSigPQEAC_TAMARIN
+++ b/results/46092847.out.FastSigPQEAC
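Review bot: In the `#ifdef PFS` Verify_Transcript_C, `pkCe` is read from the transcript and `skCe` from `In(skCe)`, but nothing ties the two together, so a transcript whose `pkCe` is not `pk(skCe)` passes as long as the submitted `kCNF` was derived with the supplied `skCe`; the KEM counterpart computes `pkCe = pk(skCe)` in its let block and does not have this gap. Either add `Eq(pkCe, pk(skCe))` to the action facts or bind `pkCe = pk(skCe)` in the let block as kem_verify_transcript.spthy does. Both Verify_Transcript_T variants bind `T` through `!Pk(T, pkT, 'terminal')` while the KEM variants use `!Ltk(T, skT, 'terminal')`; a one-line comment, `// signature verification needs only the terminal's public key`, would make that asymmetry look deliberate.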
@@ -71,49 +71,49 @@ rule (modulo E) Reveal_session: /* has exactly the trivial AC variant */ rule (modulo E) TA_INIT_T: - [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ] + [ !Cert( $T, certT, 'terminal' ) ] --[ Started( ) ]-> - [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ] + [ Out( <certT, '1', 't'> ), TAInitT( $T ) ] /* has exactly the trivial AC variant */ rule (modulo E) TA_CHALLENGE_C: [ - In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ), + In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~r2 ), !Cert( $C, certC, 'chip' ) ] --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]-> [ - Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), Out( ~iid ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2 ) + Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), + TAChallengeC( $C, certT, ~id_c, ~r1, ~r2 ) ] /* rule (modulo AC) TA_CHALLENGE_C: [ - In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~r2 ), + In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~r2 ), !Cert( $C, certC, 'chip' ) ] --[ Eq( z, true ), Started( ) ]-> [ - Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), Out( ~iid ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2 ) + Out( <~id_c, ~r1, certC, ~r2, '2', 'c'> ), + TAChallengeC( $C, certT, ~id_c, ~r1, ~r2 ) ] variants (modulo AC) - 1. certT = certT.15 - z = verify(cert_sig(certT.15), - <cert_pk(certT.15), cert_id(certT.15), 'terminal'>, pk(ca_sk)) + 1. certT = certT.14 + z = verify(cert_sig(certT.14), + <cert_pk(certT.14), cert_id(certT.14), 'terminal'>, pk(ca_sk)) - 2. certT = cert(x.16, sign(<x.16, x.17, 'terminal'>, ca_sk), x.17) + 2. certT = cert(x.15, sign(<x.15, x.16, 'terminal'>, ca_sk), x.16) z = true - 3. certT = cert(x.17, x.18, x.19) - z = verify(x.18, <x.17, x.19, 'terminal'>, pk(ca_sk)) + 3. 
certT = cert(x.16, x.17, x.18) + z = verify(x.17, <x.16, x.18, 'terminal'>, pk(ca_sk)) */ rule (modulo E) TA_RESPONSE_T: [ - In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( <$T, iid> ), + In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k ) ] --[ Eq( verify_cert(certC, 'chip'), true ) ]-> @@ -122,13 +122,13 @@ rule (modulo E) TA_RESPONSE_T: sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC))>, ~skT), '3', 't'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> ) + CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> ) ] /* rule (modulo AC) TA_RESPONSE_T: [ - In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( <$T, iid> ), + In( <id_c, r1, certC, r2, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k ) ] --[ Eq( z.1, true ) ]-> 
@@ -136,226 +136,217 @@ rule (modulo E) TA_RESPONSE_T: Out( <encaps(~k, z), sign(<'TA', id_c, r1>, ~skT), sign(<'CA', certT, certC, r2, encaps(~k, z)>, ~skT), '3', 't'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)> ) + CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, z)> ) ] variants (modulo AC) - 1. certC = certC.20 - z = cert_pk(certC.20) - z.1 = verify(cert_sig(certC.20), - <cert_pk(certC.20), cert_id(certC.20), 'chip'>, pk(ca_sk)) + 1. certC = certC.19 + z = cert_pk(certC.19) + z.1 = verify(cert_sig(certC.19), + <cert_pk(certC.19), cert_id(certC.19), 'chip'>, pk(ca_sk)) - 2. certC = cert(z.57, sign(<z.57, x.100, 'chip'>, ca_sk), x.100) - z = z.57 + 2. certC = cert(z.56, sign(<z.56, x.99, 'chip'>, ca_sk), x.99) + z = z.56 z.1 = true - 3. certC = cert(z.58, x.101, x.102) - z = z.58 - z.1 = verify(x.101, <z.58, x.102, 'chip'>, pk(ca_sk)) + 3. certC = cert(z.57, x.100, x.101) + z = z.57 + z.1 = verify(x.100, <z.57, x.101, 'chip'>, pk(ca_sk)) */ rule (modulo E) TA_COMPLETE_C: [ - In( <cip, s1, s2, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ), - !Cert( $C, certC, 'chip' ) + In( <cip, s1, s2, '3', 't'> ), TAChallengeC( $C, certT, id_c, r1, r2 ), + !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ Eq( verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true ), Eq( verify(s2, <'CA', certT, certC, r2, cip>, cert_pk(certT)), true ), - CompletedTA( $C, iid, cert_id(certT) ), Completed( kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)), <certT, certC, r2, cip>, $C, 'chip', cert_id(certT) ) ]-> [ - Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'> - ), - TACompleteC( <$C, iid>, certT, id_c, r1, r2 ) + Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'> ) ] /* rule (modulo AC) TA_COMPLETE_C: [ - In( <cip, s1, s2, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ), - !Cert( $C, certC, 'chip' ) + In( <cip, s1, s2, '3', 't'> ), 
TAChallengeC( $C, certT, id_c, r1, r2 ), + !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ - Eq( z.1, true ), Eq( z.2, true ), CompletedTA( $C, iid, z.3 ), + Eq( z.1, true ), Eq( z.2, true ), Completed( kdf(<'KEY', certT, certC, r2, cip>, z), <certT, certC, r2, cip>, $C, 'chip', z.3 ) ]-> - [ - Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ), - TACompleteC( <$C, iid>, certT, id_c, r1, r2 ) - ] + [ Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ) ] variants (modulo AC) - 1. ~skC = ~skC.32 - certC = certC.33 - certT = certT.34 - cip = cip.35 - id_c = id_c.36 - r1 = r1.38 - r2 = r2.39 - s1 = s1.40 - s2 = s2.41 - z = decaps(cip.35, ~skC.32) - z.1 = verify(s1.40, <'TA', id_c.36, r1.38>, cert_pk(certT.34)) - z.2 = verify(s2.41, <'CA', certT.34, certC.33, r2.39, cip.35>, - cert_pk(certT.34)) - z.3 = cert_id(certT.34) - - 2. ~skC = ~skC.37 - certC = certC.38 - certT = certT.39 - cip = encaps(z.51, pk(~skC.37)) - id_c = id_c.41 - r1 = r1.43 - r2 = r2.44 - s1 = s1.45 - s2 = s2.46 - z = z.51 - z.1 = verify(s1.45, <'TA', id_c.41, r1.43>, cert_pk(certT.39)) - z.2 = verify(s2.46, - <'CA', certT.39, certC.38, r2.44, encaps(z.51, pk(~skC.37))>, - cert_pk(certT.39)) - z.3 = cert_id(certT.39) - - 3. ~skC = ~skC.150 - certC = certC.151 - certT = cert(x.296, x.297, z.169) - cip = cip.153 - id_c = id_c.154 - r1 = r1.156 - r2 = r2.157 - s1 = s1.158 - s2 = s2.159 - z = decaps(cip.153, ~skC.150) - z.1 = verify(s1.158, <'TA', id_c.154, r1.156>, x.296) - z.2 = verify(s2.159, - <'CA', cert(x.296, x.297, z.169), certC.151, r2.157, cip.153>, x.296) - z.3 = z.169 - - 4. ~skC = ~skC.150 - certC = certC.151 - certT = cert(pk(x.296), x.297, z.169) - cip = cip.153 - id_c = id_c.154 - r1 = r1.156 - r2 = r2.157 - s1 = sign(<'TA', id_c.154, r1.156>, x.296) - s2 = s2.159 - z = decaps(cip.153, ~skC.150) + 1. 
~skC = ~skC.31 + certC = certC.32 + certT = certT.33 + cip = cip.34 + id_c = id_c.35 + r1 = r1.36 + r2 = r2.37 + s1 = s1.38 + s2 = s2.39 + z = decaps(cip.34, ~skC.31) + z.1 = verify(s1.38, <'TA', id_c.35, r1.36>, cert_pk(certT.33)) + z.2 = verify(s2.39, <'CA', certT.33, certC.32, r2.37, cip.34>, + cert_pk(certT.33)) + z.3 = cert_id(certT.33) + + 2. ~skC = ~skC.36 + certC = certC.37 + certT = certT.38 + cip = encaps(z.49, pk(~skC.36)) + id_c = id_c.40 + r1 = r1.41 + r2 = r2.42 + s1 = s1.43 + s2 = s2.44 + z = z.49 + z.1 = verify(s1.43, <'TA', id_c.40, r1.41>, cert_pk(certT.38)) + z.2 = verify(s2.44, + <'CA', certT.38, certC.37, r2.42, encaps(z.49, pk(~skC.36))>, + cert_pk(certT.38)) + z.3 = cert_id(certT.38) + + 3. ~skC = ~skC.144 + certC = certC.145 + certT = cert(x.284, x.285, z.163) + cip = cip.147 + id_c = id_c.148 + r1 = r1.149 + r2 = r2.150 + s1 = s1.151 + s2 = s2.152 + z = decaps(cip.147, ~skC.144) + z.1 = verify(s1.151, <'TA', id_c.148, r1.149>, x.284) + z.2 = verify(s2.152, + <'CA', cert(x.284, x.285, z.163), certC.145, r2.150, cip.147>, x.284) + z.3 = z.163 + + 4. ~skC = ~skC.144 + certC = certC.145 + certT = cert(pk(x.284), x.285, z.163) + cip = cip.147 + id_c = id_c.148 + r1 = r1.149 + r2 = r2.150 + s1 = sign(<'TA', id_c.148, r1.149>, x.284) + s2 = s2.152 + z = decaps(cip.147, ~skC.144) z.1 = true - z.2 = verify(s2.159, - <'CA', cert(pk(x.296), x.297, z.169), certC.151, r2.157, cip.153>, - pk(x.296)) - z.3 = z.169 - - 5. ~skC = ~skC.151 - certC = certC.152 - certT = cert(pk(x.298), x.299, z.170) - cip = cip.154 - id_c = id_c.155 - r1 = r1.157 - r2 = r2.158 - s1 = s1.159 - s2 = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158, - cip.154>, - x.298) - z = decaps(cip.154, ~skC.151) - z.1 = verify(s1.159, <'TA', id_c.155, r1.157>, pk(x.298)) + z.2 = verify(s2.152, + <'CA', cert(pk(x.284), x.285, z.163), certC.145, r2.150, cip.147>, + pk(x.284)) + z.3 = z.163 + + 5. 
~skC = ~skC.145 + certC = certC.146 + certT = cert(pk(x.286), x.287, z.164) + cip = cip.148 + id_c = id_c.149 + r1 = r1.150 + r2 = r2.151 + s1 = s1.152 + s2 = sign(<'CA', cert(pk(x.286), x.287, z.164), certC.146, r2.151, + cip.148>, + x.286) + z = decaps(cip.148, ~skC.145) + z.1 = verify(s1.152, <'TA', id_c.149, r1.150>, pk(x.286)) z.2 = true - z.3 = z.170 - - 6. ~skC = ~skC.151 - certC = certC.152 - certT = cert(pk(x.298), x.299, z.170) - cip = cip.154 - id_c = id_c.155 - r1 = r1.157 - r2 = r2.158 - s1 = sign(<'TA', id_c.155, r1.157>, x.298) - s2 = sign(<'CA', cert(pk(x.298), x.299, z.170), certC.152, r2.158, - cip.154>, - x.298) - z = decaps(cip.154, ~skC.151) + z.3 = z.164 + + 6. ~skC = ~skC.145 + certC = certC.146 + certT = cert(pk(x.286), x.287, z.164) + cip = cip.148 + id_c = id_c.149 + r1 = r1.150 + r2 = r2.151 + s1 = sign(<'TA', id_c.149, r1.150>, x.286) + s2 = sign(<'CA', cert(pk(x.286), x.287, z.164), certC.146, r2.151, + cip.148>, + x.286) + z = decaps(cip.148, ~skC.145) z.1 = true z.2 = true - z.3 = z.170 - - 7. ~skC = ~skC.152 - certC = certC.153 - certT = cert(x.300, x.301, z.171) - cip = encaps(z.166, pk(~skC.152)) - id_c = id_c.156 - r1 = r1.158 - r2 = r2.159 - s1 = s1.160 - s2 = s2.161 - z = z.166 - z.1 = verify(s1.160, <'TA', id_c.156, r1.158>, x.300) - z.2 = verify(s2.161, - <'CA', cert(x.300, x.301, z.171), certC.153, r2.159, - encaps(z.166, pk(~skC.152))>, - x.300) - z.3 = z.171 - - 8. ~skC = ~skC.152 - certC = certC.153 - certT = cert(pk(x.300), x.301, z.171) - cip = encaps(z.166, pk(~skC.152)) - id_c = id_c.156 - r1 = r1.158 - r2 = r2.159 - s1 = s1.160 - s2 = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, - encaps(z.166, pk(~skC.152))>, - x.300) - z = z.166 - z.1 = verify(s1.160, <'TA', id_c.156, r1.158>, pk(x.300)) + z.3 = z.164 + + 7. 
~skC = ~skC.146 + certC = certC.147 + certT = cert(x.288, x.289, z.165) + cip = encaps(z.159, pk(~skC.146)) + id_c = id_c.150 + r1 = r1.151 + r2 = r2.152 + s1 = s1.153 + s2 = s2.154 + z = z.159 + z.1 = verify(s1.153, <'TA', id_c.150, r1.151>, x.288) + z.2 = verify(s2.154, + <'CA', cert(x.288, x.289, z.165), certC.147, r2.152, + encaps(z.159, pk(~skC.146))>, + x.288) + z.3 = z.165 + + 8. ~skC = ~skC.146 + certC = certC.147 + certT = cert(pk(x.288), x.289, z.165) + cip = encaps(z.159, pk(~skC.146)) + id_c = id_c.150 + r1 = r1.151 + r2 = r2.152 + s1 = s1.153 + s2 = sign(<'CA', cert(pk(x.288), x.289, z.165), certC.147, r2.152, + encaps(z.159, pk(~skC.146))>, + x.288) + z = z.159 + z.1 = verify(s1.153, <'TA', id_c.150, r1.151>, pk(x.288)) z.2 = true - z.3 = z.171 - - 9. ~skC = ~skC.152 - certC = certC.153 - certT = cert(pk(x.300), x.301, z.171) - cip = encaps(z.166, pk(~skC.152)) - id_c = id_c.156 - r1 = r1.158 - r2 = r2.159 - s1 = sign(<'TA', id_c.156, r1.158>, x.300) - s2 = s2.161 - z = z.166 + z.3 = z.165 + + 9. ~skC = ~skC.146 + certC = certC.147 + certT = cert(pk(x.288), x.289, z.165) + cip = encaps(z.159, pk(~skC.146)) + id_c = id_c.150 + r1 = r1.151 + r2 = r2.152 + s1 = sign(<'TA', id_c.150, r1.151>, x.288) + s2 = s2.154 + z = z.159 z.1 = true - z.2 = verify(s2.161, - <'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, - encaps(z.166, pk(~skC.152))>, - pk(x.300)) - z.3 = z.171 - - 10. ~skC = ~skC.152 - certC = certC.153 - certT = cert(pk(x.300), x.301, z.171) - cip = encaps(z.166, pk(~skC.152)) - id_c = id_c.156 - r1 = r1.158 - r2 = r2.159 - s1 = sign(<'TA', id_c.156, r1.158>, x.300) - s2 = sign(<'CA', cert(pk(x.300), x.301, z.171), certC.153, r2.159, - encaps(z.166, pk(~skC.152))>, - x.300) - z = z.166 + z.2 = verify(s2.154, + <'CA', cert(pk(x.288), x.289, z.165), certC.147, r2.152, + encaps(z.159, pk(~skC.146))>, + pk(x.288)) + z.3 = z.165 + + 10. 
~skC = ~skC.146 + certC = certC.147 + certT = cert(pk(x.288), x.289, z.165) + cip = encaps(z.159, pk(~skC.146)) + id_c = id_c.150 + r1 = r1.151 + r2 = r2.152 + s1 = sign(<'TA', id_c.150, r1.151>, x.288) + s2 = sign(<'CA', cert(pk(x.288), x.289, z.165), certC.147, r2.152, + encaps(z.159, pk(~skC.146))>, + x.288) + z = z.159 z.1 = true z.2 = true - z.3 = z.171 + z.3 = z.165 */ rule (modulo E) CA_FINISH_T: [ - In( <kCNF_C, '4', 'c'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ), + In( <kCNF_C, '4', 'c'> ), CAInitT( $T, id_c, certC, r2, <k, cip> ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -366,7 +357,6 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip> ) ]-> [ - CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ), !SessionReveal( <certT, certC, r2, cip>, kdf(<'KEY', certT, certC, r2, cip>, k) ) @@ -375,8 +365,7 @@ rule (modulo E) CA_FINISH_T: /* rule (modulo AC) CA_FINISH_T: [ - In( <kCNF_C, '4', 'c'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ), + In( <kCNF_C, '4', 'c'> ), CAInitT( $T, id_c, certC, r2, <k, cip> ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -387,17 +376,16 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip> ) ]-> [ - CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ), !SessionReveal( <certT, certC, r2, cip>, kdf(<'KEY', certT, certC, r2, cip>, k) ) ] variants (modulo AC) - 1. certC = certC.15 - z = cert_id(certC.15) + 1. certC = certC.16 + z = cert_id(certC.16) - 2. certC = cert(x.41, x.42, z.28) - z = z.28 + 2. certC = cert(x.26, x.27, z.21) + z = z.21 */ rule (modulo E) Verify_Transcript_C: @@ -2241,8 +2229,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 - ) ▶₁ #i ) + solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair 
@@ -2257,7 +2244,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip> ) ▶₁ #j ) case TA_RESPONSE_T @@ -2339,8 +2326,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 - ) ▶₁ #i ) + solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -2355,7 +2341,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip> ) ▶₁ #j ) case TA_RESPONSE_T @@ -2365,8 +2351,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_Sign_ltk solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1, - r2.1 + solve( TAChallengeC( $C, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1 ) ▶₁ #i2 ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 ) @@ -2384,7 +2369,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) $T, 'terminal', $C ) @ #j2 ) case CA_FINISH_T - solve( CAInitT( <$T, iid.3>, id_c.3, + solve( CAInitT( $T, id_c.3, cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, <z, cip> ) ▶₁ #j2 ) 
@@ -2521,6 +2506,88 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed +lemma aliveness: + all-traces + "∀ k sid A role B #i #t. + ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ + (∃ #k.1. Corrupted( B ) @ #k.1))" +/* +guarded formula characterizing all counter-examples: +"∃ k sid A role B #i #t. + (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) + ∧ + (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" +*/ +simplify +solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) + case TA_RESPONSE_T + solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) + case CA_Sign_ltk + solve( Completed( k.1, + <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, + A, role, B + ) @ #i ) + case CA_FINISH_T + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <k.1, encaps(~k, z)> + ) ▶₁ #i ) + case TA_RESPONSE_T + solve( !KU( kdf(<'CNF', + cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, + ~k) + ) @ #vk.1 ) + case TA_COMPLETE_C + by contradiction /* from formulas */ + next + case c_kdf + solve( !KU( ~k ) @ #vk.18 ) + case TA_RESPONSE_T + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + ) @ #vk.13 ) + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.23 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case TA_CHALLENGE_C + solve( !KU( ~ltk.1 ) @ #vk.23 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_cert + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.25 ) + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.24 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case TA_CHALLENGE_C + solve( !KU( ~ltk.1 ) @ #vk.24 ) + case Corrupt_ltk + by contradiction /* 
from formulas */ + qed + next + case c_sign + by solve( !KU( ca_sk ) @ #vk.29 ) + qed + qed + qed + qed + qed + next + case TA_COMPLETE_C + by contradiction /* from formulas */ + qed + qed +qed + lemma weak_agreement_C: all-traces "∀ k sid C T #i #t. @@ -2538,7 +2605,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -2548,7 +2615,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) C, 'chip', T.1 ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, + solve( TAChallengeC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2 ) ▶₁ #i ) case TA_CHALLENGE_C @@ -2582,7 +2649,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -2592,8 +2659,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)> + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, + <k.1, encaps(~k, z)> ) ▶₁ #i ) case TA_RESPONSE_T solve( !KU( kdf(<'CNF', @@ -2663,7 +2730,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk 
@@ -2673,7 +2740,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) C, 'chip', T.1 ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, + solve( TAChallengeC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2 ) ▶₁ #i ) case TA_CHALLENGE_C @@ -2750,7 +2817,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -2760,8 +2827,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)> + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, + <k.1, encaps(~k, z)> ) ▶₁ #i ) case TA_RESPONSE_T solve( !KU( kdf(<'CNF', 
@@ -2814,88 +2881,6 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed qed -lemma aliveness: - all-traces - "∀ k sid A role B #i #t. - ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ - (∃ #k.1. Corrupted( B ) @ #k.1))" -/* -guarded formula characterizing all counter-examples: -"∃ k sid A role B #i #t. - (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) - ∧ - (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" -*/ -simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) - case TA_RESPONSE_T - solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) - case CA_Sign_ltk - solve( Completed( k.1, - <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, - A, role, B - ) @ #i ) - case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)> - ) ▶₁ #i ) - case TA_RESPONSE_T - solve( !KU( kdf(<'CNF', - cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, - ~k) - ) @ #vk.1 ) - case TA_COMPLETE_C - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.18 ) - case TA_RESPONSE_T - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) - ) @ #vk.13 ) - case CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.23 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.23 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.25 ) - case CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.24 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.24 ) - case 
Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.29 ) - qed - qed - qed - qed - qed - next - case TA_COMPLETE_C - by contradiction /* from formulas */ - qed - qed -qed - lemma session_uniqueness: all-traces "∀ A B k sid sid2 role #i #j. @@ -2917,7 +2902,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_1 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -2928,8 +2913,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)> + solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <~k, encaps(~k, z)> ) ▶₁ #j ) case TA_RESPONSE_T by contradiction /* cyclic */ @@ -2939,8 +2924,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 - ) ▶₁ #i ) + solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -2953,7 +2937,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid.1>, + solve( TAChallengeC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2 ) ▶₁ #j ) case TA_CHALLENGE_C @@ -2968,7 +2952,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk 
@@ -2979,8 +2963,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)> + solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <~k, encaps(~k, z)> ) ▶₁ #j ) case TA_RESPONSE_T by contradiction /* cyclic */ @@ -2990,8 +2974,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 - ) ▶₁ #i ) + solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3004,7 +2987,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid.1>, + solve( TAChallengeC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2 ) ▶₁ #j ) case TA_CHALLENGE_C @@ -3020,7 +3003,7 @@ next case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -3037,8 +3020,7 @@ next qed next case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 - ) ▶₁ #i ) + solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair 
@@ -3064,20 +3046,21 @@ lemma consistency: "∀ C T k k2 sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒ - ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))" + (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k k2 sid #i #j. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j) ∧ - (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (¬(k = k2)) ∧ + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 - ) ▶₁ #i ) + solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3089,7 +3072,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip> ) ▶₁ #j ) case TA_RESPONSE_T 
@@ -3130,67 +3113,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case c_sign solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.19 ) - case c_kdf - solve( !KU( ~k ) @ #vk.43 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.45 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + by contradiction /* from formulas */ qed qed next case c_sign solve( !KU( ~ltk.1 ) @ #vk.29 ) case Corrupt_ltk - solve( !KU( sign(<'CA', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~ltk.1) - ) @ #vk.6 ) - case TA_RESPONSE_T - solve( !KU( kdf(<'CNF', - cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.15 ) - case c_kdf - solve( !KU( ~k ) @ #vk.38 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.40 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - next - case c_sign - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.17 ) - case c_kdf - solve( !KU( ~k ) @ #vk.40 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.42 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed 
@@ -3207,8 +3137,9 @@ lemma key_secrecy: "∀ C T k sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒ - (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ - (∃ #m. Corrupted( C ) @ #m))" + ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ + (∃ #m. Corrupted( C ) @ #m)) ∨ + (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k sid #i #j. @@ -3217,13 +3148,13 @@ guarded formula characterizing all counter-examples: ∧ (∃ #m. (K( k ) @ #m)) ∧ (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧ - (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 - ) ▶₁ #i ) + solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3238,7 +3169,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip> ) ▶₁ #j ) case TA_RESPONSE_T 
@@ -3277,140 +3208,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case c_sign solve( !KU( ~ltk.1 ) @ #vk.41 ) case Corrupt_ltk - solve( !KU( kdf(<'KEY', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.6 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.44 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.46 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + by contradiction /* from formulas */ qed qed next case c_sign solve( !KU( ~ltk.1 ) @ #vk.30 ) case Corrupt_ltk - solve( !KU( sign(<'CA', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~ltk.1) - ) @ #vk.7 ) - case TA_RESPONSE_T - solve( !KU( kdf(<'KEY', - cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.5 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.39 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.41 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - next - case c_sign - solve( !KU( kdf(<'KEY', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.5 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.41 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.43 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed -qed - -lemma chip_hiding: - all-traces - "∀ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) ⇒ - ((¬(∃ #m. 
K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))" -/* -guarded formula characterizing all counter-examples: -"∃ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) - ∧ - (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))" -*/ -simplify -solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 - ) ▶₁ #i ) - case TA_CHALLENGE_C - solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) - case Generate_chip_key_pair - solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) - case CA_Sign_ltk - solve( splitEqs(0) ) - case split_case_1 - solve( !KU( sign(<'TA', ~id_c, ~r1>, x) ) @ #vk.3 ) - case TA_RESPONSE_T - solve( !KU( sign(<'CA', - cert(pk(~skT), sign(<pk(~skT), T, 'terminal'>, ca_sk), T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>, - ~skT) - ) @ #vk.5 ) - case TA_RESPONSE_T - solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.19 ) - case CA_Sign_ltk - solve( !KU( ~iid ) @ #vk.12 ) - case TA_CHALLENGE_C - solve( !KU( ~id_c ) @ #vk.17 ) - case TA_CHALLENGE_C - solve( !KU( ~r1 ) @ #vk.19 ) - case TA_CHALLENGE_C - solve( !KU( ~r2 ) @ #vk.32 ) - case TA_CHALLENGE_C - solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T) - ) @ #vk.19 ) - case CA_Sign_ltk - solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C) - ) @ #vk.32 ) - case CA_Sign_ltk - solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.18 ) - case TA_RESPONSE_T - SOLVED // trace found - qed - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed @@ -3421,7 +3226,7 @@ solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 qed qed -lemma nonRepudiation_terminal: +lemma notNonRepudiation_C: exists-trace "∃ C T #i. (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -3482,7 +3287,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i ) qed qed -lemma nonRepudiation_chip: +lemma notNonRepudiation_T: exists-trace "∃ C T #i. (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ 
@@ -3515,7 +3320,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i ) qed qed -lemma pfs: +lemma forward_secrecy: all-traces "∀ C T k sid #i #j. ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧ @@ -3537,8 +3342,7 @@ guarded formula characterizing all counter-examples: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 - ) ▶₁ #i ) + solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3553,7 +3357,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip> ) ▶₁ #j ) case TA_RESPONSE_T 
@@ -3674,21 +3478,20 @@ summary of summaries: analyzed: tmp.spthy - processing time: 750.72s + processing time: 562.41s session_exist (exists-trace): verified (19 steps) two_session_exist (exists-trace): verified (36 steps) + aliveness (all-traces): verified (20 steps) weak_agreement_C (all-traces): verified (8 steps) weak_agreement_T (all-traces): verified (19 steps) agreement_C (all-traces): verified (19 steps) agreement_T (all-traces): verified (19 steps) - aliveness (all-traces): verified (20 steps) session_uniqueness (all-traces): verified (37 steps) - consistency (all-traces): verified (31 steps) - key_secrecy (all-traces): verified (33 steps) - chip_hiding (all-traces): falsified - found trace (16 steps) - nonRepudiation_terminal (exists-trace): verified (13 steps) - nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps) - pfs (all-traces): falsified - found trace (22 steps) + consistency (all-traces): verified (20 steps) + key_secrecy (all-traces): verified (19 steps) + notNonRepudiation_C (exists-trace): verified (13 steps) + notNonRepudiation_T (exists-trace): falsified - no trace found (7 steps) + forward_secrecy (all-traces): falsified - found trace (22 steps) ============================================================================== diff --git a/results/45991167.err.ALL_CLASSIC_EAC_TAMARIN b/results/46092855.err.SigPQEAC similarity index 100% rename from results/45991167.err.ALL_CLASSIC_EAC_TAMARIN rename to results/46092855.err.SigPQEAC diff --git a/results/45992234.out.ALL_SigPQEAC_TAMARIN b/results/46092855.out.SigPQEAC similarity index 89% rename from results/45992234.out.ALL_SigPQEAC_TAMARIN rename to results/46092855.out.SigPQEAC index cc39be4..61dbbbb 100644 --- a/results/45992234.out.ALL_SigPQEAC_TAMARIN +++ b/results/46092855.out.SigPQEAC 
@@ -71,105 +71,86 @@ rule (modulo E) Reveal_session: /* has exactly the trivial AC variant */ rule (modulo E) TA_INIT_T: - [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ] + [ !Cert( $T, certT, 'terminal' ) ] --[ Started( ) ]-> - [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ] + [ Out( <certT, '1', 't'> ), TAInitT( $T ) ] /* has exactly the trivial AC variant */ rule (modulo E) TA_CHALLENGE_C: - [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ] + [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ] --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]-> - [ - Out( <~id_c, ~r1, '2', 'c'> ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 ) - ] + [ Out( <~id_c, ~r1, '2', 'c'> ), TAChallengeC( $C, certT, ~id_c, ~r1 ) ] /* rule (modulo AC) TA_CHALLENGE_C: - [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ] + [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ] --[ Eq( z, true ), Started( ) ]-> - [ - Out( <~id_c, ~r1, '2', 'c'> ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 ) - ] + [ Out( <~id_c, ~r1, '2', 'c'> ), TAChallengeC( $C, certT, ~id_c, ~r1 ) ] variants (modulo AC) - 1. certT = certT.12 - z = verify(cert_sig(certT.12), - <cert_pk(certT.12), cert_id(certT.12), 'terminal'>, pk(ca_sk)) + 1. certT = certT.11 + z = verify(cert_sig(certT.11), + <cert_pk(certT.11), cert_id(certT.11), 'terminal'>, pk(ca_sk)) - 2. certT = cert(x.13, sign(<x.13, x.14, 'terminal'>, ca_sk), x.14) + 2. certT = cert(x.12, sign(<x.12, x.13, 'terminal'>, ca_sk), x.13) z = true - 3. certT = cert(x.14, x.15, x.16) - z = verify(x.15, <x.14, x.16, 'terminal'>, pk(ca_sk)) + 3. 
certT = cert(x.13, x.14, x.15) + z = verify(x.14, <x.13, x.15, 'terminal'>, pk(ca_sk)) */ rule (modulo E) TA_RESPONSE_T: - [ - In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid> ), - !Ltk( $T, ~skT, 'terminal' ) + [ In( <id_c, r1, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ) ] --> [ - Out( <sign(<'TA', id_c, r1>, ~skT), '3', 't'> ), - TAResponseT( <$T, iid>, id_c ) + Out( <sign(<'TA', id_c, r1>, ~skT), '3', 't'> ), TAResponseT( $T, id_c ) ] /* has exactly the trivial AC variant */ rule (modulo E) TA_COMPLETE_C: - [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ] - --[ - Eq( verify(s, <'TA', id_c, r1>, cert_pk(certT)), true ), - CompletedTA( $C, iid, cert_id(certT) ) - ]-> - [ TACompleteC( <$C, iid>, certT, id_c, r1 ) ] + [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, id_c, r1 ) ] + --[ Eq( verify(s, <'TA', id_c, r1>, cert_pk(certT)), true ) ]-> + [ TACompleteC( $C, certT, id_c, r1 ) ] /* rule (modulo AC) TA_COMPLETE_C: - [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ] - --[ Eq( z, true ), CompletedTA( $C, iid, z.1 ) ]-> - [ TACompleteC( <$C, iid>, certT, id_c, r1 ) ] + [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, id_c, r1 ) ] + --[ Eq( z, true ) ]-> + [ TACompleteC( $C, certT, id_c, r1 ) ] variants (modulo AC) - 1. certT = certT.16 - id_c = id_c.17 + 1. certT = certT.13 + id_c = id_c.14 + r1 = r1.15 + s = s.16 + z = verify(s.16, <'TA', id_c.14, r1.15>, cert_pk(certT.13)) + + 2. certT = cert(x.30, x.31, x.32) + id_c = id_c.18 r1 = r1.19 s = s.20 - z = verify(s.20, <'TA', id_c.17, r1.19>, cert_pk(certT.16)) - z.1 = cert_id(certT.16) - - 2. certT = cert(x.37, x.38, z.28) - id_c = id_c.21 - r1 = r1.23 - s = s.24 - z = verify(s.24, <'TA', id_c.21, r1.23>, x.37) - z.1 = z.28 - - 3. certT = cert(pk(x.37), x.38, z.28) - id_c = id_c.21 - r1 = r1.23 - s = sign(<'TA', id_c.21, r1.23>, x.37) + z = verify(s.20, <'TA', id_c.18, r1.19>, x.30) + + 3. 
certT = cert(pk(x.30), x.31, x.32) + id_c = id_c.18 + r1 = r1.19 + s = sign(<'TA', id_c.18, r1.19>, x.30) z = true - z.1 = z.28 */ rule (modulo E) CA_INIT_C: [ - Fr( ~r2 ), TACompleteC( <$C, iid>, certT, id_c, r1 ), - !Cert( $C, certC, 'chip' ) + Fr( ~r2 ), TACompleteC( $C, certT, id_c, r1 ), !Cert( $C, certC, 'chip' ) ] --> - [ - Out( <certC, ~r2, '4', 'c'> ), Out( iid ), - CAInitC( <$C, iid>, certT, id_c, r1, ~r2 ) - ] + [ Out( <certC, ~r2, '4', 'c'> ), CAInitC( $C, certT, id_c, r1, ~r2 ) ] /* has exactly the trivial AC variant */ rule (modulo E) CA_INIT_T: [ - In( <certC, r2, '4', 'c'> ), Fr( ~k ), TAResponseT( <$T, iid>, id_c ), + In( <certC, r2, '4', 'c'> ), Fr( ~k ), TAResponseT( $T, id_c ), !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ) ] --[ Eq( verify_cert(certC, 'chip'), true ) ]-> @@ -178,13 +159,13 @@ rule (modulo E) CA_INIT_T: sign(<'CA', certT, certC, r2, encaps(~k, cert_pk(certC))>, ~skT), '5', 't'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> ) + CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))> ) ] /* rule (modulo AC) CA_INIT_T: [ - In( <certC, r2, '4', 'c'> ), Fr( ~k ), TAResponseT( <$T, iid>, id_c ), + In( <certC, r2, '4', 'c'> ), Fr( ~k ), TAResponseT( $T, id_c ), !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ) ] --[ Eq( z.1, true ) ]-> 
@@ -192,26 +173,26 @@ rule (modulo E) CA_INIT_T: Out( <encaps(~k, z), sign(<'CA', certT, certC, r2, encaps(~k, z)>, ~skT), '5', 't'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)> ) + CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, z)> ) ] variants (modulo AC) - 1. certC = certC.18 - z = cert_pk(certC.18) - z.1 = verify(cert_sig(certC.18), - <cert_pk(certC.18), cert_id(certC.18), 'chip'>, pk(ca_sk)) + 1. certC = certC.17 + z = cert_pk(certC.17) + z.1 = verify(cert_sig(certC.17), + <cert_pk(certC.17), cert_id(certC.17), 'chip'>, pk(ca_sk)) - 2. certC = cert(z.44, sign(<z.44, x.75, 'chip'>, ca_sk), x.75) - z = z.44 + 2. certC = cert(z.43, sign(<z.43, x.74, 'chip'>, ca_sk), x.74) + z = z.43 z.1 = true - 3. certC = cert(z.45, x.76, x.77) - z = z.45 - z.1 = verify(x.76, <z.45, x.77, 'chip'>, pk(ca_sk)) + 3. certC = cert(z.44, x.75, x.76) + z = z.44 + z.1 = verify(x.75, <z.44, x.76, 'chip'>, pk(ca_sk)) */ rule (modulo E) CA_FINISH_C: [ - In( <cip, s, '5', 't'> ), CAInitC( <$C, iid>, certT, id_c, r1, r2 ), + In( <cip, s, '5', 't'> ), CAInitC( $C, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ 
@@ -221,106 +202,98 @@ rule (modulo E) CA_FINISH_C: ) ]-> [ - Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '6', 'c'> - ), - CAFinishC( $C, cert_id(certT), - kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)) - ) + Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '6', 'c'> ) ] /* rule (modulo AC) CA_FINISH_C: [ - In( <cip, s, '5', 't'> ), CAInitC( <$C, iid>, certT, id_c, r1, r2 ), + In( <cip, s, '5', 't'> ), CAInitC( $C, certT, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ - Eq( z.2, true ), + Eq( z.1, true ), Completed( kdf(<'KEY', certT, certC, r2, cip>, z), - <certT, certC, r2, cip>, $C, 'chip', z.1 + <certT, certC, r2, cip>, $C, 'chip', z.2 ) ]-> - [ - Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '6', 'c'> ), - CAFinishC( $C, z.1, kdf(<'KEY', certT, certC, r2, cip>, z) ) - ] + [ Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '6', 'c'> ) ] variants (modulo AC) - 1. ~skC = ~skC.30 - certC = certC.31 - certT = certT.32 - cip = cip.33 - r2 = r2.37 - s = s.38 - z = decaps(cip.33, ~skC.30) - z.1 = cert_id(certT.32) - z.2 = verify(s.38, <'CA', certT.32, certC.31, r2.37, cip.33>, - cert_pk(certT.32)) - - 2. ~skC = ~skC.35 - certC = certC.36 - certT = certT.37 - cip = encaps(z.48, pk(~skC.35)) - r2 = r2.42 - s = s.43 - z = z.48 - z.1 = cert_id(certT.37) - z.2 = verify(s.43, - <'CA', certT.37, certC.36, r2.42, encaps(z.48, pk(~skC.35))>, - cert_pk(certT.37)) - - 3. ~skC = ~skC.137 - certC = certC.138 - certT = cert(x.270, x.271, z.153) - cip = cip.140 - r2 = r2.144 - s = s.145 - z = decaps(cip.140, ~skC.137) - z.1 = z.153 - z.2 = verify(s.145, - <'CA', cert(x.270, x.271, z.153), certC.138, r2.144, cip.140>, x.270) - - 4. ~skC = ~skC.138 - certC = certC.139 - certT = cert(pk(x.272), x.273, z.154) - cip = cip.141 - r2 = r2.145 - s = sign(<'CA', cert(pk(x.272), x.273, z.154), certC.139, r2.145, - cip.141>, - x.272) - z = decaps(cip.141, ~skC.138) - z.1 = z.154 - z.2 = true - - 5. 
~skC = ~skC.139 - certC = certC.140 - certT = cert(x.274, x.275, z.155) - cip = encaps(z.152, pk(~skC.139)) - r2 = r2.146 - s = s.147 - z = z.152 - z.1 = z.155 - z.2 = verify(s.147, - <'CA', cert(x.274, x.275, z.155), certC.140, r2.146, - encaps(z.152, pk(~skC.139))>, - x.274) - - 6. ~skC = ~skC.139 - certC = certC.140 - certT = cert(pk(x.274), x.275, z.155) - cip = encaps(z.152, pk(~skC.139)) - r2 = r2.146 - s = sign(<'CA', cert(pk(x.274), x.275, z.155), certC.140, r2.146, - encaps(z.152, pk(~skC.139))>, - x.274) - z = z.152 - z.1 = z.155 - z.2 = true + 1. ~skC = ~skC.28 + certC = certC.29 + certT = certT.30 + cip = cip.31 + r2 = r2.34 + s = s.35 + z = decaps(cip.31, ~skC.28) + z.1 = verify(s.35, <'CA', certT.30, certC.29, r2.34, cip.31>, + cert_pk(certT.30)) + z.2 = cert_id(certT.30) + + 2. ~skC = ~skC.33 + certC = certC.34 + certT = certT.35 + cip = encaps(z.45, pk(~skC.33)) + r2 = r2.39 + s = s.40 + z = z.45 + z.1 = verify(s.40, + <'CA', certT.35, certC.34, r2.39, encaps(z.45, pk(~skC.33))>, + cert_pk(certT.35)) + z.2 = cert_id(certT.35) + + 3. ~skC = ~skC.130 + certC = certC.131 + certT = cert(x.256, x.257, z.147) + cip = cip.133 + r2 = r2.136 + s = s.137 + z = decaps(cip.133, ~skC.130) + z.1 = verify(s.137, + <'CA', cert(x.256, x.257, z.147), certC.131, r2.136, cip.133>, x.256) + z.2 = z.147 + + 4. ~skC = ~skC.131 + certC = certC.132 + certT = cert(pk(x.258), x.259, z.148) + cip = cip.134 + r2 = r2.137 + s = sign(<'CA', cert(pk(x.258), x.259, z.148), certC.132, r2.137, + cip.134>, + x.258) + z = decaps(cip.134, ~skC.131) + z.1 = true + z.2 = z.148 + + 5. ~skC = ~skC.132 + certC = certC.133 + certT = cert(x.260, x.261, z.149) + cip = encaps(z.144, pk(~skC.132)) + r2 = r2.138 + s = s.139 + z = z.144 + z.1 = verify(s.139, + <'CA', cert(x.260, x.261, z.149), certC.133, r2.138, + encaps(z.144, pk(~skC.132))>, + x.260) + z.2 = z.149 + + 6. 
~skC = ~skC.132 + certC = certC.133 + certT = cert(pk(x.260), x.261, z.149) + cip = encaps(z.144, pk(~skC.132)) + r2 = r2.138 + s = sign(<'CA', cert(pk(x.260), x.261, z.149), certC.133, r2.138, + encaps(z.144, pk(~skC.132))>, + x.260) + z = z.144 + z.1 = true + z.2 = z.149 */ rule (modulo E) CA_FINISH_T: [ - In( <kCNF_c, '6', 'c'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ), + In( <kCNF_c, '6', 'c'> ), CAInitT( $T, id_c, certC, r2, <k, cip> ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -331,7 +304,6 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip> ) ]-> [ - CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ), !SessionReveal( <certT, certC, r2, cip>, kdf(<'KEY', certT, certC, r2, cip>, k) ) @@ -340,8 +312,7 @@ rule (modulo E) CA_FINISH_T: /* rule (modulo AC) CA_FINISH_T: [ - In( <kCNF_c, '6', 'c'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ), + In( <kCNF_c, '6', 'c'> ), CAInitT( $T, id_c, certC, r2, <k, cip> ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -352,17 +323,16 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip> ) ]-> [ - CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ), !SessionReveal( <certT, certC, r2, cip>, kdf(<'KEY', certT, certC, r2, cip>, k) ) ] variants (modulo AC) - 1. certC = certC.15 - z = cert_id(certC.15) + 1. certC = certC.16 + z = cert_id(certC.16) - 2. certC = cert(x.41, x.42, z.28) - z = z.28 + 2. certC = cert(x.26, x.27, z.21) + z = z.21 */ rule (modulo E) Verify_Transcript_C: @@ -2206,7 +2176,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair 
@@ -2221,7 +2191,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip> ) ▶₁ #j ) case CA_INIT_T @@ -2259,7 +2229,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_INIT_C solve( !KU( sign(<'TA', ~id_c.2, ~r1.2>, x) ) @ #vk.38 ) case TA_RESPONSE_T - solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), z, 'terminal'>, ca_sk), z) + solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), x, 'terminal'>, ca_sk), x) ) @ #vk.40 ) case CA_Sign_ltk solve( !KU( ~id_c.2 ) @ #vk.42 ) @@ -2313,7 +2283,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -2328,7 +2298,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip> ) ▶₁ #j ) case CA_INIT_T @@ -2338,8 +2308,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_Sign_ltk solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1 - ) ▶₁ #i2 ) + solve( CAInitC( $C, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1 ) ▶₁ #i2 ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 ) case Generate_chip_key_pair @@ -2356,7 +2325,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) $T, 'terminal', $C ) @ #j2 ) case CA_FINISH_T - solve( CAInitT( <$T, iid.3>, id_c.3, + solve( CAInitT( $T, id_c.3, cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, <z, cip> ) ▶₁ #j2 ) 
@@ -2420,9 +2389,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) solve( !KU( sign(<'TA', ~id_c.4, ~r1.4>, x) ) @ #vk.60 ) case TA_RESPONSE_T solve( !KU( cert(pk(~skT.3), - sign(<pk(~skT.3), z, 'terminal'>, + sign(<pk(~skT.3), x, 'terminal'>, ca_sk), - z) + x) ) @ #vk.62 ) case CA_Sign_ltk solve( !KU( ~id_c.4 ) @ #vk.64 ) @@ -2466,10 +2435,10 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) ) @ #vk.68 ) case TA_RESPONSE_T solve( !KU( cert(pk(~skT.4), - sign(<pk(~skT.4), z, + sign(<pk(~skT.4), x, 'terminal'>, ca_sk), - z) + x) ) @ #vk.70 ) case CA_Sign_ltk solve( !KU( ~id_c.5 ) @ #vk.72 ) 
@@ -2522,6 +2491,88 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed +lemma aliveness: + all-traces + "∀ k sid A role B #i #t. + ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ + (∃ #k.1. Corrupted( B ) @ #k.1))" +/* +guarded formula characterizing all counter-examples: +"∃ k sid A role B #i #t. + (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) + ∧ + (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" +*/ +simplify +solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) + case CA_INIT_T + solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) + case CA_Sign_ltk + solve( Completed( k.1, + <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, + A, role, B + ) @ #i ) + case CA_FINISH_C + by contradiction /* from formulas */ + next + case CA_FINISH_T + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <k.1, encaps(~k, z)> + ) ▶₁ #i ) + case CA_INIT_T + solve( !KU( kdf(<'CNF', + cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, + ~k) + ) @ #vk.1 ) + case CA_FINISH_C + by contradiction /* from formulas */ + next + case c_kdf + solve( !KU( ~k ) @ #vk.20 ) + case CA_INIT_T + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + ) @ #vk.12 ) + case CA_INIT_C + solve( !KU( ~ltk.1 ) @ #vk.25 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.25 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_cert + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.27 ) + case CA_INIT_C + solve( !KU( ~ltk.1 ) @ #vk.26 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.26 ) + 
case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_sign + by solve( !KU( ca_sk ) @ #vk.31 ) + qed + qed + qed + qed + qed + qed + qed +qed + lemma weak_agreement_C: all-traces "∀ k sid C T #i #t. @@ -2539,7 +2590,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -2549,7 +2600,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) C, 'chip', T.1 ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, + solve( CAInitC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C @@ -2583,7 +2634,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -2593,8 +2644,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)> + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, + <k.1, encaps(~k, z)> ) ▶₁ #i ) case CA_INIT_T solve( !KU( kdf(<'CNF', @@ -2664,7 +2715,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk 
@@ -2674,7 +2725,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) C, 'chip', T.1 ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, + solve( CAInitC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C @@ -2751,7 +2802,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -2761,8 +2812,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)> + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, + <k.1, encaps(~k, z)> ) ▶₁ #i ) case CA_INIT_T solve( !KU( kdf(<'CNF', 
@@ -2815,88 +2866,6 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed qed -lemma aliveness: - all-traces - "∀ k sid A role B #i #t. - ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ - (∃ #k.1. Corrupted( B ) @ #k.1))" -/* -guarded formula characterizing all counter-examples: -"∃ k sid A role B #i #t. - (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) - ∧ - (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" -*/ -simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) - case CA_INIT_T - solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) - case CA_Sign_ltk - solve( Completed( k.1, - <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, - A, role, B - ) @ #i ) - case CA_FINISH_C - by contradiction /* from formulas */ - next - case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)> - ) ▶₁ #i ) - case CA_INIT_T - solve( !KU( kdf(<'CNF', - cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, - ~k) - ) @ #vk.1 ) - case CA_FINISH_C - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.20 ) - case CA_INIT_T - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) - ) @ #vk.12 ) - case CA_INIT_C - solve( !KU( ~ltk.1 ) @ #vk.25 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.25 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.27 ) - case CA_INIT_C - solve( !KU( ~ltk.1 ) @ #vk.26 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case CA_Sign_ltk - 
solve( !KU( ~ltk.1 ) @ #vk.26 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.31 ) - qed - qed - qed - qed - qed - qed - qed -qed - lemma session_uniqueness: all-traces "∀ A B k sid sid2 role #i #j. @@ -2918,7 +2887,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_1 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -2931,8 +2900,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, - cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2 + solve( CAInitC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2 ) ▶₁ #j ) case CA_INIT_C by contradiction /* cyclic */ @@ -2943,7 +2912,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -2954,8 +2923,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)> + solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <~k, encaps(~k, z)> ) ▶₁ #j ) case CA_INIT_T by contradiction /* cyclic */ 
@@ -2968,7 +2937,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -2981,8 +2950,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, - cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2 + solve( CAInitC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2 ) ▶₁ #j ) case CA_INIT_C by contradiction /* cyclic */ @@ -2993,7 +2962,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -3004,8 +2973,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)> + solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <~k, encaps(~k, z)> ) ▶₁ #j ) case CA_INIT_T by contradiction /* cyclic */ @@ -3019,7 +2988,7 @@ next case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3039,7 +3008,7 @@ next qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk 
@@ -3062,19 +3031,21 @@ lemma consistency: "∀ C T k k2 sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒ - ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))" + (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k k2 sid #i #j. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j) ∧ - (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (¬(k = k2)) ∧ + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3086,7 +3057,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip> ) ▶₁ #j ) case CA_INIT_T 
@@ -3127,62 +3098,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case c_sign solve( !KU( ~skT ) @ #vk.33 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.17 ) - case c_kdf - solve( !KU( ~k ) @ #vk.42 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.44 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + by contradiction /* from formulas */ qed qed next case c_sign solve( !KU( ~ltk.1 ) @ #vk.36 ) case Corrupt_ltk - solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.14 ) - case TA_RESPONSE_T - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.21 ) - case c_kdf - solve( !KU( ~k ) @ #vk.43 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.45 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - next - case c_sign - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.21 ) - case c_kdf - solve( !KU( ~k ) @ #vk.44 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.46 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed @@ -3199,8 +3122,9 @@ lemma key_secrecy: "∀ C T k sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒ - (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ - (∃ #m. Corrupted( C ) @ #m))" + ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ + (∃ #m. Corrupted( C ) @ #m)) ∨ + (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k sid #i #j. 
@@ -3209,12 +3133,13 @@ guarded formula characterizing all counter-examples: ∧ (∃ #m. (K( k ) @ #m)) ∧ (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧ - (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3229,7 +3154,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip> ) ▶₁ #j ) case CA_INIT_T 
@@ -3268,71 +3193,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case c_sign solve( !KU( ~skT ) @ #vk.34 ) case Corrupt_ltk - solve( !KU( kdf(<'KEY', - cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.6 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.43 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.45 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + by contradiction /* from formulas */ qed qed next case c_sign solve( !KU( ~ltk.1 ) @ #vk.37 ) case Corrupt_ltk - solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.15 ) - case TA_RESPONSE_T - solve( !KU( kdf(<'KEY', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.5 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.44 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.46 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - next - case c_sign - solve( !KU( kdf(<'KEY', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.5 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.45 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.47 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed 
@@ -3343,28 +3211,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed -lemma chip_hiding: - all-traces - "∀ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) ⇒ - ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))" -/* -guarded formula characterizing all counter-examples: -"∃ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) - ∧ - (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))" -*/ -simplify -solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1 ) ▶₁ #i ) - case TA_CHALLENGE_C - solve( !KU( ~iid ) @ #vk.6 ) - case CA_INIT_C - by contradiction /* cyclic */ - qed -qed - -lemma nonRepudiation_terminal: +lemma notNonRepudiation_C: exists-trace "∃ C T #i. (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -3425,7 +3272,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i ) qed qed -lemma nonRepudiation_chip: +lemma notNonRepudiation_T: exists-trace "∃ C T #i. (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -3458,7 +3305,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i ) qed qed -lemma pfs: +lemma forward_secrecy: all-traces "∀ C T k sid #i #j. ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧ @@ -3480,7 +3327,7 @@ guarded formula characterizing all counter-examples: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3495,7 +3342,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip> ) ▶₁ #j ) case CA_INIT_T 
@@ -3544,8 +3391,8 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_INIT_C solve( !KU( sign(<'TA', ~id_c.2, ~r1.2>, x) ) @ #vk.46 ) case TA_RESPONSE_T - solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), z, 'terminal'>, ca_sk), - z) + solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), x, 'terminal'>, ca_sk), + x) ) @ #vk.48 ) case CA_Sign_ltk solve( !KU( ~id_c.2 ) @ #vk.50 ) @@ -3626,21 +3473,20 @@ summary of summaries: analyzed: tmp.spthy - processing time: 98.76s + processing time: 92.56s session_exist (exists-trace): verified (22 steps) two_session_exist (exists-trace): verified (42 steps) + aliveness (all-traces): verified (20 steps) weak_agreement_C (all-traces): verified (8 steps) weak_agreement_T (all-traces): verified (19 steps) agreement_C (all-traces): verified (19 steps) agreement_T (all-traces): verified (19 steps) - aliveness (all-traces): verified (20 steps) session_uniqueness (all-traces): verified (37 steps) - consistency (all-traces): verified (31 steps) - key_secrecy (all-traces): verified (33 steps) - chip_hiding (all-traces): verified (4 steps) - nonRepudiation_terminal (exists-trace): verified (13 steps) - nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps) - pfs (all-traces): falsified - found trace (25 steps) + consistency (all-traces): verified (20 steps) + key_secrecy (all-traces): verified (19 steps) + notNonRepudiation_C (exists-trace): verified (13 steps) + notNonRepudiation_T (exists-trace): falsified - no trace found (7 steps) + forward_secrecy (all-traces): falsified - found trace (25 steps) ============================================================================== diff --git a/results/45991549.err.PFS_ALL_KemPQEAC_TAMARIN b/results/46092858.err.KemPQEAC similarity index 100% rename from results/45991549.err.PFS_ALL_KemPQEAC_TAMARIN rename to results/46092858.err.KemPQEAC 
diff --git a/results/45991793.out.ALL_KemPQEAC_TAMARIN b/results/46092858.out.KemPQEAC similarity index 92% rename from results/45991793.out.ALL_KemPQEAC_TAMARIN rename to results/46092858.out.KemPQEAC index fcb4fe9..1231c41 100644 --- a/results/45991793.out.ALL_KemPQEAC_TAMARIN +++ b/results/46092858.out.KemPQEAC 
@@ -74,56 +74,53 @@ rule (modulo E) Reveal_session: /* has exactly the trivial AC variant */ rule (modulo E) TA_INIT_T: - [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ] + [ !Cert( $T, certT, 'terminal' ) ] --[ Started( ) ]-> - [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ] + [ Out( <certT, '1', 't'> ), TAInitT( $T ) ] /* has exactly the trivial AC variant */ rule (modulo E) TA_CHALLENGE_C: - [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid ) - ] + [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ) ] --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]-> [ Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), '2', 'c'> ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, - <~kTA, encaps(~kTA, cert_pk(certT))> + TAChallengeC( $C, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, cert_pk(certT))> ) ] /* rule (modulo AC) TA_CHALLENGE_C: - [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid ) - ] + [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ) ] --[ Eq( z.1, true ), Started( ) ]-> [ Out( <~id_c, ~r1, encaps(~kTA, z), '2', 'c'> ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, z)> ) + TAChallengeC( $C, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, z)> ) ] variants (modulo AC) - 1. certT = certT.14 - z = cert_pk(certT.14) - z.1 = verify(cert_sig(certT.14), - <cert_pk(certT.14), cert_id(certT.14), 'terminal'>, pk(ca_sk)) + 1. certT = certT.13 + z = cert_pk(certT.13) + z.1 = verify(cert_sig(certT.13), + <cert_pk(certT.13), cert_id(certT.13), 'terminal'>, pk(ca_sk)) - 2. certT = cert(z.27, sign(<z.27, x.44, 'terminal'>, ca_sk), x.44) - z = z.27 + 2. certT = cert(z.26, sign(<z.26, x.43, 'terminal'>, ca_sk), x.43) + z = z.26 z.1 = true - 3. certT = cert(z.28, x.45, x.46) - z = z.28 - z.1 = verify(x.45, <z.28, x.46, 'terminal'>, pk(ca_sk)) + 3. 
certT = cert(z.27, x.44, x.45) + z = z.27 + z.1 = verify(x.44, <z.27, x.45, 'terminal'>, pk(ca_sk)) */ rule (modulo E) TA_RESPONSE_T: [ - In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ), + In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ) ] --> [ Out( <kdf(<'TCNF', r1>, decaps(cTA, ~skT)), '3', 't'> ), - TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, decaps(cTA, ~skT)), + TAResponseT( $T, id_c, kdf(<'TMAC', r1>, decaps(cTA, ~skT)), kdf(<'TENC', r1>, decaps(cTA, ~skT)) ) ] 
@@ -131,77 +128,54 @@ rule (modulo E) TA_RESPONSE_T: /* rule (modulo AC) TA_RESPONSE_T: [ - In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ), + In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ) ] --> [ Out( <kdf(<'TCNF', r1>, z), '3', 't'> ), - TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, z), kdf(<'TENC', r1>, z) - ) + TAResponseT( $T, id_c, kdf(<'TMAC', r1>, z), kdf(<'TENC', r1>, z) ) ] variants (modulo AC) - 1. ~skT = ~skT.14 - cTA = cTA.15 - z = decaps(cTA.15, ~skT.14) + 1. ~skT = ~skT.13 + cTA = cTA.14 + z = decaps(cTA.14, ~skT.13) - 2. ~skT = ~skT.22 - cTA = encaps(z.31, pk(~skT.22)) - z = z.31 + 2. ~skT = ~skT.20 + cTA = encaps(z.28, pk(~skT.20)) + z = z.28 */ rule (modulo E) TA_COMPLETE_C: [ In( <kTCNF_T, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> ) + TAChallengeC( $C, certT, id_c, r1, <kTA, cTA> ) ] - --[ - Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ), - CompletedTA( $C, iid, cert_id(certT) ) - ]-> + --[ Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ) ]-> [ - TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, - kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA) + TACompleteC( $C, certT, id_c, r1, <kTA, cTA>, kdf(<'TMAC', r1>, kTA), + kdf(<'TENC', r1>, kTA) ) ] - /* - rule (modulo AC) TA_COMPLETE_C: - [ - In( <kTCNF_T, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> ) - ] - --[ Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ), CompletedTA( $C, iid, z ) ]-> - [ - TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, - kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA) - ) - ] - variants (modulo AC) - 1. certT = certT.16 - z = cert_id(certT.16) - - 2. 
certT = cert(x.26, x.27, z.21) - z = z.21 - */ + /* has exactly the trivial AC variant */ rule (modulo E) CA_INIT_C: [ !Cert( $C, certC, 'chip' ), Fr( ~r2 ), - TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC ) + TACompleteC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC ) ] --> [ - Out( <senc(<certC, ~r2>, kTENC), '4', 'c'> ), Out( senc(iid, kTENC) ), - CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2 ) + Out( <senc(<certC, ~r2>, kTENC), '4', 'c'> ), + CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2 ) ] /* has exactly the trivial AC variant */ rule (modulo E) CA_INIT_T: [ - In( <cCA, 'CA_INIT', '4', 'c'> ), - TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ), + In( <cCA, 'CA_INIT', '4', 'c'> ), TAResponseT( $T, id_c, kTMAC, kTENC ), !Cert( $T, certT, 'terminal' ), Fr( ~k ) ] --[ Eq( verify_cert(fst(sdec(cCA, kTENC)), 'chip'), true ) ]-> @@ -212,7 +186,7 @@ rule (modulo E) CA_INIT_T: kTMAC), '5', 't'> ), - CAInitT( <$T, iid>, id_c, kTMAC, kTENC, fst(sdec(cCA, kTENC)), + CAInitT( $T, id_c, kTMAC, kTENC, fst(sdec(cCA, kTENC)), snd(sdec(cCA, kTENC)), <~k, encaps(~k, cert_pk(fst(sdec(cCA, kTENC))))> ) ] @@ -220,8 +194,7 @@ rule (modulo E) CA_INIT_T: /* rule (modulo AC) CA_INIT_T: [ - In( <cCA, 'CA_INIT', '4', 'c'> ), - TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ), + In( <cCA, 'CA_INIT', '4', 'c'> ), TAResponseT( $T, id_c, kTMAC, kTENC ), !Cert( $T, certT, 'terminal' ), Fr( ~k ) ] --[ Eq( z.3, true ) ]-> 
@@ -229,56 +202,56 @@ rule (modulo E) CA_INIT_T: Out( <encaps(~k, z), mac(<'CA', certT, z.1, z.2, encaps(~k, z)>, kTMAC), '5', 't'> ), - CAInitT( <$T, iid>, id_c, kTMAC, kTENC, z.1, z.2, <~k, encaps(~k, z)> ) + CAInitT( $T, id_c, kTMAC, kTENC, z.1, z.2, <~k, encaps(~k, z)> ) ] variants (modulo AC) - 1. cCA = cCA.25 - kTENC = kTENC.29 - z = cert_pk(fst(sdec(cCA.25, kTENC.29))) - z.1 = fst(sdec(cCA.25, kTENC.29)) - z.2 = snd(sdec(cCA.25, kTENC.29)) - z.3 = verify(cert_sig(fst(sdec(cCA.25, kTENC.29))), - <cert_pk(fst(sdec(cCA.25, kTENC.29))), - cert_id(fst(sdec(cCA.25, kTENC.29))), 'chip'>, + 1. cCA = cCA.23 + kTENC = kTENC.26 + z = cert_pk(fst(sdec(cCA.23, kTENC.26))) + z.1 = fst(sdec(cCA.23, kTENC.26)) + z.2 = snd(sdec(cCA.23, kTENC.26)) + z.3 = verify(cert_sig(fst(sdec(cCA.23, kTENC.26))), + <cert_pk(fst(sdec(cCA.23, kTENC.26))), + cert_id(fst(sdec(cCA.23, kTENC.26))), 'chip'>, pk(ca_sk)) - 2. cCA = senc(x.190, kTENC.99) - kTENC = kTENC.99 - z = cert_pk(fst(x.190)) - z.1 = fst(x.190) - z.2 = snd(x.190) - z.3 = verify(cert_sig(fst(x.190)), - <cert_pk(fst(x.190)), cert_id(fst(x.190)), 'chip'>, pk(ca_sk)) - - 3. cCA = senc(<z.38, z.39>, kTENC.30) - kTENC = kTENC.30 - z = cert_pk(z.38) - z.1 = z.38 - z.2 = z.39 - z.3 = verify(cert_sig(z.38), <cert_pk(z.38), cert_id(z.38), 'chip'>, + 2. cCA = senc(x.189, kTENC.98) + kTENC = kTENC.98 + z = cert_pk(fst(x.189)) + z.1 = fst(x.189) + z.2 = snd(x.189) + z.3 = verify(cert_sig(fst(x.189)), + <cert_pk(fst(x.189)), cert_id(fst(x.189)), 'chip'>, pk(ca_sk)) + + 3. cCA = senc(<z.37, z.38>, kTENC.29) + kTENC = kTENC.29 + z = cert_pk(z.37) + z.1 = z.37 + z.2 = z.38 + z.3 = verify(cert_sig(z.37), <cert_pk(z.37), cert_id(z.37), 'chip'>, pk(ca_sk)) 4. 
cCA = senc(< - cert(z.106, sign(<z.106, x.192, 'chip'>, ca_sk), x.192), z.109>, - kTENC.100) + cert(z.105, sign(<z.105, x.191, 'chip'>, ca_sk), x.191), z.108>, + kTENC.99) + kTENC = kTENC.99 + z = z.105 + z.1 = cert(z.105, sign(<z.105, x.191, 'chip'>, ca_sk), x.191) + z.2 = z.108 + z.3 = true + + 5. cCA = senc(<cert(z.106, x.192, x.193), z.109>, kTENC.100) kTENC = kTENC.100 z = z.106 - z.1 = cert(z.106, sign(<z.106, x.192, 'chip'>, ca_sk), x.192) + z.1 = cert(z.106, x.192, x.193) z.2 = z.109 - z.3 = true - - 5. cCA = senc(<cert(z.107, x.193, x.194), z.110>, kTENC.101) - kTENC = kTENC.101 - z = z.107 - z.1 = cert(z.107, x.193, x.194) - z.2 = z.110 - z.3 = verify(x.193, <z.107, x.194, 'chip'>, pk(ca_sk)) + z.3 = verify(x.192, <z.106, x.193, 'chip'>, pk(ca_sk)) */ rule (modulo E) CA_FINISH_C: [ In( <cip, s, '5', 't'> ), - CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ), + CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ @@ -288,18 +261,14 @@ rule (modulo E) CA_FINISH_C: ) ]-> [ - Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '6', 'c'> - ), - CAFinishC( $C, cert_id(certT), - kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)) - ) + Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '6', 'c'> ) ] /* rule (modulo AC) CA_FINISH_C: [ In( <cip, s, '5', 't'> ), - CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ), + CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ 
@@ -308,40 +277,37 @@ rule (modulo E) CA_FINISH_C: <certT, certC, r2, cip>, $C, 'chip', z.1 ) ]-> - [ - Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '6', 'c'> ), - CAFinishC( $C, z.1, kdf(<'KEY', certT, certC, r2, cip>, z) ) - ] + [ Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '6', 'c'> ) ] variants (modulo AC) - 1. ~skC = ~skC.28 - certT = certT.31 - cip = cip.32 - z = decaps(cip.32, ~skC.28) - z.1 = cert_id(certT.31) + 1. ~skC = ~skC.29 + certT = certT.32 + cip = cip.33 + z = decaps(cip.33, ~skC.29) + z.1 = cert_id(certT.32) 2. ~skC = ~skC.41 certT = certT.44 - cip = encaps(z.58, pk(~skC.41)) - z = z.58 + cip = encaps(z.57, pk(~skC.41)) + z = z.57 z.1 = cert_id(certT.44) - 3. ~skC = ~skC.186 - certT = cert(x.368, x.369, z.206) - cip = cip.190 - z = decaps(cip.190, ~skC.186) - z.1 = z.206 - - 4. ~skC = ~skC.189 - certT = cert(x.374, x.375, z.209) - cip = encaps(z.206, pk(~skC.189)) - z = z.206 - z.1 = z.209 + 3. ~skC = ~skC.180 + certT = cert(x.356, x.357, z.201) + cip = cip.184 + z = decaps(cip.184, ~skC.180) + z.1 = z.201 + + 4. ~skC = ~skC.183 + certT = cert(x.362, x.363, z.204) + cip = encaps(z.199, pk(~skC.183)) + z = z.199 + z.1 = z.204 */ rule (modulo E) CA_FINISH_T: [ In( <kCNF_c, '6', 'c'> ), - CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> ), + CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -352,7 +318,6 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip> ) ]-> [ - CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ), !SessionReveal( <certT, certC, r2, cip>, kdf(<'KEY', certT, certC, r2, cip>, k) ) @@ -362,7 +327,7 @@ rule (modulo E) CA_FINISH_T: rule (modulo AC) CA_FINISH_T: [ In( <kCNF_c, '6', 'c'> ), - CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> ), + CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ), !Cert( $T, certT, 'terminal' ) ] --[ 
@@ -373,17 +338,16 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip> ) ]-> [ - CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ), !SessionReveal( <certT, certC, r2, cip>, kdf(<'KEY', certT, certC, r2, cip>, k) ) ] variants (modulo AC) - 1. certC = certC.17 - z = cert_id(certC.17) + 1. certC = certC.18 + z = cert_id(certC.18) - 2. certC = cert(x.43, x.44, z.30) - z = z.30 + 2. certC = cert(x.28, x.29, z.23) + z = z.23 */ rule (modulo E) Verify_Transcript_C: @@ -1449,7 +1413,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -1465,7 +1429,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, + solve( CAInitT( $T, id_c.1, kTMAC, kTENC, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip> ) ▶₁ #j ) case CA_INIT_T @@ -1579,7 +1543,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -1595,7 +1559,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, + solve( CAInitT( $T, id_c.1, kTMAC, kTENC, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip> ) ▶₁ #j ) case CA_INIT_T 
@@ -1605,8 +1569,8 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_Sign_ltk solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1, - <kTA.1, cTA>, kTMAC, kTENC, r2.1 + solve( CAInitC( $C, cert(x, x.1, $T), id_c.1, r1.1, <kTA.1, cTA>, kTMAC, + kTENC, r2.1 ) ▶₁ #i2 ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 ) @@ -1624,7 +1588,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) $T, 'terminal', $C ) @ #j2 ) case CA_FINISH_T - solve( CAInitT( <$T, iid.3>, id_c.3, kTMAC, kTENC, + solve( CAInitT( $T, id_c.3, kTMAC, kTENC, cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, <z, cip> ) ▶₁ #j2 ) @@ -1795,11 +1759,11 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) solve( !KU( cert(pk(sk), sign(< pk(sk), - z, + x, 'terminal' >, ca_sk), - z) + x) ) @ #vk.87 ) case CA_Sign_ltk solve( !KU( ~ltk.5 
@@ -1863,89 +1827,43 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed -lemma weak_agreement_C: +lemma aliveness: all-traces - "∀ k sid C T #i #t. - ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨ - (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ - (∃ #k.1. Corrupted( T ) @ #k.1))" + "∀ k sid A role B #i #t. + ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ + (∃ #k.1. Corrupted( B ) @ #k.1))" /* guarded formula characterizing all counter-examples: -"∃ k sid C T #i #t. - (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) +"∃ k sid A role B #i #t. + (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" + (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk solve( Completed( k.1, <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, - C, 'chip', T.1 + A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, - cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, - <kTA, cTA>, kTMAC, kTENC, r2 - ) ▶₁ #i ) - case CA_INIT_C - solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) - case Generate_chip_key_pair - solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' - ) ▶₃ #i ) - case CA_Sign_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed -qed - -lemma weak_agreement_T: - all-traces - "∀ k sid C T #i #t. 
- ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨ - (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ - (∃ #k.1. Corrupted( T ) @ #k.1))" -/* -guarded formula characterizing all counter-examples: -"∃ k sid C T #i #t. - (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) - ∧ - (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" -*/ -simplify -solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> - ) ▶₁ #t ) - case CA_INIT_T - solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) - case CA_Sign_ltk - solve( Completed( k.1, - <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, - T.1, 'terminal', C - ) @ #i ) + by contradiction /* from formulas */ + next case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)> + solve( CAInitT( $T.1, id_c, kTMAC, kTENC, + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)> ) ▶₁ #i ) case CA_INIT_T solve( splitEqs(1) ) case split_case_1 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>, + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, ~k) ) @ #vk.1 ) case CA_FINISH_C 
@@ -1954,11 +1872,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> case c_kdf solve( !KU( ~k ) @ #vk.20 ) case CA_INIT_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>, kdf(<'TENC', r1>, decaps(cTA, ~skT))) ) @ #vk.13 ) case c_senc - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.26 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.30 ) @@ -1973,7 +1891,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.33 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.33 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.31 ) case Corrupt_ltk @@ -1997,7 +1915,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> case split_case_2 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>, + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, ~k) ) @ #vk.1 ) case CA_FINISH_C @@ -2006,7 +1924,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> case c_kdf solve( !KU( ~k ) @ #vk.20 ) case CA_INIT_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>, kdf(<'TENC', r1>, z)) ) @ #vk.13 ) case CA_INIT_C @@ -2023,7 +1941,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> case CA_INIT_T solve( splitEqs(6) ) case split_case_1 - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.30 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.34 ) 
@@ -2038,7 +1956,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.35 ) case Corrupt_ltk @@ -2057,7 +1975,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case split_case_2 - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.30 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.34 ) @@ -2072,7 +1990,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.35 ) case Corrupt_ltk @@ -2092,7 +2010,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case TA_CHALLENGE_C - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.27 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.30 ) @@ -2107,7 +2025,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.38 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.38 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.31 ) case Corrupt_ltk @@ -2126,7 +2044,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_encaps - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.27 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.30 ) 
@@ -2141,7 +2059,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.35 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.35 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.31 ) case Corrupt_ltk @@ -2168,11 +2086,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed qed -lemma agreement_C: +lemma weak_agreement_C: all-traces "∀ k sid C T #i #t. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨ + (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨ (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ (∃ #k.1. Corrupted( T ) @ #k.1))" /* @@ -2180,13 +2098,12 @@ guarded formula characterizing all counter-examples: "∃ k sid C T #i #t. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ + (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -2196,7 +2113,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> C, 'chip', T.1 ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, + solve( CAInitC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ) ▶₁ #i ) 
@@ -2206,59 +2123,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( splitEqs(1) ) - case split_case_1 - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* from formulas */ - next - case split_case_2 - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.1 ) - case c_kdf - solve( !KU( ~k ) @ #vk.37 ) - case CA_INIT_T - solve( !KU( ~r2 ) @ #vk.41 ) - case CA_INIT_C - solve( !KU( ~ltk ) @ #vk.42 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed - next - case split_case_2 - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* from formulas */ - next - case split_case_2 - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.1 ) - case c_kdf - solve( !KU( ~k ) @ #vk.37 ) - case CA_INIT_T - solve( !KU( ~r2 ) @ #vk.41 ) - case CA_INIT_C - solve( !KU( ~ltk ) @ #vk.42 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed @@ -2266,11 +2131,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed qed -lemma agreement_T: +lemma weak_agreement_T: all-traces "∀ k sid C T #i #t. ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨ + (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨ (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ (∃ #k.1. Corrupted( T ) @ #k.1))" /* 
@@ -2278,13 +2143,12 @@ guarded formula characterizing all counter-examples: "∃ k sid C T #i #t. (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ + (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -2294,7 +2158,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC, + solve( CAInitT( $T.1, id_c, kTMAC, kTENC, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)> ) ▶₁ #i ) case CA_INIT_T 
@@ -2525,44 +2389,139 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed qed -lemma aliveness: +lemma agreement_C: all-traces - "∀ k sid A role B #i #t. - ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ - (∃ #k.1. Corrupted( B ) @ #k.1))" + "∀ k sid C T #i #t. + ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨ + (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ + (∃ #k.1. Corrupted( T ) @ #k.1))" /* guarded formula characterizing all counter-examples: -"∃ k sid A role B #i #t. - (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) +"∃ k sid C T #i #t. + (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" + (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ + (∀ #k.1. 
(Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk solve( Completed( k.1, <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, - A, role, B + C, 'chip', T.1 ) @ #i ) case CA_FINISH_C - by contradiction /* from formulas */ - next + solve( CAInitC( $C, + cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, + <kTA, cTA>, kTMAC, kTENC, r2 + ) ▶₁ #i ) + case CA_INIT_C + solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) + case Generate_chip_key_pair + solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' + ) ▶₃ #i ) + case CA_Sign_ltk + solve( splitEqs(1) ) + case split_case_1 + solve( splitEqs(2) ) + case split_case_1 + by contradiction /* from formulas */ + next + case split_case_2 + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk))>, + ~k) + ) @ #vk.1 ) + case c_kdf + solve( !KU( ~k ) @ #vk.37 ) + case CA_INIT_T + solve( !KU( ~r2 ) @ #vk.41 ) + case CA_INIT_C + solve( !KU( ~ltk ) @ #vk.42 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + qed + qed + qed + next + case split_case_2 + solve( splitEqs(2) ) + case split_case_1 + by contradiction /* from formulas */ + next + case split_case_2 + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk))>, + ~k) + ) @ #vk.1 ) + case c_kdf + solve( !KU( ~k ) @ #vk.37 ) + case CA_INIT_T + solve( !KU( ~r2 ) @ #vk.41 ) + case CA_INIT_C + solve( !KU( ~ltk ) @ #vk.42 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + qed + qed + 
qed + qed + qed + qed + qed + qed + qed +qed + +lemma agreement_T: + all-traces + "∀ k sid C T #i #t. + ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨ + (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ + (∃ #k.1. Corrupted( T ) @ #k.1))" +/* +guarded formula characterizing all counter-examples: +"∃ k sid C T #i #t. + (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) + ∧ + (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" +*/ +simplify +solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #t ) + case CA_INIT_T + solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) + case CA_Sign_ltk + solve( Completed( k.1, + <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, + T.1, 'terminal', C + ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)> + solve( CAInitT( $T.1, id_c, kTMAC, kTENC, + cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)> ) ▶₁ #i ) case CA_INIT_T solve( splitEqs(1) ) case split_case_1 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, + cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>, ~k) ) @ #vk.1 ) case CA_FINISH_C 
@@ -2571,11 +2530,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> case c_kdf solve( !KU( ~k ) @ #vk.20 ) case CA_INIT_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>, kdf(<'TENC', r1>, decaps(cTA, ~skT))) ) @ #vk.13 ) case c_senc - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.26 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.30 ) @@ -2590,7 +2549,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.33 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.33 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.31 ) case Corrupt_ltk @@ -2614,7 +2573,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> case split_case_2 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, + cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>, ~k) ) @ #vk.1 ) case CA_FINISH_C @@ -2623,7 +2582,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> case c_kdf solve( !KU( ~k ) @ #vk.20 ) case CA_INIT_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>, kdf(<'TENC', r1>, z)) ) @ #vk.13 ) case CA_INIT_C @@ -2640,7 +2599,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> case CA_INIT_T solve( splitEqs(6) ) case split_case_1 - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.30 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.34 ) 
@@ -2655,7 +2614,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.35 ) case Corrupt_ltk @@ -2674,7 +2633,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case split_case_2 - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.30 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.34 ) @@ -2689,7 +2648,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.35 ) case Corrupt_ltk @@ -2709,7 +2668,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case TA_CHALLENGE_C - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.27 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.30 ) @@ -2724,7 +2683,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.38 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.38 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.31 ) case Corrupt_ltk @@ -2743,7 +2702,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_encaps - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.27 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.30 ) 
@@ -2758,7 +2717,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.35 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.35 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.31 ) case Corrupt_ltk @@ -2806,7 +2765,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_1 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -2820,8 +2779,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), - id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2 + solve( CAInitC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, + r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2 ) ▶₁ #j ) case CA_INIT_C by contradiction /* cyclic */ @@ -2832,8 +2791,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> - ) ▶₁ #i ) + solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -2844,7 +2802,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, + solve( CAInitT( $T, id_c.1, kTMAC, kTENC, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)> ) ▶₁ #j ) case CA_INIT_T 
@@ -2858,7 +2816,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -2872,8 +2830,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), - id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2 + solve( CAInitC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, + r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2 ) ▶₁ #j ) case CA_INIT_C by contradiction /* cyclic */ @@ -2884,8 +2842,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> - ) ▶₁ #i ) + solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -2896,7 +2853,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, + solve( CAInitT( $T, id_c.1, kTMAC, kTENC, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)> ) ▶₁ #j ) case CA_INIT_T @@ -2911,7 +2868,7 @@ next case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -2932,8 +2889,7 @@ next qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip> - ) ▶₁ #i ) + solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip> ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk 
@@ -2956,19 +2912,21 @@ lemma consistency: "∀ C T k k2 sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒ - ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))" + (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k k2 sid #i #j. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j) ∧ - (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (¬(k = k2)) ∧ + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -2981,7 +2939,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, + solve( CAInitT( $T, id_c.1, kTMAC, kTENC, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip> ) ▶₁ #j ) case CA_INIT_T @@ -3028,21 +2986,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_CHALLENGE_C solve( !KU( ~ltk.1 ) @ #vk.47 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.23 ) - case c_kdf - solve( !KU( ~k ) @ #vk.49 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.51 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + by contradiction /* from formulas */ qed qed qed 
@@ -3102,21 +3046,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_CHALLENGE_C solve( !KU( ~ltk.1 ) @ #vk.47 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.23 ) - case c_kdf - solve( !KU( ~k ) @ #vk.49 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.51 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + by contradiction /* from formulas */ qed qed qed @@ -3137,8 +3067,9 @@ lemma key_secrecy: "∀ C T k sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒ - (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ - (∃ #m. Corrupted( C ) @ #m))" + ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ + (∃ #m. Corrupted( C ) @ #m)) ∨ + (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k sid #i #j. @@ -3147,12 +3078,13 @@ guarded formula characterizing all counter-examples: ∧ (∃ #m. (K( k ) @ #m)) ∧ (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧ - (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -3168,7 +3100,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, + solve( CAInitT( $T, id_c.1, kTMAC, kTENC, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip> ) ▶₁ #j ) case CA_INIT_T 
@@ -3231,28 +3163,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed -lemma chip_hiding: - all-traces - "∀ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) ⇒ - ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))" -/* -guarded formula characterizing all counter-examples: -"∃ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) - ∧ - (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))" -*/ -simplify -solve( TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> ) ▶₁ #i ) - case TA_CHALLENGE_C - solve( !KU( ~iid ) @ #vk.6 ) - case CA_INIT_C - by contradiction /* cyclic */ - qed -qed - -lemma nonRepudiation_terminal: +lemma notNonRepudiation_C: exists-trace "∃ C T #i. (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -3321,7 +3232,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i ) qed qed -lemma nonRepudiation_chip: +lemma notNonRepudiation_T: exists-trace "∃ C T #i. (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -3388,7 +3299,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i ) qed qed -lemma pfs: +lemma forward_secrecy: all-traces "∀ C T k sid #i #j. ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧ @@ -3410,7 +3321,7 @@ guarded formula characterizing all counter-examples: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -3426,7 +3337,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, + solve( CAInitT( $T, id_c.1, kTMAC, kTENC, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip> ) ▶₁ #j ) case CA_INIT_T 
@@ -3575,21 +3486,20 @@ summary of summaries: analyzed: tmp.spthy - processing time: 376.55s + processing time: 154.54s session_exist (exists-trace): verified (27 steps) two_session_exist (exists-trace): verified (51 steps) + aliveness (all-traces): verified (75 steps) weak_agreement_C (all-traces): verified (8 steps) weak_agreement_T (all-traces): verified (74 steps) agreement_C (all-traces): verified (22 steps) agreement_T (all-traces): verified (74 steps) - aliveness (all-traces): verified (75 steps) session_uniqueness (all-traces): verified (37 steps) - consistency (all-traces): verified (42 steps) + consistency (all-traces): verified (36 steps) key_secrecy (all-traces): verified (21 steps) - chip_hiding (all-traces): verified (4 steps) - nonRepudiation_terminal (exists-trace): verified (15 steps) - nonRepudiation_chip (exists-trace): verified (15 steps) - pfs (all-traces): falsified - found trace (27 steps) + notNonRepudiation_C (exists-trace): verified (15 steps) + notNonRepudiation_T (exists-trace): verified (15 steps) + forward_secrecy (all-traces): falsified - found trace (27 steps) ============================================================================== diff --git a/results/45991792.err.ALL_FastSigPQEAC_TAMARIN b/results/46092862.err.FastKemPQEAC similarity index 100% rename from results/45991792.err.ALL_FastSigPQEAC_TAMARIN rename to results/46092862.err.FastKemPQEAC diff --git a/results/45991794.out.ALL_FastKemPQEAC_TAMARIN b/results/46092862.out.FastKemPQEAC similarity index 88% rename from results/45991794.out.ALL_FastKemPQEAC_TAMARIN rename to results/46092862.out.FastKemPQEAC index 8fda036..69990f3 100644 --- a/results/45991794.out.ALL_FastKemPQEAC_TAMARIN +++ b/results/46092862.out.FastKemPQEAC 
@@ -74,25 +74,24 @@ rule (modulo E) Reveal_session: /* has exactly the trivial AC variant */ rule (modulo E) TA_INIT_T: - [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ] + [ !Cert( $T, certT, 'terminal' ) ] --[ Started( ) ]-> - [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ] + [ Out( <certT, '1', 't'> ), TAInitT( $T ) ] /* has exactly the trivial AC variant */ rule (modulo E) TA_CHALLENGE_C: [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ), - Fr( ~iid ), !Cert( $C, certC, 'chip' ) + !Cert( $C, certC, 'chip' ) ] --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]-> [ Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), senc(<certC, ~r2>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'> ), - Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2, - kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA) + TAChallengeC( $C, certT, ~id_c, ~r1, ~r2, kdf(<'TMAC', ~r1>, ~kTA), + kdf(<'TCNF', ~r1>, ~kTA) ) ] 
@@ -100,36 +99,35 @@ rule (modulo E) TA_CHALLENGE_C: rule (modulo AC) TA_CHALLENGE_C: [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ), - Fr( ~iid ), !Cert( $C, certC, 'chip' ) + !Cert( $C, certC, 'chip' ) ] --[ Eq( z.1, true ), Started( ) ]-> [ Out( <~id_c, ~r1, encaps(~kTA, z), senc(<certC, ~r2>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'> ), - Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2, - kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA) + TAChallengeC( $C, certT, ~id_c, ~r1, ~r2, kdf(<'TMAC', ~r1>, ~kTA), + kdf(<'TCNF', ~r1>, ~kTA) ) ] variants (modulo AC) - 1. certT = certT.20 - z = cert_pk(certT.20) - z.1 = verify(cert_sig(certT.20), - <cert_pk(certT.20), cert_id(certT.20), 'terminal'>, pk(ca_sk)) + 1. certT = certT.19 + z = cert_pk(certT.19) + z.1 = verify(cert_sig(certT.19), + <cert_pk(certT.19), cert_id(certT.19), 'terminal'>, pk(ca_sk)) - 2. certT = cert(z.70, sign(<z.70, x.127, 'terminal'>, ca_sk), x.127) - z = z.70 + 2. certT = cert(z.69, sign(<z.69, x.126, 'terminal'>, ca_sk), x.126) + z = z.69 z.1 = true - 3. certT = cert(z.71, x.128, x.129) - z = z.71 - z.1 = verify(x.128, <z.71, x.129, 'terminal'>, pk(ca_sk)) + 3. certT = cert(z.70, x.127, x.128) + z = z.70 + z.1 = verify(x.127, <z.70, x.128, 'terminal'>, pk(ca_sk)) */ rule (modulo E) TA_RESPONSE_T: [ - In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), TAInitT( <$T, iid> ), + In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -149,7 +147,7 @@ rule (modulo E) TA_RESPONSE_T: kdf(<'TMAC', r1>, decaps(cTA, ~skT))), '3', 't'> ), - TAResponseT( <$T, iid>, id_c, + TAResponseT( $T, id_c, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))), snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))), <~k, 
@@ -161,7 +159,7 @@ rule (modulo E) TA_RESPONSE_T: /* rule (modulo AC) TA_RESPONSE_T: [ - In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), TAInitT( <$T, iid> ), + In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ) ] --[ Eq( z.4, true ) ]-> 
@@ -170,141 +168,140 @@ rule (modulo E) TA_RESPONSE_T: mac(<'CA', certT, z.2, z.3, encaps(~k, z.1)>, kdf(<'TMAC', r1>, z)), '3', 't'> ), - TAResponseT( <$T, iid>, id_c, z.2, z.3, <~k, encaps(~k, z.1)> ) + TAResponseT( $T, id_c, z.2, z.3, <~k, encaps(~k, z.1)> ) ] variants (modulo AC) - 1. ~skT = ~skT.30 - cCA = cCA.31 - cTA = cTA.32 - r1 = r1.36 - z = decaps(cTA.32, ~skT.30) - z.1 = cert_pk(fst(sdec(cCA.31, - kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))) - z.2 = fst(sdec(cCA.31, kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30)))) - z.3 = snd(sdec(cCA.31, kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30)))) - z.4 = verify(cert_sig(fst(sdec(cCA.31, - kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))), + 1. ~skT = ~skT.28 + cCA = cCA.29 + cTA = cTA.30 + r1 = r1.33 + z = decaps(cTA.30, ~skT.28) + z.1 = cert_pk(fst(sdec(cCA.29, + kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28))))) + z.2 = fst(sdec(cCA.29, kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28)))) + z.3 = snd(sdec(cCA.29, kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28)))) + z.4 = verify(cert_sig(fst(sdec(cCA.29, + kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28))))), < - cert_pk(fst(sdec(cCA.31, - kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))), - cert_id(fst(sdec(cCA.31, - kdf(<'TENC', r1.36>, decaps(cTA.32, ~skT.30))))), + cert_pk(fst(sdec(cCA.29, + kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28))))), + cert_id(fst(sdec(cCA.29, + kdf(<'TENC', r1.33>, decaps(cTA.30, ~skT.28))))), 'chip'>, pk(ca_sk)) - 2. ~skT = ~skT.35 - cCA = cCA.36 - cTA = encaps(z.46, pk(~skT.35)) - r1 = r1.41 - z = z.46 - z.1 = cert_pk(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))) - z.2 = fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46))) - z.3 = snd(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46))) - z.4 = verify(cert_sig(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))), - <cert_pk(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))), - cert_id(fst(sdec(cCA.36, kdf(<'TENC', r1.41>, z.46)))), 'chip'>, + 2. 
~skT = ~skT.33 + cCA = cCA.34 + cTA = encaps(z.43, pk(~skT.33)) + r1 = r1.38 + z = z.43 + z.1 = cert_pk(fst(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43)))) + z.2 = fst(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43))) + z.3 = snd(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43))) + z.4 = verify(cert_sig(fst(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43)))), + <cert_pk(fst(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43)))), + cert_id(fst(sdec(cCA.34, kdf(<'TENC', r1.38>, z.43)))), 'chip'>, pk(ca_sk)) - 3. ~skT = ~skT.39 - cCA = senc(<z.53, z.54>, kdf(<'TENC', r1.45>, z.50)) - cTA = encaps(z.50, pk(~skT.39)) - r1 = r1.45 - z = z.50 - z.1 = cert_pk(z.53) - z.2 = z.53 - z.3 = z.54 - z.4 = verify(cert_sig(z.53), <cert_pk(z.53), cert_id(z.53), 'chip'>, + 3. ~skT = ~skT.37 + cCA = senc(<z.50, z.51>, kdf(<'TENC', r1.42>, z.47)) + cTA = encaps(z.47, pk(~skT.37)) + r1 = r1.42 + z = z.47 + z.1 = cert_pk(z.50) + z.2 = z.50 + z.3 = z.51 + z.4 = verify(cert_sig(z.50), <cert_pk(z.50), cert_id(z.50), 'chip'>, pk(ca_sk)) - 4. ~skT = ~skT.39 - cCA = senc(<z.53, z.54>, kdf(<'TENC', r1.45>, decaps(cTA.41, ~skT.39))) - cTA = cTA.41 - r1 = r1.45 - z = decaps(cTA.41, ~skT.39) - z.1 = cert_pk(z.53) - z.2 = z.53 - z.3 = z.54 - z.4 = verify(cert_sig(z.53), <cert_pk(z.53), cert_id(z.53), 'chip'>, + 4. ~skT = ~skT.37 + cCA = senc(<z.50, z.51>, kdf(<'TENC', r1.42>, decaps(cTA.39, ~skT.37))) + cTA = cTA.39 + r1 = r1.42 + z = decaps(cTA.39, ~skT.37) + z.1 = cert_pk(z.50) + z.2 = z.50 + z.3 = z.51 + z.4 = verify(cert_sig(z.50), <cert_pk(z.50), cert_id(z.50), 'chip'>, pk(ca_sk)) - 5. ~skT = ~skT.165 - cCA = senc(x.326, kdf(<'TENC', r1.171>, z.176)) - cTA = encaps(z.176, pk(~skT.165)) - r1 = r1.171 - z = z.176 - z.1 = cert_pk(fst(x.326)) - z.2 = fst(x.326) - z.3 = snd(x.326) - z.4 = verify(cert_sig(fst(x.326)), - <cert_pk(fst(x.326)), cert_id(fst(x.326)), 'chip'>, pk(ca_sk)) - - 6. 
~skT = ~skT.165 - cCA = senc(x.326, kdf(<'TENC', r1.171>, decaps(cTA.167, ~skT.165))) - cTA = cTA.167 - r1 = r1.171 - z = decaps(cTA.167, ~skT.165) - z.1 = cert_pk(fst(x.326)) - z.2 = fst(x.326) - z.3 = snd(x.326) - z.4 = verify(cert_sig(fst(x.326)), - <cert_pk(fst(x.326)), cert_id(fst(x.326)), 'chip'>, pk(ca_sk)) - - 7. ~skT = ~skT.166 - cCA = senc(<cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328), - z.181>, - kdf(<'TENC', r1.172>, z.177)) - cTA = encaps(z.177, pk(~skT.166)) - r1 = r1.172 - z = z.177 - z.1 = z.178 - z.2 = cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328) - z.3 = z.181 + 5. ~skT = ~skT.157 + cCA = senc(x.310, kdf(<'TENC', r1.162>, z.167)) + cTA = encaps(z.167, pk(~skT.157)) + r1 = r1.162 + z = z.167 + z.1 = cert_pk(fst(x.310)) + z.2 = fst(x.310) + z.3 = snd(x.310) + z.4 = verify(cert_sig(fst(x.310)), + <cert_pk(fst(x.310)), cert_id(fst(x.310)), 'chip'>, pk(ca_sk)) + + 6. ~skT = ~skT.157 + cCA = senc(x.310, kdf(<'TENC', r1.162>, decaps(cTA.159, ~skT.157))) + cTA = cTA.159 + r1 = r1.162 + z = decaps(cTA.159, ~skT.157) + z.1 = cert_pk(fst(x.310)) + z.2 = fst(x.310) + z.3 = snd(x.310) + z.4 = verify(cert_sig(fst(x.310)), + <cert_pk(fst(x.310)), cert_id(fst(x.310)), 'chip'>, pk(ca_sk)) + + 7. ~skT = ~skT.158 + cCA = senc(<cert(z.169, sign(<z.169, x.312, 'chip'>, ca_sk), x.312), + z.172>, + kdf(<'TENC', r1.163>, z.168)) + cTA = encaps(z.168, pk(~skT.158)) + r1 = r1.163 + z = z.168 + z.1 = z.169 + z.2 = cert(z.169, sign(<z.169, x.312, 'chip'>, ca_sk), x.312) + z.3 = z.172 z.4 = true - 8. ~skT = ~skT.166 - cCA = senc(<cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328), - z.181>, - kdf(<'TENC', r1.172>, decaps(cTA.168, ~skT.166))) - cTA = cTA.168 - r1 = r1.172 - z = decaps(cTA.168, ~skT.166) - z.1 = z.178 - z.2 = cert(z.178, sign(<z.178, x.328, 'chip'>, ca_sk), x.328) - z.3 = z.181 + 8. 
~skT = ~skT.158 + cCA = senc(<cert(z.169, sign(<z.169, x.312, 'chip'>, ca_sk), x.312), + z.172>, + kdf(<'TENC', r1.163>, decaps(cTA.160, ~skT.158))) + cTA = cTA.160 + r1 = r1.163 + z = decaps(cTA.160, ~skT.158) + z.1 = z.169 + z.2 = cert(z.169, sign(<z.169, x.312, 'chip'>, ca_sk), x.312) + z.3 = z.172 z.4 = true - 9. ~skT = ~skT.167 - cCA = senc(<cert(z.179, x.329, x.330), z.182>, - kdf(<'TENC', r1.173>, z.178)) - cTA = encaps(z.178, pk(~skT.167)) - r1 = r1.173 - z = z.178 - z.1 = z.179 - z.2 = cert(z.179, x.329, x.330) - z.3 = z.182 - z.4 = verify(x.329, <z.179, x.330, 'chip'>, pk(ca_sk)) - - 10. ~skT = ~skT.167 - cCA = senc(<cert(z.179, x.329, x.330), z.182>, - kdf(<'TENC', r1.173>, decaps(cTA.169, ~skT.167))) - cTA = cTA.169 - r1 = r1.173 - z = decaps(cTA.169, ~skT.167) - z.1 = z.179 - z.2 = cert(z.179, x.329, x.330) - z.3 = z.182 - z.4 = verify(x.329, <z.179, x.330, 'chip'>, pk(ca_sk)) + 9. ~skT = ~skT.159 + cCA = senc(<cert(z.170, x.313, x.314), z.173>, + kdf(<'TENC', r1.164>, z.169)) + cTA = encaps(z.169, pk(~skT.159)) + r1 = r1.164 + z = z.169 + z.1 = z.170 + z.2 = cert(z.170, x.313, x.314) + z.3 = z.173 + z.4 = verify(x.313, <z.170, x.314, 'chip'>, pk(ca_sk)) + + 10. ~skT = ~skT.159 + cCA = senc(<cert(z.170, x.313, x.314), z.173>, + kdf(<'TENC', r1.164>, decaps(cTA.161, ~skT.159))) + cTA = cTA.161 + r1 = r1.164 + z = decaps(cTA.161, ~skT.159) + z.1 = z.170 + z.2 = cert(z.170, x.313, x.314) + z.3 = z.173 + z.4 = verify(x.313, <z.170, x.314, 'chip'>, pk(ca_sk)) */ rule (modulo E) TA_COMPLETE_C: [ In( <kTCNF_T, cip, s, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF ), + TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ Eq( kTCNF_T, kTCNF ), Eq( s, mac(<'CA', certT, certC, r2, cip>, kTMAC) ), - CompletedTA( $C, iid, cert_id(certT) ), Completed( kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)), <certT, certC, r2, cip>, $C, 'chip', cert_id(certT) ), 
@@ -313,23 +310,18 @@ rule (modulo E) TA_COMPLETE_C: ) ]-> [ - Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'> - ), - TACompleteC( <$C, iid>, - kdf(<'KEY', certT, certC, r2, cip>, decaps(cip, ~skC)) - ) + Out( <kdf(<'CNF', certT, certC, r2, cip>, decaps(cip, ~skC)), '4', 'c'> ) ] /* rule (modulo AC) TA_COMPLETE_C: [ In( <kTCNF_T, cip, s, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF ), + TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ Eq( kTCNF_T, kTCNF ), Eq( s, mac(<'CA', certT, certC, r2, cip>, kTMAC) ), - CompletedTA( $C, iid, z.1 ), Completed( kdf(<'KEY', certT, certC, r2, cip>, z), <certT, certC, r2, cip>, $C, 'chip', z.1 ), 
@@ -337,40 +329,36 @@ rule (modulo E) TA_COMPLETE_C: <certT, certC, r2, cip>, $C, 'chip', z.1 ) ]-> - [ - Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ), - TACompleteC( <$C, iid>, kdf(<'KEY', certT, certC, r2, cip>, z) ) - ] + [ Out( <kdf(<'CNF', certT, certC, r2, cip>, z), '4', 'c'> ) ] variants (modulo AC) - 1. ~skC = ~skC.28 - certT = certT.30 - cip = cip.31 - z = decaps(cip.31, ~skC.28) - z.1 = cert_id(certT.30) - - 2. ~skC = ~skC.41 - certT = certT.43 - cip = encaps(z.57, pk(~skC.41)) - z = z.57 - z.1 = cert_id(certT.43) - - 3. ~skC = ~skC.180 - certT = cert(x.356, x.357, z.201) - cip = cip.183 - z = decaps(cip.183, ~skC.180) - z.1 = z.201 - - 4. ~skC = ~skC.182 - certT = cert(x.360, x.361, z.203) - cip = encaps(z.198, pk(~skC.182)) - z = z.198 - z.1 = z.203 + 1. ~skC = ~skC.27 + certT = certT.29 + cip = cip.30 + z = decaps(cip.30, ~skC.27) + z.1 = cert_id(certT.29) + + 2. ~skC = ~skC.39 + certT = certT.41 + cip = encaps(z.54, pk(~skC.39)) + z = z.54 + z.1 = cert_id(certT.41) + + 3. ~skC = ~skC.172 + certT = cert(x.340, x.341, z.192) + cip = cip.175 + z = decaps(cip.175, ~skC.172) + z.1 = z.192 + + 4. ~skC = ~skC.174 + certT = cert(x.344, x.345, z.194) + cip = encaps(z.189, pk(~skC.174)) + z = z.189 + z.1 = z.194 */ rule (modulo E) CA_FINISH_T: [ - In( <kCNF_C, '4', 'c'> ), - TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ), + In( <kCNF_C, '4', 'c'> ), TAResponseT( $T, id_c, certC, r2, <k, cip> ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -381,7 +369,6 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip> ) ]-> [ - CAFinishT( cert_id(certC), $T, kdf(<'KEY', certT, certC, r2, cip>, k) ), !SessionReveal( <certT, certC, r2, cip>, kdf(<'KEY', certT, certC, r2, cip>, k) ) 
@@ -390,8 +377,7 @@ rule (modulo E) CA_FINISH_T: /* rule (modulo AC) CA_FINISH_T: [ - In( <kCNF_C, '4', 'c'> ), - TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ), + In( <kCNF_C, '4', 'c'> ), TAResponseT( $T, id_c, certC, r2, <k, cip> ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -402,17 +388,16 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip> ) ]-> [ - CAFinishT( z, $T, kdf(<'KEY', certT, certC, r2, cip>, k) ), !SessionReveal( <certT, certC, r2, cip>, kdf(<'KEY', certT, certC, r2, cip>, k) ) ] variants (modulo AC) - 1. certC = certC.15 - z = cert_id(certC.15) + 1. certC = certC.16 + z = cert_id(certC.16) - 2. certC = cert(x.41, x.42, z.28) - z = z.28 + 2. certC = cert(x.26, x.27, z.21) + z = z.21 */ rule (modulo E) Verify_Transcript_C: @@ -1478,8 +1463,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -1494,7 +1478,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip> ) ▶₁ #j ) case TA_RESPONSE_T @@ -1583,8 +1567,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair 
@@ -1599,7 +1582,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip> ) ▶₁ #j ) case TA_RESPONSE_T @@ -1609,8 +1592,8 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_Sign_ltk solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1, r2.1, - kTMAC, kTCNF + solve( TAChallengeC( $C, cert(x, x.1, $T), id_c.1, r1.1, r2.1, kTMAC, + kTCNF ) ▶₁ #i2 ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 ) @@ -1628,7 +1611,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) $T, 'terminal', $C ) @ #j2 ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.3>, id_c.3, + solve( TAResponseT( $T, id_c.3, cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, <z, cip> ) ▶₁ #j2 ) 
@@ -1848,103 +1831,40 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed -lemma weak_agreement_C: - all-traces - "∀ k sid C T #i #t. - ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨ - (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ - (∃ #k.1. Corrupted( T ) @ #k.1))" -/* -guarded formula characterizing all counter-examples: -"∃ k sid C T #i #t. - (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) - ∧ - (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" -*/ -simplify -solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) - case TA_RESPONSE_T - solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) - case CA_Sign_ltk - solve( Completed( k.1, - <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, - C, 'chip', T.1 - ) @ #i ) - case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, - cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, - r2, kTMAC, kTCNF - ) ▶₁ #i ) - case TA_CHALLENGE_C - solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) - case Generate_chip_key_pair - solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' - ) ▶₃ #i ) - case CA_Sign_ltk - by contradiction /* from formulas */ - qed - qed - qed - next - case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, - cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, - r2, kTMAC, kTCNF - ) ▶₁ #i ) - case TA_CHALLENGE_C - solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) - case Generate_chip_key_pair - solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' - ) ▶₃ #i ) - case CA_Sign_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed -qed - -lemma weak_agreement_T: +lemma aliveness: all-traces - "∀ k sid C T #i #t. 
- ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨ - (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ - (∃ #k.1. Corrupted( T ) @ #k.1))" + "∀ k sid A role B #i #t. + ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ + (∃ #k.1. Corrupted( B ) @ #k.1))" /* guarded formula characterizing all counter-examples: -"∃ k sid C T #i #t. - (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) +"∃ k sid A role B #i #t. + (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" + (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" */ simplify -solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk solve( Completed( k.1, <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, - T.1, 'terminal', C + A, role, B ) @ #i ) case CA_FINISH_T - solve( TAResponseT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)> + solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B), + r2, <k.1, encaps(~k, z)> ) ▶₁ #i ) case TA_RESPONSE_T solve( splitEqs(1) ) case split_case_1 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>, + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, ~k) ) @ #vk.1 ) case TA_COMPLETE_C 
@@ -1953,11 +1873,11 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case c_kdf solve( !KU( ~k ) @ #vk.16 ) case TA_RESPONSE_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>, kdf(<'TENC', r1>, decaps(cTA, ~skT))) ) @ #vk.14 ) case c_senc - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.22 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.26 ) @@ -1972,7 +1892,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.29 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.29 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.27 ) case Corrupt_ltk @@ -1996,7 +1916,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case split_case_2 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>, + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, ~k) ) @ #vk.1 ) case TA_COMPLETE_C @@ -2005,7 +1925,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case c_kdf solve( !KU( ~k ) @ #vk.16 ) case TA_RESPONSE_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>, kdf(<'TENC', r1>, z)) ) @ #vk.14 ) case TA_CHALLENGE_C @@ -2020,7 +1940,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case c_senc solve( !KU( encaps(z, pk(~skT)) ) @ #vk.15 ) case TA_CHALLENGE_C - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.23 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.26 ) 
@@ -2035,7 +1955,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.34 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.34 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.27 ) case Corrupt_ltk @@ -2056,7 +1976,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case TA_RESPONSE_T solve( splitEqs(6) ) case split_case_1 - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.25 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.29 ) @@ -2071,7 +1991,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.31 ) case Corrupt_ltk @@ -2090,7 +2010,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case split_case_2 - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.25 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.29 ) @@ -2105,7 +2025,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.31 ) case Corrupt_ltk @@ -2125,7 +2045,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_encaps - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.23 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.26 ) 
@@ -2140,7 +2060,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.31 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.31 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.27 ) case Corrupt_ltk @@ -2163,15 +2083,21 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed qed qed + next + case TA_COMPLETE_C_case_1 + by contradiction /* from formulas */ + next + case TA_COMPLETE_C_case_2 + by contradiction /* from formulas */ qed qed qed -lemma agreement_C: +lemma weak_agreement_C: all-traces "∀ k sid C T #i #t. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨ + (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨ (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ (∃ #k.1. Corrupted( T ) @ #k.1))" /* @@ -2179,12 +2105,12 @@ guarded formula characterizing all counter-examples: "∃ k sid C T #i #t. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ + (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -2194,7 +2120,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) C, 'chip', T.1 ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, + solve( TAChallengeC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) 
@@ -2204,65 +2130,13 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( splitEqs(1) ) - case split_case_1 - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* from formulas */ - next - case split_case_2 - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.1 ) - case c_kdf - solve( !KU( ~k ) @ #vk.31 ) - case TA_RESPONSE_T - solve( !KU( ~r2 ) @ #vk.35 ) - case TA_CHALLENGE_C - solve( !KU( ~ltk ) @ #vk.36 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed - next - case split_case_2 - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* from formulas */ - next - case split_case_2 - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.1 ) - case c_kdf - solve( !KU( ~k ) @ #vk.31 ) - case TA_RESPONSE_T - solve( !KU( ~r2 ) @ #vk.35 ) - case TA_CHALLENGE_C - solve( !KU( ~ltk ) @ #vk.36 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, + solve( TAChallengeC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) 
@@ -2272,59 +2146,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( splitEqs(1) ) - case split_case_1 - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* from formulas */ - next - case split_case_2 - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.1 ) - case c_kdf - solve( !KU( ~k ) @ #vk.31 ) - case TA_RESPONSE_T - solve( !KU( ~r2 ) @ #vk.35 ) - case TA_CHALLENGE_C - solve( !KU( ~ltk ) @ #vk.36 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed - next - case split_case_2 - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* from formulas */ - next - case split_case_2 - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.1 ) - case c_kdf - solve( !KU( ~k ) @ #vk.31 ) - case TA_RESPONSE_T - solve( !KU( ~r2 ) @ #vk.35 ) - case TA_CHALLENGE_C - solve( !KU( ~ltk ) @ #vk.36 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed @@ -2332,11 +2154,11 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed qed -lemma agreement_T: +lemma weak_agreement_T: all-traces "∀ k sid C T #i #t. ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨ + (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨ (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ (∃ #k.1. Corrupted( T ) @ #k.1))" /* 
@@ -2344,12 +2166,12 @@ guarded formula characterizing all counter-examples: "∃ k sid C T #i #t. (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ + (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -2359,8 +2181,8 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( TAResponseT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)> + solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), + r2, <k.1, encaps(~k, z)> ) ▶₁ #i ) case TA_RESPONSE_T solve( splitEqs(1) ) 
@@ -2590,40 +2412,207 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed qed -lemma aliveness: +lemma agreement_C: all-traces - "∀ k sid A role B #i #t. - ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ - (∃ #k.1. Corrupted( B ) @ #k.1))" + "∀ k sid C T #i #t. + ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨ + (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ + (∃ #k.1. Corrupted( T ) @ #k.1))" /* guarded formula characterizing all counter-examples: -"∃ k sid A role B #i #t. - (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) - ∧ - (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" +"∃ k sid C T #i #t. + (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) + ∧ + (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ + (∀ #k.1. 
(Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) +solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk solve( Completed( k.1, <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, - A, role, B + C, 'chip', T.1 + ) @ #i ) + case TA_COMPLETE_C_case_1 + solve( TAChallengeC( $C, + cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, + r2, kTMAC, kTCNF + ) ▶₁ #i ) + case TA_CHALLENGE_C + solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) + case Generate_chip_key_pair + solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' + ) ▶₃ #i ) + case CA_Sign_ltk + solve( splitEqs(1) ) + case split_case_1 + solve( splitEqs(2) ) + case split_case_1 + by contradiction /* from formulas */ + next + case split_case_2 + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk))>, + ~k) + ) @ #vk.1 ) + case c_kdf + solve( !KU( ~k ) @ #vk.31 ) + case TA_RESPONSE_T + solve( !KU( ~r2 ) @ #vk.35 ) + case TA_CHALLENGE_C + solve( !KU( ~ltk ) @ #vk.36 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + qed + qed + qed + next + case split_case_2 + solve( splitEqs(2) ) + case split_case_1 + by contradiction /* from formulas */ + next + case split_case_2 + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk))>, + ~k) + ) @ #vk.1 ) + case c_kdf + solve( !KU( ~k ) @ #vk.31 ) + case TA_RESPONSE_T + solve( !KU( ~r2 ) @ #vk.35 ) + case TA_CHALLENGE_C + solve( !KU( ~ltk ) @ #vk.36 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + qed + qed + qed + qed + qed + qed + qed + next + 
case TA_COMPLETE_C_case_2 + solve( TAChallengeC( $C, + cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, + r2, kTMAC, kTCNF + ) ▶₁ #i ) + case TA_CHALLENGE_C + solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) + case Generate_chip_key_pair + solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' + ) ▶₃ #i ) + case CA_Sign_ltk + solve( splitEqs(1) ) + case split_case_1 + solve( splitEqs(2) ) + case split_case_1 + by contradiction /* from formulas */ + next + case split_case_2 + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk))>, + ~k) + ) @ #vk.1 ) + case c_kdf + solve( !KU( ~k ) @ #vk.31 ) + case TA_RESPONSE_T + solve( !KU( ~r2 ) @ #vk.35 ) + case TA_CHALLENGE_C + solve( !KU( ~ltk ) @ #vk.36 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + qed + qed + qed + next + case split_case_2 + solve( splitEqs(2) ) + case split_case_1 + by contradiction /* from formulas */ + next + case split_case_2 + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk))>, + ~k) + ) @ #vk.1 ) + case c_kdf + solve( !KU( ~k ) @ #vk.31 ) + case TA_RESPONSE_T + solve( !KU( ~r2 ) @ #vk.35 ) + case TA_CHALLENGE_C + solve( !KU( ~ltk ) @ #vk.36 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + qed + qed + qed + qed + qed + qed + qed + qed + qed +qed + +lemma agreement_T: + all-traces + "∀ k sid C T #i #t. + ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨ + (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ + (∃ #k.1. Corrupted( T ) @ #k.1))" +/* +guarded formula characterizing all counter-examples: +"∃ k sid C T #i #t. + (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) + ∧ + (∀ #j. 
(Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" +*/ +simplify +solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #t ) + case TA_RESPONSE_T + solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) + case CA_Sign_ltk + solve( Completed( k.1, + <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z)>, + T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( TAResponseT( <$T.1, iid>, id_c, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)> + solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), + r2, <k.1, encaps(~k, z)> ) ▶₁ #i ) case TA_RESPONSE_T solve( splitEqs(1) ) case split_case_1 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, + cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>, ~k) ) @ #vk.1 ) case TA_COMPLETE_C @@ -2632,11 +2621,11 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case c_kdf solve( !KU( ~k ) @ #vk.16 ) case TA_RESPONSE_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>, kdf(<'TENC', r1>, decaps(cTA, ~skT))) ) @ #vk.14 ) case c_senc - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.22 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.26 ) @@ -2651,7 +2640,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.29 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.29 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.27 ) case Corrupt_ltk 
@@ -2675,7 +2664,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case split_case_2 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z)>, + cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z)>, ~k) ) @ #vk.1 ) case TA_COMPLETE_C @@ -2684,7 +2673,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case c_kdf solve( !KU( ~k ) @ #vk.16 ) case TA_RESPONSE_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2>, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2>, kdf(<'TENC', r1>, z)) ) @ #vk.14 ) case TA_CHALLENGE_C @@ -2699,7 +2688,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case c_senc solve( !KU( encaps(z, pk(~skT)) ) @ #vk.15 ) case TA_CHALLENGE_C - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.23 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.26 ) @@ -2714,7 +2703,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.34 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.34 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.27 ) case Corrupt_ltk @@ -2735,7 +2724,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) case TA_RESPONSE_T solve( splitEqs(6) ) case split_case_1 - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.25 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.29 ) @@ -2750,7 +2739,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.31 ) case Corrupt_ltk 
@@ -2769,7 +2758,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case split_case_2 - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.25 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.29 ) @@ -2784,7 +2773,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.37 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.31 ) case Corrupt_ltk @@ -2804,7 +2793,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_encaps - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.23 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.26 ) @@ -2819,7 +2808,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.31 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.31 ) case CA_Sign_ltk solve( !KU( ~ltk.1 ) @ #vk.27 ) case Corrupt_ltk @@ -2842,12 +2831,6 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #t ) qed qed qed - next - case TA_COMPLETE_C_case_1 - by contradiction /* from formulas */ - next - case TA_COMPLETE_C_case_2 - by contradiction /* from formulas */ qed qed qed @@ -2873,7 +2856,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_1 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i ) + solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk 
@@ -2884,8 +2867,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)> + solve( TAResponseT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), + r2, <~k, encaps(~k, z)> ) ▶₁ #j ) case TA_RESPONSE_T by contradiction /* cyclic */ @@ -2895,8 +2878,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -2909,18 +2891,16 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC, - kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC, - kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ @@ -2931,8 +2911,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair 
@@ -2945,18 +2924,16 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC, - kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC, - kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ @@ -2970,7 +2947,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i ) + solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -2981,8 +2958,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)> + solve( TAResponseT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), + r2, <~k, encaps(~k, z)> ) ▶₁ #j ) case TA_RESPONSE_T by contradiction /* cyclic */ @@ -2992,8 +2969,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair 
@@ -3006,18 +2982,16 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC, - kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC, - kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ @@ -3028,8 +3002,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3042,18 +3015,16 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC, - kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, kTMAC, - kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ 
@@ -3068,7 +3039,7 @@ next case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip> ) ▶₁ #i ) + solve( TAResponseT( $T, id_c, certC, r2, <k, cip> ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -3085,8 +3056,7 @@ next qed next case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3109,8 +3079,7 @@ next qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3139,20 +3108,21 @@ lemma consistency: "∀ C T k k2 sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒ - ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))" + (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k k2 sid #i #j. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j) ∧ - (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (¬(k = k2)) ∧ + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair 
@@ -3164,7 +3134,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip> ) ▶₁ #j ) case TA_RESPONSE_T @@ -3211,21 +3181,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_CHALLENGE_C solve( !KU( ~ltk.1 ) @ #vk.41 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.21 ) - case c_kdf - solve( !KU( ~k ) @ #vk.43 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.45 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + by contradiction /* from formulas */ qed qed qed @@ -3285,21 +3241,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_CHALLENGE_C solve( !KU( ~ltk.1 ) @ #vk.41 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.21 ) - case c_kdf - solve( !KU( ~k ) @ #vk.43 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.45 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + by contradiction /* from formulas */ qed qed qed @@ -3315,8 +3257,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair 
@@ -3328,7 +3269,7 @@ next T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip> ) ▶₁ #j ) case TA_RESPONSE_T @@ -3375,21 +3316,7 @@ next case TA_CHALLENGE_C solve( !KU( ~ltk.1 ) @ #vk.41 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.21 ) - case c_kdf - solve( !KU( ~k ) @ #vk.43 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.45 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + by contradiction /* from formulas */ qed qed qed @@ -3449,21 +3376,7 @@ next case TA_CHALLENGE_C solve( !KU( ~ltk.1 ) @ #vk.41 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk))>, - ~k) - ) @ #vk.21 ) - case c_kdf - solve( !KU( ~k ) @ #vk.43 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.45 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + by contradiction /* from formulas */ qed qed qed @@ -3484,8 +3397,9 @@ lemma key_secrecy: "∀ C T k sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒ - (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ - (∃ #m. Corrupted( C ) @ #m))" + ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ + (∃ #m. Corrupted( C ) @ #m)) ∨ + (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k sid #i #j. 
@@ -3494,13 +3408,13 @@ guarded formula characterizing all counter-examples: ∧ (∃ #m. (K( k ) @ #m)) ∧ (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧ - (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3515,7 +3429,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip> ) ▶₁ #j ) case TA_RESPONSE_T @@ -3578,8 +3492,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3594,7 +3507,7 @@ next T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip> ) ▶₁ #j ) case TA_RESPONSE_T 
@@ -3657,83 +3570,7 @@ next qed qed -lemma chip_hiding: - all-traces - "∀ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) ⇒ - ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))" -/* -guarded formula characterizing all counter-examples: -"∃ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) - ∧ - (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))" -*/ -simplify -solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) - case TA_CHALLENGE_C - solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) - case Generate_chip_key_pair - solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) - case CA_Sign_ltk - solve( !KU( ~iid ) @ #vk.11 ) - case TA_CHALLENGE_C - solve( splitEqs(0) ) - case split_case_1 - solve( !KU( mac(<'CA', cert(z, sign(<z, T, 'terminal'>, ca_sk), T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip>, - kdf(<'TMAC', ~r1>, ~kTA)) - ) @ #vk.6 ) - case TA_RESPONSE_T - solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.14 ) - case c_kdf - solve( !KU( ~kTA ) @ #vk.27 ) - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.29 ) - case Corrupt_ltk - solve( !KU( encaps(~kTA, pk(~skT)) ) @ #vk.23 ) - case TA_CHALLENGE_C - solve( !KU( senc(< - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2>, - kdf(<'TENC', ~r1>, ~kTA)) - ) @ #vk.25 ) - case TA_CHALLENGE_C - solve( !KU( ~r1 ) @ #vk.23 ) - case TA_CHALLENGE_C - solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T) - ) @ #vk.21 ) - case CA_Sign_ltk - solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 ) - case TA_RESPONSE_T - solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.35 ) - case TA_CHALLENGE_C - solve( !KU( senc(<cert(z, sign(<z, x, 'chip'>, ca_sk), x), z.1>, - kdf(<'TENC', ~r1>, ~kTA)) - ) @ #vk.35 ) - case TA_CHALLENGE_C - solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.20 ) - case TA_RESPONSE_T - SOLVED // trace found - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed -qed - -lemma nonRepudiation_terminal: +lemma 
notNonRepudiation_C: exists-trace "∃ C T #i. (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -3802,7 +3639,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i ) qed qed -lemma nonRepudiation_chip: +lemma notNonRepudiation_T: exists-trace "∃ C T #i. (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -3869,7 +3706,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i ) qed qed -lemma pfs: +lemma forward_secrecy: all-traces "∀ C T k sid #i #j. ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧ @@ -3891,8 +3728,7 @@ guarded formula characterizing all counter-examples: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, kTMAC, kTCNF - ) ▶₁ #i ) + solve( TAChallengeC( $C, certT, id_c, r1, r2, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -3907,7 +3743,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip> ) ▶₁ #j ) case TA_RESPONSE_T 
@@ -4060,21 +3896,20 @@ summary of summaries: analyzed: tmp.spthy - processing time: 1594.74s + processing time: 760.62s session_exist (exists-trace): verified (20 steps) two_session_exist (exists-trace): verified (46 steps) + aliveness (all-traces): verified (76 steps) weak_agreement_C (all-traces): verified (12 steps) weak_agreement_T (all-traces): verified (74 steps) agreement_C (all-traces): verified (40 steps) agreement_T (all-traces): verified (74 steps) - aliveness (all-traces): verified (76 steps) session_uniqueness (all-traces): verified (64 steps) - consistency (all-traces): verified (82 steps) + consistency (all-traces): verified (70 steps) key_secrecy (all-traces): verified (40 steps) - chip_hiding (all-traces): falsified - found trace (19 steps) - nonRepudiation_terminal (exists-trace): verified (15 steps) - nonRepudiation_chip (exists-trace): verified (15 steps) - pfs (all-traces): falsified - found trace (28 steps) + notNonRepudiation_C (exists-trace): verified (15 steps) + notNonRepudiation_T (exists-trace): verified (15 steps) + forward_secrecy (all-traces): falsified - found trace (28 steps) ============================================================================== diff --git a/results/45991168.err.PFS_ALL_SigPQEAC_TAMARIN b/results/46092873.err.ForwardSecrecy_SigPQEAC similarity index 100% rename from results/45991168.err.PFS_ALL_SigPQEAC_TAMARIN rename to results/46092873.err.ForwardSecrecy_SigPQEAC diff --git a/results/45991168.out.PFS_ALL_SigPQEAC_TAMARIN b/results/46092873.out.ForwardSecrecy_SigPQEAC similarity index 90% rename from results/45991168.out.PFS_ALL_SigPQEAC_TAMARIN rename to results/46092873.out.ForwardSecrecy_SigPQEAC index 244e433..e8667e9 100644 --- a/results/45991168.out.PFS_ALL_SigPQEAC_TAMARIN +++ b/results/46092873.out.ForwardSecrecy_SigPQEAC 
@@ -71,98 +71,83 @@ rule (modulo E) Reveal_session: /* has exactly the trivial AC variant */ rule (modulo E) TA_INIT_T: - [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ] + [ !Cert( $T, certT, 'terminal' ) ] --[ Started( ) ]-> - [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ] + [ Out( <certT, '1', 't'> ), TAInitT( $T ) ] /* has exactly the trivial AC variant */ rule (modulo E) TA_CHALLENGE_C: - [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ] + [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ] --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]-> - [ - Out( <~id_c, ~r1, '2', 'c'> ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 ) - ] + [ Out( <~id_c, ~r1, '2', 'c'> ), TAChallengeC( $C, certT, ~id_c, ~r1 ) ] /* rule (modulo AC) TA_CHALLENGE_C: - [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ] + [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ] --[ Eq( z, true ), Started( ) ]-> - [ - Out( <~id_c, ~r1, '2', 'c'> ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1 ) - ] + [ Out( <~id_c, ~r1, '2', 'c'> ), TAChallengeC( $C, certT, ~id_c, ~r1 ) ] variants (modulo AC) - 1. certT = certT.12 - z = verify(cert_sig(certT.12), - <cert_pk(certT.12), cert_id(certT.12), 'terminal'>, pk(ca_sk)) + 1. certT = certT.11 + z = verify(cert_sig(certT.11), + <cert_pk(certT.11), cert_id(certT.11), 'terminal'>, pk(ca_sk)) - 2. certT = cert(x.13, sign(<x.13, x.14, 'terminal'>, ca_sk), x.14) + 2. certT = cert(x.12, sign(<x.12, x.13, 'terminal'>, ca_sk), x.13) z = true - 3. certT = cert(x.14, x.15, x.16) - z = verify(x.15, <x.14, x.16, 'terminal'>, pk(ca_sk)) + 3. 
certT = cert(x.13, x.14, x.15) + z = verify(x.14, <x.13, x.15, 'terminal'>, pk(ca_sk)) */ rule (modulo E) TA_RESPONSE_T: - [ - In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid> ), - !Ltk( $T, ~skT, 'terminal' ) + [ In( <id_c, r1, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ) ] --> [ - Out( <sign(<'TA', id_c, r1>, ~skT), '3', 't'> ), - TAResponseT( <$T, iid>, id_c ) + Out( <sign(<'TA', id_c, r1>, ~skT), '3', 't'> ), TAResponseT( $T, id_c ) ] /* has exactly the trivial AC variant */ rule (modulo E) TA_COMPLETE_C: - [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ] - --[ - Eq( verify(s, <'TA', id_c, r1>, cert_pk(certT)), true ), - CompletedTA( $C, iid, cert_id(certT) ) - ]-> - [ TACompleteC( <$C, iid>, certT, id_c, r1 ) ] + [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, id_c, r1 ) ] + --[ Eq( verify(s, <'TA', id_c, r1>, cert_pk(certT)), true ) ]-> + [ TACompleteC( $C, certT, id_c, r1 ) ] /* rule (modulo AC) TA_COMPLETE_C: - [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, id_c, r1 ) ] - --[ Eq( z, true ), CompletedTA( $C, iid, z.1 ) ]-> - [ TACompleteC( <$C, iid>, certT, id_c, r1 ) ] + [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, id_c, r1 ) ] + --[ Eq( z, true ) ]-> + [ TACompleteC( $C, certT, id_c, r1 ) ] variants (modulo AC) - 1. certT = certT.16 - id_c = id_c.17 + 1. certT = certT.13 + id_c = id_c.14 + r1 = r1.15 + s = s.16 + z = verify(s.16, <'TA', id_c.14, r1.15>, cert_pk(certT.13)) + + 2. certT = cert(x.30, x.31, x.32) + id_c = id_c.18 r1 = r1.19 s = s.20 - z = verify(s.20, <'TA', id_c.17, r1.19>, cert_pk(certT.16)) - z.1 = cert_id(certT.16) - - 2. certT = cert(x.37, x.38, z.28) - id_c = id_c.21 - r1 = r1.23 - s = s.24 - z = verify(s.24, <'TA', id_c.21, r1.23>, x.37) - z.1 = z.28 - - 3. certT = cert(pk(x.37), x.38, z.28) - id_c = id_c.21 - r1 = r1.23 - s = sign(<'TA', id_c.21, r1.23>, x.37) + z = verify(s.20, <'TA', id_c.18, r1.19>, x.30) + + 3. 
certT = cert(pk(x.30), x.31, x.32) + id_c = id_c.18 + r1 = r1.19 + s = sign(<'TA', id_c.18, r1.19>, x.30) z = true - z.1 = z.28 */ rule (modulo E) CA_INIT_C: [ - Fr( ~r2 ), Fr( ~skCe ), TACompleteC( <$C, iid>, certT, id_c, r1 ), + Fr( ~r2 ), Fr( ~skCe ), TACompleteC( $C, certT, id_c, r1 ), !Cert( $C, certC, 'chip' ) ] --> [ - Out( <certC, ~r2, pk(~skCe), '4', 'c'> ), Out( iid ), - CAInitC( <$C, iid>, certT, id_c, r1, ~r2, ~skCe ) + Out( <certC, ~r2, pk(~skCe), '4', 'c'> ), + CAInitC( $C, certT, id_c, r1, ~r2, ~skCe ) ] /* has exactly the trivial AC variant */ @@ -170,7 +155,7 @@ rule (modulo E) CA_INIT_C: rule (modulo E) CA_INIT_T: [ In( <certC, r2, pkCe, '4', 'c'> ), Fr( ~k ), Fr( ~ke ), - TAResponseT( <$T, iid>, id_c ), !Ltk( $T, ~skT, 'terminal' ), + TAResponseT( $T, id_c ), !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ) ] --[ Eq( verify_cert(certC, 'chip'), true ) ]-> @@ -181,7 +166,7 @@ rule (modulo E) CA_INIT_T: ~skT), encaps(~ke, pkCe), '5', 't'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))>, + CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))>, <~ke, encaps(~ke, pkCe)>, pkCe ) ] @@ -190,7 +175,7 @@ rule (modulo E) CA_INIT_T: rule (modulo AC) CA_INIT_T: [ In( <certC, r2, pkCe, '4', 'c'> ), Fr( ~k ), Fr( ~ke ), - TAResponseT( <$T, iid>, id_c ), !Ltk( $T, ~skT, 'terminal' ), + TAResponseT( $T, id_c ), !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ) ] --[ Eq( z.1, true ) ]-> 
@@ -200,29 +185,28 @@ rule (modulo E) CA_INIT_T: ~skT), encaps(~ke, pkCe), '5', 't'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)>, + CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe ) ] variants (modulo AC) - 1. certC = certC.20 - z = cert_pk(certC.20) - z.1 = verify(cert_sig(certC.20), - <cert_pk(certC.20), cert_id(certC.20), 'chip'>, pk(ca_sk)) + 1. certC = certC.19 + z = cert_pk(certC.19) + z.1 = verify(cert_sig(certC.19), + <cert_pk(certC.19), cert_id(certC.19), 'chip'>, pk(ca_sk)) - 2. certC = cert(z.46, sign(<z.46, x.77, 'chip'>, ca_sk), x.77) - z = z.46 + 2. certC = cert(z.45, sign(<z.45, x.76, 'chip'>, ca_sk), x.76) + z = z.45 z.1 = true - 3. certC = cert(z.47, x.78, x.79) - z = z.47 - z.1 = verify(x.78, <z.47, x.79, 'chip'>, pk(ca_sk)) + 3. certC = cert(z.46, x.77, x.78) + z = z.46 + z.1 = verify(x.77, <z.46, x.78, 'chip'>, pk(ca_sk)) */ rule (modulo E) CA_FINISH_C: [ - In( <cip, s, cipe, '5', 't'> ), - CAInitC( <$C, iid>, certT, id_c, r1, r2, skCe ), + In( <cip, s, cipe, '5', 't'> ), CAInitC( $C, certT, id_c, r1, r2, skCe ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ 
@@ -240,227 +224,219 @@ rule (modulo E) CA_FINISH_C: kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <decaps(cip, ~skC), decaps(cipe, skCe)>), '6', 'c'> - ), - CAFinishC( $C, cert_id(certT), - kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, - <decaps(cip, ~skC), decaps(cipe, skCe)>) ) ] /* rule (modulo AC) CA_FINISH_C: [ - In( <cip, s, cipe, '5', 't'> ), - CAInitC( <$C, iid>, certT, id_c, r1, r2, skCe ), + In( <cip, s, cipe, '5', 't'> ), CAInitC( $C, certT, id_c, r1, r2, skCe ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ - Eq( z.3, true ), + Eq( z.2, true ), Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), - <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.2 + <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.3 ) ]-> [ Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), '6', 'c'> - ), - CAFinishC( $C, z.2, - kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>) ) ] variants (modulo AC) - 1. ~skC = ~skC.35 - certC = certC.36 - certT = certT.37 - cip = cip.38 - cipe = cipe.39 - r2 = r2.43 - s = s.44 - skCe = skCe.45 - z = decaps(cip.38, ~skC.35) - z.1 = decaps(cipe.39, skCe.45) - z.2 = cert_id(certT.37) - z.3 = verify(s.44, - <'CA', certT.37, certC.36, r2.43, cip.38, pk(skCe.45), cipe.39>, - cert_pk(certT.37)) - - 2. ~skC = ~skC.40 - certC = certC.41 - certT = certT.42 - cip = encaps(z.55, pk(~skC.40)) - cipe = cipe.44 - r2 = r2.48 - s = s.49 - skCe = skCe.50 - z = z.55 - z.1 = decaps(cipe.44, skCe.50) - z.2 = cert_id(certT.42) - z.3 = verify(s.49, - <'CA', certT.42, certC.41, r2.48, encaps(z.55, pk(~skC.40)), - pk(skCe.50), cipe.44>, - cert_pk(certT.42)) - - 3. 
~skC = ~skC.41 - certC = certC.42 - certT = certT.43 - cip = cip.44 - cipe = encaps(z.57, pk(skCe.51)) - r2 = r2.49 - s = s.50 - skCe = skCe.51 - z = decaps(cip.44, ~skC.41) - z.1 = z.57 - z.2 = cert_id(certT.43) - z.3 = verify(s.50, - <'CA', certT.43, certC.42, r2.49, cip.44, pk(skCe.51), - encaps(z.57, pk(skCe.51))>, - cert_pk(certT.43)) - - 4. ~skC = ~skC.41 - certC = certC.42 - certT = certT.43 - cip = encaps(z.56, pk(~skC.41)) - cipe = encaps(z.57, pk(skCe.51)) - r2 = r2.49 - s = s.50 - skCe = skCe.51 - z = z.56 - z.1 = z.57 - z.2 = cert_id(certT.43) - z.3 = verify(s.50, - <'CA', certT.43, certC.42, r2.49, encaps(z.56, pk(~skC.41)), - pk(skCe.51), encaps(z.57, pk(skCe.51))>, - cert_pk(certT.43)) - - 5. ~skC = ~skC.158 - certC = certC.159 - certT = cert(x.312, x.313, z.177) - cip = cip.161 - cipe = cipe.162 - r2 = r2.166 - s = s.167 - skCe = skCe.168 - z = decaps(cip.161, ~skC.158) - z.1 = decaps(cipe.162, skCe.168) - z.2 = z.177 - z.3 = verify(s.167, - <'CA', cert(x.312, x.313, z.177), certC.159, r2.166, cip.161, - pk(skCe.168), cipe.162>, - x.312) - - 6. ~skC = ~skC.158 - certC = certC.159 - certT = cert(x.312, x.313, z.177) - cip = cip.161 - cipe = encaps(z.174, pk(skCe.168)) - r2 = r2.166 - s = s.167 - skCe = skCe.168 - z = decaps(cip.161, ~skC.158) - z.1 = z.174 - z.2 = z.177 - z.3 = verify(s.167, - <'CA', cert(x.312, x.313, z.177), certC.159, r2.166, cip.161, - pk(skCe.168), encaps(z.174, pk(skCe.168))>, - x.312) - - 7. ~skC = ~skC.159 - certC = certC.160 - certT = cert(pk(x.314), x.315, z.178) - cip = cip.162 - cipe = cipe.163 - r2 = r2.167 - s = sign(<'CA', cert(pk(x.314), x.315, z.178), certC.160, r2.167, - cip.162, pk(skCe.169), cipe.163>, - x.314) - skCe = skCe.169 - z = decaps(cip.162, ~skC.159) - z.1 = decaps(cipe.163, skCe.169) - z.2 = z.178 - z.3 = true - - 8. 
~skC = ~skC.159 - certC = certC.160 - certT = cert(pk(x.314), x.315, z.178) - cip = cip.162 - cipe = encaps(z.175, pk(skCe.169)) - r2 = r2.167 - s = sign(<'CA', cert(pk(x.314), x.315, z.178), certC.160, r2.167, - cip.162, pk(skCe.169), encaps(z.175, pk(skCe.169))>, - x.314) - skCe = skCe.169 - z = decaps(cip.162, ~skC.159) - z.1 = z.175 - z.2 = z.178 - z.3 = true - - 9. ~skC = ~skC.160 - certC = certC.161 - certT = cert(x.316, x.317, z.179) - cip = encaps(z.175, pk(~skC.160)) - cipe = cipe.164 - r2 = r2.168 - s = s.169 - skCe = skCe.170 - z = z.175 - z.1 = decaps(cipe.164, skCe.170) - z.2 = z.179 - z.3 = verify(s.169, - <'CA', cert(x.316, x.317, z.179), certC.161, r2.168, - encaps(z.175, pk(~skC.160)), pk(skCe.170), cipe.164>, - x.316) - - 10. ~skC = ~skC.160 - certC = certC.161 - certT = cert(x.316, x.317, z.179) - cip = encaps(z.175, pk(~skC.160)) - cipe = encaps(z.176, pk(skCe.170)) - r2 = r2.168 - s = s.169 - skCe = skCe.170 - z = z.175 - z.1 = z.176 - z.2 = z.179 - z.3 = verify(s.169, - <'CA', cert(x.316, x.317, z.179), certC.161, r2.168, - encaps(z.175, pk(~skC.160)), pk(skCe.170), encaps(z.176, pk(skCe.170))>, - x.316) - - 11. ~skC = ~skC.160 - certC = certC.161 - certT = cert(pk(x.316), x.317, z.179) - cip = encaps(z.175, pk(~skC.160)) - cipe = cipe.164 - r2 = r2.168 - s = sign(<'CA', cert(pk(x.316), x.317, z.179), certC.161, r2.168, - encaps(z.175, pk(~skC.160)), pk(skCe.170), cipe.164>, - x.316) - skCe = skCe.170 - z = z.175 - z.1 = decaps(cipe.164, skCe.170) - z.2 = z.179 - z.3 = true - - 12. ~skC = ~skC.160 - certC = certC.161 - certT = cert(pk(x.316), x.317, z.179) - cip = encaps(z.175, pk(~skC.160)) - cipe = encaps(z.176, pk(skCe.170)) - r2 = r2.168 - s = sign(<'CA', cert(pk(x.316), x.317, z.179), certC.161, r2.168, - encaps(z.175, pk(~skC.160)), pk(skCe.170), encaps(z.176, pk(skCe.170))>, - x.316) - skCe = skCe.170 - z = z.175 - z.1 = z.176 - z.2 = z.179 - z.3 = true + 1. 
~skC = ~skC.33 + certC = certC.34 + certT = certT.35 + cip = cip.36 + cipe = cipe.37 + r2 = r2.40 + s = s.41 + skCe = skCe.42 + z = decaps(cip.36, ~skC.33) + z.1 = decaps(cipe.37, skCe.42) + z.2 = verify(s.41, + <'CA', certT.35, certC.34, r2.40, cip.36, pk(skCe.42), cipe.37>, + cert_pk(certT.35)) + z.3 = cert_id(certT.35) + + 2. ~skC = ~skC.38 + certC = certC.39 + certT = certT.40 + cip = encaps(z.52, pk(~skC.38)) + cipe = cipe.42 + r2 = r2.45 + s = s.46 + skCe = skCe.47 + z = z.52 + z.1 = decaps(cipe.42, skCe.47) + z.2 = verify(s.46, + <'CA', certT.40, certC.39, r2.45, encaps(z.52, pk(~skC.38)), + pk(skCe.47), cipe.42>, + cert_pk(certT.40)) + z.3 = cert_id(certT.40) + + 3. ~skC = ~skC.39 + certC = certC.40 + certT = certT.41 + cip = cip.42 + cipe = encaps(z.54, pk(skCe.48)) + r2 = r2.46 + s = s.47 + skCe = skCe.48 + z = decaps(cip.42, ~skC.39) + z.1 = z.54 + z.2 = verify(s.47, + <'CA', certT.41, certC.40, r2.46, cip.42, pk(skCe.48), + encaps(z.54, pk(skCe.48))>, + cert_pk(certT.41)) + z.3 = cert_id(certT.41) + + 4. ~skC = ~skC.39 + certC = certC.40 + certT = certT.41 + cip = encaps(z.53, pk(~skC.39)) + cipe = encaps(z.54, pk(skCe.48)) + r2 = r2.46 + s = s.47 + skCe = skCe.48 + z = z.53 + z.1 = z.54 + z.2 = verify(s.47, + <'CA', certT.41, certC.40, r2.46, encaps(z.53, pk(~skC.39)), + pk(skCe.48), encaps(z.54, pk(skCe.48))>, + cert_pk(certT.41)) + z.3 = cert_id(certT.41) + + 5. ~skC = ~skC.151 + certC = certC.152 + certT = cert(x.298, x.299, z.171) + cip = cip.154 + cipe = cipe.155 + r2 = r2.158 + s = s.159 + skCe = skCe.160 + z = decaps(cip.154, ~skC.151) + z.1 = decaps(cipe.155, skCe.160) + z.2 = verify(s.159, + <'CA', cert(x.298, x.299, z.171), certC.152, r2.158, cip.154, + pk(skCe.160), cipe.155>, + x.298) + z.3 = z.171 + + 6. 
~skC = ~skC.151 + certC = certC.152 + certT = cert(x.298, x.299, z.171) + cip = cip.154 + cipe = encaps(z.166, pk(skCe.160)) + r2 = r2.158 + s = s.159 + skCe = skCe.160 + z = decaps(cip.154, ~skC.151) + z.1 = z.166 + z.2 = verify(s.159, + <'CA', cert(x.298, x.299, z.171), certC.152, r2.158, cip.154, + pk(skCe.160), encaps(z.166, pk(skCe.160))>, + x.298) + z.3 = z.171 + + 7. ~skC = ~skC.152 + certC = certC.153 + certT = cert(pk(x.300), x.301, z.172) + cip = cip.155 + cipe = cipe.156 + r2 = r2.159 + s = sign(<'CA', cert(pk(x.300), x.301, z.172), certC.153, r2.159, + cip.155, pk(skCe.161), cipe.156>, + x.300) + skCe = skCe.161 + z = decaps(cip.155, ~skC.152) + z.1 = decaps(cipe.156, skCe.161) + z.2 = true + z.3 = z.172 + + 8. ~skC = ~skC.152 + certC = certC.153 + certT = cert(pk(x.300), x.301, z.172) + cip = cip.155 + cipe = encaps(z.167, pk(skCe.161)) + r2 = r2.159 + s = sign(<'CA', cert(pk(x.300), x.301, z.172), certC.153, r2.159, + cip.155, pk(skCe.161), encaps(z.167, pk(skCe.161))>, + x.300) + skCe = skCe.161 + z = decaps(cip.155, ~skC.152) + z.1 = z.167 + z.2 = true + z.3 = z.172 + + 9. ~skC = ~skC.153 + certC = certC.154 + certT = cert(x.302, x.303, z.173) + cip = encaps(z.167, pk(~skC.153)) + cipe = cipe.157 + r2 = r2.160 + s = s.161 + skCe = skCe.162 + z = z.167 + z.1 = decaps(cipe.157, skCe.162) + z.2 = verify(s.161, + <'CA', cert(x.302, x.303, z.173), certC.154, r2.160, + encaps(z.167, pk(~skC.153)), pk(skCe.162), cipe.157>, + x.302) + z.3 = z.173 + + 10. ~skC = ~skC.153 + certC = certC.154 + certT = cert(x.302, x.303, z.173) + cip = encaps(z.167, pk(~skC.153)) + cipe = encaps(z.168, pk(skCe.162)) + r2 = r2.160 + s = s.161 + skCe = skCe.162 + z = z.167 + z.1 = z.168 + z.2 = verify(s.161, + <'CA', cert(x.302, x.303, z.173), certC.154, r2.160, + encaps(z.167, pk(~skC.153)), pk(skCe.162), encaps(z.168, pk(skCe.162))>, + x.302) + z.3 = z.173 + + 11. 
~skC = ~skC.153 + certC = certC.154 + certT = cert(pk(x.302), x.303, z.173) + cip = encaps(z.167, pk(~skC.153)) + cipe = cipe.157 + r2 = r2.160 + s = sign(<'CA', cert(pk(x.302), x.303, z.173), certC.154, r2.160, + encaps(z.167, pk(~skC.153)), pk(skCe.162), cipe.157>, + x.302) + skCe = skCe.162 + z = z.167 + z.1 = decaps(cipe.157, skCe.162) + z.2 = true + z.3 = z.173 + + 12. ~skC = ~skC.153 + certC = certC.154 + certT = cert(pk(x.302), x.303, z.173) + cip = encaps(z.167, pk(~skC.153)) + cipe = encaps(z.168, pk(skCe.162)) + r2 = r2.160 + s = sign(<'CA', cert(pk(x.302), x.303, z.173), certC.154, r2.160, + encaps(z.167, pk(~skC.153)), pk(skCe.162), encaps(z.168, pk(skCe.162))>, + x.302) + skCe = skCe.162 + z = z.167 + z.1 = z.168 + z.2 = true + z.3 = z.173 */ rule (modulo E) CA_FINISH_T: [ In( <kCNF_C, '6', 'c'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), + CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -471,9 +447,6 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip, pkCe, cipe> ) ]-> [ - CAFinishT( cert_id(certC), $T, - kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) - ), !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>, kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ) @@ -483,7 +456,7 @@ rule (modulo E) CA_FINISH_T: rule (modulo AC) CA_FINISH_T: [ In( <kCNF_C, '6', 'c'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), + CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), !Cert( $T, certT, 'terminal' ) ] --[ 
@@ -494,19 +467,16 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip, pkCe, cipe> ) ]-> [ - CAFinishT( z, $T, - kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) - ), !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>, kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ) ] variants (modulo AC) - 1. certC = certC.18 - z = cert_id(certC.18) + 1. certC = certC.19 + z = cert_id(certC.19) - 2. certC = cert(x.44, x.45, z.31) - z = z.31 + 2. certC = cert(x.29, x.30, z.24) + z = z.24 */ rule (modulo E) Verify_Transcript_C: @@ -4045,8 +4015,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe - ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -4063,7 +4032,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) @@ -4102,7 +4071,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_INIT_C solve( !KU( sign(<'TA', ~id_c.2, ~r1.2>, x) ) @ #vk.42 ) case TA_RESPONSE_T - solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), z, 'terminal'>, ca_sk), z) + solve( !KU( cert(pk(~skT.2), sign(<pk(~skT.2), x, 'terminal'>, ca_sk), x) ) @ #vk.44 ) case CA_Sign_ltk solve( !KU( ~id_c.2 ) @ #vk.46 ) @@ -4162,8 +4131,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe - ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair 
@@ -4180,7 +4148,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) @@ -4191,8 +4159,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_Sign_ltk solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1, - skCe.1 + solve( CAInitC( $C, cert(pk(x), x.1, $T), id_c.1, r1.1, r2.1, skCe.1 ) ▶₁ #i2 ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 ) @@ -4210,7 +4177,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) $T, 'terminal', $C ) @ #j2 ) case CA_FINISH_T - solve( CAInitT( <$T, iid.3>, id_c.3, + solve( CAInitT( $T, id_c.3, cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, <z, cip>, <z.1, cipe>, pk(~skCe.1) ) ▶₁ #j2 ) @@ -4276,9 +4243,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) solve( !KU( sign(<'TA', ~id_c.4, ~r1.4>, x) ) @ #vk.68 ) case TA_RESPONSE_T solve( !KU( cert(pk(~skT.3), - sign(<pk(~skT.3), z, 'terminal'>, + sign(<pk(~skT.3), x, 'terminal'>, ca_sk), - z) + x) ) @ #vk.70 ) case CA_Sign_ltk solve( !KU( ~id_c.4 ) @ #vk.72 ) @@ -4336,11 +4303,11 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) solve( !KU( cert(pk(~skT.4), sign(< pk(~skT.4), - z, + x, 'terminal' >, ca_sk), - z) + x) ) @ #vk.78 ) case CA_Sign_ltk solve( !KU( ~id_c.5 ) @ #vk.80 ) 
@@ -4404,6 +4371,93 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed +lemma aliveness: + all-traces + "∀ k sid A role B #i #t. + ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ + (∃ #k.1. Corrupted( B ) @ #k.1))" +/* +guarded formula characterizing all counter-examples: +"∃ k sid A role B #i #t. + (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) + ∧ + (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" +*/ +simplify +solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) + case CA_INIT_T + solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) + case CA_Sign_ltk + solve( Completed( k.1, + <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, + encaps(~ke, pkCe)>, + A, role, B + ) @ #i ) + case CA_FINISH_C + by contradiction /* from formulas */ + next + case CA_FINISH_T + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe + ) ▶₁ #i ) + case CA_INIT_T + solve( !KU( kdf(<'CNF', + cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, + encaps(~ke, pkCe)>, + <~k, ~ke>) + ) @ #vk.1 ) + case CA_FINISH_C + by contradiction /* from formulas */ + next + case c_kdf + solve( !KU( ~k ) @ #vk.30 ) + case CA_INIT_T + solve( !KU( ~ke ) @ #vk.31 ) + case CA_INIT_T + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + ) @ #vk.16 ) + case CA_INIT_C + solve( !KU( ~ltk.1 ) @ #vk.32 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.32 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_cert + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.35 ) + case CA_INIT_C 
+ solve( !KU( ~ltk.1 ) @ #vk.33 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.33 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_sign + by solve( !KU( ca_sk ) @ #vk.39 ) + qed + qed + qed + qed + qed + qed + qed + qed +qed + lemma weak_agreement_C: all-traces "∀ k sid C T #i #t. @@ -4421,8 +4475,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -4433,7 +4486,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe C, 'chip', T.1 ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, + solve( CAInitC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2, skCe ) ▶₁ #i ) @@ -4468,8 +4521,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -4480,9 +4532,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>, - <ke.1, encaps(~ke, pkCe)>, pkCe + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, + <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe ) ▶₁ #i ) case CA_INIT_T solve( !KU( kdf(<'CNF', 
@@ -4556,8 +4607,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -4568,7 +4618,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe C, 'chip', T.1 ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, + solve( CAInitC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2, skCe ) ▶₁ #i ) @@ -4649,8 +4699,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -4661,9 +4710,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>, - <ke.1, encaps(~ke, pkCe)>, pkCe + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, + <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe ) ▶₁ #i ) case CA_INIT_T solve( !KU( kdf(<'CNF', 
@@ -4720,95 +4768,6 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe qed qed -lemma aliveness: - all-traces - "∀ k sid A role B #i #t. - ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ - (∃ #k.1. Corrupted( B ) @ #k.1))" -/* -guarded formula characterizing all counter-examples: -"∃ k sid A role B #i #t. - (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) - ∧ - (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" -*/ -simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #t ) - case CA_INIT_T - solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) - case CA_Sign_ltk - solve( Completed( k.1, - <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, - encaps(~ke, pkCe)>, - A, role, B - ) @ #i ) - case CA_FINISH_C - by contradiction /* from formulas */ - next - case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>, - <ke.1, encaps(~ke, pkCe)>, pkCe - ) ▶₁ #i ) - case CA_INIT_T - solve( !KU( kdf(<'CNF', - cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, - encaps(~ke, pkCe)>, - <~k, ~ke>) - ) @ #vk.1 ) - case CA_FINISH_C - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.30 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.31 ) - case CA_INIT_T - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) - ) @ #vk.16 ) - case CA_INIT_C - solve( !KU( ~ltk.1 ) @ #vk.32 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.32 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_cert - solve( !KU( sign(<pk(sk), B, 
'chip'>, ca_sk) ) @ #vk.35 ) - case CA_INIT_C - solve( !KU( ~ltk.1 ) @ #vk.33 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.33 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.39 ) - qed - qed - qed - qed - qed - qed - qed - qed -qed - lemma session_uniqueness: all-traces "∀ A B k sid sid2 role #i #j. @@ -4830,8 +4789,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_1 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2, skCe - ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -4845,9 +4803,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, - cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, - ~skCe + solve( CAInitC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, ~skCe ) ▶₁ #j ) case CA_INIT_C by contradiction /* cyclic */ @@ -4858,8 +4815,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -4871,9 +4827,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>, - <~ke, encaps(~ke, pkCe)>, pkCe + solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe ) ▶₁ #j ) case CA_INIT_T by contradiction /* cyclic */ 
@@ -4886,8 +4841,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2, skCe - ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -4901,9 +4855,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, - cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, - ~skCe + solve( CAInitC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, ~skCe ) ▶₁ #j ) case CA_INIT_C by contradiction /* cyclic */ @@ -4914,8 +4867,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -4927,9 +4879,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>, - <~ke, encaps(~ke, pkCe)>, pkCe + solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe ) ▶₁ #j ) case CA_INIT_T by contradiction /* cyclic */ @@ -4943,8 +4894,7 @@ next case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, r2, skCe - ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, B), id_c, r1, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair 
@@ -4965,8 +4915,7 @@ next qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -4990,20 +4939,21 @@ lemma consistency: "∀ C T k k2 sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒ - ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))" + (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k k2 sid #i #j. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j) ∧ - (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (¬(k = k2)) ∧ + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe - ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -5016,7 +4966,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>, <ke, cipe>, pk(~skCe) ) ▶₁ #j ) 
@@ -5061,71 +5011,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case c_sign solve( !KU( ~skT ) @ #vk.37 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.19 ) - case c_kdf - solve( !KU( ~k ) @ #vk.50 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.51 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.52 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed next case c_sign solve( !KU( ~ltk.1 ) @ #vk.42 ) case Corrupt_ltk - solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.17 ) - case TA_RESPONSE_T - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.25 ) - case c_kdf - solve( !KU( ~k ) @ #vk.51 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.52 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.53 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - next - case c_sign - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.25 ) - case c_kdf - solve( !KU( ~k ) @ #vk.52 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.53 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.54 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed 
@@ -5142,8 +5035,9 @@ lemma key_secrecy: "∀ C T k sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒ - (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ - (∃ #m. Corrupted( C ) @ #m))" + ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ + (∃ #m. Corrupted( C ) @ #m)) ∨ + (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k sid #i #j. @@ -5152,13 +5046,13 @@ guarded formula characterizing all counter-examples: ∧ (∃ #m. (K( k ) @ #m)) ∧ (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧ - (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe - ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -5175,7 +5069,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) 
@@ -5218,80 +5112,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case c_sign solve( !KU( ~skT ) @ #vk.38 ) case Corrupt_ltk - solve( !KU( kdf(<'KEY', - cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.6 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.51 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.52 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.53 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed next case c_sign solve( !KU( ~ltk.1 ) @ #vk.43 ) case Corrupt_ltk - solve( !KU( sign(<'TA', ~id_c, ~r1>, ~ltk.1) ) @ #vk.18 ) - case TA_RESPONSE_T - solve( !KU( kdf(<'KEY', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.5 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.52 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.53 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.54 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - next - case c_sign - solve( !KU( kdf(<'KEY', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.5 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.53 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.54 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.55 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed 
qed @@ -5302,28 +5130,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed -lemma chip_hiding: - all-traces - "∀ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) ⇒ - ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))" -/* -guarded formula characterizing all counter-examples: -"∃ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) - ∧ - (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))" -*/ -simplify -solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1 ) ▶₁ #i ) - case TA_CHALLENGE_C - solve( !KU( ~iid ) @ #vk.6 ) - case CA_INIT_C - by contradiction /* cyclic */ - qed -qed - -lemma nonRepudiation_terminal: +lemma notNonRepudiation_C: exists-trace "∃ C T #i. (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -5387,7 +5194,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i ) qed qed -lemma nonRepudiation_chip: +lemma notNonRepudiation_T: exists-trace "∃ C T #i. (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -5420,7 +5227,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i ) qed qed -lemma pfs: +lemma forward_secrecy: all-traces "∀ C T k sid #i #j. ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧ @@ -5442,8 +5249,7 @@ guarded formula characterizing all counter-examples: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, r2, skCe - ) ▶₁ #i ) + solve( CAInitC( $C, cert(pk(x), x.1, T), id_c, r1, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -5460,7 +5266,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) 
@@ -5594,21 +5400,20 @@ summary of summaries: analyzed: tmp.spthy - processing time: 138.92s + processing time: 115.06s session_exist (exists-trace): verified (24 steps) two_session_exist (exists-trace): verified (46 steps) + aliveness (all-traces): verified (21 steps) weak_agreement_C (all-traces): verified (8 steps) weak_agreement_T (all-traces): verified (20 steps) agreement_C (all-traces): verified (20 steps) agreement_T (all-traces): verified (20 steps) - aliveness (all-traces): verified (21 steps) session_uniqueness (all-traces): verified (37 steps) - consistency (all-traces): verified (35 steps) - key_secrecy (all-traces): verified (37 steps) - chip_hiding (all-traces): verified (4 steps) - nonRepudiation_terminal (exists-trace): verified (14 steps) - nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps) - pfs (all-traces): verified (27 steps) + consistency (all-traces): verified (21 steps) + key_secrecy (all-traces): verified (20 steps) + notNonRepudiation_C (exists-trace): verified (14 steps) + notNonRepudiation_T (exists-trace): falsified - no trace found (7 steps) + forward_secrecy (all-traces): verified (27 steps) ============================================================================== diff --git a/results/45991739.err.PFS_ALL_FastSigPQEAC_TAMARIN b/results/46092874.err.ForwardSecrecy_FastSigPQEAC similarity index 100% rename from results/45991739.err.PFS_ALL_FastSigPQEAC_TAMARIN rename to results/46092874.err.ForwardSecrecy_FastSigPQEAC diff --git a/results/45991739.out.PFS_ALL_FastSigPQEAC_TAMARIN b/results/46092874.out.ForwardSecrecy_FastSigPQEAC similarity index 87% rename from results/45991739.out.PFS_ALL_FastSigPQEAC_TAMARIN rename to results/46092874.out.ForwardSecrecy_FastSigPQEAC index 03861b1..5beeefb 100644 --- a/results/45991739.out.PFS_ALL_FastSigPQEAC_TAMARIN +++ b/results/46092874.out.ForwardSecrecy_FastSigPQEAC 
@@ -71,49 +71,49 @@ rule (modulo E) Reveal_session: /* has exactly the trivial AC variant */ rule (modulo E) TA_INIT_T: - [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ] + [ !Cert( $T, certT, 'terminal' ) ] --[ Started( ) ]-> - [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ] + [ Out( <certT, '1', 't'> ), TAInitT( $T ) ] /* has exactly the trivial AC variant */ rule (modulo E) TA_CHALLENGE_C: [ - In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~skCe ), - Fr( ~r2 ), !Cert( $C, certC, 'chip' ) + In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~skCe ), Fr( ~r2 ), + !Cert( $C, certC, 'chip' ) ] --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]-> [ - Out( <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'> ), Out( ~iid ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~skCe, ~r2 ) + Out( <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'> ), + TAChallengeC( $C, certT, ~id_c, ~r1, ~skCe, ~r2 ) ] /* rule (modulo AC) TA_CHALLENGE_C: [ - In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ), Fr( ~skCe ), - Fr( ~r2 ), !Cert( $C, certC, 'chip' ) + In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~skCe ), Fr( ~r2 ), + !Cert( $C, certC, 'chip' ) ] --[ Eq( z, true ), Started( ) ]-> [ - Out( <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'> ), Out( ~iid ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~skCe, ~r2 ) + Out( <~id_c, ~r1, certC, ~r2, pk(~skCe), '2', 'c'> ), + TAChallengeC( $C, certT, ~id_c, ~r1, ~skCe, ~r2 ) ] variants (modulo AC) - 1. certT = certT.16 - z = verify(cert_sig(certT.16), - <cert_pk(certT.16), cert_id(certT.16), 'terminal'>, pk(ca_sk)) + 1. certT = certT.15 + z = verify(cert_sig(certT.15), + <cert_pk(certT.15), cert_id(certT.15), 'terminal'>, pk(ca_sk)) - 2. certT = cert(x.17, sign(<x.17, x.18, 'terminal'>, ca_sk), x.18) + 2. certT = cert(x.16, sign(<x.16, x.17, 'terminal'>, ca_sk), x.17) z = true - 3. certT = cert(x.18, x.19, x.20) - z = verify(x.19, <x.18, x.20, 'terminal'>, pk(ca_sk)) + 3. 
certT = cert(x.17, x.18, x.19) + z = verify(x.18, <x.17, x.19, 'terminal'>, pk(ca_sk)) */ rule (modulo E) TA_RESPONSE_T: [ - In( <id_c, r1, certC, r2, pkCe, '2', 'c'> ), TAInitT( <$T, iid> ), + In( <id_c, r1, certC, r2, pkCe, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k ), Fr( ~ke ) ] @@ -126,7 +126,7 @@ rule (modulo E) TA_RESPONSE_T: ~skT), '3', 't'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))>, + CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, cert_pk(certC))>, <~ke, encaps(~ke, pkCe)>, pkCe ) ] @@ -134,7 +134,7 @@ rule (modulo E) TA_RESPONSE_T: /* rule (modulo AC) TA_RESPONSE_T: [ - In( <id_c, r1, certC, r2, pkCe, '2', 'c'> ), TAInitT( <$T, iid> ), + In( <id_c, r1, certC, r2, pkCe, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ), Fr( ~k ), Fr( ~ke ) ] 
@@ -145,30 +145,30 @@ rule (modulo E) TA_RESPONSE_T: ~skT), '3', 't'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <~k, encaps(~k, z)>, + CAInitT( $T, id_c, certC, r2, <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe ) ] variants (modulo AC) - 1. certC = certC.22 - z = cert_pk(certC.22) - z.1 = verify(cert_sig(certC.22), - <cert_pk(certC.22), cert_id(certC.22), 'chip'>, pk(ca_sk)) + 1. certC = certC.21 + z = cert_pk(certC.21) + z.1 = verify(cert_sig(certC.21), + <cert_pk(certC.21), cert_id(certC.21), 'chip'>, pk(ca_sk)) - 2. certC = cert(z.59, sign(<z.59, x.102, 'chip'>, ca_sk), x.102) - z = z.59 + 2. certC = cert(z.58, sign(<z.58, x.101, 'chip'>, ca_sk), x.101) + z = z.58 z.1 = true - 3. certC = cert(z.60, x.103, x.104) - z = z.60 - z.1 = verify(x.103, <z.60, x.104, 'chip'>, pk(ca_sk)) + 3. certC = cert(z.59, x.102, x.103) + z = z.59 + z.1 = verify(x.102, <z.59, x.103, 'chip'>, pk(ca_sk)) */ rule (modulo E) TA_COMPLETE_C: [ In( <cip, cipe, s1, s2, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, skCe, r2 ), - !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) + TAChallengeC( $C, certT, id_c, r1, skCe, r2 ), !Ltk( $C, ~skC, 'chip' ), + !Cert( $C, certC, 'chip' ) ] --[ Eq( verify(s1, <'TA', id_c, r1>, cert_pk(certT)), true ), @@ -176,7 +176,6 @@ rule (modulo E) TA_COMPLETE_C: cert_pk(certT)), true ), - CompletedTA( $C, iid, cert_id(certT) ), Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <decaps(cip, ~skC), decaps(cipe, skCe)>), <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', cert_id(certT) 
@@ -187,19 +186,18 @@ rule (modulo E) TA_COMPLETE_C: kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <decaps(cip, ~skC), decaps(cipe, skCe)>), '4', 'c'> - ), - TACompleteC( <$C, iid>, certT, id_c, r1, skCe, r2 ) + ) ] /* rule (modulo AC) TA_COMPLETE_C: [ In( <cip, cipe, s1, s2, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, skCe, r2 ), - !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) + TAChallengeC( $C, certT, id_c, r1, skCe, r2 ), !Ltk( $C, ~skC, 'chip' ), + !Cert( $C, certC, 'chip' ) ] --[ - Eq( z.2, true ), Eq( z.3, true ), CompletedTA( $C, iid, z.4 ), + Eq( z.2, true ), Eq( z.3, true ), Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.4 ) 
@@ -207,406 +205,405 @@ rule (modulo E) TA_COMPLETE_C: [ Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), '4', 'c'> - ), - TACompleteC( <$C, iid>, certT, id_c, r1, skCe, r2 ) + ) ] variants (modulo AC) - 1. ~skC = ~skC.37 - certC = certC.38 - certT = certT.39 - cip = cip.40 - cipe = cipe.41 - id_c = id_c.42 - r1 = r1.44 - r2 = r2.45 - s1 = s1.46 - s2 = s2.47 - skCe = skCe.48 - z = decaps(cip.40, ~skC.37) - z.1 = decaps(cipe.41, skCe.48) - z.2 = verify(s1.46, <'TA', id_c.42, r1.44>, cert_pk(certT.39)) - z.3 = verify(s2.47, - <'CA', certT.39, certC.38, r2.45, cip.40, pk(skCe.48), cipe.41>, - cert_pk(certT.39)) - z.4 = cert_id(certT.39) - - 2. ~skC = ~skC.42 + 1. ~skC = ~skC.36 + certC = certC.37 + certT = certT.38 + cip = cip.39 + cipe = cipe.40 + id_c = id_c.41 + r1 = r1.42 + r2 = r2.43 + s1 = s1.44 + s2 = s2.45 + skCe = skCe.46 + z = decaps(cip.39, ~skC.36) + z.1 = decaps(cipe.40, skCe.46) + z.2 = verify(s1.44, <'TA', id_c.41, r1.42>, cert_pk(certT.38)) + z.3 = verify(s2.45, + <'CA', certT.38, certC.37, r2.43, cip.39, pk(skCe.46), cipe.40>, + cert_pk(certT.38)) + z.4 = cert_id(certT.38) + + 2. ~skC = ~skC.41 + certC = certC.42 + certT = certT.43 + cip = encaps(z.56, pk(~skC.41)) + cipe = cipe.45 + id_c = id_c.46 + r1 = r1.47 + r2 = r2.48 + s1 = s1.49 + s2 = s2.50 + skCe = skCe.51 + z = z.56 + z.1 = decaps(cipe.45, skCe.51) + z.2 = verify(s1.49, <'TA', id_c.46, r1.47>, cert_pk(certT.43)) + z.3 = verify(s2.50, + <'CA', certT.43, certC.42, r2.48, encaps(z.56, pk(~skC.41)), + pk(skCe.51), cipe.45>, + cert_pk(certT.43)) + z.4 = cert_id(certT.43) + + 3. 
~skC = ~skC.42 certC = certC.43 certT = certT.44 - cip = encaps(z.58, pk(~skC.42)) - cipe = cipe.46 + cip = cip.45 + cipe = encaps(z.58, pk(skCe.52)) id_c = id_c.47 - r1 = r1.49 - r2 = r2.50 - s1 = s1.51 - s2 = s2.52 - skCe = skCe.53 - z = z.58 - z.1 = decaps(cipe.46, skCe.53) - z.2 = verify(s1.51, <'TA', id_c.47, r1.49>, cert_pk(certT.44)) - z.3 = verify(s2.52, - <'CA', certT.44, certC.43, r2.50, encaps(z.58, pk(~skC.42)), - pk(skCe.53), cipe.46>, + r1 = r1.48 + r2 = r2.49 + s1 = s1.50 + s2 = s2.51 + skCe = skCe.52 + z = decaps(cip.45, ~skC.42) + z.1 = z.58 + z.2 = verify(s1.50, <'TA', id_c.47, r1.48>, cert_pk(certT.44)) + z.3 = verify(s2.51, + <'CA', certT.44, certC.43, r2.49, cip.45, pk(skCe.52), + encaps(z.58, pk(skCe.52))>, cert_pk(certT.44)) z.4 = cert_id(certT.44) - 3. ~skC = ~skC.43 - certC = certC.44 - certT = certT.45 - cip = cip.46 - cipe = encaps(z.60, pk(skCe.54)) - id_c = id_c.48 - r1 = r1.50 - r2 = r2.51 - s1 = s1.52 - s2 = s2.53 - skCe = skCe.54 - z = decaps(cip.46, ~skC.43) - z.1 = z.60 - z.2 = verify(s1.52, <'TA', id_c.48, r1.50>, cert_pk(certT.45)) - z.3 = verify(s2.53, - <'CA', certT.45, certC.44, r2.51, cip.46, pk(skCe.54), - encaps(z.60, pk(skCe.54))>, - cert_pk(certT.45)) - z.4 = cert_id(certT.45) - - 4. ~skC = ~skC.43 - certC = certC.44 - certT = certT.45 - cip = encaps(z.59, pk(~skC.43)) - cipe = encaps(z.60, pk(skCe.54)) - id_c = id_c.48 - r1 = r1.50 - r2 = r2.51 - s1 = s1.52 - s2 = s2.53 - skCe = skCe.54 - z = z.59 - z.1 = z.60 - z.2 = verify(s1.52, <'TA', id_c.48, r1.50>, cert_pk(certT.45)) - z.3 = verify(s2.53, - <'CA', certT.45, certC.44, r2.51, encaps(z.59, pk(~skC.43)), - pk(skCe.54), encaps(z.60, pk(skCe.54))>, - cert_pk(certT.45)) - z.4 = cert_id(certT.45) - - 5. 
~skC = ~skC.171 - certC = certC.172 - certT = cert(x.338, x.339, z.193) - cip = cip.174 - cipe = cipe.175 - id_c = id_c.176 - r1 = r1.178 - r2 = r2.179 - s1 = s1.180 - s2 = s2.181 - skCe = skCe.182 - z = decaps(cip.174, ~skC.171) - z.1 = decaps(cipe.175, skCe.182) - z.2 = verify(s1.180, <'TA', id_c.176, r1.178>, x.338) - z.3 = verify(s2.181, - <'CA', cert(x.338, x.339, z.193), certC.172, r2.179, cip.174, - pk(skCe.182), cipe.175>, - x.338) - z.4 = z.193 - - 6. ~skC = ~skC.171 - certC = certC.172 - certT = cert(x.338, x.339, z.193) - cip = cip.174 - cipe = encaps(z.188, pk(skCe.182)) - id_c = id_c.176 - r1 = r1.178 - r2 = r2.179 - s1 = s1.180 - s2 = s2.181 - skCe = skCe.182 - z = decaps(cip.174, ~skC.171) - z.1 = z.188 - z.2 = verify(s1.180, <'TA', id_c.176, r1.178>, x.338) - z.3 = verify(s2.181, - <'CA', cert(x.338, x.339, z.193), certC.172, r2.179, cip.174, - pk(skCe.182), encaps(z.188, pk(skCe.182))>, - x.338) - z.4 = z.193 - - 7. ~skC = ~skC.171 - certC = certC.172 - certT = cert(pk(x.338), x.339, z.193) - cip = cip.174 - cipe = cipe.175 - id_c = id_c.176 - r1 = r1.178 - r2 = r2.179 - s1 = sign(<'TA', id_c.176, r1.178>, x.338) - s2 = s2.181 - skCe = skCe.182 - z = decaps(cip.174, ~skC.171) - z.1 = decaps(cipe.175, skCe.182) + 4. ~skC = ~skC.42 + certC = certC.43 + certT = certT.44 + cip = encaps(z.57, pk(~skC.42)) + cipe = encaps(z.58, pk(skCe.52)) + id_c = id_c.47 + r1 = r1.48 + r2 = r2.49 + s1 = s1.50 + s2 = s2.51 + skCe = skCe.52 + z = z.57 + z.1 = z.58 + z.2 = verify(s1.50, <'TA', id_c.47, r1.48>, cert_pk(certT.44)) + z.3 = verify(s2.51, + <'CA', certT.44, certC.43, r2.49, encaps(z.57, pk(~skC.42)), + pk(skCe.52), encaps(z.58, pk(skCe.52))>, + cert_pk(certT.44)) + z.4 = cert_id(certT.44) + + 5. 
~skC = ~skC.165 + certC = certC.166 + certT = cert(x.326, x.327, z.187) + cip = cip.168 + cipe = cipe.169 + id_c = id_c.170 + r1 = r1.171 + r2 = r2.172 + s1 = s1.173 + s2 = s2.174 + skCe = skCe.175 + z = decaps(cip.168, ~skC.165) + z.1 = decaps(cipe.169, skCe.175) + z.2 = verify(s1.173, <'TA', id_c.170, r1.171>, x.326) + z.3 = verify(s2.174, + <'CA', cert(x.326, x.327, z.187), certC.166, r2.172, cip.168, + pk(skCe.175), cipe.169>, + x.326) + z.4 = z.187 + + 6. ~skC = ~skC.165 + certC = certC.166 + certT = cert(x.326, x.327, z.187) + cip = cip.168 + cipe = encaps(z.181, pk(skCe.175)) + id_c = id_c.170 + r1 = r1.171 + r2 = r2.172 + s1 = s1.173 + s2 = s2.174 + skCe = skCe.175 + z = decaps(cip.168, ~skC.165) + z.1 = z.181 + z.2 = verify(s1.173, <'TA', id_c.170, r1.171>, x.326) + z.3 = verify(s2.174, + <'CA', cert(x.326, x.327, z.187), certC.166, r2.172, cip.168, + pk(skCe.175), encaps(z.181, pk(skCe.175))>, + x.326) + z.4 = z.187 + + 7. ~skC = ~skC.165 + certC = certC.166 + certT = cert(pk(x.326), x.327, z.187) + cip = cip.168 + cipe = cipe.169 + id_c = id_c.170 + r1 = r1.171 + r2 = r2.172 + s1 = sign(<'TA', id_c.170, r1.171>, x.326) + s2 = s2.174 + skCe = skCe.175 + z = decaps(cip.168, ~skC.165) + z.1 = decaps(cipe.169, skCe.175) z.2 = true - z.3 = verify(s2.181, - <'CA', cert(pk(x.338), x.339, z.193), certC.172, r2.179, cip.174, - pk(skCe.182), cipe.175>, - pk(x.338)) - z.4 = z.193 - - 8. ~skC = ~skC.171 - certC = certC.172 - certT = cert(pk(x.338), x.339, z.193) - cip = cip.174 - cipe = encaps(z.188, pk(skCe.182)) - id_c = id_c.176 - r1 = r1.178 - r2 = r2.179 - s1 = sign(<'TA', id_c.176, r1.178>, x.338) - s2 = s2.181 - skCe = skCe.182 - z = decaps(cip.174, ~skC.171) - z.1 = z.188 + z.3 = verify(s2.174, + <'CA', cert(pk(x.326), x.327, z.187), certC.166, r2.172, cip.168, + pk(skCe.175), cipe.169>, + pk(x.326)) + z.4 = z.187 + + 8. 
~skC = ~skC.165 + certC = certC.166 + certT = cert(pk(x.326), x.327, z.187) + cip = cip.168 + cipe = encaps(z.181, pk(skCe.175)) + id_c = id_c.170 + r1 = r1.171 + r2 = r2.172 + s1 = sign(<'TA', id_c.170, r1.171>, x.326) + s2 = s2.174 + skCe = skCe.175 + z = decaps(cip.168, ~skC.165) + z.1 = z.181 z.2 = true - z.3 = verify(s2.181, - <'CA', cert(pk(x.338), x.339, z.193), certC.172, r2.179, cip.174, - pk(skCe.182), encaps(z.188, pk(skCe.182))>, - pk(x.338)) - z.4 = z.193 - - 9. ~skC = ~skC.172 - certC = certC.173 - certT = cert(pk(x.340), x.341, z.194) - cip = cip.175 - cipe = cipe.176 - id_c = id_c.177 - r1 = r1.179 - r2 = r2.180 - s1 = s1.181 - s2 = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, - cip.175, pk(skCe.183), cipe.176>, - x.340) - skCe = skCe.183 - z = decaps(cip.175, ~skC.172) - z.1 = decaps(cipe.176, skCe.183) - z.2 = verify(s1.181, <'TA', id_c.177, r1.179>, pk(x.340)) + z.3 = verify(s2.174, + <'CA', cert(pk(x.326), x.327, z.187), certC.166, r2.172, cip.168, + pk(skCe.175), encaps(z.181, pk(skCe.175))>, + pk(x.326)) + z.4 = z.187 + + 9. ~skC = ~skC.166 + certC = certC.167 + certT = cert(pk(x.328), x.329, z.188) + cip = cip.169 + cipe = cipe.170 + id_c = id_c.171 + r1 = r1.172 + r2 = r2.173 + s1 = s1.174 + s2 = sign(<'CA', cert(pk(x.328), x.329, z.188), certC.167, r2.173, + cip.169, pk(skCe.176), cipe.170>, + x.328) + skCe = skCe.176 + z = decaps(cip.169, ~skC.166) + z.1 = decaps(cipe.170, skCe.176) + z.2 = verify(s1.174, <'TA', id_c.171, r1.172>, pk(x.328)) z.3 = true - z.4 = z.194 - - 10. ~skC = ~skC.172 - certC = certC.173 - certT = cert(pk(x.340), x.341, z.194) - cip = cip.175 - cipe = cipe.176 - id_c = id_c.177 - r1 = r1.179 - r2 = r2.180 - s1 = sign(<'TA', id_c.177, r1.179>, x.340) - s2 = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, - cip.175, pk(skCe.183), cipe.176>, - x.340) - skCe = skCe.183 - z = decaps(cip.175, ~skC.172) - z.1 = decaps(cipe.176, skCe.183) + z.4 = z.188 + + 10. 
~skC = ~skC.166 + certC = certC.167 + certT = cert(pk(x.328), x.329, z.188) + cip = cip.169 + cipe = cipe.170 + id_c = id_c.171 + r1 = r1.172 + r2 = r2.173 + s1 = sign(<'TA', id_c.171, r1.172>, x.328) + s2 = sign(<'CA', cert(pk(x.328), x.329, z.188), certC.167, r2.173, + cip.169, pk(skCe.176), cipe.170>, + x.328) + skCe = skCe.176 + z = decaps(cip.169, ~skC.166) + z.1 = decaps(cipe.170, skCe.176) z.2 = true z.3 = true - z.4 = z.194 - - 11. ~skC = ~skC.172 - certC = certC.173 - certT = cert(pk(x.340), x.341, z.194) - cip = cip.175 - cipe = encaps(z.189, pk(skCe.183)) - id_c = id_c.177 - r1 = r1.179 - r2 = r2.180 - s1 = s1.181 - s2 = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, - cip.175, pk(skCe.183), encaps(z.189, pk(skCe.183))>, - x.340) - skCe = skCe.183 - z = decaps(cip.175, ~skC.172) - z.1 = z.189 - z.2 = verify(s1.181, <'TA', id_c.177, r1.179>, pk(x.340)) + z.4 = z.188 + + 11. ~skC = ~skC.166 + certC = certC.167 + certT = cert(pk(x.328), x.329, z.188) + cip = cip.169 + cipe = encaps(z.182, pk(skCe.176)) + id_c = id_c.171 + r1 = r1.172 + r2 = r2.173 + s1 = s1.174 + s2 = sign(<'CA', cert(pk(x.328), x.329, z.188), certC.167, r2.173, + cip.169, pk(skCe.176), encaps(z.182, pk(skCe.176))>, + x.328) + skCe = skCe.176 + z = decaps(cip.169, ~skC.166) + z.1 = z.182 + z.2 = verify(s1.174, <'TA', id_c.171, r1.172>, pk(x.328)) z.3 = true - z.4 = z.194 - - 12. ~skC = ~skC.172 - certC = certC.173 - certT = cert(pk(x.340), x.341, z.194) - cip = cip.175 - cipe = encaps(z.189, pk(skCe.183)) - id_c = id_c.177 - r1 = r1.179 - r2 = r2.180 - s1 = sign(<'TA', id_c.177, r1.179>, x.340) - s2 = sign(<'CA', cert(pk(x.340), x.341, z.194), certC.173, r2.180, - cip.175, pk(skCe.183), encaps(z.189, pk(skCe.183))>, - x.340) - skCe = skCe.183 - z = decaps(cip.175, ~skC.172) - z.1 = z.189 + z.4 = z.188 + + 12. 
~skC = ~skC.166 + certC = certC.167 + certT = cert(pk(x.328), x.329, z.188) + cip = cip.169 + cipe = encaps(z.182, pk(skCe.176)) + id_c = id_c.171 + r1 = r1.172 + r2 = r2.173 + s1 = sign(<'TA', id_c.171, r1.172>, x.328) + s2 = sign(<'CA', cert(pk(x.328), x.329, z.188), certC.167, r2.173, + cip.169, pk(skCe.176), encaps(z.182, pk(skCe.176))>, + x.328) + skCe = skCe.176 + z = decaps(cip.169, ~skC.166) + z.1 = z.182 z.2 = true z.3 = true - z.4 = z.194 - - 13. ~skC = ~skC.173 - certC = certC.174 - certT = cert(x.342, x.343, z.195) - cip = encaps(z.189, pk(~skC.173)) - cipe = cipe.177 - id_c = id_c.178 - r1 = r1.180 - r2 = r2.181 - s1 = s1.182 - s2 = s2.183 - skCe = skCe.184 - z = z.189 - z.1 = decaps(cipe.177, skCe.184) - z.2 = verify(s1.182, <'TA', id_c.178, r1.180>, x.342) - z.3 = verify(s2.183, - <'CA', cert(x.342, x.343, z.195), certC.174, r2.181, - encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>, - x.342) - z.4 = z.195 - - 14. ~skC = ~skC.173 - certC = certC.174 - certT = cert(x.342, x.343, z.195) - cip = encaps(z.189, pk(~skC.173)) - cipe = encaps(z.190, pk(skCe.184)) - id_c = id_c.178 - r1 = r1.180 - r2 = r2.181 - s1 = s1.182 - s2 = s2.183 - skCe = skCe.184 - z = z.189 - z.1 = z.190 - z.2 = verify(s1.182, <'TA', id_c.178, r1.180>, x.342) - z.3 = verify(s2.183, - <'CA', cert(x.342, x.343, z.195), certC.174, r2.181, - encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>, - x.342) - z.4 = z.195 - - 15. ~skC = ~skC.173 - certC = certC.174 - certT = cert(pk(x.342), x.343, z.195) - cip = encaps(z.189, pk(~skC.173)) - cipe = cipe.177 - id_c = id_c.178 - r1 = r1.180 - r2 = r2.181 - s1 = s1.182 - s2 = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, - encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>, - x.342) - skCe = skCe.184 - z = z.189 - z.1 = decaps(cipe.177, skCe.184) - z.2 = verify(s1.182, <'TA', id_c.178, r1.180>, pk(x.342)) + z.4 = z.188 + + 13. 
~skC = ~skC.167 + certC = certC.168 + certT = cert(x.330, x.331, z.189) + cip = encaps(z.182, pk(~skC.167)) + cipe = cipe.171 + id_c = id_c.172 + r1 = r1.173 + r2 = r2.174 + s1 = s1.175 + s2 = s2.176 + skCe = skCe.177 + z = z.182 + z.1 = decaps(cipe.171, skCe.177) + z.2 = verify(s1.175, <'TA', id_c.172, r1.173>, x.330) + z.3 = verify(s2.176, + <'CA', cert(x.330, x.331, z.189), certC.168, r2.174, + encaps(z.182, pk(~skC.167)), pk(skCe.177), cipe.171>, + x.330) + z.4 = z.189 + + 14. ~skC = ~skC.167 + certC = certC.168 + certT = cert(x.330, x.331, z.189) + cip = encaps(z.182, pk(~skC.167)) + cipe = encaps(z.183, pk(skCe.177)) + id_c = id_c.172 + r1 = r1.173 + r2 = r2.174 + s1 = s1.175 + s2 = s2.176 + skCe = skCe.177 + z = z.182 + z.1 = z.183 + z.2 = verify(s1.175, <'TA', id_c.172, r1.173>, x.330) + z.3 = verify(s2.176, + <'CA', cert(x.330, x.331, z.189), certC.168, r2.174, + encaps(z.182, pk(~skC.167)), pk(skCe.177), encaps(z.183, pk(skCe.177))>, + x.330) + z.4 = z.189 + + 15. ~skC = ~skC.167 + certC = certC.168 + certT = cert(pk(x.330), x.331, z.189) + cip = encaps(z.182, pk(~skC.167)) + cipe = cipe.171 + id_c = id_c.172 + r1 = r1.173 + r2 = r2.174 + s1 = s1.175 + s2 = sign(<'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, + encaps(z.182, pk(~skC.167)), pk(skCe.177), cipe.171>, + x.330) + skCe = skCe.177 + z = z.182 + z.1 = decaps(cipe.171, skCe.177) + z.2 = verify(s1.175, <'TA', id_c.172, r1.173>, pk(x.330)) z.3 = true - z.4 = z.195 - - 16. ~skC = ~skC.173 - certC = certC.174 - certT = cert(pk(x.342), x.343, z.195) - cip = encaps(z.189, pk(~skC.173)) - cipe = cipe.177 - id_c = id_c.178 - r1 = r1.180 - r2 = r2.181 - s1 = sign(<'TA', id_c.178, r1.180>, x.342) - s2 = s2.183 - skCe = skCe.184 - z = z.189 - z.1 = decaps(cipe.177, skCe.184) + z.4 = z.189 + + 16. 
~skC = ~skC.167 + certC = certC.168 + certT = cert(pk(x.330), x.331, z.189) + cip = encaps(z.182, pk(~skC.167)) + cipe = cipe.171 + id_c = id_c.172 + r1 = r1.173 + r2 = r2.174 + s1 = sign(<'TA', id_c.172, r1.173>, x.330) + s2 = s2.176 + skCe = skCe.177 + z = z.182 + z.1 = decaps(cipe.171, skCe.177) z.2 = true - z.3 = verify(s2.183, - <'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, - encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>, - pk(x.342)) - z.4 = z.195 - - 17. ~skC = ~skC.173 - certC = certC.174 - certT = cert(pk(x.342), x.343, z.195) - cip = encaps(z.189, pk(~skC.173)) - cipe = cipe.177 - id_c = id_c.178 - r1 = r1.180 - r2 = r2.181 - s1 = sign(<'TA', id_c.178, r1.180>, x.342) - s2 = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, - encaps(z.189, pk(~skC.173)), pk(skCe.184), cipe.177>, - x.342) - skCe = skCe.184 - z = z.189 - z.1 = decaps(cipe.177, skCe.184) + z.3 = verify(s2.176, + <'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, + encaps(z.182, pk(~skC.167)), pk(skCe.177), cipe.171>, + pk(x.330)) + z.4 = z.189 + + 17. ~skC = ~skC.167 + certC = certC.168 + certT = cert(pk(x.330), x.331, z.189) + cip = encaps(z.182, pk(~skC.167)) + cipe = cipe.171 + id_c = id_c.172 + r1 = r1.173 + r2 = r2.174 + s1 = sign(<'TA', id_c.172, r1.173>, x.330) + s2 = sign(<'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, + encaps(z.182, pk(~skC.167)), pk(skCe.177), cipe.171>, + x.330) + skCe = skCe.177 + z = z.182 + z.1 = decaps(cipe.171, skCe.177) z.2 = true z.3 = true - z.4 = z.195 - - 18. 
~skC = ~skC.173 - certC = certC.174 - certT = cert(pk(x.342), x.343, z.195) - cip = encaps(z.189, pk(~skC.173)) - cipe = encaps(z.190, pk(skCe.184)) - id_c = id_c.178 - r1 = r1.180 - r2 = r2.181 - s1 = s1.182 - s2 = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, - encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>, - x.342) - skCe = skCe.184 - z = z.189 - z.1 = z.190 - z.2 = verify(s1.182, <'TA', id_c.178, r1.180>, pk(x.342)) + z.4 = z.189 + + 18. ~skC = ~skC.167 + certC = certC.168 + certT = cert(pk(x.330), x.331, z.189) + cip = encaps(z.182, pk(~skC.167)) + cipe = encaps(z.183, pk(skCe.177)) + id_c = id_c.172 + r1 = r1.173 + r2 = r2.174 + s1 = s1.175 + s2 = sign(<'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, + encaps(z.182, pk(~skC.167)), pk(skCe.177), encaps(z.183, pk(skCe.177))>, + x.330) + skCe = skCe.177 + z = z.182 + z.1 = z.183 + z.2 = verify(s1.175, <'TA', id_c.172, r1.173>, pk(x.330)) z.3 = true - z.4 = z.195 - - 19. ~skC = ~skC.173 - certC = certC.174 - certT = cert(pk(x.342), x.343, z.195) - cip = encaps(z.189, pk(~skC.173)) - cipe = encaps(z.190, pk(skCe.184)) - id_c = id_c.178 - r1 = r1.180 - r2 = r2.181 - s1 = sign(<'TA', id_c.178, r1.180>, x.342) - s2 = s2.183 - skCe = skCe.184 - z = z.189 - z.1 = z.190 + z.4 = z.189 + + 19. ~skC = ~skC.167 + certC = certC.168 + certT = cert(pk(x.330), x.331, z.189) + cip = encaps(z.182, pk(~skC.167)) + cipe = encaps(z.183, pk(skCe.177)) + id_c = id_c.172 + r1 = r1.173 + r2 = r2.174 + s1 = sign(<'TA', id_c.172, r1.173>, x.330) + s2 = s2.176 + skCe = skCe.177 + z = z.182 + z.1 = z.183 z.2 = true - z.3 = verify(s2.183, - <'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, - encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>, - pk(x.342)) - z.4 = z.195 - - 20. 
~skC = ~skC.173 - certC = certC.174 - certT = cert(pk(x.342), x.343, z.195) - cip = encaps(z.189, pk(~skC.173)) - cipe = encaps(z.190, pk(skCe.184)) - id_c = id_c.178 - r1 = r1.180 - r2 = r2.181 - s1 = sign(<'TA', id_c.178, r1.180>, x.342) - s2 = sign(<'CA', cert(pk(x.342), x.343, z.195), certC.174, r2.181, - encaps(z.189, pk(~skC.173)), pk(skCe.184), encaps(z.190, pk(skCe.184))>, - x.342) - skCe = skCe.184 - z = z.189 - z.1 = z.190 + z.3 = verify(s2.176, + <'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, + encaps(z.182, pk(~skC.167)), pk(skCe.177), encaps(z.183, pk(skCe.177))>, + pk(x.330)) + z.4 = z.189 + + 20. ~skC = ~skC.167 + certC = certC.168 + certT = cert(pk(x.330), x.331, z.189) + cip = encaps(z.182, pk(~skC.167)) + cipe = encaps(z.183, pk(skCe.177)) + id_c = id_c.172 + r1 = r1.173 + r2 = r2.174 + s1 = sign(<'TA', id_c.172, r1.173>, x.330) + s2 = sign(<'CA', cert(pk(x.330), x.331, z.189), certC.168, r2.174, + encaps(z.182, pk(~skC.167)), pk(skCe.177), encaps(z.183, pk(skCe.177))>, + x.330) + skCe = skCe.177 + z = z.182 + z.1 = z.183 z.2 = true z.3 = true - z.4 = z.195 + z.4 = z.189 */ rule (modulo E) CA_FINISH_T: [ In( <kCNF_C, '4', 'c'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), + CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -617,9 +614,6 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip, pkCe, cipe> ) ]-> [ - CAFinishT( cert_id(certC), $T, - kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) - ), !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>, kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ) @@ -629,7 +623,7 @@ rule (modulo E) CA_FINISH_T: rule (modulo AC) CA_FINISH_T: [ In( <kCNF_C, '4', 'c'> ), - CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), + CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), !Cert( $T, certT, 'terminal' ) ] --[ 
@@ -640,19 +634,16 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip, pkCe, cipe> ) ]-> [ - CAFinishT( z, $T, - kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) - ), !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>, kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ) ] variants (modulo AC) - 1. certC = certC.18 - z = cert_id(certC.18) + 1. certC = certC.19 + z = cert_id(certC.19) - 2. certC = cert(x.44, x.45, z.31) - z = z.31 + 2. certC = cert(x.29, x.30, z.24) + z = z.24 */ rule (modulo E) Verify_Transcript_C: @@ -4191,7 +4182,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2 + solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, skCe, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -4209,7 +4200,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) @@ -4298,7 +4289,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2 + solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, skCe, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -4316,7 +4307,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) 
@@ -4327,8 +4318,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_Sign_ltk solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid.1>, cert(pk(x), x.1, $T), id_c.1, r1.1, - skCe.1, r2.1 + solve( TAChallengeC( $C, cert(pk(x), x.1, $T), id_c.1, r1.1, skCe.1, r2.1 ) ▶₁ #i2 ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 ) @@ -4346,7 +4336,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) $T, 'terminal', $C ) @ #j2 ) case CA_FINISH_T - solve( CAInitT( <$T, iid.3>, id_c.3, + solve( CAInitT( $T, id_c.3, cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, <z, cip>, <z.1, cipe>, pk(~skCe.1) ) ▶₁ #j2 ) 
@@ -4504,6 +4494,93 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed +lemma aliveness: + all-traces + "∀ k sid A role B #i #t. + ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ + (∃ #k.1. Corrupted( B ) @ #k.1))" +/* +guarded formula characterizing all counter-examples: +"∃ k sid A role B #i #t. + (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) + ∧ + (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" +*/ +simplify +solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) + case TA_RESPONSE_T + solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) + case CA_Sign_ltk + solve( Completed( k.1, + <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, + encaps(~ke, pkCe)>, + A, role, B + ) @ #i ) + case CA_FINISH_T + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe + ) ▶₁ #i ) + case TA_RESPONSE_T + solve( !KU( kdf(<'CNF', + cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, + encaps(~ke, pkCe)>, + <~k, ~ke>) + ) @ #vk.1 ) + case TA_COMPLETE_C + by contradiction /* from formulas */ + next + case c_kdf + solve( !KU( ~k ) @ #vk.28 ) + case TA_RESPONSE_T + solve( !KU( ~ke ) @ #vk.29 ) + case TA_RESPONSE_T + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + ) @ #vk.17 ) + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.30 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case TA_CHALLENGE_C + solve( !KU( ~ltk.1 ) @ #vk.30 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_cert + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.33 ) + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.31 ) + 
case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case TA_CHALLENGE_C + solve( !KU( ~ltk.1 ) @ #vk.31 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_sign + by solve( !KU( ca_sk ) @ #vk.37 ) + qed + qed + qed + qed + qed + qed + next + case TA_COMPLETE_C + by contradiction /* from formulas */ + qed + qed +qed + lemma weak_agreement_C: all-traces "∀ k sid C T #i #t. @@ -4521,8 +4598,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -4533,7 +4609,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe C, 'chip', T.1 ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, + solve( TAChallengeC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, skCe, r2 ) ▶₁ #i ) @@ -4568,8 +4644,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -4580,9 +4655,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>, - <ke.1, encaps(~ke, pkCe)>, pkCe + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, + <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe ) ▶₁ #i ) case TA_RESPONSE_T solve( !KU( kdf(<'CNF', 
@@ -4656,8 +4730,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -4668,7 +4741,7 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe C, 'chip', T.1 ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, + solve( TAChallengeC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, skCe, r2 ) ▶₁ #i ) @@ -4749,8 +4822,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #t ) +solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -4761,9 +4833,8 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>, - <ke.1, encaps(~ke, pkCe)>, pkCe + solve( CAInitT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, + <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe ) ▶₁ #i ) case TA_RESPONSE_T solve( !KU( kdf(<'CNF', 
@@ -4820,95 +4891,6 @@ solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe qed qed -lemma aliveness: - all-traces - "∀ k sid A role B #i #t. - ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ - (∃ #k.1. Corrupted( B ) @ #k.1))" -/* -guarded formula characterizing all counter-examples: -"∃ k sid A role B #i #t. - (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) - ∧ - (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" -*/ -simplify -solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #t ) - case TA_RESPONSE_T - solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) - case CA_Sign_ltk - solve( Completed( k.1, - <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, - encaps(~ke, pkCe)>, - A, role, B - ) @ #i ) - case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>, - <ke.1, encaps(~ke, pkCe)>, pkCe - ) ▶₁ #i ) - case TA_RESPONSE_T - solve( !KU( kdf(<'CNF', - cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, - encaps(~ke, pkCe)>, - <~k, ~ke>) - ) @ #vk.1 ) - case TA_COMPLETE_C - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.28 ) - case TA_RESPONSE_T - solve( !KU( ~ke ) @ #vk.29 ) - case TA_RESPONSE_T - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) - ) @ #vk.17 ) - case CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.30 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.30 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.33 ) - case 
CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.31 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.31 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.37 ) - qed - qed - qed - qed - qed - qed - next - case TA_COMPLETE_C - by contradiction /* from formulas */ - qed - qed -qed - lemma session_uniqueness: all-traces "∀ A B k sid sid2 role #i #j. @@ -4930,8 +4912,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_1 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -4943,9 +4924,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>, - <~ke, encaps(~ke, pkCe)>, pkCe + solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe ) ▶₁ #j ) case TA_RESPONSE_T by contradiction /* cyclic */ @@ -4955,7 +4935,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, skCe, r2 + solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, skCe, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -4970,7 +4950,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid.1>, + solve( TAChallengeC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~skCe, ~r2 ) ▶₁ #j ) 
@@ -4986,8 +4966,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -4999,9 +4978,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>, - <~ke, encaps(~ke, pkCe)>, pkCe + solve( CAInitT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, + <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe ) ▶₁ #j ) case TA_RESPONSE_T by contradiction /* cyclic */ @@ -5011,7 +4989,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, skCe, r2 + solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, skCe, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -5026,7 +5004,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid.1>, + solve( TAChallengeC( $C, cert(pk(x), sign(<pk(x), B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~skCe, ~r2 ) ▶₁ #j ) @@ -5043,8 +5021,7 @@ next case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe - ) ▶₁ #i ) + solve( CAInitT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk @@ -5062,7 +5039,7 @@ next qed next case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, B), id_c, r1, skCe, r2 + solve( TAChallengeC( $C, cert(pk(x), x.1, B), id_c, r1, skCe, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) 
@@ -5090,19 +5067,21 @@ lemma consistency: "∀ C T k k2 sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒ - ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))" + (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k k2 sid #i #j. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j) ∧ - (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (¬(k = k2)) ∧ + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2 + solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, skCe, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -5116,7 +5095,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>, <ke, cipe>, pk(~skCe) ) ▶₁ #j ) 
@@ -5161,76 +5140,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case c_sign solve( !KU( ~ltk.1 ) @ #vk.48 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.22 ) - case c_kdf - solve( !KU( ~k ) @ #vk.53 ) - case TA_RESPONSE_T - solve( !KU( ~ke ) @ #vk.54 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.55 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed next case c_sign solve( !KU( ~ltk.1 ) @ #vk.33 ) case Corrupt_ltk - solve( !KU( sign(<'CA', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - ~ltk.1) - ) @ #vk.8 ) - case TA_RESPONSE_T - solve( !KU( kdf(<'CNF', - cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.17 ) - case c_kdf - solve( !KU( ~k ) @ #vk.46 ) - case TA_RESPONSE_T - solve( !KU( ~ke ) @ #vk.47 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.48 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - next - case c_sign - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.20 ) - case c_kdf - solve( !KU( ~k ) @ #vk.48 ) - case TA_RESPONSE_T - solve( !KU( ~ke ) @ #vk.49 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.50 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed + by contradiction /* from formulas */ qed 
qed qed @@ -5247,8 +5164,9 @@ lemma key_secrecy: "∀ C T k sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒ - (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ - (∃ #m. Corrupted( C ) @ #m))" + ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ + (∃ #m. Corrupted( C ) @ #m)) ∨ + (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k sid #i #j. @@ -5257,12 +5175,13 @@ guarded formula characterizing all counter-examples: ∧ (∃ #m. (K( k ) @ #m)) ∧ (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧ - (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2 + solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, skCe, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -5280,7 +5199,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) 
@@ -5323,150 +5242,14 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case c_sign solve( !KU( ~ltk.1 ) @ #vk.49 ) case Corrupt_ltk - solve( !KU( kdf(<'KEY', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.6 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.54 ) - case TA_RESPONSE_T - solve( !KU( ~ke ) @ #vk.55 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.56 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed next case c_sign solve( !KU( ~ltk.1 ) @ #vk.34 ) case Corrupt_ltk - solve( !KU( sign(<'CA', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - ~ltk.1) - ) @ #vk.9 ) - case TA_RESPONSE_T - solve( !KU( kdf(<'KEY', - cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.5 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.47 ) - case TA_RESPONSE_T - solve( !KU( ~ke ) @ #vk.48 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.49 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - next - case c_sign - solve( !KU( kdf(<'KEY', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.5 ) - case Reveal_session - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.49 ) - case TA_RESPONSE_T - solve( !KU( 
~ke ) @ #vk.50 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.51 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed -qed - -lemma chip_hiding: - all-traces - "∀ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) ⇒ - ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))" -/* -guarded formula characterizing all counter-examples: -"∃ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) - ∧ - (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))" -*/ -simplify -solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2 - ) ▶₁ #i ) - case TA_CHALLENGE_C - solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) - case Generate_chip_key_pair - solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) - case CA_Sign_ltk - solve( !KU( sign(<'TA', ~id_c, ~r1>, x) ) @ #vk.5 ) - case c_sign - solve( !KU( sign(<'CA', - cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, - pk(~skCe), cipe>, - x) - ) @ #vk.7 ) - case c_sign - solve( !KU( cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T) - ) @ #vk.16 ) - case CA_Sign_ltk - solve( !KU( ~ltk ) @ #vk.22 ) - case Corrupt_ltk - solve( splitEqs(0) ) - case split_case_1 - solve( !KU( ~iid ) @ #vk.21 ) - case TA_CHALLENGE_C - solve( !KU( ~id_c ) @ #vk.26 ) - case TA_CHALLENGE_C - solve( !KU( ~r1 ) @ #vk.27 ) - case TA_CHALLENGE_C - solve( !KU( ~r2 ) @ #vk.30 ) - case TA_CHALLENGE_C - solve( !KU( cert(pk(~ltk.1), sign(<pk(~ltk.1), $C, 'chip'>, ca_sk), $C) - ) @ #vk.30 ) - case CA_Sign_ltk - solve( !KU( pk(~skCe) ) @ #vk.31 ) - case TA_CHALLENGE_C - SOLVED // trace found - qed - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed 
@@ -5477,7 +5260,7 @@ solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2 qed qed -lemma nonRepudiation_terminal: +lemma notNonRepudiation_C: exists-trace "∃ C T #i. (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -5541,7 +5324,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i ) qed qed -lemma nonRepudiation_chip: +lemma notNonRepudiation_T: exists-trace "∃ C T #i. (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -5574,7 +5357,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i ) qed qed -lemma pfs: +lemma forward_secrecy: all-traces "∀ C T k sid #i #j. ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧ @@ -5596,7 +5379,7 @@ guarded formula characterizing all counter-examples: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C - solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), id_c, r1, skCe, r2 + solve( TAChallengeC( $C, cert(pk(x), x.1, T), id_c, r1, skCe, r2 ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -5614,7 +5397,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, + solve( CAInitT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) 
@@ -5793,21 +5576,20 @@ summary of summaries: analyzed: tmp.spthy - processing time: 981.75s + processing time: 830.37s session_exist (exists-trace): verified (21 steps) two_session_exist (exists-trace): verified (40 steps) + aliveness (all-traces): verified (21 steps) weak_agreement_C (all-traces): verified (8 steps) weak_agreement_T (all-traces): verified (20 steps) agreement_C (all-traces): verified (20 steps) agreement_T (all-traces): verified (20 steps) - aliveness (all-traces): verified (21 steps) session_uniqueness (all-traces): verified (37 steps) - consistency (all-traces): verified (35 steps) - key_secrecy (all-traces): verified (37 steps) - chip_hiding (all-traces): falsified - found trace (16 steps) - nonRepudiation_terminal (exists-trace): verified (14 steps) - nonRepudiation_chip (exists-trace): falsified - no trace found (7 steps) - pfs (all-traces): verified (37 steps) + consistency (all-traces): verified (21 steps) + key_secrecy (all-traces): verified (20 steps) + notNonRepudiation_C (exists-trace): verified (14 steps) + notNonRepudiation_T (exists-trace): falsified - no trace found (7 steps) + forward_secrecy (all-traces): verified (37 steps) ============================================================================== diff --git a/results/45991793.err.ALL_KemPQEAC_TAMARIN b/results/46092875.err.ForwardSecrecy_KemPQEAC similarity index 100% rename from results/45991793.err.ALL_KemPQEAC_TAMARIN rename to results/46092875.err.ForwardSecrecy_KemPQEAC diff --git a/results/45991549.out.PFS_ALL_KemPQEAC_TAMARIN b/results/46092875.out.ForwardSecrecy_KemPQEAC similarity index 79% rename from results/45991549.out.PFS_ALL_KemPQEAC_TAMARIN rename to results/46092875.out.ForwardSecrecy_KemPQEAC index 2221843..9f4c872 100644 --- a/results/45991549.out.PFS_ALL_KemPQEAC_TAMARIN +++ b/results/46092875.out.ForwardSecrecy_KemPQEAC 
@@ -74,56 +74,53 @@ rule (modulo E) Reveal_session: /* has exactly the trivial AC variant */ rule (modulo E) TA_INIT_T: - [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ] + [ !Cert( $T, certT, 'terminal' ) ] --[ Started( ) ]-> - [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ] + [ Out( <certT, '1', 't'> ), TAInitT( $T ) ] /* has exactly the trivial AC variant */ rule (modulo E) TA_CHALLENGE_C: - [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid ) - ] + [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ) ] --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]-> [ Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), '2', 'c'> ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, - <~kTA, encaps(~kTA, cert_pk(certT))> + TAChallengeC( $C, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, cert_pk(certT))> ) ] /* rule (modulo AC) TA_CHALLENGE_C: - [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~iid ) - ] + [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ) ] --[ Eq( z.1, true ), Started( ) ]-> [ Out( <~id_c, ~r1, encaps(~kTA, z), '2', 'c'> ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, z)> ) + TAChallengeC( $C, certT, ~id_c, ~r1, <~kTA, encaps(~kTA, z)> ) ] variants (modulo AC) - 1. certT = certT.14 - z = cert_pk(certT.14) - z.1 = verify(cert_sig(certT.14), - <cert_pk(certT.14), cert_id(certT.14), 'terminal'>, pk(ca_sk)) + 1. certT = certT.13 + z = cert_pk(certT.13) + z.1 = verify(cert_sig(certT.13), + <cert_pk(certT.13), cert_id(certT.13), 'terminal'>, pk(ca_sk)) - 2. certT = cert(z.27, sign(<z.27, x.44, 'terminal'>, ca_sk), x.44) - z = z.27 + 2. certT = cert(z.26, sign(<z.26, x.43, 'terminal'>, ca_sk), x.43) + z = z.26 z.1 = true - 3. certT = cert(z.28, x.45, x.46) - z = z.28 - z.1 = verify(x.45, <z.28, x.46, 'terminal'>, pk(ca_sk)) + 3. 
certT = cert(z.27, x.44, x.45) + z = z.27 + z.1 = verify(x.44, <z.27, x.45, 'terminal'>, pk(ca_sk)) */ rule (modulo E) TA_RESPONSE_T: [ - In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ), + In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ) ] --> [ Out( <kdf(<'TCNF', r1>, decaps(cTA, ~skT)), '3', 't'> ), - TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, decaps(cTA, ~skT)), + TAResponseT( $T, id_c, kdf(<'TMAC', r1>, decaps(cTA, ~skT)), kdf(<'TENC', r1>, decaps(cTA, ~skT)) ) ] 
@@ -131,78 +128,51 @@ rule (modulo E) TA_RESPONSE_T: /* rule (modulo AC) TA_RESPONSE_T: [ - In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( <$T, iid> ), + In( <id_c, r1, cTA, '2', 'c'> ), TAInitT( $T ), !Ltk( $T, ~skT, 'terminal' ) ] --> [ Out( <kdf(<'TCNF', r1>, z), '3', 't'> ), - TAResponseT( <$T, iid>, id_c, kdf(<'TMAC', r1>, z), kdf(<'TENC', r1>, z) - ) + TAResponseT( $T, id_c, kdf(<'TMAC', r1>, z), kdf(<'TENC', r1>, z) ) ] variants (modulo AC) - 1. ~skT = ~skT.14 - cTA = cTA.15 - z = decaps(cTA.15, ~skT.14) + 1. ~skT = ~skT.13 + cTA = cTA.14 + z = decaps(cTA.14, ~skT.13) - 2. ~skT = ~skT.22 - cTA = encaps(z.31, pk(~skT.22)) - z = z.31 + 2. ~skT = ~skT.20 + cTA = encaps(z.28, pk(~skT.20)) + z = z.28 */ rule (modulo E) TA_COMPLETE_C: [ In( <kTCNF_T, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> ) + TAChallengeC( $C, certT, id_c, r1, <kTA, cTA> ) ] - --[ - Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ), - CompletedTA( $C, iid, cert_id(certT) ) - ]-> + --[ Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ) ]-> [ - TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, - kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA) + TACompleteC( $C, certT, id_c, r1, <kTA, cTA>, kdf(<'TMAC', r1>, kTA), + kdf(<'TENC', r1>, kTA) ) ] - /* - rule (modulo AC) TA_COMPLETE_C: - [ - In( <kTCNF_T, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> ) - ] - --[ Eq( kTCNF_T, kdf(<'TCNF', r1>, kTA) ), CompletedTA( $C, iid, z ) ]-> - [ - TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, - kdf(<'TMAC', r1>, kTA), kdf(<'TENC', r1>, kTA) - ) - ] - variants (modulo AC) - 1. certT = certT.16 - z = cert_id(certT.16) - - 2. 
certT = cert(x.26, x.27, z.21) - z = z.21 - */ + /* has exactly the trivial AC variant */ rule (modulo E) CA_INIT_C: - [ - !Cert( $C, certC, 'chip' ), Fr( ~r2 ), Fr( ~skCe ), - TACompleteC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC ) - ] + [ !Cert( $C, certC, 'chip' ), Fr( ~r2 ), Fr( ~skCe ) ] --> [ Out( <senc(<certC, ~r2, pk(~skCe)>, kTENC), '4', 'c'> ), - Out( senc(iid, kTENC) ), - CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2, ~skCe - ) + CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, ~r2, ~skCe ) ] /* has exactly the trivial AC variant */ rule (modulo E) CA_INIT_T: [ - In( <cCA, '4', 'c'> ), TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ), + In( <cCA, '4', 'c'> ), TAResponseT( $T, id_c, kTMAC, kTENC ), !Cert( $T, certT, 'terminal' ), Fr( ~k ), Fr( ~ke ) ] --[ Eq( verify_cert(fst(sdec(cCA, kTENC)), 'chip'), true ) ]-> @@ -214,7 +184,7 @@ rule (modulo E) CA_INIT_T: kTMAC), encaps(~ke, snd(snd(sdec(cCA, kTENC)))), '5', 't'> ), - CAInitT( <$T, iid>, id_c, kTMAC, kTENC, fst(sdec(cCA, kTENC)), + CAInitT( $T, id_c, kTMAC, kTENC, fst(sdec(cCA, kTENC)), fst(snd(sdec(cCA, kTENC))), <~k, encaps(~k, cert_pk(fst(sdec(cCA, kTENC))))>, <~ke, encaps(~ke, snd(snd(sdec(cCA, kTENC))))>, @@ -225,7 +195,7 @@ rule (modulo E) CA_INIT_T: /* rule (modulo AC) CA_INIT_T: [ - In( <cCA, '4', 'c'> ), TAResponseT( <$T, iid>, id_c, kTMAC, kTENC ), + In( <cCA, '4', 'c'> ), TAResponseT( $T, id_c, kTMAC, kTENC ), !Cert( $T, certT, 'terminal' ), Fr( ~k ), Fr( ~ke ) ] --[ Eq( z.4, true ) ]-> 
@@ -235,91 +205,90 @@ rule (modulo E) CA_INIT_T: kTMAC), encaps(~ke, z.3), '5', 't'> ), - CAInitT( <$T, iid>, id_c, kTMAC, kTENC, z.1, z.2, <~k, encaps(~k, z)>, + CAInitT( $T, id_c, kTMAC, kTENC, z.1, z.2, <~k, encaps(~k, z)>, <~ke, encaps(~ke, z.3)>, z.3 ) ] variants (modulo AC) - 1. cCA = cCA.26 + 1. cCA = cCA.24 + kTENC = kTENC.27 + z = cert_pk(fst(sdec(cCA.24, kTENC.27))) + z.1 = fst(sdec(cCA.24, kTENC.27)) + z.2 = fst(snd(sdec(cCA.24, kTENC.27))) + z.3 = snd(snd(sdec(cCA.24, kTENC.27))) + z.4 = verify(cert_sig(fst(sdec(cCA.24, kTENC.27))), + <cert_pk(fst(sdec(cCA.24, kTENC.27))), + cert_id(fst(sdec(cCA.24, kTENC.27))), 'chip'>, + pk(ca_sk)) + + 2. cCA = senc(x.164, kTENC.86) + kTENC = kTENC.86 + z = cert_pk(fst(x.164)) + z.1 = fst(x.164) + z.2 = fst(snd(x.164)) + z.3 = snd(snd(x.164)) + z.4 = verify(cert_sig(fst(x.164)), + <cert_pk(fst(x.164)), cert_id(fst(x.164)), 'chip'>, pk(ca_sk)) + + 3. cCA = senc(<z.37, z.38, z.39>, kTENC.30) kTENC = kTENC.30 - z = cert_pk(fst(sdec(cCA.26, kTENC.30))) - z.1 = fst(sdec(cCA.26, kTENC.30)) - z.2 = fst(snd(sdec(cCA.26, kTENC.30))) - z.3 = snd(snd(sdec(cCA.26, kTENC.30))) - z.4 = verify(cert_sig(fst(sdec(cCA.26, kTENC.30))), - <cert_pk(fst(sdec(cCA.26, kTENC.30))), - cert_id(fst(sdec(cCA.26, kTENC.30))), 'chip'>, + z = cert_pk(z.37) + z.1 = z.37 + z.2 = z.38 + z.3 = z.39 + z.4 = verify(cert_sig(z.37), <cert_pk(z.37), cert_id(z.37), 'chip'>, pk(ca_sk)) - 2. cCA = senc(x.165, kTENC.87) + 4. cCA = senc(<z.94, x.166>, kTENC.87) kTENC = kTENC.87 - z = cert_pk(fst(x.165)) - z.1 = fst(x.165) - z.2 = fst(snd(x.165)) - z.3 = snd(snd(x.165)) - z.4 = verify(cert_sig(fst(x.165)), - <cert_pk(fst(x.165)), cert_id(fst(x.165)), 'chip'>, pk(ca_sk)) - - 3. 
cCA = senc(<z.38, z.39, z.40>, kTENC.31) - kTENC = kTENC.31 - z = cert_pk(z.38) - z.1 = z.38 - z.2 = z.39 - z.3 = z.40 - z.4 = verify(cert_sig(z.38), <cert_pk(z.38), cert_id(z.38), 'chip'>, + z = cert_pk(z.94) + z.1 = z.94 + z.2 = fst(x.166) + z.3 = snd(x.166) + z.4 = verify(cert_sig(z.94), <cert_pk(z.94), cert_id(z.94), 'chip'>, pk(ca_sk)) - 4. cCA = senc(<z.95, x.167>, kTENC.88) + 5. cCA = senc(<cert(z.92, sign(<z.92, x.166, 'chip'>, ca_sk), x.166), + z.95, z.96>, + kTENC.87) + kTENC = kTENC.87 + z = z.92 + z.1 = cert(z.92, sign(<z.92, x.166, 'chip'>, ca_sk), x.166) + z.2 = z.95 + z.3 = z.96 + z.4 = true + + 6. cCA = senc(<cert(z.93, x.167, x.168), z.96, z.97>, kTENC.88) kTENC = kTENC.88 - z = cert_pk(z.95) - z.1 = z.95 - z.2 = fst(x.167) - z.3 = snd(x.167) - z.4 = verify(cert_sig(z.95), <cert_pk(z.95), cert_id(z.95), 'chip'>, - pk(ca_sk)) + z = z.93 + z.1 = cert(z.93, x.167, x.168) + z.2 = z.96 + z.3 = z.97 + z.4 = verify(x.167, <z.93, x.168, 'chip'>, pk(ca_sk)) - 5. cCA = senc(<cert(z.93, sign(<z.93, x.167, 'chip'>, ca_sk), x.167), - z.96, z.97>, + 7. cCA = senc(<cert(z.93, sign(<z.93, x.167, 'chip'>, ca_sk), x.167), + x.168>, kTENC.88) kTENC = kTENC.88 z = z.93 z.1 = cert(z.93, sign(<z.93, x.167, 'chip'>, ca_sk), x.167) - z.2 = z.96 - z.3 = z.97 + z.2 = fst(x.168) + z.3 = snd(x.168) z.4 = true - 6. cCA = senc(<cert(z.94, x.168, x.169), z.97, z.98>, kTENC.89) + 8. cCA = senc(<cert(z.94, x.168, x.169), x.170>, kTENC.89) kTENC = kTENC.89 z = z.94 z.1 = cert(z.94, x.168, x.169) - z.2 = z.97 - z.3 = z.98 + z.2 = fst(x.170) + z.3 = snd(x.170) z.4 = verify(x.168, <z.94, x.169, 'chip'>, pk(ca_sk)) - - 7. cCA = senc(<cert(z.94, sign(<z.94, x.168, 'chip'>, ca_sk), x.168), - x.169>, - kTENC.89) - kTENC = kTENC.89 - z = z.94 - z.1 = cert(z.94, sign(<z.94, x.168, 'chip'>, ca_sk), x.168) - z.2 = fst(x.169) - z.3 = snd(x.169) - z.4 = true - - 8. 
cCA = senc(<cert(z.95, x.169, x.170), x.171>, kTENC.90) - kTENC = kTENC.90 - z = z.95 - z.1 = cert(z.95, x.169, x.170) - z.2 = fst(x.171) - z.3 = snd(x.171) - z.4 = verify(x.169, <z.95, x.170, 'chip'>, pk(ca_sk)) */ rule (modulo E) CA_FINISH_C: [ In( <cip, s, cipe, '5', 't'> ), - CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe - ), + CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ @@ -334,10 +303,6 @@ rule (modulo E) CA_FINISH_C: kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <decaps(cip, ~skC), decaps(cipe, skCe)>), '6', 'c'> - ), - CAFinishC( $C, cert_id(certT), - kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, - <decaps(cip, ~skC), decaps(cipe, skCe)>) ) ] @@ -345,8 +310,7 @@ rule (modulo E) CA_FINISH_C: rule (modulo AC) CA_FINISH_C: [ In( <cip, s, cipe, '5', 't'> ), - CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe - ), + CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ @@ -358,9 +322,6 @@ rule (modulo E) CA_FINISH_C: [ Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), '6', 'c'> - ), - CAFinishC( $C, z.2, - kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>) ) ] variants (modulo AC) 
@@ -368,81 +329,79 @@ rule (modulo E) CA_FINISH_C: certT = certT.44 cip = cip.45 cipe = cipe.46 - skCe = skCe.55 + skCe = skCe.54 z = decaps(cip.45, ~skC.41) - z.1 = decaps(cipe.46, skCe.55) + z.1 = decaps(cipe.46, skCe.54) z.2 = cert_id(certT.44) 2. ~skC = ~skC.46 certT = certT.49 - cip = encaps(z.65, pk(~skC.46)) + cip = encaps(z.64, pk(~skC.46)) cipe = cipe.51 - skCe = skCe.60 - z = z.65 - z.1 = decaps(cipe.51, skCe.60) + skCe = skCe.59 + z = z.64 + z.1 = decaps(cipe.51, skCe.59) z.2 = cert_id(certT.49) 3. ~skC = ~skC.47 certT = certT.50 cip = cip.51 - cipe = encaps(z.67, pk(skCe.61)) - skCe = skCe.61 + cipe = encaps(z.66, pk(skCe.60)) + skCe = skCe.60 z = decaps(cip.51, ~skC.47) - z.1 = z.67 + z.1 = z.66 z.2 = cert_id(certT.50) 4. ~skC = ~skC.47 certT = certT.50 - cip = encaps(z.66, pk(~skC.47)) - cipe = encaps(z.67, pk(skCe.61)) - skCe = skCe.61 - z = z.66 - z.1 = z.67 + cip = encaps(z.65, pk(~skC.47)) + cipe = encaps(z.66, pk(skCe.60)) + skCe = skCe.60 + z = z.65 + z.1 = z.66 z.2 = cert_id(certT.50) - 5. ~skC = ~skC.210 - certT = cert(x.416, x.417, z.233) - cip = cip.214 - cipe = cipe.215 - skCe = skCe.224 - z = decaps(cip.214, ~skC.210) - z.1 = decaps(cipe.215, skCe.224) - z.2 = z.233 + 5. ~skC = ~skC.204 + certT = cert(x.404, x.405, z.228) + cip = cip.208 + cipe = cipe.209 + skCe = skCe.217 + z = decaps(cip.208, ~skC.204) + z.1 = decaps(cipe.209, skCe.217) + z.2 = z.228 - 6. ~skC = ~skC.210 - certT = cert(x.416, x.417, z.233) - cip = cip.214 - cipe = encaps(z.230, pk(skCe.224)) - skCe = skCe.224 - z = decaps(cip.214, ~skC.210) - z.1 = z.230 - z.2 = z.233 + 6. ~skC = ~skC.204 + certT = cert(x.404, x.405, z.228) + cip = cip.208 + cipe = encaps(z.223, pk(skCe.217)) + skCe = skCe.217 + z = decaps(cip.208, ~skC.204) + z.1 = z.223 + z.2 = z.228 - 7. ~skC = ~skC.213 - certT = cert(x.422, x.423, z.236) - cip = encaps(z.232, pk(~skC.213)) - cipe = cipe.218 - skCe = skCe.227 - z = z.232 - z.1 = decaps(cipe.218, skCe.227) - z.2 = z.236 + 7. 
~skC = ~skC.207 + certT = cert(x.410, x.411, z.231) + cip = encaps(z.225, pk(~skC.207)) + cipe = cipe.212 + skCe = skCe.220 + z = z.225 + z.1 = decaps(cipe.212, skCe.220) + z.2 = z.231 - 8. ~skC = ~skC.213 - certT = cert(x.422, x.423, z.236) - cip = encaps(z.232, pk(~skC.213)) - cipe = encaps(z.233, pk(skCe.227)) - skCe = skCe.227 - z = z.232 - z.1 = z.233 - z.2 = z.236 + 8. ~skC = ~skC.207 + certT = cert(x.410, x.411, z.231) + cip = encaps(z.225, pk(~skC.207)) + cipe = encaps(z.226, pk(skCe.220)) + skCe = skCe.220 + z = z.225 + z.1 = z.226 + z.2 = z.231 */ rule (modulo E) CA_FINISH_T: [ In( <kCNF_c, '6', 'c'> ), - CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, - pkCe - ), + CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, pkCe ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -453,9 +412,6 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip, pkCe, cipe> ) ]-> [ - CAFinishT( cert_id(certC), $T, - kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) - ), !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>, kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ) @@ -465,9 +421,7 @@ rule (modulo E) CA_FINISH_T: rule (modulo AC) CA_FINISH_T: [ In( <kCNF_c, '6', 'c'> ), - CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, - pkCe - ), + CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, pkCe ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -478,19 +432,16 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip, pkCe, cipe> ) ]-> [ - CAFinishT( z, $T, - kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) - ), !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>, kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ) ] variants (modulo AC) - 1. certC = certC.20 - z = cert_id(certC.20) + 1. certC = certC.21 + z = cert_id(certC.21) - 2. certC = cert(x.46, x.47, z.33) - z = z.33 + 2. certC = cert(x.31, x.32, z.26) + z = z.26 */ rule (modulo E) Verify_Transcript_C: 
@@ -2544,33 +2495,28 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, - skCe + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( kdf(<'KEY', - cert(z, sign(<z, T, 'terminal'>, ca_sk), T), + solve( Completed( kdf(<'KEY', certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, pk(~skCe), cipe>, - <z.1, z.2>), - <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, - pk(~skCe), cipe>, + <z, z.1>), + <certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + cip, pk(~skCe), cipe>, T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>, - <z.2, cipe>, pk(~skCe) + solve( CAInitT( $T, id_c.1, kTMAC.1, kTENC.1, + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, + <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) case CA_INIT_T - solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T), - 'terminal' - ) ▶₂ #j ) + solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j ) case CA_Sign_ltk solve( splitEqs(2) ) case split_case_1 
@@ -2578,77 +2524,26 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - kdf(<'TMAC', ~r1>, ~kTA)) + kTMAC) ) @ #vk.3 ) - case c_mac - solve( !KU( ~r2 ) @ #vk.43 ) + case CA_INIT_T + solve( !KU( senc(< + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, pk(~skCe)>, + kdf(<'TENC', r1>, decaps(cTA, ~skT))) + ) @ #vk.20 ) case CA_INIT_C - solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 ) - case TA_RESPONSE_T - solve( !KU( senc(< - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - pk(~skCe)>, - kdf(<'TENC', r1.1>, decaps(cTA, ~skT))) - ) @ #vk.36 ) - case c_senc - solve( !KU( kdf(<'TMAC', ~r1>, ~kTA) ) @ #vk.44 ) - case c_kdf - solve( !KU( ~kTA ) @ #vk.56 ) - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.58 ) - case Corrupt_ltk - solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.52 ) - case c_kdf - solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.57 ) - case TA_CHALLENGE_C - solve( !KU( kdf(<'TENC', r1.1>, decaps(cTA, ~skT)) ) @ #vk.58 ) - case c_kdf - solve( !KU( decaps(cTA, ~skT) ) @ #vk.62 ) - case c_decaps - solve( !KU( ~skT ) @ #vk.63 ) - case Corrupt_ltk - solve( !KU( ~r1 ) @ #vk.59 ) - case TA_CHALLENGE_C - solve( !KU( cert(pk(~ltk.1), - sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T) - ) @ #vk.38 ) - case CA_Sign_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), - sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), - $T), - cert(pk(~ltk), - sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), - ~r2, encaps(~k, pk(~ltk)), pk(~skCe), - encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.43 ) - case CA_FINISH_C - solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.31 ) - case CA_INIT_T - solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.35 ) - case CA_INIT_T - solve( !KU( cert(pk(~ltk), - sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C) - ) @ #vk.59 ) - case CA_Sign_ltk - solve( !KU( pk(~skCe) ) @ #vk.60 ) - case 
CA_INIT_C - SOLVED // trace found - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, + <~k, ~ke>) + ) @ #vk.11 ) + case CA_FINISH_C + solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.6 ) + case CA_INIT_T + solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.9 ) + case CA_INIT_T + SOLVED // trace found qed qed qed 
@@ -2686,63 +2581,55 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, - skCe + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( kdf(<'KEY', - cert(z, sign(<z, T, 'terminal'>, ca_sk), T), + solve( Completed( kdf(<'KEY', certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, pk(~skCe), cipe>, - <z.1, z.2>), - <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, - pk(~skCe), cipe>, + <z, z.1>), + <certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + cip, pk(~skCe), cipe>, T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>, - <z.2, cipe>, pk(~skCe) + solve( CAInitT( $T, id_c.1, kTMAC.1, kTENC.1, + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, + <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) case CA_INIT_T - solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T), - 'terminal' - ) ▶₂ #j ) + solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j ) case CA_Sign_ltk solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1, - <kTA.1, cTA>, kTMAC, kTENC, r2.1, skCe.1 + solve( CAInitC( $C, cert(x, x.1, $T), id_c.1, r1.1, <kTA.1, cTA.1>, + kTMAC.1, kTENC.1, r2.1, skCe.1 ) ▶₁ #i2 ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 ) case CA_Sign_ltk - solve( Completed( kdf(<'KEY', - cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), + solve( Completed( 
kdf(<'KEY', cert(x, x.1, $T), cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, cip, pk(~skCe.1), cipe>, <z, z.1>), - <cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), + <cert(x, x.1, $T), cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, cip, pk(~skCe.1), cipe>, $T, 'terminal', $C ) @ #j2 ) case CA_FINISH_T - solve( CAInitT( <$T, iid.3>, id_c.3, kTMAC, kTENC, + solve( CAInitT( $T, id_c.3, kTMAC.2, kTENC.2, cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, <z, cip>, <z.1, cipe>, pk(~skCe.1) ) ▶₁ #j2 ) case CA_INIT_T - solve( !Cert( $T, cert(x, sign(<x, $T, 'terminal'>, ca_sk), $T), - 'terminal' - ) ▶₂ #j2 ) + solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j2 ) case CA_Sign_ltk solve( splitEqs(2) ) case split_case_1 
@@ -2754,218 +2641,80 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe)) >, - kdf(<'TMAC', ~r1>, ~kTA)) + kTMAC) ) @ #vk.3 ) - case c_mac - solve( !KU( ~r2 ) @ #vk.63 ) + case CA_INIT_T + solve( !KU( senc(< + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), + ~r2, pk(~skCe)>, + kdf(<'TENC', r1>, z)) + ) @ #vk.28 ) case CA_INIT_C - solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.22 ) - case TA_RESPONSE_T + solve( !KU( mac(<'CA', + cert(pk(~ltk.2), + sign(<pk(~ltk.2), $T, 'terminal'>, ca_sk), $T), + cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), + ~r2.1, encaps(~k.1, pk(~skC)), pk(~skCe.1), + encaps(~ke.1, pk(~skCe.1))>, + kTMAC) + ) @ #vk.35 ) + case CA_INIT_T solve( !KU( senc(< - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), + cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), - ~r2, pk(~skCe)>, - kdf(<'TENC', r1.2>, decaps(cTA, ~skT))) - ) @ #vk.46 ) - case c_senc - solve( !KU( mac(<'CA', - cert(pk(~ltk.2), - sign(<pk(~ltk.2), $T, 'terminal'>, ca_sk), $T), - cert(pk(~skC), sign(<pk(~skC), $C, 'chip'>, ca_sk), - $C), - ~r2.1, encaps(~k.1, pk(~skC)), pk(~skCe.1), - encaps(~ke.1, pk(~skCe.1))>, - kdf(<'TMAC', ~r1.1>, ~kTA.1)) - ) @ #vk.55 ) - case CA_INIT_T - solve( !KU( senc(< - cert(pk(~skC), - sign(<pk(~skC), $C, 'chip'>, ca_sk), $C), - ~r2.1, pk(~skCe.1)>, - kdf(<'TENC', ~r1.1>, ~kTA.1)) - ) @ #vk.62 ) - case CA_INIT_C - solve( !KU( encaps(~kTA.1, pk(~skT.1)) ) @ #vk.65 ) - case TA_CHALLENGE_C - solve( !KU( kdf(<'TMAC', ~r1>, ~kTA) ) @ #vk.66 ) - case c_kdf - solve( !KU( ~kTA ) @ #vk.76 ) - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.78 ) - case Corrupt_ltk - solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.72 ) - case c_kdf - solve( !KU( encaps(~kTA, pk(~skT.2)) ) @ #vk.77 ) - case TA_CHALLENGE_C - solve( !KU( kdf(<'TENC', r1.2>, decaps(cTA, ~skT.1)) - ) @ #vk.78 ) - case c_kdf - solve( !KU( decaps(cTA, ~skT.1) ) @ 
#vk.82 ) - case c_decaps - solve( !KU( ~skT.1 ) @ #vk.83 ) - case Corrupt_ltk - solve( !KU( ~r1 ) @ #vk.79 ) - case TA_CHALLENGE_C - solve( !KU( ~r1.1 ) @ #vk.75 ) - case TA_CHALLENGE_C - solve( !KU( cert(pk(~ltk.1), - sign(<pk(~ltk.1), $T, - 'terminal'>, - ca_sk), - $T) - ) @ #vk.53 ) - case CA_Sign_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), - sign(<pk(~ltk.1), - $T, 'terminal' - >, - ca_sk), - $T), - cert(pk(~ltk), - sign(<pk(~ltk), $C, - 'chip'>, - ca_sk), - $C), - ~r2, - encaps(~k, pk(~ltk)), - pk(~skCe), - encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.56 ) - case CA_FINISH_C - solve( !KU( encaps(~k, pk(~ltk)) - ) @ #vk.41 ) - case CA_INIT_T - solve( !KU( encaps(~ke, pk(~skCe)) - ) @ #vk.45 ) - case CA_INIT_T - solve( !KU( kdf(<'TCNF', ~r1.1>, - ~kTA.1) - ) @ #vk.74 ) - case TA_RESPONSE_T - solve( !KU( encaps(~kTA.1, - pk(~skT.2)) - ) @ #vk.88 ) - case TA_CHALLENGE_C - solve( !KU( cert(pk(~skT), - sign(< - pk(~skT), - $T, - 'terminal' - >, - ca_sk), - $T) - ) @ #vk.76 ) - case CA_Sign_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~skT), - sign(< - pk(~skT), - $T, - 'terminal' - >, - ca_sk), - $T), - cert(pk(~skC), - sign(< - pk(~skC), - $C, - 'chip' - >, - ca_sk), - $C), - ~r2.1, - encaps(~k.1, - pk(~skC)), - pk(~skCe.1), - encaps(~ke.1, - pk(~skCe.1)) - >, - <~k.1, ~ke.1>) - ) @ #vk.77 ) - case CA_FINISH_C - solve( !KU( encaps(~k.1, - pk(~skC)) - ) @ #vk.76 ) - case CA_INIT_T - solve( !KU( encaps(~ke.1, - pk(~skCe.1)) - ) @ #vk.77 ) - case CA_INIT_T - solve( !KU( cert(pk(~ltk), - sign(< - pk(~ltk), - $C, - 'chip' - >, - ca_sk), - $C) - ) @ #vk.80 ) - case CA_INIT_C - solve( !KU( kdf(< - 'TENC', - ~r1.3 - >, - ~kTA.2) - ) @ #vk.88 ) - case c_kdf - solve( !KU( ~kTA.2 - ) @ #vk.92 ) - case TA_CHALLENGE_C - solve( !KU( kdf(< - 'TCNF', - ~r1.3 - >, - ~kTA.2) - ) @ #vk.91 ) - case TA_RESPONSE_T - solve( !KU( cert(pk(sk), - sign(< - pk(sk), - z, - 'terminal' - >, - ca_sk), - z) - ) @ #vk.93 ) - case CA_Sign_ltk - solve( !KU( ~ltk.5 - ) @ #vk.97 ) - case Corrupt_ltk 
- solve( !KU( encaps(~kTA.2, - pk(~skT.2)) - ) @ #vk.99 ) - case TA_CHALLENGE_C - solve( !KU( ~r1.3 - ) @ #vk.98 ) - case TA_CHALLENGE_C - solve( !KU( pk(~skCe) - ) @ #vk.93 ) - case CA_INIT_C - SOLVED // trace found - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed + ~r2.1, pk(~skCe.1)>, + kdf(<'TENC', r1.2>, z.1)) + ) @ #vk.38 ) + case CA_INIT_C + solve( !KU( encaps(z, pk(~skT)) ) @ #vk.34 ) + case TA_CHALLENGE_C + solve( !KU( encaps(z, pk(~skT.1)) ) @ #vk.42 ) + case TA_CHALLENGE_C + solve( !KU( cert(pk(~skT), sign(<pk(~skT), x, 'terminal'>, ca_sk), + x) + ) @ #vk.45 ) + case CA_Sign_ltk + solve( !KU( cert(pk(~skT.1), + sign(<pk(~skT.1), x, 'terminal'>, ca_sk), x) + ) @ #vk.47 ) + case CA_Sign_ltk + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), + sign(<pk(~ltk.1), $T, 'terminal'>, + ca_sk), + $T), + cert(pk(~ltk), + sign(<pk(~ltk), $C, 'chip'>, ca_sk), + $C), + ~r2, encaps(~k, pk(~ltk)), pk(~skCe), + encaps(~ke, pk(~skCe))>, + <~k, ~ke>) + ) @ #vk.30 ) + case CA_FINISH_C + solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.23 ) + case CA_INIT_T + solve( !KU( encaps(~ke, pk(~skCe)) ) @ #vk.26 ) + case CA_INIT_T + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.2), + sign(<pk(~ltk.2), $T, 'terminal'>, + ca_sk), + $T), + cert(pk(~skC), + sign(<pk(~skC), $C, 'chip'>, + ca_sk), + $C), + ~r2.1, encaps(~k.1, pk(~skC)), + pk(~skCe.1), encaps(~ke.1, pk(~skCe.1)) + >, + <~k.1, ~ke.1>) + ) @ #vk.44 ) + case CA_FINISH_C + solve( !KU( encaps(~k.1, pk(~skC)) ) @ #vk.43 ) + case CA_INIT_T + solve( !KU( encaps(~ke.1, pk(~skCe.1)) ) @ #vk.44 ) + case CA_INIT_T + SOLVED // trace found qed qed qed 
@@ -2997,25 +2746,23 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed -lemma weak_agreement_C: +lemma aliveness: all-traces - "∀ k sid C T #i #t. - ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨ - (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ - (∃ #k.1. Corrupted( T ) @ #k.1))" + "∀ k sid A role B #i #t. + ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ + (∃ #k.1. Corrupted( B ) @ #k.1))" /* guarded formula characterizing all counter-examples: -"∃ k sid C T #i #t. - (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) +"∃ k sid A role B #i #t. + (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" + (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, - <ke, cipe>, pkCe +solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, + pkCe ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) 
@@ -3024,59 +2771,14 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, encaps(~ke, pkCe)>, - C, 'chip', T.1 + A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, - cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, - <kTA, cTA>, kTMAC, kTENC, r2, skCe - ) ▶₁ #i ) - case CA_INIT_C - solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) - case Generate_chip_key_pair - solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' - ) ▶₃ #i ) - case CA_Sign_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed -qed - -lemma weak_agreement_T: - all-traces - "∀ k sid C T #i #t. - ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨ - (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ - (∃ #k.1. Corrupted( T ) @ #k.1))" -/* -guarded formula characterizing all counter-examples: -"∃ k sid C T #i #t. - (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) - ∧ - (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ - (∀ #k.1. 
(Corrupted( T ) @ #k.1) ⇒ ⊥)" -*/ -simplify -solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, - <ke, cipe>, pkCe - ) ▶₁ #t ) - case CA_INIT_T - solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) - case CA_Sign_ltk - solve( Completed( k.1, - <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, - encaps(~ke, pkCe)>, - T.1, 'terminal', C - ) @ #i ) + by contradiction /* from formulas */ + next case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>, + solve( CAInitT( $T.1, id_c, kTMAC, kTENC, + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe ) ▶₁ #i ) case CA_INIT_T @@ -3086,7 +2788,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_1 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, encaps(~ke, pkCe)>, <~k, ~ke>) ) @ #vk.1 ) @@ -3098,12 +2800,21 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case CA_INIT_T solve( !KU( ~ke ) @ #vk.32 ) case CA_INIT_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, pk(sk.1)>, kdf(<'TENC', r1>, decaps(cTA, ~skT))) ) @ #vk.15 ) + case CA_INIT_C + solve( !KU( ~r2 ) @ #vk.30 ) + case CA_INIT_C + solve( !KU( ~ltk.1 ) @ #vk.33 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + next case c_senc - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.28 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.35 ) 
@@ -3118,7 +2829,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.39 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.39 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.36 ) case Corrupt_ltk @@ -3143,7 +2854,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_2 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), + cert(z, sign(<z, B, 'chip'>, ca_sk), B), fst(x), encaps(~k, z), snd(x), encaps(~ke, snd(x))>, <~k, ~ke>) ) @ #vk.1 ) @@ -3160,7 +2871,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_1 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, encaps(~ke, pkCe)>, <~k, ~ke>) ) @ #vk.1 ) @@ -3172,7 +2883,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case CA_INIT_T solve( !KU( ~ke ) @ #vk.32 ) case CA_INIT_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, pk(sk.1)>, kdf(<'TENC', r1>, z)) ) @ #vk.15 ) @@ -3192,7 +2903,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_1 solve( splitEqs(12) ) case split_case_1 - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.34 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) 
@@ -3207,7 +2918,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -3226,7 +2937,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case split_case_2 - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.34 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) @@ -3241,7 +2952,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -3263,7 +2974,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_2 solve( splitEqs(12) ) case split_case_1 - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.34 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) @@ -3278,7 +2989,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -3297,7 +3008,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case split_case_2 - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.34 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) 
@@ -3312,7 +3023,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -3335,7 +3046,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case CA_INIT_T_case_2 solve( splitEqs(11) ) case split_case_1 - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.33 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) @@ -3350,7 +3061,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -3369,7 +3080,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case split_case_2 - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.33 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) @@ -3384,7 +3095,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -3404,7 +3115,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case TA_CHALLENGE_C - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.30 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.35 ) 
@@ -3419,7 +3130,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.44 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.44 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.36 ) case Corrupt_ltk @@ -3438,7 +3149,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_encaps - solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) ) @ #vk.30 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.35 ) @@ -3453,7 +3164,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 ) + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.36 ) case Corrupt_ltk @@ -3479,7 +3190,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_2 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), + cert(z, sign(<z, B, 'chip'>, ca_sk), B), fst(x), encaps(~k, z), snd(x), encaps(~ke, snd(x))>, <~k, ~ke>) ) @ #vk.1 ) @@ -3496,11 +3207,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed qed -lemma agreement_C: +lemma weak_agreement_C: all-traces "∀ k sid C T #i #t. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨ + (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨ (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ (∃ #k.1. Corrupted( T ) @ #k.1))" /* 
@@ -3508,13 +3219,13 @@ guarded formula characterizing all counter-examples: "∃ k sid C T #i #t. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ + (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, - <ke, cipe>, pkCe +solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, + pkCe ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) @@ -3526,7 +3237,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, C, 'chip', T.1 ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, + solve( CAInitC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ) ▶₁ #i ) 
@@ -3536,65 +3247,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( splitEqs(1) ) - case split_case_1 - solve( splitEqs(3) ) - case split_case_1 - by contradiction /* from formulas */ - next - case split_case_2 - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.1 ) - case c_kdf - solve( !KU( ~r2 ) @ #vk.43 ) - case CA_INIT_C - solve( !KU( ~k ) @ #vk.45 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.46 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.48 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed - qed - next - case split_case_2 - solve( splitEqs(3) ) - case split_case_1 - by contradiction /* from formulas */ - next - case split_case_2 - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.1 ) - case c_kdf - solve( !KU( ~r2 ) @ #vk.43 ) - case CA_INIT_C - solve( !KU( ~k ) @ #vk.45 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.46 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.48 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed 
@@ -3602,11 +3255,11 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed qed -lemma agreement_T: +lemma weak_agreement_T: all-traces "∀ k sid C T #i #t. ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨ + (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨ (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ (∃ #k.1. Corrupted( T ) @ #k.1))" /* @@ -3614,13 +3267,13 @@ guarded formula characterizing all counter-examples: "∃ k sid C T #i #t. (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ + (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, - <ke, cipe>, pkCe +solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, + pkCe ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) @@ -3632,7 +3285,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC, + solve( CAInitT( $T.1, id_c, kTMAC, kTENC, cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe ) ▶₁ #i ) @@ -3659,6 +3312,15 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, pk(sk.1)>, kdf(<'TENC', r1>, decaps(cTA, ~skT))) ) @ #vk.15 ) + case CA_INIT_C + solve( !KU( ~r2 ) @ #vk.30 ) + case CA_INIT_C + solve( !KU( ~ltk.1 ) @ #vk.33 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + next case c_senc solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.28 ) 
@@ -4053,23 +3715,25 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed qed -lemma aliveness: +lemma agreement_C: all-traces - "∀ k sid A role B #i #t. - ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ - (∃ #k.1. Corrupted( B ) @ #k.1))" + "∀ k sid C T #i #t. + ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨ + (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ + (∃ #k.1. Corrupted( T ) @ #k.1))" /* guarded formula characterizing all counter-examples: -"∃ k sid A role B #i #t. - (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) +"∃ k sid C T #i #t. + (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" + (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, - <ke, cipe>, pkCe +solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, + pkCe ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) 
@@ -4078,14 +3742,117 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, encaps(~ke, pkCe)>, - A, role, B + C, 'chip', T.1 ) @ #i ) case CA_FINISH_C - by contradiction /* from formulas */ - next + solve( CAInitC( $C, + cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, + <kTA, cTA>, kTMAC, kTENC, r2, skCe + ) ▶₁ #i ) + case CA_INIT_C + solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) + case Generate_chip_key_pair + solve( !Cert( $C, cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), 'chip' + ) ▶₃ #i ) + case CA_Sign_ltk + solve( splitEqs(1) ) + case split_case_1 + solve( splitEqs(3) ) + case split_case_1 + by contradiction /* from formulas */ + next + case split_case_2 + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, + <~k, ~ke>) + ) @ #vk.1 ) + case c_kdf + solve( !KU( ~r2 ) @ #vk.36 ) + case CA_INIT_C + solve( !KU( ~k ) @ #vk.38 ) + case CA_INIT_T + solve( !KU( ~ke ) @ #vk.39 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.41 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + qed + qed + qed + qed + next + case split_case_2 + solve( splitEqs(3) ) + case split_case_1 + by contradiction /* from formulas */ + next + case split_case_2 + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, + <~k, ~ke>) + ) @ #vk.1 ) + case c_kdf + solve( !KU( ~r2 ) @ #vk.36 ) + case CA_INIT_C + solve( !KU( ~k ) @ #vk.38 ) + case CA_INIT_T + solve( !KU( ~ke ) @ #vk.39 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.41 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed 
+ qed + qed + qed + qed + qed + qed + qed + qed + qed + qed +qed + +lemma agreement_T: + all-traces + "∀ k sid C T #i #t. + ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨ + (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ + (∃ #k.1. Corrupted( T ) @ #k.1))" +/* +guarded formula characterizing all counter-examples: +"∃ k sid C T #i #t. + (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) + ∧ + (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" +*/ +simplify +solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, + pkCe + ) ▶₁ #t ) + case CA_INIT_T + solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) + case CA_Sign_ltk + solve( Completed( k.1, + <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, + encaps(~ke, pkCe)>, + T.1, 'terminal', C + ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T.1, iid>, id_c, kTMAC, kTENC, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>, + solve( CAInitT( $T.1, id_c, kTMAC, kTENC, + cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe ) ▶₁ #i ) case CA_INIT_T @@ -4095,7 +3862,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_1 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, + cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, encaps(~ke, pkCe)>, <~k, ~ke>) ) @ #vk.1 ) 
@@ -4107,12 +3874,21 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case CA_INIT_T solve( !KU( ~ke ) @ #vk.32 ) case CA_INIT_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, pk(sk.1)>, kdf(<'TENC', r1>, decaps(cTA, ~skT))) ) @ #vk.15 ) + case CA_INIT_C + solve( !KU( ~r2 ) @ #vk.30 ) + case CA_INIT_C + solve( !KU( ~ltk.1 ) @ #vk.33 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + next case c_senc - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.28 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.35 ) @@ -4127,7 +3903,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.39 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.39 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.36 ) case Corrupt_ltk @@ -4152,7 +3928,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_2 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), fst(x), encaps(~k, z), snd(x), + cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), encaps(~ke, snd(x))>, <~k, ~ke>) ) @ #vk.1 ) @@ -4169,7 +3945,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_1 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, + cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, encaps(~k, z), pkCe, encaps(~ke, pkCe)>, <~k, ~ke>) ) @ #vk.1 ) 
@@ -4181,7 +3957,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case CA_INIT_T solve( !KU( ~ke ) @ #vk.32 ) case CA_INIT_T - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C), r2, pk(sk.1)>, kdf(<'TENC', r1>, z)) ) @ #vk.15 ) @@ -4201,7 +3977,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_1 solve( splitEqs(12) ) case split_case_1 - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.34 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) @@ -4216,7 +3992,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -4235,7 +4011,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case split_case_2 - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.34 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) @@ -4250,7 +4026,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -4272,7 +4048,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_2 solve( splitEqs(12) ) case split_case_1 - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.34 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) 
@@ -4287,7 +4063,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -4306,7 +4082,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case split_case_2 - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.34 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) @@ -4321,7 +4097,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -4344,7 +4120,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case CA_INIT_T_case_2 solve( splitEqs(11) ) case split_case_1 - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.33 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) @@ -4359,7 +4135,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -4378,7 +4154,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case split_case_2 - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.33 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.39 ) 
@@ -4393,7 +4169,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.47 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.47 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.40 ) case Corrupt_ltk @@ -4413,7 +4189,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case TA_CHALLENGE_C - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.30 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.35 ) @@ -4428,7 +4204,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.44 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.44 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.36 ) case Corrupt_ltk @@ -4447,7 +4223,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_encaps - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + solve( !KU( cert(pk(sk), sign(<pk(sk), C, 'chip'>, ca_sk), C) ) @ #vk.30 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.35 ) @@ -4462,7 +4238,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, qed next case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.41 ) + solve( !KU( sign(<pk(sk), C, 'chip'>, ca_sk) ) @ #vk.41 ) case CA_INIT_C solve( !KU( ~ltk.1 ) @ #vk.36 ) case Corrupt_ltk @@ -4488,7 +4264,7 @@ solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, case split_case_2 solve( !KU( kdf(<'CNF', cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), fst(x), encaps(~k, z), snd(x), + cert(z, sign(<z, C, 'chip'>, ca_sk), C), fst(x), encaps(~k, z), snd(x), encaps(~ke, snd(x))>, <~k, ~ke>) ) @ #vk.1 ) 
@@ -4526,24 +4302,22 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_1 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, - skCe + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( kdf(<'KEY', - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + solve( Completed( kdf(<'KEY', certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, pk(~skCe), cipe>, - <z.1, z.2>), + <z, z.1>), sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), - id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2, ~skCe + solve( CAInitC( $C, certT, id_c.1, r1.1, <kTA.1, cTA.1>, kTMAC.1, + kTENC.1, ~r2, ~skCe ) ▶₁ #j ) case CA_INIT_C by contradiction /* cyclic */ @@ -4554,8 +4328,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, - <ke, cipe>, pkCe + solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, + pkCe ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) @@ -4568,7 +4342,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, + solve( CAInitT( $T, id_c.1, kTMAC, kTENC, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe ) ▶₁ #j ) 
@@ -4583,24 +4357,22 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, - skCe + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( kdf(<'KEY', - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + solve( Completed( kdf(<'KEY', certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, pk(~skCe), cipe>, - <z.1, z.2>), + <z, z.1>), sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), - id_c.1, r1.1, <kTA.1, cTA>, kTMAC, kTENC, ~r2, ~skCe + solve( CAInitC( $C, certT, id_c.1, r1.1, <kTA.1, cTA.1>, kTMAC.1, + kTENC.1, ~r2, ~skCe ) ▶₁ #j ) case CA_INIT_C by contradiction /* cyclic */ @@ -4611,8 +4383,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, - <ke, cipe>, pkCe + solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, + pkCe ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) @@ -4625,7 +4397,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, + solve( CAInitT( $T, id_c.1, kTMAC, kTENC, cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe ) ▶₁ #j ) 
@@ -4641,19 +4413,17 @@ next case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, - skCe + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( kdf(<'KEY', - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + solve( Completed( kdf(<'KEY', certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, pk(~skCe), cipe>, - <z.1, z.2>), + <z, z.1>), sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C @@ -4664,8 +4434,8 @@ next qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, id_c, kTMAC, kTENC, certC, r2, <k, cip>, - <ke, cipe>, pkCe + solve( CAInitT( $T, id_c, kTMAC, kTENC, certC, r2, <k, cip>, <ke, cipe>, + pkCe ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) @@ -4690,20 +4460,21 @@ lemma consistency: "∀ C T k k2 sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒ - ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))" + (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k k2 sid #i #j. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j) ∧ - (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (¬(k = k2)) ∧ + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, - skCe + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) 
@@ -4711,20 +4482,17 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk solve( Completed( k2, - <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, - pk(~skCe), cipe>, + <certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + cip, pk(~skCe), cipe>, T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, + solve( CAInitT( $T, id_c.1, kTMAC.1, kTENC.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>, <ke, cipe>, pk(~skCe) ) ▶₁ #j ) case CA_INIT_T - solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T), - 'terminal' - ) ▶₂ #j ) + solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j ) case CA_Sign_ltk solve( splitEqs(0) ) case split_case_1 
@@ -4737,54 +4505,48 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - kdf(<'TMAC', ~r1>, ~kTA)) + kTMAC) ) @ #vk.3 ) - case c_mac - solve( !KU( ~r2 ) @ #vk.43 ) - case CA_INIT_C - solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 ) - case TA_RESPONSE_T - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.25 ) - case c_kdf - solve( !KU( ~k ) @ #vk.55 ) + case CA_INIT_T + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, + <~k, ~ke>) + ) @ #vk.10 ) + case c_kdf + solve( !KU( ~r2 ) @ #vk.36 ) + case CA_INIT_C + solve( !KU( ~k ) @ #vk.38 ) + case CA_INIT_T + solve( !KU( ~ke ) @ #vk.39 ) case CA_INIT_T - solve( !KU( ~ke ) @ #vk.56 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.57 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed + solve( !KU( ~ltk ) @ #vk.41 ) + case Corrupt_ltk + by contradiction /* from formulas */ qed qed qed - next + qed + qed + next + case c_mac + solve( !KU( ~r2 ) @ #vk.36 ) + case CA_INIT_C + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, + <~k, ~ke>) + ) @ #vk.14 ) case c_kdf - solve( !KU( ~kTA ) @ #vk.47 ) - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.50 ) - case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - 
encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.27 ) - case c_kdf - solve( !KU( ~k ) @ #vk.54 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.55 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.56 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + solve( !KU( ~k ) @ #vk.42 ) + case CA_INIT_T + solve( !KU( ~ke ) @ #vk.43 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.44 ) + case Corrupt_ltk + by contradiction /* from formulas */ qed qed qed @@ -4797,7 +4559,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - kdf(<'TMAC', ~r1>, ~kTA)) + kTMAC) ) @ #vk.3 ) case CA_INIT_T solve( !KU( kdf(<'CNF', @@ -4805,15 +4567,15 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, <~k, ~ke>) - ) @ #vk.18 ) + ) @ #vk.10 ) case c_kdf - solve( !KU( ~r2 ) @ #vk.43 ) + solve( !KU( ~r2 ) @ #vk.36 ) case CA_INIT_C - solve( !KU( ~k ) @ #vk.45 ) + solve( !KU( ~k ) @ #vk.38 ) case CA_INIT_T - solve( !KU( ~ke ) @ #vk.46 ) + solve( !KU( ~ke ) @ #vk.39 ) case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.48 ) + solve( !KU( ~ltk ) @ #vk.41 ) case Corrupt_ltk by contradiction /* from formulas */ qed 
@@ -4823,51 +4585,22 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed next case c_mac - solve( !KU( ~r2 ) @ #vk.43 ) + solve( !KU( ~r2 ) @ #vk.36 ) case CA_INIT_C - solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 ) - case TA_RESPONSE_T - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.25 ) - case c_kdf - solve( !KU( ~k ) @ #vk.55 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.56 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.57 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - next + solve( !KU( kdf(<'CNF', + cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, + <~k, ~ke>) + ) @ #vk.14 ) case c_kdf - solve( !KU( ~kTA ) @ #vk.47 ) - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.50 ) - case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.27 ) - case c_kdf - solve( !KU( ~k ) @ #vk.54 ) - case CA_INIT_T - solve( !KU( ~ke ) @ #vk.55 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.56 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed + solve( !KU( ~k ) @ #vk.42 ) + case CA_INIT_T + solve( !KU( ~ke ) @ #vk.43 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.44 ) + case Corrupt_ltk + by contradiction /* from formulas */ qed qed qed 
@@ -4889,8 +4622,9 @@ lemma key_secrecy: "∀ C T k sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒ - (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ - (∃ #m. Corrupted( C ) @ #m))" + ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ + (∃ #m. Corrupted( C ) @ #m)) ∨ + (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k sid #i #j. 
@@ -4899,38 +4633,34 @@ guarded formula characterizing all counter-examples: ∧ (∃ #m. (K( k ) @ #m)) ∧ (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧ - (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, - skCe + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( kdf(<'KEY', - cert(z, sign(<z, T, 'terminal'>, ca_sk), T), + solve( Completed( kdf(<'KEY', certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, pk(~skCe), cipe>, - <z.1, z.2>), - <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, - pk(~skCe), cipe>, + <z, z.1>), + <certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + cip, pk(~skCe), cipe>, T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>, - <z.2, cipe>, pk(~skCe) + solve( CAInitT( $T, id_c.1, kTMAC.1, kTENC.1, + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, + <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) case CA_INIT_T - solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T), - 'terminal' - ) ▶₂ #j ) + solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j ) case CA_Sign_ltk solve( splitEqs(2) ) case split_case_1 
@@ -4944,13 +4674,13 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) by contradiction /* from formulas */ next case c_kdf - solve( !KU( ~r2 ) @ #vk.44 ) + solve( !KU( ~r2 ) @ #vk.37 ) case CA_INIT_C - solve( !KU( ~k ) @ #vk.46 ) + solve( !KU( ~k ) @ #vk.39 ) case CA_INIT_T - solve( !KU( ~ke ) @ #vk.47 ) + solve( !KU( ~ke ) @ #vk.40 ) case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.49 ) + solve( !KU( ~ltk ) @ #vk.42 ) case Corrupt_ltk by contradiction /* from formulas */ qed @@ -4970,13 +4700,13 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) by contradiction /* from formulas */ next case c_kdf - solve( !KU( ~r2 ) @ #vk.44 ) + solve( !KU( ~r2 ) @ #vk.37 ) case CA_INIT_C - solve( !KU( ~k ) @ #vk.46 ) + solve( !KU( ~k ) @ #vk.39 ) case CA_INIT_T - solve( !KU( ~ke ) @ #vk.47 ) + solve( !KU( ~ke ) @ #vk.40 ) case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.49 ) + solve( !KU( ~ltk ) @ #vk.42 ) case Corrupt_ltk by contradiction /* from formulas */ qed @@ -4993,28 +4723,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed -lemma chip_hiding: - all-traces - "∀ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) ⇒ - ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))" -/* -guarded formula characterizing all counter-examples: -"∃ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) - ∧ - (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))" -*/ -simplify -solve( TAChallengeC( <$C, iid>, certT, id_c, r1, <kTA, cTA> ) ▶₁ #i ) - case TA_CHALLENGE_C - solve( !KU( ~iid ) @ #vk.6 ) - case CA_INIT_C - by contradiction /* cyclic */ - qed -qed - -lemma nonRepudiation_terminal: +lemma notNonRepudiation_C: exists-trace "∃ C T #i. (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ 
@@ -5039,40 +4748,50 @@ solve( ValidTrans( C, 'chip', T ) @ #i ) solve( !KU( senc(<cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z>, kdf(<'TENC', r1>, kTA)) ) @ #vk.11 ) - case c_senc + case CA_INIT_C solve( !KU( mac(<'CA', cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), - cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, cip, pk(skCe), cipe>, + cert(pk(~ltk.1), sign(<pk(~ltk.1), $A.1, 'chip'>, ca_sk), $A.1), + <~r2, pk(~skCe)>, cip, pk(skCe.1), cipe>, kdf(<'TMAC', r1>, kTA)) ) @ #vk.15 ) case c_mac - solve( !KU( kdf(<'CNF', - cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), - cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1), z, cip, pk(skCe), cipe>, - <z.1, z.2>) - ) @ #vk.21 ) - case c_kdf - solve( !KU( cert(x, sign(<x, $A.1, 'chip'>, ca_sk), $A.1) ) @ #vk.30 ) - case CA_Sign_ltk + solve( !KU( ~r2 ) @ #vk.32 ) + case CA_INIT_C + solve( !KU( kdf(<'CNF', + cert(pk(~ltk), sign(<pk(~ltk), $A, 'terminal'>, ca_sk), $A), + cert(pk(~ltk.1), sign(<pk(~ltk.1), $A.1, 'chip'>, ca_sk), $A.1), + <~r2, pk(~skCe)>, cip, pk(skCe.1), cipe>, + <z, z.1>) + ) @ #vk.24 ) + case c_kdf solve( splitEqs(0) ) case split_case_3 - solve( !KU( encaps(z.1, pk(~ltk.2)) ) @ #vk.23 ) + solve( !KU( encaps(z, pk(~ltk.2)) ) @ #vk.23 ) case c_encaps - solve( !KU( decaps(cipe, skCe) ) @ #vk.39 ) + solve( !KU( decaps(cipe, skCe.1) ) @ #vk.40 ) case c_decaps - solve( !KU( kdf(<'TCNF', r1>, kTA) ) @ #vk.25 ) + solve( !KU( kdf(<'TCNF', r1>, kTA) ) @ #vk.26 ) case c_kdf - solve( !KU( kdf(<'TENC', r1>, kTA) ) @ #vk.34 ) + solve( !KU( kdf(<'TMAC', r1>, kTA) ) @ #vk.34 ) case c_kdf - solve( !KU( kdf(<'TMAC', r1>, kTA) ) @ #vk.37 ) - case c_kdf - solve( !KU( pk(skCe) ) @ #vk.40 ) - case CA_Sign_ltk_case_1 - solve( !KU( ~ltk.3 ) @ #vk.38 ) - case Corrupt_ltk - solve( !KU( pk(~ltk.2) ) @ #vk.43 ) - case CA_Sign_ltk - SOLVED // trace found + solve( !KU( pk(skCe.1) ) @ #vk.39 ) + case CA_INIT_C_case_1 + solve( !KU( ~ltk.3 ) @ #vk.36 ) + case Corrupt_ltk + solve( !KU( kdf(<'TENC', r1>, kTA) ) 
@ #vk.40 ) + case c_kdf + solve( !KU( cert(pk(~ltk.1), sign(<pk(~ltk.1), $A.1, 'chip'>, ca_sk), + $A.1) + ) @ #vk.40 ) + case CA_INIT_C + solve( !KU( pk(~skCe) ) @ #vk.41 ) + case CA_INIT_C + solve( !KU( pk(~ltk.2) ) @ #vk.44 ) + case CA_INIT_C + SOLVED // trace found + qed + qed qed qed qed @@ -5090,7 +4809,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i ) qed qed -lemma nonRepudiation_chip: +lemma notNonRepudiation_T: exists-trace "∃ C T #i. (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -5129,7 +4848,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i ) ) @ #vk.21 ) case c_kdf solve( !KU( cert(x, sign(<x, C, 'chip'>, ca_sk), C) ) @ #vk.30 ) - case CA_Sign_ltk + case CA_INIT_C solve( splitEqs(0) ) case split_case_4 solve( !KU( encaps(z, pk(~ltk.1)) ) @ #vk.21 ) @@ -5140,7 +4859,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i ) case c_kdf solve( !KU( kdf(<'TMAC', r1>, z) ) @ #vk.35 ) case c_kdf - solve( !KU( pk(~ltk.1) ) @ #vk.42 ) + solve( !KU( pk(~ltk.1) ) @ #vk.43 ) case CA_Sign_ltk SOLVED // trace found qed @@ -5157,7 +4876,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i ) qed qed -lemma pfs: +lemma forward_secrecy: all-traces "∀ C T k sid #i #j. ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧ 
@@ -5179,33 +4898,28 @@ guarded formula characterizing all counter-examples: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, - skCe + solve( CAInitC( $C, certT, id_c, r1, <kTA, cTA>, kTMAC, kTENC, r2, skCe ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( kdf(<'KEY', - cert(z, sign(<z, T, 'terminal'>, ca_sk), T), + solve( Completed( kdf(<'KEY', certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, pk(~skCe), cipe>, - <z.1, z.2>), - <cert(z, sign(<z, T, 'terminal'>, ca_sk), T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, - pk(~skCe), cipe>, + <z, z.1>), + <certT, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, + cip, pk(~skCe), cipe>, T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, id_c.1, kTMAC, kTENC, - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>, - <z.2, cipe>, pk(~skCe) + solve( CAInitT( $T, id_c.1, kTMAC.1, kTENC.1, + cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z, cip>, + <z.1, cipe>, pk(~skCe) ) ▶₁ #j ) case CA_INIT_T - solve( !Cert( $T, cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T), - 'terminal' - ) ▶₂ #j ) + solve( !Cert( $T, cert(x, x.1, $T), 'terminal' ) ▶₂ #j ) case CA_Sign_ltk solve( splitEqs(2) ) case split_case_1 
@@ -5219,15 +4933,15 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) by contradiction /* from formulas */ next case c_kdf - solve( !KU( ~r2 ) @ #vk.44 ) + solve( !KU( ~r2 ) @ #vk.37 ) case CA_INIT_C - solve( !KU( ~k ) @ #vk.46 ) + solve( !KU( ~k ) @ #vk.39 ) case CA_INIT_T - solve( !KU( ~ke ) @ #vk.47 ) + solve( !KU( ~ke ) @ #vk.40 ) case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.49 ) + solve( !KU( ~ltk ) @ #vk.42 ) case Corrupt_ltk - by solve( !KU( ~skCe ) @ #vk.50 ) + by solve( !KU( ~skCe ) @ #vk.43 ) qed qed qed @@ -5245,15 +4959,15 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) by contradiction /* from formulas */ next case c_kdf - solve( !KU( ~r2 ) @ #vk.44 ) + solve( !KU( ~r2 ) @ #vk.37 ) case CA_INIT_C - solve( !KU( ~k ) @ #vk.46 ) + solve( !KU( ~k ) @ #vk.39 ) case CA_INIT_T - solve( !KU( ~ke ) @ #vk.47 ) + solve( !KU( ~ke ) @ #vk.40 ) case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.49 ) + solve( !KU( ~ltk ) @ #vk.42 ) case Corrupt_ltk - by solve( !KU( ~skCe ) @ #vk.50 ) + by solve( !KU( ~skCe ) @ #vk.43 ) qed qed qed @@ -5304,7 +5018,23 @@ qed -/* All wellformedness checks were successful. */ +/* +WARNING: the following wellformedness checks failed! + +Unbound variables +================= + + rule `CA_INIT_C' has unbound variables: + cTA, certT, id_c, kTA, kTENC, kTMAC, r1 + +Message Derivation Checks +========================= + + The variables of the follwing rule(s) are not derivable from their premises, you may be performing unintended pattern matching. + +Rule CA_INIT_C: +Failed to derive Variable(s): cTA, certT, id_c, kTA, kTENC, kTMAC, r1 +*/ /* Generated from: 
@@ -5321,21 +5051,23 @@ summary of summaries:
 
 analyzed: tmp.spthy
 
-  processing time: 327.25s
+  processing time: 192.97s
+
+  WARNING: 2 wellformedness check failed!
+           The analysis results might be wrong!
 
-  session_exist (exists-trace): verified (29 steps)
-  two_session_exist (exists-trace): verified (54 steps)
+  session_exist (exists-trace): verified (15 steps)
+  two_session_exist (exists-trace): verified (32 steps)
+  aliveness (all-traces): verified (135 steps)
   weak_agreement_C (all-traces): verified (8 steps)
-  weak_agreement_T (all-traces): verified (131 steps)
+  weak_agreement_T (all-traces): verified (134 steps)
   agreement_C (all-traces): verified (24 steps)
-  agreement_T (all-traces): verified (131 steps)
-  aliveness (all-traces): verified (132 steps)
+  agreement_T (all-traces): verified (134 steps)
   session_uniqueness (all-traces): verified (37 steps)
-  consistency (all-traces): verified (47 steps)
+  consistency (all-traces): verified (37 steps)
   key_secrecy (all-traces): verified (23 steps)
-  chip_hiding (all-traces): verified (4 steps)
-  nonRepudiation_terminal (exists-trace): verified (18 steps)
-  nonRepudiation_chip (exists-trace): verified (15 steps)
-  pfs (all-traces): verified (23 steps)
+  notNonRepudiation_C (exists-trace): verified (20 steps)
+  notNonRepudiation_T (exists-trace): verified (15 steps)
+  forward_secrecy (all-traces): verified (23 steps)
 
 ==============================================================================
diff --git a/results/45991794.err.ALL_FastKemPQEAC_TAMARIN b/results/46092876.err.ForwardSecrecy_FastKemPQEAC
similarity index 100%
rename from results/45991794.err.ALL_FastKemPQEAC_TAMARIN
rename to results/46092876.err.ForwardSecrecy_FastKemPQEAC
diff --git a/results/45991550.out.PFS_ALL_FastKemPQEAC_TAMARIN b/results/46092876.out.ForwardSecrecy_FastKemPQEAC
similarity index 88%
rename from results/45991550.out.PFS_ALL_FastKemPQEAC_TAMARIN
rename to results/46092876.out.ForwardSecrecy_FastKemPQEAC
index 77c0026..527cf25 100644
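Review bot: The committed summary carries `WARNING: 2 wellformedness check failed! The analysis results might be wrong!`, and the preceding hunk names the cause: `rule `CA_INIT_C' has unbound variables: cTA, certT, id_c, kTA, kTENC, kTMAC, r1`, with the message-derivation check failing for the same variables. Since no premise of CA_INIT_C binds them, the model does not tie these values to anything the chip actually received or derived, so the `verified` verdicts listed here (key_secrecy, consistency, forward_secrecy and the agreement lemmas among them) should not be cited as results until the model is repaired; the `!Cert( $T, cert(x, x.1, $T), 'terminal' )` matches that replaced `cert(z, sign(<z, $T, 'terminal'>, ca_sk), $T)` in the consistency, key_secrecy and forward_secrecy proofs above look like a symptom of certT being unconstrained. The fix belongs in the CA_INIT_C rule of the model source, which is outside this file: bind those seven variables from the chip's preceding state fact (presumably TAChallengeC, which carries certT, ~id_c, ~r1 and the TA keys) or an In premise, then re-run so this file again reports `/* All wellformedness checks were successful. */` as the removed line did. Until then the results file or README should state that these numbers were produced under a failed wellformedness check.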
--- a/results/45991550.out.PFS_ALL_FastKemPQEAC_TAMARIN +++ b/results/46092876.out.ForwardSecrecy_FastKemPQEAC @@ -74,24 +74,23 @@ rule (modulo E) Reveal_session: /* has exactly the trivial AC variant */ rule (modulo E) TA_INIT_T: - [ !Cert( $T, certT, 'terminal' ), Fr( ~iid ) ] + [ !Cert( $T, certT, 'terminal' ) ] --[ Started( ) ]-> - [ Out( <certT, '1', 't'> ), Out( ~iid ), TAInitT( <$T, ~iid> ) ] + [ Out( <certT, '1', 't'> ), TAInitT( $T ) ] /* has exactly the trivial AC variant */ rule (modulo E) TA_CHALLENGE_C: [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ), - Fr( ~skCe ), Fr( ~iid ), !Cert( $C, certC, 'chip' ) + Fr( ~skCe ), !Cert( $C, certC, 'chip' ) ] --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]-> [ Out( <~id_c, ~r1, encaps(~kTA, cert_pk(certT)), senc(<certC, ~r2, pk(~skCe)>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'> ), - Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2, ~skCe, + TAChallengeC( $C, certT, ~id_c, ~r1, ~r2, ~skCe, kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA) ) ] 
@@ -100,38 +99,36 @@ rule (modulo E) TA_CHALLENGE_C: rule (modulo AC) TA_CHALLENGE_C: [ In( <certT, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~kTA ), Fr( ~r2 ), - Fr( ~skCe ), Fr( ~iid ), !Cert( $C, certC, 'chip' ) + Fr( ~skCe ), !Cert( $C, certC, 'chip' ) ] --[ Eq( z.1, true ), Started( ) ]-> [ Out( <~id_c, ~r1, encaps(~kTA, z), senc(<certC, ~r2, pk(~skCe)>, kdf(<'TENC', ~r1>, ~kTA)), '2', 'c'> ), - Out( senc(~iid, kdf(<'TENC', ~r1>, ~kTA)) ), - TAChallengeC( <$C, ~iid>, certT, ~id_c, ~r1, ~r2, ~skCe, + TAChallengeC( $C, certT, ~id_c, ~r1, ~r2, ~skCe, kdf(<'TMAC', ~r1>, ~kTA), kdf(<'TCNF', ~r1>, ~kTA) ) ] variants (modulo AC) - 1. certT = certT.21 - z = cert_pk(certT.21) - z.1 = verify(cert_sig(certT.21), - <cert_pk(certT.21), cert_id(certT.21), 'terminal'>, pk(ca_sk)) + 1. certT = certT.20 + z = cert_pk(certT.20) + z.1 = verify(cert_sig(certT.20), + <cert_pk(certT.20), cert_id(certT.20), 'terminal'>, pk(ca_sk)) - 2. certT = cert(z.71, sign(<z.71, x.128, 'terminal'>, ca_sk), x.128) - z = z.71 + 2. certT = cert(z.70, sign(<z.70, x.127, 'terminal'>, ca_sk), x.127) + z = z.70 z.1 = true - 3. certT = cert(z.72, x.129, x.130) - z = z.72 - z.1 = verify(x.129, <z.72, x.130, 'terminal'>, pk(ca_sk)) + 3. certT = cert(z.71, x.128, x.129) + z = z.71 + z.1 = verify(x.128, <z.71, x.129, 'terminal'>, pk(ca_sk)) */ rule (modulo E) TA_RESPONSE_T: [ - In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), Fr( ~ke ), - TAInitT( <$T, iid> ), !Ltk( $T, ~skT, 'terminal' ), - !Cert( $T, certT, 'terminal' ) + In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), Fr( ~ke ), TAInitT( $T ), + !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ) ] --[ Eq( verify_cert(fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))), 
@@ -153,7 +150,7 @@ rule (modulo E) TA_RESPONSE_T: encaps(~ke, snd(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))))), '3', 't'> ), - TAResponseT( <$T, iid>, id_c, + TAResponseT( $T, id_c, fst(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT)))), fst(snd(sdec(cCA, kdf(<'TENC', r1>, decaps(cTA, ~skT))))), <~k, @@ -168,9 +165,8 @@ rule (modulo E) TA_RESPONSE_T: /* rule (modulo AC) TA_RESPONSE_T: [ - In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), Fr( ~ke ), - TAInitT( <$T, iid> ), !Ltk( $T, ~skT, 'terminal' ), - !Cert( $T, certT, 'terminal' ) + In( <id_c, r1, cTA, cCA, '2', 'c'> ), Fr( ~k ), Fr( ~ke ), TAInitT( $T ), + !Ltk( $T, ~skT, 'terminal' ), !Cert( $T, certT, 'terminal' ) ] --[ Eq( z.5, true ) ]-> [ 
@@ -179,232 +175,231 @@ rule (modulo E) TA_RESPONSE_T: kdf(<'TMAC', r1>, z)), encaps(~ke, z.4), '3', 't'> ), - TAResponseT( <$T, iid>, id_c, z.2, z.3, <~k, encaps(~k, z.1)>, + TAResponseT( $T, id_c, z.2, z.3, <~k, encaps(~k, z.1)>, <~ke, encaps(~ke, z.4)>, z.4 ) ] variants (modulo AC) - 1. ~skT = ~skT.32 - cCA = cCA.33 - cTA = cTA.34 - r1 = r1.38 - z = decaps(cTA.34, ~skT.32) - z.1 = cert_pk(fst(sdec(cCA.33, - kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))) - z.2 = fst(sdec(cCA.33, kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32)))) - z.3 = fst(snd(sdec(cCA.33, - kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))) - z.4 = snd(snd(sdec(cCA.33, - kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))) - z.5 = verify(cert_sig(fst(sdec(cCA.33, - kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))), + 1. ~skT = ~skT.30 + cCA = cCA.31 + cTA = cTA.32 + r1 = r1.35 + z = decaps(cTA.32, ~skT.30) + z.1 = cert_pk(fst(sdec(cCA.31, + kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30))))) + z.2 = fst(sdec(cCA.31, kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30)))) + z.3 = fst(snd(sdec(cCA.31, + kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30))))) + z.4 = snd(snd(sdec(cCA.31, + kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30))))) + z.5 = verify(cert_sig(fst(sdec(cCA.31, + kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30))))), < - cert_pk(fst(sdec(cCA.33, - kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))), - cert_id(fst(sdec(cCA.33, - kdf(<'TENC', r1.38>, decaps(cTA.34, ~skT.32))))), + cert_pk(fst(sdec(cCA.31, + kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30))))), + cert_id(fst(sdec(cCA.31, + kdf(<'TENC', r1.35>, decaps(cTA.32, ~skT.30))))), 'chip'>, pk(ca_sk)) - 2. 
~skT = ~skT.37 - cCA = cCA.38 - cTA = encaps(z.48, pk(~skT.37)) - r1 = r1.43 - z = z.48 - z.1 = cert_pk(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))) - z.2 = fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48))) - z.3 = fst(snd(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))) - z.4 = snd(snd(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))) - z.5 = verify(cert_sig(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))), - <cert_pk(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))), - cert_id(fst(sdec(cCA.38, kdf(<'TENC', r1.43>, z.48)))), 'chip'>, + 2. ~skT = ~skT.35 + cCA = cCA.36 + cTA = encaps(z.45, pk(~skT.35)) + r1 = r1.40 + z = z.45 + z.1 = cert_pk(fst(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45)))) + z.2 = fst(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45))) + z.3 = fst(snd(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45)))) + z.4 = snd(snd(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45)))) + z.5 = verify(cert_sig(fst(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45)))), + <cert_pk(fst(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45)))), + cert_id(fst(sdec(cCA.36, kdf(<'TENC', r1.40>, z.45)))), 'chip'>, pk(ca_sk)) - 3. ~skT = ~skT.42 - cCA = senc(<z.56, z.57, z.58>, kdf(<'TENC', r1.48>, z.53)) - cTA = encaps(z.53, pk(~skT.42)) - r1 = r1.48 - z = z.53 - z.1 = cert_pk(z.56) - z.2 = z.56 - z.3 = z.57 - z.4 = z.58 - z.5 = verify(cert_sig(z.56), <cert_pk(z.56), cert_id(z.56), 'chip'>, + 3. ~skT = ~skT.40 + cCA = senc(<z.53, z.54, z.55>, kdf(<'TENC', r1.45>, z.50)) + cTA = encaps(z.50, pk(~skT.40)) + r1 = r1.45 + z = z.50 + z.1 = cert_pk(z.53) + z.2 = z.53 + z.3 = z.54 + z.4 = z.55 + z.5 = verify(cert_sig(z.53), <cert_pk(z.53), cert_id(z.53), 'chip'>, pk(ca_sk)) - 4. ~skT = ~skT.42 - cCA = senc(<z.56, z.57, z.58>, - kdf(<'TENC', r1.48>, decaps(cTA.44, ~skT.42))) - cTA = cTA.44 - r1 = r1.48 - z = decaps(cTA.44, ~skT.42) - z.1 = cert_pk(z.56) - z.2 = z.56 - z.3 = z.57 - z.4 = z.58 - z.5 = verify(cert_sig(z.56), <cert_pk(z.56), cert_id(z.56), 'chip'>, + 4. 
~skT = ~skT.40 + cCA = senc(<z.53, z.54, z.55>, + kdf(<'TENC', r1.45>, decaps(cTA.42, ~skT.40))) + cTA = cTA.42 + r1 = r1.45 + z = decaps(cTA.42, ~skT.40) + z.1 = cert_pk(z.53) + z.2 = z.53 + z.3 = z.54 + z.4 = z.55 + z.5 = verify(cert_sig(z.53), <cert_pk(z.53), cert_id(z.53), 'chip'>, pk(ca_sk)) - 5. ~skT = ~skT.174 - cCA = senc(x.343, kdf(<'TENC', r1.180>, z.185)) - cTA = encaps(z.185, pk(~skT.174)) - r1 = r1.180 - z = z.185 - z.1 = cert_pk(fst(x.343)) - z.2 = fst(x.343) - z.3 = fst(snd(x.343)) - z.4 = snd(snd(x.343)) - z.5 = verify(cert_sig(fst(x.343)), - <cert_pk(fst(x.343)), cert_id(fst(x.343)), 'chip'>, pk(ca_sk)) - - 6. ~skT = ~skT.174 - cCA = senc(x.343, kdf(<'TENC', r1.180>, decaps(cTA.176, ~skT.174))) - cTA = cTA.176 - r1 = r1.180 - z = decaps(cTA.176, ~skT.174) - z.1 = cert_pk(fst(x.343)) - z.2 = fst(x.343) - z.3 = fst(snd(x.343)) - z.4 = snd(snd(x.343)) - z.5 = verify(cert_sig(fst(x.343)), - <cert_pk(fst(x.343)), cert_id(fst(x.343)), 'chip'>, pk(ca_sk)) - - 7. ~skT = ~skT.175 - cCA = senc(<z.189, x.345>, kdf(<'TENC', r1.181>, z.186)) - cTA = encaps(z.186, pk(~skT.175)) - r1 = r1.181 - z = z.186 - z.1 = cert_pk(z.189) - z.2 = z.189 - z.3 = fst(x.345) - z.4 = snd(x.345) - z.5 = verify(cert_sig(z.189), <cert_pk(z.189), cert_id(z.189), 'chip'>, + 5. ~skT = ~skT.166 + cCA = senc(x.327, kdf(<'TENC', r1.171>, z.176)) + cTA = encaps(z.176, pk(~skT.166)) + r1 = r1.171 + z = z.176 + z.1 = cert_pk(fst(x.327)) + z.2 = fst(x.327) + z.3 = fst(snd(x.327)) + z.4 = snd(snd(x.327)) + z.5 = verify(cert_sig(fst(x.327)), + <cert_pk(fst(x.327)), cert_id(fst(x.327)), 'chip'>, pk(ca_sk)) + + 6. ~skT = ~skT.166 + cCA = senc(x.327, kdf(<'TENC', r1.171>, decaps(cTA.168, ~skT.166))) + cTA = cTA.168 + r1 = r1.171 + z = decaps(cTA.168, ~skT.166) + z.1 = cert_pk(fst(x.327)) + z.2 = fst(x.327) + z.3 = fst(snd(x.327)) + z.4 = snd(snd(x.327)) + z.5 = verify(cert_sig(fst(x.327)), + <cert_pk(fst(x.327)), cert_id(fst(x.327)), 'chip'>, pk(ca_sk)) + + 7. 
~skT = ~skT.167 + cCA = senc(<z.180, x.329>, kdf(<'TENC', r1.172>, z.177)) + cTA = encaps(z.177, pk(~skT.167)) + r1 = r1.172 + z = z.177 + z.1 = cert_pk(z.180) + z.2 = z.180 + z.3 = fst(x.329) + z.4 = snd(x.329) + z.5 = verify(cert_sig(z.180), <cert_pk(z.180), cert_id(z.180), 'chip'>, pk(ca_sk)) - 8. ~skT = ~skT.175 - cCA = senc(<z.189, x.345>, - kdf(<'TENC', r1.181>, decaps(cTA.177, ~skT.175))) - cTA = cTA.177 - r1 = r1.181 - z = decaps(cTA.177, ~skT.175) - z.1 = cert_pk(z.189) - z.2 = z.189 - z.3 = fst(x.345) - z.4 = snd(x.345) - z.5 = verify(cert_sig(z.189), <cert_pk(z.189), cert_id(z.189), 'chip'>, + 8. ~skT = ~skT.167 + cCA = senc(<z.180, x.329>, + kdf(<'TENC', r1.172>, decaps(cTA.169, ~skT.167))) + cTA = cTA.169 + r1 = r1.172 + z = decaps(cTA.169, ~skT.167) + z.1 = cert_pk(z.180) + z.2 = z.180 + z.3 = fst(x.329) + z.4 = snd(x.329) + z.5 = verify(cert_sig(z.180), <cert_pk(z.180), cert_id(z.180), 'chip'>, pk(ca_sk)) - 9. ~skT = ~skT.175 - cCA = senc(<cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345), - z.190, z.191>, - kdf(<'TENC', r1.181>, z.186)) - cTA = encaps(z.186, pk(~skT.175)) - r1 = r1.181 - z = z.186 - z.1 = z.187 - z.2 = cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345) - z.3 = z.190 - z.4 = z.191 + 9. ~skT = ~skT.167 + cCA = senc(<cert(z.178, sign(<z.178, x.329, 'chip'>, ca_sk), x.329), + z.181, z.182>, + kdf(<'TENC', r1.172>, z.177)) + cTA = encaps(z.177, pk(~skT.167)) + r1 = r1.172 + z = z.177 + z.1 = z.178 + z.2 = cert(z.178, sign(<z.178, x.329, 'chip'>, ca_sk), x.329) + z.3 = z.181 + z.4 = z.182 z.5 = true - 10. ~skT = ~skT.175 - cCA = senc(<cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345), - z.190, z.191>, - kdf(<'TENC', r1.181>, decaps(cTA.177, ~skT.175))) - cTA = cTA.177 - r1 = r1.181 - z = decaps(cTA.177, ~skT.175) - z.1 = z.187 - z.2 = cert(z.187, sign(<z.187, x.345, 'chip'>, ca_sk), x.345) - z.3 = z.190 - z.4 = z.191 + 10. 
~skT = ~skT.167 + cCA = senc(<cert(z.178, sign(<z.178, x.329, 'chip'>, ca_sk), x.329), + z.181, z.182>, + kdf(<'TENC', r1.172>, decaps(cTA.169, ~skT.167))) + cTA = cTA.169 + r1 = r1.172 + z = decaps(cTA.169, ~skT.167) + z.1 = z.178 + z.2 = cert(z.178, sign(<z.178, x.329, 'chip'>, ca_sk), x.329) + z.3 = z.181 + z.4 = z.182 z.5 = true - 11. ~skT = ~skT.176 - cCA = senc(<cert(z.188, x.346, x.347), z.191, z.192>, - kdf(<'TENC', r1.182>, z.187)) - cTA = encaps(z.187, pk(~skT.176)) - r1 = r1.182 - z = z.187 - z.1 = z.188 - z.2 = cert(z.188, x.346, x.347) - z.3 = z.191 - z.4 = z.192 - z.5 = verify(x.346, <z.188, x.347, 'chip'>, pk(ca_sk)) - - 12. ~skT = ~skT.176 - cCA = senc(<cert(z.188, x.346, x.347), z.191, z.192>, - kdf(<'TENC', r1.182>, decaps(cTA.178, ~skT.176))) - cTA = cTA.178 - r1 = r1.182 - z = decaps(cTA.178, ~skT.176) - z.1 = z.188 - z.2 = cert(z.188, x.346, x.347) - z.3 = z.191 - z.4 = z.192 - z.5 = verify(x.346, <z.188, x.347, 'chip'>, pk(ca_sk)) - - 13. ~skT = ~skT.176 - cCA = senc(<cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346), - x.347>, - kdf(<'TENC', r1.182>, z.187)) - cTA = encaps(z.187, pk(~skT.176)) - r1 = r1.182 - z = z.187 - z.1 = z.188 - z.2 = cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346) - z.3 = fst(x.347) - z.4 = snd(x.347) + 11. ~skT = ~skT.168 + cCA = senc(<cert(z.179, x.330, x.331), z.182, z.183>, + kdf(<'TENC', r1.173>, z.178)) + cTA = encaps(z.178, pk(~skT.168)) + r1 = r1.173 + z = z.178 + z.1 = z.179 + z.2 = cert(z.179, x.330, x.331) + z.3 = z.182 + z.4 = z.183 + z.5 = verify(x.330, <z.179, x.331, 'chip'>, pk(ca_sk)) + + 12. ~skT = ~skT.168 + cCA = senc(<cert(z.179, x.330, x.331), z.182, z.183>, + kdf(<'TENC', r1.173>, decaps(cTA.170, ~skT.168))) + cTA = cTA.170 + r1 = r1.173 + z = decaps(cTA.170, ~skT.168) + z.1 = z.179 + z.2 = cert(z.179, x.330, x.331) + z.3 = z.182 + z.4 = z.183 + z.5 = verify(x.330, <z.179, x.331, 'chip'>, pk(ca_sk)) + + 13. 
~skT = ~skT.168 + cCA = senc(<cert(z.179, sign(<z.179, x.330, 'chip'>, ca_sk), x.330), + x.331>, + kdf(<'TENC', r1.173>, z.178)) + cTA = encaps(z.178, pk(~skT.168)) + r1 = r1.173 + z = z.178 + z.1 = z.179 + z.2 = cert(z.179, sign(<z.179, x.330, 'chip'>, ca_sk), x.330) + z.3 = fst(x.331) + z.4 = snd(x.331) z.5 = true - 14. ~skT = ~skT.176 - cCA = senc(<cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346), - x.347>, - kdf(<'TENC', r1.182>, decaps(cTA.178, ~skT.176))) - cTA = cTA.178 - r1 = r1.182 - z = decaps(cTA.178, ~skT.176) - z.1 = z.188 - z.2 = cert(z.188, sign(<z.188, x.346, 'chip'>, ca_sk), x.346) - z.3 = fst(x.347) - z.4 = snd(x.347) + 14. ~skT = ~skT.168 + cCA = senc(<cert(z.179, sign(<z.179, x.330, 'chip'>, ca_sk), x.330), + x.331>, + kdf(<'TENC', r1.173>, decaps(cTA.170, ~skT.168))) + cTA = cTA.170 + r1 = r1.173 + z = decaps(cTA.170, ~skT.168) + z.1 = z.179 + z.2 = cert(z.179, sign(<z.179, x.330, 'chip'>, ca_sk), x.330) + z.3 = fst(x.331) + z.4 = snd(x.331) z.5 = true - 15. ~skT = ~skT.177 - cCA = senc(<cert(z.189, x.347, x.348), x.349>, - kdf(<'TENC', r1.183>, z.188)) - cTA = encaps(z.188, pk(~skT.177)) - r1 = r1.183 - z = z.188 - z.1 = z.189 - z.2 = cert(z.189, x.347, x.348) - z.3 = fst(x.349) - z.4 = snd(x.349) - z.5 = verify(x.347, <z.189, x.348, 'chip'>, pk(ca_sk)) - - 16. ~skT = ~skT.177 - cCA = senc(<cert(z.189, x.347, x.348), x.349>, - kdf(<'TENC', r1.183>, decaps(cTA.179, ~skT.177))) - cTA = cTA.179 - r1 = r1.183 - z = decaps(cTA.179, ~skT.177) - z.1 = z.189 - z.2 = cert(z.189, x.347, x.348) - z.3 = fst(x.349) - z.4 = snd(x.349) - z.5 = verify(x.347, <z.189, x.348, 'chip'>, pk(ca_sk)) + 15. ~skT = ~skT.169 + cCA = senc(<cert(z.180, x.331, x.332), x.333>, + kdf(<'TENC', r1.174>, z.179)) + cTA = encaps(z.179, pk(~skT.169)) + r1 = r1.174 + z = z.179 + z.1 = z.180 + z.2 = cert(z.180, x.331, x.332) + z.3 = fst(x.333) + z.4 = snd(x.333) + z.5 = verify(x.331, <z.180, x.332, 'chip'>, pk(ca_sk)) + + 16. 
~skT = ~skT.169 + cCA = senc(<cert(z.180, x.331, x.332), x.333>, + kdf(<'TENC', r1.174>, decaps(cTA.171, ~skT.169))) + cTA = cTA.171 + r1 = r1.174 + z = decaps(cTA.171, ~skT.169) + z.1 = z.180 + z.2 = cert(z.180, x.331, x.332) + z.3 = fst(x.333) + z.4 = snd(x.333) + z.5 = verify(x.331, <z.180, x.332, 'chip'>, pk(ca_sk)) */ rule (modulo E) TA_COMPLETE_C: [ In( <kTCNF_T, cip, s, cipe, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ), + TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ Eq( kTCNF_T, kTCNF ), Eq( s, mac(<'CA', certT, certC, r2, cip, pk(skCe), cipe>, kTMAC) ), - CompletedTA( $C, iid, cert_id(certT) ), Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <decaps(cip, ~skC), decaps(cipe, skCe)>), <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', cert_id(certT) @@ -419,10 +414,6 @@ rule (modulo E) TA_COMPLETE_C: kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <decaps(cip, ~skC), decaps(cipe, skCe)>), '4', 'c'> - ), - TACompleteC( <$C, iid>, - kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, - <decaps(cip, ~skC), decaps(cipe, skCe)>) ) ] @@ -430,13 +421,12 @@ rule (modulo E) TA_COMPLETE_C: rule (modulo AC) TA_COMPLETE_C: [ In( <kTCNF_T, cip, s, cipe, '3', 't'> ), - TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ), + TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ Eq( kTCNF_T, kTCNF ), Eq( s, mac(<'CA', certT, certC, r2, cip, pk(skCe), cipe>, kTMAC) ), - CompletedTA( $C, iid, z.2 ), Completed( kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), <certT, certC, r2, cip, pk(skCe), cipe>, $C, 'chip', z.2 ), 
@@ -447,89 +437,86 @@ rule (modulo E) TA_COMPLETE_C: [ Out( <kdf(<'CNF', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>), '4', 'c'> - ), - TACompleteC( <$C, iid>, - kdf(<'KEY', certT, certC, r2, cip, pk(skCe), cipe>, <z, z.1>) ) ] variants (modulo AC) - 1. ~skC = ~skC.41 - certT = certT.43 - cip = cip.44 - cipe = cipe.45 - skCe = skCe.54 - z = decaps(cip.44, ~skC.41) - z.1 = decaps(cipe.45, skCe.54) - z.2 = cert_id(certT.43) - - 2. ~skC = ~skC.46 - certT = certT.48 - cip = encaps(z.64, pk(~skC.46)) - cipe = cipe.50 - skCe = skCe.59 - z = z.64 - z.1 = decaps(cipe.50, skCe.59) - z.2 = cert_id(certT.48) - - 3. ~skC = ~skC.47 - certT = certT.49 - cip = cip.50 - cipe = encaps(z.66, pk(skCe.60)) - skCe = skCe.60 - z = decaps(cip.50, ~skC.47) - z.1 = z.66 - z.2 = cert_id(certT.49) - - 4. ~skC = ~skC.47 - certT = certT.49 - cip = encaps(z.65, pk(~skC.47)) - cipe = encaps(z.66, pk(skCe.60)) - skCe = skCe.60 - z = z.65 - z.1 = z.66 - z.2 = cert_id(certT.49) - - 5. ~skC = ~skC.204 - certT = cert(x.404, x.405, z.228) - cip = cip.207 - cipe = cipe.208 - skCe = skCe.217 - z = decaps(cip.207, ~skC.204) - z.1 = decaps(cipe.208, skCe.217) - z.2 = z.228 - - 6. ~skC = ~skC.204 - certT = cert(x.404, x.405, z.228) - cip = cip.207 - cipe = encaps(z.223, pk(skCe.217)) - skCe = skCe.217 - z = decaps(cip.207, ~skC.204) - z.1 = z.223 - z.2 = z.228 - - 7. ~skC = ~skC.206 - certT = cert(x.408, x.409, z.230) - cip = encaps(z.224, pk(~skC.206)) - cipe = cipe.210 - skCe = skCe.219 - z = z.224 - z.1 = decaps(cipe.210, skCe.219) - z.2 = z.230 - - 8. ~skC = ~skC.206 - certT = cert(x.408, x.409, z.230) - cip = encaps(z.224, pk(~skC.206)) - cipe = encaps(z.225, pk(skCe.219)) - skCe = skCe.219 - z = z.224 - z.1 = z.225 - z.2 = z.230 + 1. ~skC = ~skC.39 + certT = certT.41 + cip = cip.42 + cipe = cipe.43 + skCe = skCe.51 + z = decaps(cip.42, ~skC.39) + z.1 = decaps(cipe.43, skCe.51) + z.2 = cert_id(certT.41) + + 2. 
~skC = ~skC.44 + certT = certT.46 + cip = encaps(z.61, pk(~skC.44)) + cipe = cipe.48 + skCe = skCe.56 + z = z.61 + z.1 = decaps(cipe.48, skCe.56) + z.2 = cert_id(certT.46) + + 3. ~skC = ~skC.45 + certT = certT.47 + cip = cip.48 + cipe = encaps(z.63, pk(skCe.57)) + skCe = skCe.57 + z = decaps(cip.48, ~skC.45) + z.1 = z.63 + z.2 = cert_id(certT.47) + + 4. ~skC = ~skC.45 + certT = certT.47 + cip = encaps(z.62, pk(~skC.45)) + cipe = encaps(z.63, pk(skCe.57)) + skCe = skCe.57 + z = z.62 + z.1 = z.63 + z.2 = cert_id(certT.47) + + 5. ~skC = ~skC.196 + certT = cert(x.388, x.389, z.219) + cip = cip.199 + cipe = cipe.200 + skCe = skCe.208 + z = decaps(cip.199, ~skC.196) + z.1 = decaps(cipe.200, skCe.208) + z.2 = z.219 + + 6. ~skC = ~skC.196 + certT = cert(x.388, x.389, z.219) + cip = cip.199 + cipe = encaps(z.214, pk(skCe.208)) + skCe = skCe.208 + z = decaps(cip.199, ~skC.196) + z.1 = z.214 + z.2 = z.219 + + 7. ~skC = ~skC.198 + certT = cert(x.392, x.393, z.221) + cip = encaps(z.215, pk(~skC.198)) + cipe = cipe.202 + skCe = skCe.210 + z = z.215 + z.1 = decaps(cipe.202, skCe.210) + z.2 = z.221 + + 8. ~skC = ~skC.198 + certT = cert(x.392, x.393, z.221) + cip = encaps(z.215, pk(~skC.198)) + cipe = encaps(z.216, pk(skCe.210)) + skCe = skCe.210 + z = z.215 + z.1 = z.216 + z.2 = z.221 */ rule (modulo E) CA_FINISH_T: [ In( <kCNF_C, '4', 'c'> ), - TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), + TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -540,9 +527,6 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip, pkCe, cipe> ) ]-> [ - CAFinishT( cert_id(certC), $T, - kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) - ), !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>, kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ) 
@@ -552,7 +536,7 @@ rule (modulo E) CA_FINISH_T: rule (modulo AC) CA_FINISH_T: [ In( <kCNF_C, '4', 'c'> ), - TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), + TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ), !Cert( $T, certT, 'terminal' ) ] --[ @@ -563,19 +547,16 @@ rule (modulo E) CA_FINISH_T: Finished( <certT, certC, r2, cip, pkCe, cipe> ) ]-> [ - CAFinishT( z, $T, - kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) - ), !SessionReveal( <certT, certC, r2, cip, pkCe, cipe>, kdf(<'KEY', certT, certC, r2, cip, pkCe, cipe>, <k, ke>) ) ] variants (modulo AC) - 1. certC = certC.18 - z = cert_id(certC.18) + 1. certC = certC.19 + z = cert_id(certC.19) - 2. certC = cert(x.44, x.45, z.31) - z = z.31 + 2. certC = cert(x.29, x.30, z.24) + z = z.24 */ rule (modulo E) Verify_Transcript_C: @@ -2629,7 +2610,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -2647,7 +2628,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>, <z.2, cipe>, pk(~skCe) ) ▶₁ #j ) @@ -2758,7 +2739,7 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) 
@@ -2776,7 +2757,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>, <z.2, cipe>, pk(~skCe) ) ▶₁ #j ) @@ -2787,8 +2768,8 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_Sign_ltk solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid.1>, cert(x, x.1, $T), id_c.1, r1.1, r2.1, - skCe.1, kTMAC, kTCNF + solve( TAChallengeC( $C, cert(x, x.1, $T), id_c.1, r1.1, r2.1, skCe.1, + kTMAC, kTCNF ) ▶₁ #i2 ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 ) @@ -2806,7 +2787,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) $T, 'terminal', $C ) @ #j2 ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.3>, id_c.3, + solve( TAResponseT( $T, id_c.3, cert(pk(~ltk.2), sign(<pk(~ltk.2), $C, 'chip'>, ca_sk), $C), ~r2.1, <z, cip>, <z.1, cipe>, pk(~skCe.1) ) ▶₁ #j2 ) 
@@ -3082,6 +3063,155 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed +lemma aliveness: + all-traces + "∀ k sid A role B #i #t. + ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ + (∃ #k.1. Corrupted( B ) @ #k.1))" +/* +guarded formula characterizing all counter-examples: +"∃ k sid A role B #i #t. + (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) + ∧ + (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" +*/ +simplify +solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe + ) ▶₁ #t ) + case TA_RESPONSE_T + solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) + case CA_Sign_ltk + solve( Completed( k.1, + <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, + encaps(~ke, pkCe)>, + A, role, B + ) @ #i ) + case CA_FINISH_T + solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, B, 'chip'>, ca_sk), B), + r2, <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe + ) ▶₁ #i ) + case TA_RESPONSE_T + solve( !KU( kdf(<'CNF', + cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, + encaps(~ke, pkCe)>, + <~k, ~ke>) + ) @ #vk.1 ) + case TA_COMPLETE_C + by contradiction /* from formulas */ + next + case c_kdf + solve( !KU( ~k ) @ #vk.29 ) + case TA_RESPONSE_T + solve( !KU( ~ke ) @ #vk.30 ) + case TA_RESPONSE_T + solve( splitEqs(1) ) + case split_case_1 + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, + pk(sk.1)>, + kdf(<'TENC', r1>, decaps(cTA, ~skT))) + ) @ #vk.19 ) + case c_senc + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + ) @ #vk.28 ) + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.33 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case TA_CHALLENGE_C + solve( !KU( ~ltk.1 ) @ 
#vk.33 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_cert + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 ) + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.34 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case TA_CHALLENGE_C + solve( !KU( ~ltk.1 ) @ #vk.34 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_sign + by solve( !KU( ca_sk ) @ #vk.41 ) + qed + qed + qed + next + case split_case_2 + solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, + pk(sk.1)>, + kdf(<'TENC', r1>, z)) + ) @ #vk.19 ) + case TA_CHALLENGE_C + solve( !KU( ~r2 ) @ #vk.29 ) + case TA_CHALLENGE_C + solve( !KU( ~ltk.1 ) @ #vk.31 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + next + case c_senc + solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) + ) @ #vk.28 ) + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.33 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case TA_CHALLENGE_C + solve( !KU( ~ltk.1 ) @ #vk.33 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_cert + solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 ) + case CA_Sign_ltk + solve( !KU( ~ltk.1 ) @ #vk.34 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case TA_CHALLENGE_C + solve( !KU( ~ltk.1 ) @ #vk.34 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_sign + by solve( !KU( ca_sk ) @ #vk.41 ) + qed + qed + qed + qed + qed + qed + qed + qed + next + case TA_COMPLETE_C_case_1 + by contradiction /* from formulas */ + next + case TA_COMPLETE_C_case_2 + by contradiction /* from formulas */ + qed + qed +qed + lemma weak_agreement_C: all-traces "∀ k sid C T #i #t. 
@@ -3099,8 +3229,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, - pkCe +solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) @@ -3112,7 +3241,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, C, 'chip', T.1 ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, + solve( TAChallengeC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) @@ -3128,7 +3257,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, + solve( TAChallengeC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) @@ -3163,8 +3292,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, - pkCe +solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) @@ -3176,9 +3304,8 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( TAResponseT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>, - <ke.1, encaps(~ke, pkCe)>, pkCe + solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), + r2, <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe ) ▶₁ #i ) case TA_RESPONSE_T solve( !KU( kdf(<'CNF', 
@@ -3310,8 +3437,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, - pkCe +solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) @@ -3323,7 +3449,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, C, 'chip', T.1 ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, + solve( TAChallengeC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) @@ -3397,7 +3523,7 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, + solve( TAChallengeC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) @@ -3490,8 +3616,7 @@ guarded formula characterizing all counter-examples: (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, - pkCe +solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #t ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) @@ -3503,9 +3628,8 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( TAResponseT( <$T.1, iid>, id_c, - cert(z, sign(<z, C, 'chip'>, ca_sk), C), r2, <k.1, encaps(~k, z)>, - <ke.1, encaps(~ke, pkCe)>, pkCe + solve( TAResponseT( $T.1, id_c, cert(z, sign(<z, C, 'chip'>, ca_sk), C), + r2, <k.1, encaps(~k, z)>, <ke.1, encaps(~ke, pkCe)>, pkCe ) ▶₁ #i ) case TA_RESPONSE_T solve( !KU( kdf(<'CNF', 
@@ -3620,157 +3744,6 @@ solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, qed qed -lemma aliveness: - all-traces - "∀ k sid A role B #i #t. - ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ - (∃ #k.1. Corrupted( B ) @ #k.1))" -/* -guarded formula characterizing all counter-examples: -"∃ k sid A role B #i #t. - (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) - ∧ - (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" -*/ -simplify -solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, - pkCe - ) ▶₁ #t ) - case TA_RESPONSE_T - solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) - case CA_Sign_ltk - solve( Completed( k.1, - <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, z.1, 'chip'>, ca_sk), z.1), r2, encaps(~k, z), pkCe, - encaps(~ke, pkCe)>, - A, role, B - ) @ #i ) - case CA_FINISH_T - solve( TAResponseT( <$T.1, iid>, id_c, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <k.1, encaps(~k, z)>, - <ke.1, encaps(~ke, pkCe)>, pkCe - ) ▶₁ #i ) - case TA_RESPONSE_T - solve( !KU( kdf(<'CNF', - cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, encaps(~k, z), pkCe, - encaps(~ke, pkCe)>, - <~k, ~ke>) - ) @ #vk.1 ) - case TA_COMPLETE_C - by contradiction /* from formulas */ - next - case c_kdf - solve( !KU( ~k ) @ #vk.29 ) - case TA_RESPONSE_T - solve( !KU( ~ke ) @ #vk.30 ) - case TA_RESPONSE_T - solve( splitEqs(1) ) - case split_case_1 - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, - pk(sk.1)>, - kdf(<'TENC', r1>, decaps(cTA, ~skT))) - ) @ #vk.19 ) - case c_senc - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) - ) @ #vk.28 ) - case CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.33 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case 
TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.33 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 ) - case CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.34 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.34 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.41 ) - qed - qed - qed - next - case split_case_2 - solve( !KU( senc(<cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B), r2, - pk(sk.1)>, - kdf(<'TENC', r1>, z)) - ) @ #vk.19 ) - case TA_CHALLENGE_C - solve( !KU( ~r2 ) @ #vk.29 ) - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.31 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - next - case c_senc - solve( !KU( cert(pk(sk), sign(<pk(sk), B, 'chip'>, ca_sk), B) - ) @ #vk.28 ) - case CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.33 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.33 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_cert - solve( !KU( sign(<pk(sk), B, 'chip'>, ca_sk) ) @ #vk.37 ) - case CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.34 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.34 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.41 ) - qed - qed - qed - qed - qed - qed - qed - qed - next - case TA_COMPLETE_C_case_1 - by contradiction /* from formulas */ - next - case TA_COMPLETE_C_case_2 - by contradiction /* from formulas */ - qed - qed -qed - lemma session_uniqueness: all-traces "∀ A B k sid sid2 role #i #j. 
@@ -3792,8 +3765,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_1 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, - pkCe + solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) @@ -3806,9 +3778,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>, - <~ke, encaps(~ke, pkCe)>, pkCe + solve( TAResponseT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), + r2, <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe ) ▶₁ #j ) case TA_RESPONSE_T by contradiction /* cyclic */ @@ -3818,7 +3789,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -3833,18 +3804,16 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe, - kTMAC, kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe, - kTMAC, kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ 
@@ -3855,7 +3824,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -3870,18 +3839,16 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe, - kTMAC, kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe, - kTMAC, kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ @@ -3895,8 +3862,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, - pkCe + solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) @@ -3909,9 +3875,8 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, - cert(z, sign(<z, B, 'chip'>, ca_sk), B), r2, <~k, encaps(~k, z)>, - <~ke, encaps(~ke, pkCe)>, pkCe + solve( TAResponseT( $T, id_c.1, cert(z, sign(<z, B, 'chip'>, ca_sk), B), + r2, <~k, encaps(~k, z)>, <~ke, encaps(~ke, pkCe)>, pkCe ) ▶₁ #j ) case TA_RESPONSE_T by contradiction /* cyclic */ 
@@ -3921,7 +3886,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -3936,18 +3901,16 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe, - kTMAC, kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe, - kTMAC, kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ @@ -3958,7 +3921,7 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) 
@@ -3973,18 +3936,16 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) sid2, $C, 'chip', B ) @ #j ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe, - kTMAC, kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid.1>, - cert(z, sign(<z, B, 'terminal'>, ca_sk), B), id_c.1, r1.1, ~r2, ~skCe, - kTMAC, kTCNF + solve( TAChallengeC( $C, cert(z, sign(<z, B, 'terminal'>, ca_sk), B), + id_c.1, r1.1, ~r2, ~skCe, kTMAC, kTCNF ) ▶₁ #j ) case TA_CHALLENGE_C by contradiction /* cyclic */ @@ -3999,8 +3960,7 @@ next case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_T - solve( TAResponseT( <$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, - pkCe + solve( TAResponseT( $T, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe ) ▶₁ #i ) case TA_RESPONSE_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) @@ -4019,7 +3979,7 @@ next qed next case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -4044,7 +4004,7 @@ next qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) 
@@ -4075,19 +4035,21 @@ lemma consistency: "∀ C T k k2 sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒ - ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))" + (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k k2 sid #i #j. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j) ∧ - (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (¬(k = k2)) ∧ + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -4101,7 +4063,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>, <ke, cipe>, pk(~skCe) ) ▶₁ #j ) @@ -4175,24 +4137,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_CHALLENGE_C solve( !KU( ~ltk.1 ) @ #vk.46 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.25 ) - case c_kdf - solve( !KU( ~k ) @ #vk.50 ) - case TA_RESPONSE_T - solve( !KU( ~ke ) @ #vk.51 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.52 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed 
@@ -4281,24 +4226,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_CHALLENGE_C solve( !KU( ~ltk.1 ) @ #vk.46 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.25 ) - case c_kdf - solve( !KU( ~k ) @ #vk.50 ) - case TA_RESPONSE_T - solve( !KU( ~ke ) @ #vk.51 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.52 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed @@ -4314,7 +4242,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -4328,7 +4256,7 @@ next T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <k, cip>, <ke, cipe>, pk(~skCe) ) ▶₁ #j ) @@ -4402,24 +4330,7 @@ next case TA_CHALLENGE_C solve( !KU( ~ltk.1 ) @ #vk.46 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.25 ) - case c_kdf - solve( !KU( ~k ) @ #vk.50 ) - case TA_RESPONSE_T - solve( !KU( ~ke ) @ #vk.51 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.52 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed 
@@ -4508,24 +4419,7 @@ next case TA_CHALLENGE_C solve( !KU( ~ltk.1 ) @ #vk.46 ) case Corrupt_ltk - solve( !KU( kdf(<'CNF', - cert(pk(~ltk.1), sign(<pk(~ltk.1), $T, 'terminal'>, ca_sk), $T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, - encaps(~k, pk(~ltk)), pk(~skCe), encaps(~ke, pk(~skCe))>, - <~k, ~ke>) - ) @ #vk.25 ) - case c_kdf - solve( !KU( ~k ) @ #vk.50 ) - case TA_RESPONSE_T - solve( !KU( ~ke ) @ #vk.51 ) - case TA_RESPONSE_T - solve( !KU( ~ltk ) @ #vk.52 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed + by contradiction /* from formulas */ qed qed qed @@ -4546,8 +4440,9 @@ lemma key_secrecy: "∀ C T k sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒ - (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ - (∃ #m. Corrupted( C ) @ #m))" + ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ + (∃ #m. Corrupted( C ) @ #m)) ∨ + (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k sid #i #j. @@ -4556,12 +4451,13 @@ guarded formula characterizing all counter-examples: ∧ (∃ #m. (K( k ) @ #m)) ∧ (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧ - (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -4579,7 +4475,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>, <z.2, cipe>, pk(~skCe) ) ▶₁ #j ) 
@@ -4649,7 +4545,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -4667,7 +4563,7 @@ next T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>, <z.2, cipe>, pk(~skCe) ) ▶₁ #j ) 
@@ -4737,94 +4633,7 @@ next qed qed -lemma chip_hiding: - all-traces - "∀ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) ⇒ - ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))" -/* -guarded formula characterizing all counter-examples: -"∃ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) - ∧ - (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))" -*/ -simplify -solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF - ) ▶₁ #i ) - case TA_CHALLENGE_C - solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) - case Generate_chip_key_pair - solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) - case CA_Sign_ltk - solve( !KU( ~iid ) @ #vk.13 ) - case TA_CHALLENGE_C - solve( !KU( mac(<'CA', cert(z, sign(<z, T, 'terminal'>, ca_sk), T), - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, cip, - pk(~skCe), cipe>, - kdf(<'TMAC', ~r1>, ~kTA)) - ) @ #vk.6 ) - case TA_RESPONSE_T - solve( splitEqs(0) ) - case split_case_1 - solve( !KU( kdf(<'TENC', ~r1>, ~kTA) ) @ #vk.16 ) - case c_kdf - solve( !KU( ~kTA ) @ #vk.29 ) - case TA_CHALLENGE_C - solve( !KU( ~ltk.1 ) @ #vk.31 ) - case Corrupt_ltk - solve( !KU( encaps(~kTA, pk(~skT)) ) @ #vk.25 ) - case TA_CHALLENGE_C - solve( !KU( senc(< - cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, pk(~skCe) - >, - kdf(<'TENC', ~r1>, ~kTA)) - ) @ #vk.27 ) - case TA_CHALLENGE_C - solve( !KU( ~r1 ) @ #vk.25 ) - case TA_CHALLENGE_C - solve( !KU( cert(pk(~skT), sign(<pk(~skT), $T, 'terminal'>, ca_sk), $T) - ) @ #vk.24 ) - case CA_Sign_ltk - solve( !KU( kdf(<'TCNF', ~r1>, ~kTA) ) @ #vk.17 ) - case TA_RESPONSE_T - solve( splitEqs(2) ) - case split_case_1 - solve( !KU( encaps(~kTA, pk(~skT.1)) ) @ #vk.37 ) - case TA_CHALLENGE_C - solve( !KU( senc(<cert(z, sign(<z, x, 'chip'>, ca_sk), x), x.1>, - kdf(<'TENC', ~r1>, ~kTA)) - ) @ #vk.37 ) - case c_senc - solve( !KU( cert(z, sign(<z, x, 'chip'>, ca_sk), x) ) @ #vk.39 ) - case CA_Sign_ltk - solve( !KU( encaps(~k, pk(~ltk)) ) @ #vk.25 ) - case TA_RESPONSE_T - solve( !KU( 
encaps(~ke, pk(~skCe)) ) @ #vk.28 ) - case TA_RESPONSE_T - SOLVED // trace found - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed - qed -qed - -lemma nonRepudiation_terminal: +lemma notNonRepudiation_C: exists-trace "∃ C T #i. (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -4900,7 +4709,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i ) qed qed -lemma nonRepudiation_chip: +lemma notNonRepudiation_T: exists-trace "∃ C T #i. (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -4967,7 +4776,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i ) qed qed -lemma pfs: +lemma forward_secrecy: all-traces "∀ C T k sid #i #j. ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧ @@ -4989,7 +4798,7 @@ guarded formula characterizing all counter-examples: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case TA_COMPLETE_C_case_1 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) @@ -5007,7 +4816,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>, <z.2, cipe>, pk(~skCe) ) ▶₁ #j ) @@ -5077,7 +4886,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed next case TA_COMPLETE_C_case_2 - solve( TAChallengeC( <$C, iid>, certT, id_c, r1, r2, skCe, kTMAC, kTCNF + solve( TAChallengeC( $C, certT, id_c, r1, r2, skCe, kTMAC, kTCNF ) ▶₁ #i ) case TA_CHALLENGE_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) 
@@ -5095,7 +4904,7 @@ next T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( TAResponseT( <$T, iid.1>, id_c.1, + solve( TAResponseT( $T, id_c.1, cert(pk(~ltk), sign(<pk(~ltk), $C, 'chip'>, ca_sk), $C), ~r2, <z.1, cip>, <z.2, cipe>, pk(~skCe) ) ▶₁ #j ) @@ -5218,21 +5027,20 @@ summary of summaries: analyzed: tmp.spthy - processing time: 1715.21s + processing time: 1520.43s session_exist (exists-trace): verified (26 steps) two_session_exist (exists-trace): verified (52 steps) + aliveness (all-traces): verified (39 steps) weak_agreement_C (all-traces): verified (12 steps) weak_agreement_T (all-traces): verified (37 steps) agreement_C (all-traces): verified (44 steps) agreement_T (all-traces): verified (37 steps) - aliveness (all-traces): verified (39 steps) session_uniqueness (all-traces): verified (64 steps) - consistency (all-traces): verified (116 steps) + consistency (all-traces): verified (100 steps) key_secrecy (all-traces): verified (44 steps) - chip_hiding (all-traces): falsified - found trace (22 steps) - nonRepudiation_terminal (exists-trace): verified (18 steps) - nonRepudiation_chip (exists-trace): verified (15 steps) - pfs (all-traces): verified (44 steps) + notNonRepudiation_C (exists-trace): verified (18 steps) + notNonRepudiation_T (exists-trace): verified (15 steps) + forward_secrecy (all-traces): verified (44 steps) ============================================================================== diff --git a/results/45992234.err.ALL_SigPQEAC_TAMARIN b/results/46109591.err.CLASSIC_EAC similarity index 81% rename from results/45992234.err.ALL_SigPQEAC_TAMARIN rename to results/46109591.err.CLASSIC_EAC index 3503e35..35cf59a 100644 --- a/results/45992234.err.ALL_SigPQEAC_TAMARIN +++ b/results/46109591.err.CLASSIC_EAC 
@@ -30,5 +30,5 @@ [Saturating Sources] Step 2/5 [Saturating Sources] Step 1/5 [Saturating Sources] Step 2/5 -/var/spool/slurmd/job45992234/slurm_script: line 29: output/hw/45992234.cpu: No such file or directory -/var/spool/slurmd/job45992234/slurm_script: line 30: output/hw/45992234.processor: No such file or directory +WARNING: you should run this program as super-user. +WARNING: output may be incomplete or inaccurate, you should run this program as super-user. diff --git a/results/45991167.out.ALL_CLASSIC_EAC_TAMARIN b/results/46109591.out.CLASSIC_EAC similarity index 83% rename from results/45991167.out.ALL_CLASSIC_EAC_TAMARIN rename to results/46109591.out.CLASSIC_EAC index 9db40ed..0b768c4 100644 --- a/results/45991167.out.ALL_CLASSIC_EAC_TAMARIN +++ b/results/46109591.out.CLASSIC_EAC @@ -36,7 +36,7 @@ rule (modulo E) Publish_ca_pk: rule (modulo E) Generate_chip_key_pair: [ Fr( ~ltk ) ] - --[ TestMe( ) ]-> + --> [ !Pk( $A, 'g'^~ltk, 'chip' ), !Ltk( $A, ~ltk, 'chip' ), Out( 'g'^~ltk ) ] 
@@ -73,677 +73,652 @@ rule (modulo E) Reveal_session: /* has exactly the trivial AC variant */ rule (modulo E) TA_INIT_T: - [ !Cert( $T, certT, 'terminal' ), Fr( ~skTe ), Fr( ~iid ) ] + [ !Cert( $T, certT, 'terminal' ), Fr( ~skTe ) ] --[ Started( ) ]-> - [ - Out( <certT, 'g'^~skTe, '1', 't'> ), Out( ~iid ), - TAInitT( <$T, ~iid>, ~skTe ) - ] + [ Out( <certT, 'g'^~skTe, '1', 't'> ), TAInitT( $T, ~skTe ) ] /* has exactly the trivial AC variant */ rule (modulo E) TA_CHALLENGE_C: - [ In( <certT, pkTe, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ] + [ In( <certT, pkTe, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ] --[ Eq( verify_cert(certT, 'terminal'), true ), Started( ) ]-> [ Out( <~id_c, ~r1, '2', 'c'> ), - TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 ) + TAChallengeC( $C, certT, pkTe, ~id_c, ~r1 ) ] /* rule (modulo AC) TA_CHALLENGE_C: - [ In( <certT, pkTe, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ), Fr( ~iid ) ] + [ In( <certT, pkTe, '1', 't'> ), Fr( ~r1 ), Fr( ~id_c ) ] --[ Eq( z, true ), Started( ) ]-> [ Out( <~id_c, ~r1, '2', 'c'> ), - TAChallengeC( <$C, ~iid>, certT, pkTe, ~id_c, ~r1 ) + TAChallengeC( $C, certT, pkTe, ~id_c, ~r1 ) ] variants (modulo AC) - 1. certT = certT.13 - z = verify(cert_sig(certT.13), - <cert_pk(certT.13), cert_id(certT.13), 'terminal'>, pk(ca_sk)) + 1. certT = certT.12 + z = verify(cert_sig(certT.12), + <cert_pk(certT.12), cert_id(certT.12), 'terminal'>, pk(ca_sk)) - 2. certT = cert(x.14, sign(<x.14, x.15, 'terminal'>, ca_sk), x.15) + 2. certT = cert(x.13, sign(<x.13, x.14, 'terminal'>, ca_sk), x.14) z = true - 3. certT = cert(x.15, x.16, x.17) - z = verify(x.16, <x.15, x.17, 'terminal'>, pk(ca_sk)) + 3. 
certT = cert(x.14, x.15, x.16) + z = verify(x.15, <x.14, x.16, 'terminal'>, pk(ca_sk)) */ rule (modulo E) TA_RESPONSE_T: [ - In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid>, skTe ), + In( <id_c, r1, '2', 'c'> ), TAInitT( $T, skTe ), !Ltk( $T, ~skT, 'terminal' ) ] --> [ Out( <sign(<id_c, r1, 'g'^skTe>, ~skT), '3', 't'> ), - TAResponseT( <$T, iid>, skTe, id_c ) + TAResponseT( $T, skTe, id_c ) ] /* rule (modulo AC) TA_RESPONSE_T: [ - In( <id_c, r1, '2', 'c'> ), TAInitT( <$T, iid>, skTe ), + In( <id_c, r1, '2', 'c'> ), TAInitT( $T, skTe ), !Ltk( $T, ~skT, 'terminal' ) ] --> [ Out( <sign(<id_c, r1, z>, ~skT), '3', 't'> ), - TAResponseT( <$T, iid>, skTe, id_c ) + TAResponseT( $T, skTe, id_c ) ] variants (modulo AC) - 1. skTe = skTe.12 - z = 'g'^skTe.12 + 1. skTe = skTe.11 + z = 'g'^skTe.11 2. skTe = one z = 'g' */ rule (modulo E) TA_COMPLETE_C: - [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 ) ] - --[ - Eq( verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true ), - CompletedTA( $C, iid, cert_id(certT) ) - ]-> - [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ] + [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, pkTe, id_c, r1 ) ] + --[ Eq( verify(s, <id_c, r1, pkTe>, cert_pk(certT)), true ) ]-> + [ TACompleteC( $C, certT, pkTe, id_c, r1 ) ] /* rule (modulo AC) TA_COMPLETE_C: - [ In( <s, '3', 't'> ), TAChallengeC( <$C, iid>, certT, pkTe, id_c, r1 ) ] - --[ Eq( z, true ), CompletedTA( $C, iid, z.1 ) ]-> - [ TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) ] + [ In( <s, '3', 't'> ), TAChallengeC( $C, certT, pkTe, id_c, r1 ) ] + --[ Eq( z, true ) ]-> + [ TACompleteC( $C, certT, pkTe, id_c, r1 ) ] variants (modulo AC) - 1. certT = certT.18 - id_c = id_c.19 + 1. certT = certT.15 + id_c = id_c.16 + pkTe = pkTe.17 + r1 = r1.18 + s = s.19 + z = verify(s.19, <id_c.16, r1.18, pkTe.17>, cert_pk(certT.15)) + + 2. 
certT = cert(x.34, x.35, x.36) + id_c = id_c.20 pkTe = pkTe.21 r1 = r1.22 s = s.23 - z = verify(s.23, <id_c.19, r1.22, pkTe.21>, cert_pk(certT.18)) - z.1 = cert_id(certT.18) - - 2. certT = cert(x.41, x.42, z.31) - id_c = id_c.23 - pkTe = pkTe.25 - r1 = r1.26 - s = s.27 - z = verify(s.27, <id_c.23, r1.26, pkTe.25>, x.41) - z.1 = z.31 - - 3. certT = cert(pk(x.41), x.42, z.31) - id_c = id_c.23 - pkTe = pkTe.25 - r1 = r1.26 - s = sign(<id_c.23, r1.26, pkTe.25>, x.41) + z = verify(s.23, <id_c.20, r1.22, pkTe.21>, x.34) + + 3. certT = cert(pk(x.34), x.35, x.36) + id_c = id_c.20 + pkTe = pkTe.21 + r1 = r1.22 + s = sign(<id_c.20, r1.22, pkTe.21>, x.34) z = true - z.1 = z.31 */ rule (modulo E) CA_INIT_C: [ !Cert( $C, certC, 'chip' ), Fr( ~r2 ), - TACompleteC( <$C, iid>, certT, pkTe, id_c, r1 ) + TACompleteC( $C, certT, pkTe, id_c, r1 ) ] --> [ - Out( <certC, ~r2, '4', 'c'> ), Out( iid ), - CAInitC( <$C, iid>, certT, pkTe, id_c, r1, ~r2 ) + Out( <certC, ~r2, '4', 'c'> ), CAInitC( $C, certT, pkTe, id_c, r1, ~r2 ) ] /* has exactly the trivial AC variant */ rule (modulo E) CA_INIT_T: - [ In( <certC, r2, '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c ) ] + [ In( <certC, r2, '4', 'c'> ), TAResponseT( $T, skTe, id_c ) ] --[ Eq( verify_cert(certC, 'chip'), true ) ]-> - [ Out( <'g'^skTe, '5', 't'> ), CAInitT( <$T, iid>, skTe, id_c, certC ) ] + [ Out( <'g'^skTe, '5', 't'> ), CAInitT( $T, skTe, id_c, certC ) ] /* rule (modulo AC) CA_INIT_T: - [ In( <certC, r2, '4', 'c'> ), TAResponseT( <$T, iid>, skTe, id_c ) ] + [ In( <certC, r2, '4', 'c'> ), TAResponseT( $T, skTe, id_c ) ] --[ Eq( z.1, true ) ]-> - [ Out( <z, '5', 't'> ), CAInitT( <$T, iid>, skTe, id_c, certC ) ] + [ Out( <z, '5', 't'> ), CAInitT( $T, skTe, id_c, certC ) ] variants (modulo AC) - 1. certC = certC.14 + 1. 
certC = certC.13 skTe = one z = 'g' - z.1 = verify(cert_sig(certC.14), - <cert_pk(certC.14), cert_id(certC.14), 'chip'>, pk(ca_sk)) + z.1 = verify(cert_sig(certC.13), + <cert_pk(certC.13), cert_id(certC.13), 'chip'>, pk(ca_sk)) - 2. certC = certC.18 - skTe = skTe.22 - z = 'g'^skTe.22 - z.1 = verify(cert_sig(certC.18), - <cert_pk(certC.18), cert_id(certC.18), 'chip'>, pk(ca_sk)) + 2. certC = certC.16 + skTe = skTe.19 + z = 'g'^skTe.19 + z.1 = verify(cert_sig(certC.16), + <cert_pk(certC.16), cert_id(certC.16), 'chip'>, pk(ca_sk)) - 3. certC = cert(x.15, sign(<x.15, x.16, 'chip'>, ca_sk), x.16) + 3. certC = cert(x.14, sign(<x.14, x.15, 'chip'>, ca_sk), x.15) skTe = one z = 'g' z.1 = true - 4. certC = cert(x.16, x.17, x.18) + 4. certC = cert(x.15, x.16, x.17) skTe = one z = 'g' - z.1 = verify(x.17, <x.16, x.18, 'chip'>, pk(ca_sk)) + z.1 = verify(x.16, <x.15, x.17, 'chip'>, pk(ca_sk)) - 5. certC = cert(x.64, sign(<x.64, x.65, 'chip'>, ca_sk), x.65) - skTe = skTe.36 - z = 'g'^skTe.36 + 5. certC = cert(x.63, sign(<x.63, x.64, 'chip'>, ca_sk), x.64) + skTe = skTe.35 + z = 'g'^skTe.35 z.1 = true - 6. certC = cert(x.65, x.66, x.67) - skTe = skTe.37 - z = 'g'^skTe.37 - z.1 = verify(x.66, <x.65, x.67, 'chip'>, pk(ca_sk)) + 6. 
certC = cert(x.64, x.65, x.66) + skTe = skTe.36 + z = 'g'^skTe.36 + z.1 = verify(x.65, <x.64, x.66, 'chip'>, pk(ca_sk)) */ rule (modulo E) CA_FINISH_C: [ - In( <pkTe_t, '5', 't'> ), - CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ), + In( <pkTe_t, '5', 't'> ), CAInitC( $C, certT, pkTe, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ Eq( pkTe_t, pkTe ), - Completed( <kdf_enc(pkTe^~skC, r2), kdf_mac(pkTe^~skC, r2)>, + Completed( kdf_enc(pkTe^~skC, r2), <certT, certC, pkTe, 'g'^~skC, id_c, r2>, $C, 'chip', cert_id(certT) ) ]-> - [ - Out( <r2, mac(pkTe, kdf_mac(pkTe^~skC, r2)), '6', 'c'> ), - CAFinishC( $C, cert_id(certT), kdf_enc(pkTe^~skC, r2) ) - ] + [ Out( <r2, mac(pkTe, kdf_mac(pkTe^~skC, r2)), '6', 'c'> ) ] /* rule (modulo AC) CA_FINISH_C: [ - In( <pkTe_t, '5', 't'> ), - CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ), + In( <pkTe_t, '5', 't'> ), CAInitC( $C, certT, pkTe, id_c, r1, r2 ), !Ltk( $C, ~skC, 'chip' ), !Cert( $C, certC, 'chip' ) ] --[ Eq( pkTe_t, pkTe ), - Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, - <certT, certC, pkTe, 'g'^~skC, id_c, r2>, $C, 'chip', z.1 + Completed( kdf_enc(z, r2), <certT, certC, pkTe, 'g'^~skC, id_c, r2>, $C, + 'chip', z.1 ) ]-> - [ - Out( <r2, mac(pkTe, kdf_mac(z, r2)), '6', 'c'> ), - CAFinishC( $C, z.1, kdf_enc(z, r2) ) - ] + [ Out( <r2, mac(pkTe, kdf_mac(z, r2)), '6', 'c'> ) ] variants (modulo AC) - 1. ~skC = ~skC.24 - certT = certT.26 - pkTe = pkTe.29 - z = pkTe.29^~skC.24 - z.1 = cert_id(certT.26) - - 2. ~skC = ~skC.31 - certT = certT.33 - pkTe = z.43^inv(~skC.31) - z = z.43 - z.1 = cert_id(certT.33) - - 3. ~skC = ~skC.170 - certT = certT.172 - pkTe = x.336^x.337 - z = x.336^(~skC.170*x.337) - z.1 = cert_id(certT.172) - - 4. ~skC = ~skC.170 - certT = cert(x.336, x.337, z.185) - pkTe = pkTe.175 - z = pkTe.175^~skC.170 - z.1 = z.185 - - 5. ~skC = ~skC.172 - certT = cert(x.340, x.341, z.187) - pkTe = z.184^inv(~skC.172) - z = z.184 - z.1 = z.187 - - 6. 
~skC = ~skC.175 - certT = certT.177 - pkTe = x.346^inv((~skC.175*x.347)) - z = x.346^inv(x.347) - z.1 = cert_id(certT.177) - - 7. ~skC = ~skC.175 - certT = certT.177 - pkTe = x.346^(x.347*inv(~skC.175)) - z = x.346^x.347 - z.1 = cert_id(certT.177) - - 8. ~skC = ~skC.175 - certT = cert(x.341, x.342, z.190) - pkTe = x.346^x.347 - z = x.346^(~skC.175*x.347) - z.1 = z.190 - - 9. ~skC = ~skC.176 - certT = certT.178 - pkTe = x.347^(x.348*inv((~skC.176*x.349))) - z = x.347^(x.348*inv(x.349)) - z.1 = cert_id(certT.178) - - 10. ~skC = ~skC.177 - certT = cert(x.345, x.346, z.192) - pkTe = x.350^inv((~skC.177*x.351)) - z = x.350^inv(x.351) - z.1 = z.192 - - 11. ~skC = ~skC.177 - certT = cert(x.345, x.346, z.192) - pkTe = x.350^(x.351*inv(~skC.177)) - z = x.350^x.351 - z.1 = z.192 - - 12. ~skC = ~skC.178 - certT = cert(x.346, x.347, z.193) - pkTe = x.351^(x.352*inv((~skC.178*x.353))) - z = x.351^(x.352*inv(x.353)) - z.1 = z.193 + 1. ~skC = ~skC.23 + certT = certT.25 + pkTe = pkTe.27 + z = pkTe.27^~skC.23 + z.1 = cert_id(certT.25) + + 2. ~skC = ~skC.30 + certT = certT.32 + pkTe = z.41^inv(~skC.30) + z = z.41 + z.1 = cert_id(certT.32) + + 3. ~skC = ~skC.162 + certT = certT.164 + pkTe = x.320^x.321 + z = x.320^(~skC.162*x.321) + z.1 = cert_id(certT.164) + + 4. ~skC = ~skC.162 + certT = cert(x.320, x.321, z.177) + pkTe = pkTe.166 + z = pkTe.166^~skC.162 + z.1 = z.177 + + 5. ~skC = ~skC.164 + certT = cert(x.324, x.325, z.179) + pkTe = z.175^inv(~skC.164) + z = z.175 + z.1 = z.179 + + 6. ~skC = ~skC.166 + certT = certT.168 + pkTe = x.328^inv((~skC.166*x.329)) + z = x.328^inv(x.329) + z.1 = cert_id(certT.168) + + 7. ~skC = ~skC.166 + certT = certT.168 + pkTe = x.328^(x.329*inv(~skC.166)) + z = x.328^x.329 + z.1 = cert_id(certT.168) + + 8. ~skC = ~skC.166 + certT = cert(x.324, x.325, z.181) + pkTe = x.328^x.329 + z = x.328^(~skC.166*x.329) + z.1 = z.181 + + 9. 
~skC = ~skC.167 + certT = certT.169 + pkTe = x.329^(x.330*inv((~skC.167*x.331))) + z = x.329^(x.330*inv(x.331)) + z.1 = cert_id(certT.169) + + 10. ~skC = ~skC.168 + certT = cert(x.328, x.329, z.183) + pkTe = x.332^inv((~skC.168*x.333)) + z = x.332^inv(x.333) + z.1 = z.183 + + 11. ~skC = ~skC.168 + certT = cert(x.328, x.329, z.183) + pkTe = x.332^(x.333*inv(~skC.168)) + z = x.332^x.333 + z.1 = z.183 + + 12. ~skC = ~skC.169 + certT = cert(x.329, x.330, z.184) + pkTe = x.333^(x.334*inv((~skC.169*x.335))) + z = x.333^(x.334*inv(x.335)) + z.1 = z.184 13. certT = certT.19 pkTe = DH_neutral z = DH_neutral z.1 = cert_id(certT.19) - 14. certT = cert(x.201, x.202, z.110) + 14. certT = cert(x.185, x.186, z.102) pkTe = DH_neutral z = DH_neutral - z.1 = z.110 + z.1 = z.102 */ rule (modulo E) CA_FINISH_T: [ - In( <r2, tag, '6', 'c'> ), CAInitT( <$T, iid>, skTe, id_c, certC ), + In( <r2, tag, '6', 'c'> ), CAInitT( $T, skTe, id_c, certC ), !Cert( $T, certT, 'terminal' ) ] --[ Eq( tag, mac('g'^skTe, kdf_mac(cert_pk(certC)^skTe, r2)) ), - Completed( <kdf_enc(cert_pk(certC)^skTe, r2), - kdf_mac(cert_pk(certC)^skTe, r2)>, + Completed( kdf_enc(cert_pk(certC)^skTe, r2), <certT, certC, 'g'^skTe, cert_pk(certC), id_c, r2>, $T, 'terminal', cert_id(certC) ), Finished( <certT, certC, 'g'^skTe, cert_pk(certC), id_c, r2> ) ]-> [ - CAFinishT( cert_id(certC), $T, kdf_enc(cert_pk(certC)^skTe, r2) ), !SessionReveal( <certT, certC, 'g'^skTe, cert_pk(certC), id_c, r2>, - <kdf_enc(cert_pk(certC)^skTe, r2), kdf_mac(cert_pk(certC)^skTe, r2)> + kdf_enc(cert_pk(certC)^skTe, r2) ) ] /* rule (modulo AC) CA_FINISH_T: [ - In( <r2, tag, '6', 'c'> ), CAInitT( <$T, iid>, skTe, id_c, certC ), + In( <r2, tag, '6', 'c'> ), CAInitT( $T, skTe, id_c, certC ), !Cert( $T, certT, 'terminal' ) ] --[ - Eq( tag, mac(z.2, kdf_mac(z.1, r2)) ), - Completed( <kdf_enc(z.1, r2), kdf_mac(z.1, r2)>, - <certT, certC, z.2, z.3, id_c, r2>, $T, 'terminal', z + Eq( tag, mac(z, kdf_mac(z.2, r2)) ), + Completed( kdf_enc(z.2, r2), <certT, 
certC, z, z.1, id_c, r2>, $T, + 'terminal', z.3 ), - Finished( <certT, certC, z.2, z.3, id_c, r2> ) + Finished( <certT, certC, z, z.1, id_c, r2> ) ]-> - [ - CAFinishT( z, $T, kdf_enc(z.1, r2) ), - !SessionReveal( <certT, certC, z.2, z.3, id_c, r2>, - <kdf_enc(z.1, r2), kdf_mac(z.1, r2)> - ) - ] + [ !SessionReveal( <certT, certC, z, z.1, id_c, r2>, kdf_enc(z.2, r2) ) ] variants (modulo AC) - 1. certC = certC.17 + 1. certC = certC.16 skTe = one - z = cert_id(certC.17) - z.1 = cert_pk(certC.17) - z.2 = 'g' - z.3 = cert_pk(certC.17) - - 2. certC = certC.22 - skTe = skTe.27 - z = cert_id(certC.22) - z.1 = cert_pk(certC.22)^skTe.27 - z.2 = 'g'^skTe.27 - z.3 = cert_pk(certC.22) - - 3. certC = cert(z.27, x.39, z.26) + z = 'g' + z.1 = cert_pk(certC.16) + z.2 = cert_pk(certC.16) + z.3 = cert_id(certC.16) + + 2. certC = certC.20 + skTe = skTe.24 + z = 'g'^skTe.24 + z.1 = cert_pk(certC.20) + z.2 = cert_pk(certC.20)^skTe.24 + z.3 = cert_id(certC.20) + + 3. certC = cert(z.23, x.33, z.25) skTe = one - z = z.26 - z.1 = z.27 - z.2 = 'g' + z = 'g' + z.1 = z.23 + z.2 = z.23 + z.3 = z.25 + + 4. certC = cert(z.41, x.63, z.43) + skTe = skTe.35 + z = 'g'^skTe.35 + z.1 = z.41 + z.2 = z.41^skTe.35 + z.3 = z.43 + + 5. certC = cert(DH_neutral, x.61, z.42) + skTe = skTe.34 + z = 'g'^skTe.34 + z.1 = DH_neutral + z.2 = DH_neutral + z.3 = z.42 + + 6. certC = cert(z.22^x.29, x.30, z.23) + skTe = inv(x.29) + z = 'g'^inv(x.29) + z.1 = z.22^x.29 + z.2 = z.22 + z.3 = z.23 + + 7. certC = cert(z.23^(x.30*inv(x.31)), x.32, z.24) + skTe = (x.31*inv(x.30)) + z = 'g'^(x.31*inv(x.30)) + z.1 = z.23^(x.30*inv(x.31)) + z.2 = z.23 + z.3 = z.24 + + 8. certC = cert(x.24^(x.25*x.26), x.27, z.21) + skTe = inv(x.25) + z = 'g'^inv(x.25) + z.1 = x.24^(x.25*x.26) + z.2 = x.24^x.26 + z.3 = z.21 + + 9. certC = cert(x.25^(x.26*x.27*inv(x.28)), x.29, z.22) + skTe = (x.28*inv(x.27)) + z = 'g'^(x.28*inv(x.27)) + z.1 = x.25^(x.26*x.27*inv(x.28)) + z.2 = x.25^x.26 + z.3 = z.22 + + 10. 
certC = cert(x.25^(x.26*inv((x.27*x.28))), x.29, z.22) + skTe = (x.28*inv(x.26)) + z = 'g'^(x.28*inv(x.26)) + z.1 = x.25^(x.26*inv((x.27*x.28))) + z.2 = x.25^inv(x.27) + z.3 = z.22 + + 11. certC = cert(x.26^(x.27*x.28*inv((x.29*x.30))), x.31, z.23) + skTe = (x.30*inv(x.28)) + z = 'g'^(x.30*inv(x.28)) + z.1 = x.26^(x.27*x.28*inv((x.29*x.30))) + z.2 = x.26^(x.27*inv(x.29)) + z.3 = z.23 + + 12. certC = cert(x.28^x.29, x.30, z.25) + skTe = inv((x.29*x.35)) + z = 'g'^inv((x.29*x.35)) + z.1 = x.28^x.29 + z.2 = x.28^inv(x.35) + z.3 = z.25 + + 13. certC = cert(x.28^x.29, x.30, z.25) + skTe = (x.35*inv(x.29)) + z = 'g'^(x.35*inv(x.29)) + z.1 = x.28^x.29 + z.2 = x.28^x.35 + z.3 = z.25 + + 14. certC = cert(x.28^inv(x.29), x.30, z.25) + skTe = inv(x.35) + z = 'g'^inv(x.35) + z.1 = x.28^inv(x.29) + z.2 = x.28^inv((x.29*x.35)) + z.3 = z.25 + + 15. certC = cert(x.28^inv(x.29), x.30, z.25) + skTe = (x.29*x.35) + z = 'g'^(x.29*x.35) + z.1 = x.28^inv(x.29) + z.2 = x.28^x.35 + z.3 = z.25 + + 16. certC = cert(x.29^x.30, x.31, z.26) + skTe = (x.36*inv((x.30*x.37))) + z = 'g'^(x.36*inv((x.30*x.37))) + z.1 = x.29^x.30 + z.2 = x.29^(x.36*inv(x.37)) + z.3 = z.26 + + 17. certC = cert(x.29^inv(x.30), x.31, z.26) + skTe = (x.36*inv(x.37)) + z = 'g'^(x.36*inv(x.37)) + z.1 = x.29^inv(x.30) + z.2 = x.29^(x.36*inv((x.30*x.37))) + z.3 = z.26 + + 18. certC = cert(x.29^inv((x.30*x.31)), x.32, z.26) + skTe = (x.30*x.37) + z = 'g'^(x.30*x.37) + z.1 = x.29^inv((x.30*x.31)) + z.2 = x.29^(x.37*inv(x.31)) + z.3 = z.26 + + 19. certC = cert(x.29^inv((x.30*x.31)), x.32, z.26) + skTe = (x.30*inv(x.37)) + z = 'g'^(x.30*inv(x.37)) + z.1 = x.29^inv((x.30*x.31)) + z.2 = x.29^inv((x.31*x.37)) + z.3 = z.26 + + 20. certC = cert(x.29^(x.30*x.31), x.32, z.26) + skTe = inv((x.30*x.37)) + z = 'g'^inv((x.30*x.37)) + z.1 = x.29^(x.30*x.31) + z.2 = x.29^(x.31*inv(x.37)) + z.3 = z.26 + + 21. 
certC = cert(x.29^(x.30*x.31), x.32, z.26) + skTe = (x.37*inv(x.30)) + z = 'g'^(x.37*inv(x.30)) + z.1 = x.29^(x.30*x.31) + z.2 = x.29^(x.31*x.37) + z.3 = z.26 + + 22. certC = cert(x.29^(x.30*inv(x.31)), x.32, z.26) + skTe = inv(x.37) + z = 'g'^inv(x.37) + z.1 = x.29^(x.30*inv(x.31)) + z.2 = x.29^(x.30*inv((x.31*x.37))) + z.3 = z.26 + + 23. certC = cert(x.29^(x.30*inv(x.31)), x.32, z.26) + skTe = inv((x.30*x.37)) + z = 'g'^inv((x.30*x.37)) + z.1 = x.29^(x.30*inv(x.31)) + z.2 = x.29^inv((x.31*x.37)) + z.3 = z.26 + + 24. certC = cert(x.29^(x.30*inv(x.31)), x.32, z.26) + skTe = (x.31*x.37) + z = 'g'^(x.31*x.37) + z.1 = x.29^(x.30*inv(x.31)) + z.2 = x.29^(x.30*x.37) + z.3 = z.26 + + 25. certC = cert(x.29^(x.30*inv(x.31)), x.32, z.26) + skTe = (x.31*x.37*inv(x.30)) + z = 'g'^(x.31*x.37*inv(x.30)) + z.1 = x.29^(x.30*inv(x.31)) + z.2 = x.29^x.37 + z.3 = z.26 + + 26. certC = cert(x.29^(x.30*inv(x.31)), x.32, z.26) + skTe = (x.31*inv((x.30*x.37))) + z = 'g'^(x.31*inv((x.30*x.37))) + z.1 = x.29^(x.30*inv(x.31)) + z.2 = x.29^inv(x.37) + z.3 = z.26 + + 27. certC = cert(x.30^inv((x.31*x.32)), x.33, z.27) + skTe = (x.31*x.38*inv(x.39)) + z = 'g'^(x.31*x.38*inv(x.39)) + z.1 = x.30^inv((x.31*x.32)) + z.2 = x.30^(x.38*inv((x.32*x.39))) + z.3 = z.27 + + 28. certC = cert(x.30^(x.31*x.32), x.33, z.27) + skTe = (x.38*inv((x.31*x.39))) + z = 'g'^(x.38*inv((x.31*x.39))) + z.1 = x.30^(x.31*x.32) + z.2 = x.30^(x.32*x.38*inv(x.39)) + z.3 = z.27 + + 29. certC = cert(x.30^(x.31*x.32*inv(x.33)), x.34, z.27) + skTe = inv((x.32*x.39)) + z = 'g'^inv((x.32*x.39)) + z.1 = x.30^(x.31*x.32*inv(x.33)) + z.2 = x.30^(x.31*inv((x.33*x.39))) + z.3 = z.27 + + 30. certC = cert(x.30^(x.31*x.32*inv(x.33)), x.34, z.27) + skTe = (x.33*x.39*inv(x.31)) + z = 'g'^(x.33*x.39*inv(x.31)) + z.1 = x.30^(x.31*x.32*inv(x.33)) + z.2 = x.30^(x.32*x.39) + z.3 = z.27 + + 31. 
certC = cert(x.30^(x.31*x.32*inv(x.33)), x.34, z.27) + skTe = (x.33*inv((x.31*x.39))) + z = 'g'^(x.33*inv((x.31*x.39))) + z.1 = x.30^(x.31*x.32*inv(x.33)) + z.2 = x.30^(x.32*inv(x.39)) + z.3 = z.27 + + 32. certC = cert(x.30^(x.31*inv(x.32)), x.33, z.27) + skTe = (x.32*x.38*inv((x.31*x.39))) + z = 'g'^(x.32*x.38*inv((x.31*x.39))) + z.1 = x.30^(x.31*inv(x.32)) + z.2 = x.30^(x.38*inv(x.39)) z.3 = z.27 - 4. certC = cert(z.44, x.64, z.41) + 33. certC = cert(x.30^(x.31*inv(x.32)), x.33, z.27) + skTe = (x.38*inv(x.39)) + z = 'g'^(x.38*inv(x.39)) + z.1 = x.30^(x.31*inv(x.32)) + z.2 = x.30^(x.31*x.38*inv((x.32*x.39))) + z.3 = z.27 + + 34. certC = cert(x.30^(x.31*inv(x.32)), x.33, z.27) + skTe = (x.38*inv((x.31*x.39))) + z = 'g'^(x.38*inv((x.31*x.39))) + z.1 = x.30^(x.31*inv(x.32)) + z.2 = x.30^(x.38*inv((x.32*x.39))) + z.3 = z.27 + + 35. certC = cert(x.30^(x.31*inv((x.32*x.33))), x.34, z.27) + skTe = (x.32*x.39) + z = 'g'^(x.32*x.39) + z.1 = x.30^(x.31*inv((x.32*x.33))) + z.2 = x.30^(x.31*x.39*inv(x.33)) + z.3 = z.27 + + 36. certC = cert(x.30^(x.31*inv((x.32*x.33))), x.34, z.27) + skTe = (x.32*x.39*inv(x.31)) + z = 'g'^(x.32*x.39*inv(x.31)) + z.1 = x.30^(x.31*inv((x.32*x.33))) + z.2 = x.30^(x.39*inv(x.33)) + z.3 = z.27 + + 37. certC = cert(x.30^(x.31*inv((x.32*x.33))), x.34, z.27) + skTe = (x.32*inv(x.39)) + z = 'g'^(x.32*inv(x.39)) + z.1 = x.30^(x.31*inv((x.32*x.33))) + z.2 = x.30^(x.31*inv((x.33*x.39))) + z.3 = z.27 + + 38. certC = cert(x.30^(x.31*inv((x.32*x.33))), x.34, z.27) + skTe = (x.32*inv((x.31*x.39))) + z = 'g'^(x.32*inv((x.31*x.39))) + z.1 = x.30^(x.31*inv((x.32*x.33))) + z.2 = x.30^inv((x.33*x.39)) + z.3 = z.27 + + 39. certC = cert(x.31^(x.32*x.33*inv(x.34)), x.35, z.28) + skTe = (x.34*x.40*inv((x.32*x.41))) + z = 'g'^(x.34*x.40*inv((x.32*x.41))) + z.1 = x.31^(x.32*x.33*inv(x.34)) + z.2 = x.31^(x.33*x.40*inv(x.41)) + z.3 = z.28 + + 40. 
certC = cert(x.31^(x.32*x.33*inv(x.34)), x.35, z.28) + skTe = (x.40*inv((x.32*x.41))) + z = 'g'^(x.40*inv((x.32*x.41))) + z.1 = x.31^(x.32*x.33*inv(x.34)) + z.2 = x.31^(x.33*x.40*inv((x.34*x.41))) + z.3 = z.28 + + 41. certC = cert(x.31^(x.32*x.33*inv((x.34*x.35))), x.36, z.28) + skTe = (x.34*x.41*inv(x.32)) + z = 'g'^(x.34*x.41*inv(x.32)) + z.1 = x.31^(x.32*x.33*inv((x.34*x.35))) + z.2 = x.31^(x.33*x.41*inv(x.35)) + z.3 = z.28 + + 42. certC = cert(x.31^(x.32*x.33*inv((x.34*x.35))), x.36, z.28) + skTe = (x.34*inv((x.32*x.41))) + z = 'g'^(x.34*inv((x.32*x.41))) + z.1 = x.31^(x.32*x.33*inv((x.34*x.35))) + z.2 = x.31^(x.33*inv((x.35*x.41))) + z.3 = z.28 + + 43. certC = cert(x.31^(x.32*inv((x.33*x.34))), x.35, z.28) + skTe = (x.33*x.40*inv(x.41)) + z = 'g'^(x.33*x.40*inv(x.41)) + z.1 = x.31^(x.32*inv((x.33*x.34))) + z.2 = x.31^(x.32*x.40*inv((x.34*x.41))) + z.3 = z.28 + + 44. certC = cert(x.31^(x.32*inv((x.33*x.34))), x.35, z.28) + skTe = (x.33*x.40*inv((x.32*x.41))) + z = 'g'^(x.33*x.40*inv((x.32*x.41))) + z.1 = x.31^(x.32*inv((x.33*x.34))) + z.2 = x.31^(x.40*inv((x.34*x.41))) + z.3 = z.28 + + 45. certC = cert(x.32^(x.33*x.34*inv((x.35*x.36))), x.37, z.29) + skTe = (x.35*x.42*inv((x.33*x.43))) + z = 'g'^(x.35*x.42*inv((x.33*x.43))) + z.1 = x.32^(x.33*x.34*inv((x.35*x.36))) + z.2 = x.32^(x.34*x.42*inv((x.36*x.43))) + z.3 = z.29 + + 46. certC = cert(z.43^inv(skTe.36), x.65, z.44) skTe = skTe.36 - z = z.41 - z.1 = z.44^skTe.36 - z.2 = 'g'^skTe.36 + z = 'g'^skTe.36 + z.1 = z.43^inv(skTe.36) + z.2 = z.43 z.3 = z.44 - 5. certC = cert(DH_neutral, x.62, z.40) - skTe = skTe.35 - z = z.40 - z.1 = DH_neutral - z.2 = 'g'^skTe.35 - z.3 = DH_neutral - - 6. certC = cert(z.28^x.40, x.41, z.27) - skTe = inv(x.40) - z = z.27 - z.1 = z.28 - z.2 = 'g'^inv(x.40) - z.3 = z.28^x.40 - - 7. certC = cert(z.29^(x.41*inv(x.42)), x.43, z.28) - skTe = (x.42*inv(x.41)) - z = z.28 - z.1 = z.29 - z.2 = 'g'^(x.42*inv(x.41)) - z.3 = z.29^(x.41*inv(x.42)) - - 8. 
certC = cert(x.40^(x.41*x.42), x.43, z.28) - skTe = inv(x.41) - z = z.28 - z.1 = x.40^x.42 - z.2 = 'g'^inv(x.41) - z.3 = x.40^(x.41*x.42) - - 9. certC = cert(x.41^(x.42*x.43*inv(x.44)), x.45, z.29) - skTe = (x.44*inv(x.43)) - z = z.29 - z.1 = x.41^x.42 - z.2 = 'g'^(x.44*inv(x.43)) - z.3 = x.41^(x.42*x.43*inv(x.44)) - - 10. certC = cert(x.41^(x.42*inv((x.43*x.44))), x.45, z.29) - skTe = (x.44*inv(x.42)) - z = z.29 - z.1 = x.41^inv(x.43) - z.2 = 'g'^(x.44*inv(x.42)) - z.3 = x.41^(x.42*inv((x.43*x.44))) - - 11. certC = cert(x.42^(x.43*x.44*inv((x.45*x.46))), x.47, z.30) - skTe = (x.46*inv(x.44)) - z = z.30 - z.1 = x.42^(x.43*inv(x.45)) - z.2 = 'g'^(x.46*inv(x.44)) - z.3 = x.42^(x.43*x.44*inv((x.45*x.46))) - - 12. certC = cert(z.43^inv(skTe.37), x.66, z.42) - skTe = skTe.37 - z = z.42 - z.1 = z.43 - z.2 = 'g'^skTe.37 - z.3 = z.43^inv(skTe.37) - - 13. certC = cert(x.45^x.46, x.47, z.33) - skTe = inv((x.46*x.53)) - z = z.33 - z.1 = x.45^inv(x.53) - z.2 = 'g'^inv((x.46*x.53)) - z.3 = x.45^x.46 - - 14. certC = cert(x.45^x.46, x.47, z.33) - skTe = (x.53*inv(x.46)) - z = z.33 - z.1 = x.45^x.53 - z.2 = 'g'^(x.53*inv(x.46)) - z.3 = x.45^x.46 - - 15. certC = cert(x.45^inv(x.46), x.47, z.33) - skTe = inv(x.53) - z = z.33 - z.1 = x.45^inv((x.46*x.53)) - z.2 = 'g'^inv(x.53) - z.3 = x.45^inv(x.46) - - 16. certC = cert(x.45^inv(x.46), x.47, z.33) - skTe = (x.46*x.53) - z = z.33 - z.1 = x.45^x.53 - z.2 = 'g'^(x.46*x.53) - z.3 = x.45^inv(x.46) - - 17. certC = cert(x.46^x.47, x.48, z.34) - skTe = (x.54*inv((x.47*x.55))) - z = z.34 - z.1 = x.46^(x.54*inv(x.55)) - z.2 = 'g'^(x.54*inv((x.47*x.55))) - z.3 = x.46^x.47 - - 18. certC = cert(x.46^inv(x.47), x.48, z.34) - skTe = (x.54*inv(x.55)) - z = z.34 - z.1 = x.46^(x.54*inv((x.47*x.55))) - z.2 = 'g'^(x.54*inv(x.55)) - z.3 = x.46^inv(x.47) - - 19. certC = cert(x.46^inv((x.47*x.48)), x.49, z.34) - skTe = (x.47*x.55) - z = z.34 - z.1 = x.46^(x.55*inv(x.48)) - z.2 = 'g'^(x.47*x.55) - z.3 = x.46^inv((x.47*x.48)) - - 20. 
certC = cert(x.46^inv((x.47*x.48)), x.49, z.34) - skTe = (x.47*inv(x.55)) - z = z.34 - z.1 = x.46^inv((x.48*x.55)) - z.2 = 'g'^(x.47*inv(x.55)) - z.3 = x.46^inv((x.47*x.48)) - - 21. certC = cert(x.46^(x.47*x.48), x.49, z.34) - skTe = inv((x.47*x.55)) - z = z.34 - z.1 = x.46^(x.48*inv(x.55)) - z.2 = 'g'^inv((x.47*x.55)) - z.3 = x.46^(x.47*x.48) - - 22. certC = cert(x.46^(x.47*x.48), x.49, z.34) - skTe = (x.55*inv(x.47)) - z = z.34 - z.1 = x.46^(x.48*x.55) - z.2 = 'g'^(x.55*inv(x.47)) - z.3 = x.46^(x.47*x.48) - - 23. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34) - skTe = inv(x.55) - z = z.34 - z.1 = x.46^(x.47*inv((x.48*x.55))) - z.2 = 'g'^inv(x.55) - z.3 = x.46^(x.47*inv(x.48)) - - 24. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34) - skTe = inv((x.47*x.55)) - z = z.34 - z.1 = x.46^inv((x.48*x.55)) - z.2 = 'g'^inv((x.47*x.55)) - z.3 = x.46^(x.47*inv(x.48)) - - 25. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34) - skTe = (x.48*x.55) - z = z.34 - z.1 = x.46^(x.47*x.55) - z.2 = 'g'^(x.48*x.55) - z.3 = x.46^(x.47*inv(x.48)) - - 26. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34) - skTe = (x.48*x.55*inv(x.47)) - z = z.34 - z.1 = x.46^x.55 - z.2 = 'g'^(x.48*x.55*inv(x.47)) - z.3 = x.46^(x.47*inv(x.48)) - - 27. certC = cert(x.46^(x.47*inv(x.48)), x.49, z.34) - skTe = (x.48*inv((x.47*x.55))) - z = z.34 - z.1 = x.46^inv(x.55) - z.2 = 'g'^(x.48*inv((x.47*x.55))) - z.3 = x.46^(x.47*inv(x.48)) - - 28. certC = cert(x.47^inv((x.48*x.49)), x.50, z.35) - skTe = (x.48*x.56*inv(x.57)) - z = z.35 - z.1 = x.47^(x.56*inv((x.49*x.57))) - z.2 = 'g'^(x.48*x.56*inv(x.57)) - z.3 = x.47^inv((x.48*x.49)) - - 29. certC = cert(x.47^(x.48*x.49), x.50, z.35) - skTe = (x.56*inv((x.48*x.57))) - z = z.35 - z.1 = x.47^(x.49*x.56*inv(x.57)) - z.2 = 'g'^(x.56*inv((x.48*x.57))) - z.3 = x.47^(x.48*x.49) - - 30. 
certC = cert(x.47^(x.48*x.49*inv(x.50)), x.51, z.35) - skTe = inv((x.49*x.57)) - z = z.35 - z.1 = x.47^(x.48*inv((x.50*x.57))) - z.2 = 'g'^inv((x.49*x.57)) - z.3 = x.47^(x.48*x.49*inv(x.50)) - - 31. certC = cert(x.47^(x.48*x.49*inv(x.50)), x.51, z.35) - skTe = (x.50*x.57*inv(x.48)) - z = z.35 - z.1 = x.47^(x.49*x.57) - z.2 = 'g'^(x.50*x.57*inv(x.48)) - z.3 = x.47^(x.48*x.49*inv(x.50)) - - 32. certC = cert(x.47^(x.48*x.49*inv(x.50)), x.51, z.35) - skTe = (x.50*inv((x.48*x.57))) - z = z.35 - z.1 = x.47^(x.49*inv(x.57)) - z.2 = 'g'^(x.50*inv((x.48*x.57))) - z.3 = x.47^(x.48*x.49*inv(x.50)) - - 33. certC = cert(x.47^(x.48*inv(x.49)), x.50, z.35) - skTe = (x.49*x.56*inv((x.48*x.57))) - z = z.35 - z.1 = x.47^(x.56*inv(x.57)) - z.2 = 'g'^(x.49*x.56*inv((x.48*x.57))) - z.3 = x.47^(x.48*inv(x.49)) - - 34. certC = cert(x.47^(x.48*inv(x.49)), x.50, z.35) - skTe = (x.56*inv(x.57)) - z = z.35 - z.1 = x.47^(x.48*x.56*inv((x.49*x.57))) - z.2 = 'g'^(x.56*inv(x.57)) - z.3 = x.47^(x.48*inv(x.49)) - - 35. certC = cert(x.47^(x.48*inv(x.49)), x.50, z.35) - skTe = (x.56*inv((x.48*x.57))) - z = z.35 - z.1 = x.47^(x.56*inv((x.49*x.57))) - z.2 = 'g'^(x.56*inv((x.48*x.57))) - z.3 = x.47^(x.48*inv(x.49)) - - 36. certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35) - skTe = (x.49*x.57) - z = z.35 - z.1 = x.47^(x.48*x.57*inv(x.50)) - z.2 = 'g'^(x.49*x.57) - z.3 = x.47^(x.48*inv((x.49*x.50))) - - 37. certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35) - skTe = (x.49*x.57*inv(x.48)) - z = z.35 - z.1 = x.47^(x.57*inv(x.50)) - z.2 = 'g'^(x.49*x.57*inv(x.48)) - z.3 = x.47^(x.48*inv((x.49*x.50))) - - 38. certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35) - skTe = (x.49*inv(x.57)) - z = z.35 - z.1 = x.47^(x.48*inv((x.50*x.57))) - z.2 = 'g'^(x.49*inv(x.57)) - z.3 = x.47^(x.48*inv((x.49*x.50))) - - 39. 
certC = cert(x.47^(x.48*inv((x.49*x.50))), x.51, z.35) - skTe = (x.49*inv((x.48*x.57))) - z = z.35 - z.1 = x.47^inv((x.50*x.57)) - z.2 = 'g'^(x.49*inv((x.48*x.57))) - z.3 = x.47^(x.48*inv((x.49*x.50))) - - 40. certC = cert(x.48^(x.49*x.50*inv(x.51)), x.52, z.36) - skTe = (x.51*x.58*inv((x.49*x.59))) - z = z.36 - z.1 = x.48^(x.50*x.58*inv(x.59)) - z.2 = 'g'^(x.51*x.58*inv((x.49*x.59))) - z.3 = x.48^(x.49*x.50*inv(x.51)) - - 41. certC = cert(x.48^(x.49*x.50*inv(x.51)), x.52, z.36) - skTe = (x.58*inv((x.49*x.59))) - z = z.36 - z.1 = x.48^(x.50*x.58*inv((x.51*x.59))) - z.2 = 'g'^(x.58*inv((x.49*x.59))) - z.3 = x.48^(x.49*x.50*inv(x.51)) - - 42. certC = cert(x.48^(x.49*x.50*inv((x.51*x.52))), x.53, z.36) - skTe = (x.51*x.59*inv(x.49)) - z = z.36 - z.1 = x.48^(x.50*x.59*inv(x.52)) - z.2 = 'g'^(x.51*x.59*inv(x.49)) - z.3 = x.48^(x.49*x.50*inv((x.51*x.52))) - - 43. certC = cert(x.48^(x.49*x.50*inv((x.51*x.52))), x.53, z.36) - skTe = (x.51*inv((x.49*x.59))) - z = z.36 - z.1 = x.48^(x.50*inv((x.52*x.59))) - z.2 = 'g'^(x.51*inv((x.49*x.59))) - z.3 = x.48^(x.49*x.50*inv((x.51*x.52))) - - 44. certC = cert(x.48^(x.49*inv((x.50*x.51))), x.52, z.36) - skTe = (x.50*x.58*inv(x.59)) - z = z.36 - z.1 = x.48^(x.49*x.58*inv((x.51*x.59))) - z.2 = 'g'^(x.50*x.58*inv(x.59)) - z.3 = x.48^(x.49*inv((x.50*x.51))) - - 45. certC = cert(x.48^(x.49*inv((x.50*x.51))), x.52, z.36) - skTe = (x.50*x.58*inv((x.49*x.59))) - z = z.36 - z.1 = x.48^(x.58*inv((x.51*x.59))) - z.2 = 'g'^(x.50*x.58*inv((x.49*x.59))) - z.3 = x.48^(x.49*inv((x.50*x.51))) - - 46. certC = cert(x.49^(x.50*x.51*inv((x.52*x.53))), x.54, z.37) - skTe = (x.52*x.60*inv((x.50*x.61))) - z = z.37 - z.1 = x.49^(x.51*x.60*inv((x.53*x.61))) - z.2 = 'g'^(x.52*x.60*inv((x.50*x.61))) - z.3 = x.49^(x.50*x.51*inv((x.52*x.53))) - - 47. certC = cert(x.64^x.65, x.66, z.42) + 47. certC = cert(x.63^x.64, x.65, z.44) + skTe = skTe.36 + z = 'g'^skTe.36 + z.1 = x.63^x.64 + z.2 = x.63^(skTe.36*x.64) + z.3 = z.44 + + 48. 
certC = cert(x.64^inv((skTe.37*x.65)), x.67, z.45) skTe = skTe.37 - z = z.42 - z.1 = x.64^(skTe.37*x.65) - z.2 = 'g'^skTe.37 - z.3 = x.64^x.65 + z = 'g'^skTe.37 + z.1 = x.64^inv((skTe.37*x.65)) + z.2 = x.64^inv(x.65) + z.3 = z.45 - 48. certC = cert(x.65^inv((skTe.38*x.66)), x.68, z.43) - skTe = skTe.38 - z = z.43 - z.1 = x.65^inv(x.66) - z.2 = 'g'^skTe.38 - z.3 = x.65^inv((skTe.38*x.66)) + 49. certC = cert(x.64^(x.65*inv(skTe.37)), x.67, z.45) + skTe = skTe.37 + z = 'g'^skTe.37 + z.1 = x.64^(x.65*inv(skTe.37)) + z.2 = x.64^x.65 + z.3 = z.45 - 49. certC = cert(x.65^(x.66*inv(skTe.38)), x.68, z.43) + 50. certC = cert(x.65^(x.66*inv((skTe.38*x.67))), x.69, z.46) skTe = skTe.38 - z = z.43 - z.1 = x.65^x.66 - z.2 = 'g'^skTe.38 - z.3 = x.65^(x.66*inv(skTe.38)) - - 50. certC = cert(x.66^(x.67*inv((skTe.39*x.68))), x.70, z.44) - skTe = skTe.39 - z = z.44 - z.1 = x.66^(x.67*inv(x.68)) - z.2 = 'g'^skTe.39 - z.3 = x.66^(x.67*inv((skTe.39*x.68))) + z = 'g'^skTe.38 + z.1 = x.65^(x.66*inv((skTe.38*x.67))) + z.2 = x.65^(x.66*inv(x.67)) + z.3 = z.46 */ rule (modulo E) Verify_Transcript_C: @@ -18702,20 +18677,20 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, + solve( Completed( kdf_enc(z, ~r2), <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, ~id_c, ~r2>, T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, skTe, ~id_c, + solve( CAInitT( $T, skTe, ~id_c, cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C) ) ▶₁ #j ) case CA_INIT_T 
@@ -18741,7 +18716,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_INIT_C solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.35 ) case TA_RESPONSE_T - solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z) + solve( !KU( cert(pk(~skT), sign(<pk(~skT), x, 'terminal'>, ca_sk), x) ) @ #vk.38 ) case CA_Sign_ltk solve( !KU( ~id_c.1 ) @ #vk.41 ) @@ -18797,20 +18772,20 @@ guarded formula characterizing all satisfying traces: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, + solve( Completed( kdf_enc(z, ~r2), <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, ~id_c, ~r2>, T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, skTe, ~id_c, + solve( CAInitT( $T, skTe, ~id_c, cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C) ) ▶₁ #j ) case CA_INIT_T 
@@ -18820,21 +18795,20 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_Sign_ltk solve( Completed( k2, sid2, $C, 'chip', $T ) @ #i2 ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, cert(x, x.1, $T), pkTe, id_c.1, r1.1, r2.1 - ) ▶₁ #i2 ) + solve( CAInitC( $C, cert(x, x.1, $T), pkTe, id_c.1, r1.1, r2.1 ) ▶₁ #i2 ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i2 ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i2 ) case CA_Sign_ltk - solve( Completed( <kdf_enc(z, ~r2.1), kdf_mac(z, ~r2.1)>, + solve( Completed( kdf_enc(z, ~r2.1), <cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), cert('g'^~ltk.2, sign(<'g'^~ltk.2, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, ~id_c.1, ~r2.1>, $T, 'terminal', $C ) @ #j2 ) case CA_FINISH_T - solve( CAInitT( <$T, iid.3>, skTe.1, ~id_c.1, + solve( CAInitT( $T, skTe.1, ~id_c.1, cert('g'^~skC, sign(<'g'^~skC, $C, 'chip'>, ca_sk), $C) ) ▶₁ #j2 ) case CA_INIT_T 
@@ -18919,24 +18893,22 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed -lemma weak_agreement_C: +lemma aliveness: all-traces - "∀ k sid C T #i #t. - ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨ - (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ - (∃ #k.1. Corrupted( T ) @ #k.1))" + "∀ k sid A role B #i #t. + ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ + (∃ #k.1. Corrupted( B ) @ #k.1))" /* guarded formula characterizing all counter-examples: -"∃ k sid C T #i #t. - (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) +"∃ k sid A role B #i #t. + (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" + (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t ) +solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk 
@@ -18944,113 +18916,276 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t ) <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2 >, - C, 'chip', T.1 + A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, - cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 'g'^~skTe, - id_c, r1, r2 - ) ▶₁ #i ) - case CA_INIT_C - solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) - case Generate_chip_key_pair - solve( !Cert( $C, cert('g'^~skC, sign(<'g'^~skC, z, 'chip'>, ca_sk), z), - 'chip' - ) ▶₃ #i ) - case CA_Sign_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - qed -qed - -lemma weak_agreement_T: - all-traces - "∀ k sid C T #i #t. - ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨ - (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ - (∃ #k.1. Corrupted( T ) @ #k.1))" -/* -guarded formula characterizing all counter-examples: -"∃ k sid C T #i #t. - (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) - ∧ - (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ - (∀ #k.1. 
(Corrupted( T ) @ #k.1) ⇒ ⊥)" -*/ -simplify -solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t ) - case CA_INIT_T - solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) - case CA_Sign_ltk - solve( Completed( k, - <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), - cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2 - >, - T.1, 'terminal', C - ) @ #i ) + by contradiction /* from formulas */ + next case CA_FINISH_T - solve( CAInitT( <$T, iid>, ~skTe, id_c, - cert(z.1, sign(<z.1, C, 'chip'>, ca_sk), C) + solve( CAInitT( $T, ~skTe, id_c, + cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B) ) ▶₁ #i ) case CA_INIT_T solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.3 ) case CA_FINISH_C solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.29 ) + case TA_RESPONSE_T + solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B) + ) @ #vk.14 ) + case CA_INIT_C + by contradiction /* from formulas */ + next + case CA_Sign_ltk + by contradiction /* from formulas */ + next + case c_cert + solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.34 ) + case CA_INIT_C + by contradiction /* from formulas */ + next + case CA_Sign_ltk + by contradiction /* from formulas */ + next + case c_sign + by solve( !KU( ca_sk ) @ #vk.38 ) + qed + qed + next case c_sign - solve( !KU( cert('g'^~skC, sign(<'g'^~skC, C, 'chip'>, ca_sk), C) + solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B) ) @ #vk.14 ) + case CA_INIT_C + by contradiction /* from formulas */ + next case CA_Sign_ltk - solve( !KU( cert(pk(x), sign(<pk(x), z, 'terminal'>, ca_sk), z) - ) @ #vk.33 ) + by contradiction /* from formulas */ + next + case c_cert + solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.39 ) + case CA_INIT_C + by contradiction /* from formulas */ + next case CA_Sign_ltk - solve( !KU( ~ltk.1 ) @ #vk.35 ) - case Corrupt_ltk - solve( !KU( ~r2 ) @ #vk.10 ) - case CA_FINISH_C - solve( !KU( ~id_c.1 ) @ #vk.36 ) - case TA_CHALLENGE_C - solve( !KU( ~r1 ) @ #vk.37 ) - 
case TA_CHALLENGE_C - solve( !KU( 'g'^~skTe ) @ #vk.28 ) - case CA_INIT_T - SOLVED // trace found - qed - qed - qed + by contradiction /* from formulas */ + next + case c_sign + by solve( !KU( ca_sk ) @ #vk.43 ) + qed + qed + qed + next + case c_mac + solve( !KU( cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B) ) @ #vk.13 ) + case CA_INIT_C + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.20 ) + case c_kdf_mac + solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.22 ) + case TA_RESPONSE_T + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.33 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.37 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.37 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.37 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.37 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.39 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + next + case c_sign + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.33 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.38 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.38 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.38 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.38 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.40 ) + case Corrupt_ltk + by contradiction /* from formulas */ qed qed qed qed - qed - qed - qed - qed - qed -qed - -lemma agreement_C: - all-traces - "∀ k sid C T #i #t. - ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨ - (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ - (∃ #k.1. Corrupted( T ) @ #k.1))" -/* -guarded formula characterizing all counter-examples: -"∃ k sid C T #i #t. 
- (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) - ∧ - (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ + next + case CA_Sign_ltk + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.20 ) + case c_kdf_mac + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.21 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.22 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.22 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.22 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.22 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.24 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + qed + next + case c_cert + solve( !KU( sign(<z.1, B, 'chip'>, ca_sk) ) @ #vk.22 ) + case CA_INIT_C + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.21 ) + case c_kdf_mac + solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.25 ) + case TA_RESPONSE_T + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.36 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.40 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.40 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.40 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.40 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.42 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + next + case c_sign + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.36 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.41 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.41 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.41 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.41 ) + case Corrupt_ltk + by 
contradiction /* from formulas */ + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.43 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + qed + qed + next + case CA_Sign_ltk + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.21 ) + case c_kdf_mac + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.24 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.25 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.25 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.25 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.25 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.27 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + qed + next + case c_sign + by solve( !KU( ca_sk ) @ #vk.26 ) + qed + qed + qed + qed + qed + qed +qed + +lemma weak_agreement_C: + all-traces + "∀ k sid C T #i #t. + ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + (((∃ k2 sid2 #j. Completed( k2, sid2, T, 'terminal', C ) @ #j) ∨ + (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ + (∃ #k.1. Corrupted( T ) @ #k.1))" +/* +guarded formula characterizing all counter-examples: +"∃ k sid C T #i #t. + (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) + ∧ + (∀ k2 sid2 #j. (Completed( k2, sid2, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t ) +solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk @@ -19061,7 +19196,7 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t ) C, 'chip', T.1 ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, + solve( CAInitC( $C, cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 'g'^~skTe, id_c, r1, r2 ) ▶₁ #i ) 
@@ -19080,11 +19215,11 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t ) qed qed -lemma agreement_T: +lemma weak_agreement_T: all-traces "∀ k sid C T #i #t. ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨ + (((∃ k2 sid2 #j. Completed( k2, sid2, C, 'chip', T ) @ #j) ∨ (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ (∃ #k.1. Corrupted( T ) @ #k.1))" /* @@ -19092,12 +19227,12 @@ guarded formula characterizing all counter-examples: "∃ k sid C T #i #t. (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ + (∀ k2 sid2 #j. (Completed( k2, sid2, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t ) +solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk 
@@ -19108,29 +19243,32 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t ) T.1, 'terminal', C ) @ #i ) case CA_FINISH_T - solve( CAInitT( <$T, iid>, ~skTe, id_c, + solve( CAInitT( $T, ~skTe, id_c, cert(z.1, sign(<z.1, C, 'chip'>, ca_sk), C) ) ▶₁ #i ) case CA_INIT_T solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.3 ) case CA_FINISH_C solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.29 ) - case TA_RESPONSE_T + case c_sign solve( !KU( cert('g'^~skC, sign(<'g'^~skC, C, 'chip'>, ca_sk), C) ) @ #vk.14 ) case CA_Sign_ltk - solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z) - ) @ #vk.31 ) + solve( !KU( cert(pk(x), sign(<pk(x), z, 'terminal'>, ca_sk), z) + ) @ #vk.33 ) case CA_Sign_ltk - solve( !KU( ~r2 ) @ #vk.8 ) - case CA_FINISH_C - solve( !KU( ~id_c ) @ #vk.20 ) - case TA_CHALLENGE_C - solve( !KU( ~r1 ) @ #vk.21 ) + solve( !KU( ~ltk.1 ) @ #vk.35 ) + case Corrupt_ltk + solve( !KU( ~r2 ) @ #vk.10 ) + case CA_FINISH_C + solve( !KU( ~id_c.1 ) @ #vk.36 ) case TA_CHALLENGE_C - solve( !KU( 'g'^~skTe ) @ #vk.24 ) - case TA_INIT_T - SOLVED // trace found + solve( !KU( ~r1 ) @ #vk.37 ) + case TA_CHALLENGE_C + solve( !KU( 'g'^~skTe ) @ #vk.28 ) + case CA_INIT_T + SOLVED // trace found + qed qed qed qed 
@@ -19144,22 +19282,24 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t ) qed qed -lemma aliveness: +lemma agreement_C: all-traces - "∀ k sid A role B #i #t. - ((Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ - ((∃ k2 sid2 role2 C #j. Completed( k2, sid2, B, role2, C ) @ #j) ∨ - (∃ #k.1. Corrupted( B ) @ #k.1))" + "∀ k sid C T #i #t. + ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + (((∃ #j. Completed( k, sid, T, 'terminal', C ) @ #j) ∨ + (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ + (∃ #k.1. Corrupted( T ) @ #k.1))" /* guarded formula characterizing all counter-examples: -"∃ k sid A role B #i #t. - (Completed( k, sid, A, role, B ) @ #i) ∧ (Finished( sid ) @ #t) +"∃ k sid C T #i #t. + (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Finished( sid ) @ #t) ∧ - (∀ k2 sid2 role2 C #j. (Completed( k2, sid2, B, role2, C ) @ #j) ⇒ ⊥) ∧ - (∀ #k.1. (Corrupted( B ) @ #k.1) ⇒ ⊥)" + (∀ #j. (Completed( k, sid, T, 'terminal', C ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" */ simplify -solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t ) +solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #t ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) case CA_Sign_ltk 
@@ -19167,464 +19307,84 @@ solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #t ) <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2 >, - A, role, B + C, 'chip', T.1 ) @ #i ) case CA_FINISH_C - by contradiction /* from formulas */ - next - case CA_FINISH_T - solve( CAInitT( <$T, iid>, ~skTe, id_c, - cert(z.1, sign(<z.1, B, 'chip'>, ca_sk), B) + solve( CAInitC( $C, + cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), 'g'^~skTe, + id_c, r1, r2 ) ▶₁ #i ) - case CA_INIT_T - solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.3 ) - case CA_FINISH_C - solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.29 ) - case TA_RESPONSE_T - solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B) - ) @ #vk.14 ) - case CA_INIT_C - by contradiction /* from formulas */ - next - case CA_Sign_ltk - by contradiction /* from formulas */ - next - case c_cert - solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.34 ) - case CA_INIT_C - by contradiction /* from formulas */ - next - case CA_Sign_ltk - by contradiction /* from formulas */ - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.38 ) - qed - qed - next - case c_sign - solve( !KU( cert('g'^~skC, sign(<'g'^~skC, B, 'chip'>, ca_sk), B) - ) @ #vk.14 ) - case CA_INIT_C - by contradiction /* from formulas */ - next - case CA_Sign_ltk - by contradiction /* from formulas */ - next - case c_cert - solve( !KU( sign(<'g'^~skC, B, 'chip'>, ca_sk) ) @ #vk.39 ) - case CA_INIT_C - by contradiction /* from formulas */ - next - case CA_Sign_ltk - by contradiction /* from formulas */ - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.43 ) - qed - qed + case CA_INIT_C + solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) + case Generate_chip_key_pair + solve( !Cert( $C, cert('g'^~skC, sign(<'g'^~skC, z, 'chip'>, ca_sk), z), + 'chip' + ) ▶₃ #i ) + case CA_Sign_ltk + by contradiction /* from formulas */ qed - next - case c_mac - solve( !KU( cert(z.1, 
sign(<z.1, B, 'chip'>, ca_sk), B) ) @ #vk.13 ) - case CA_INIT_C - solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.22 ) - case TA_RESPONSE_T - solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.22 ) - case Reveal_session - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* cyclic */ - next - case split_case_2 - solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z) - ) @ #vk.37 ) - case CA_Sign_ltk - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.42 ) - case c_mac - by contradiction /* cyclic */ - qed - next - case TA_INIT_T - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.42 ) - case c_mac - by contradiction /* cyclic */ - qed - next - case c_cert - solve( !KU( sign(<pk(~skT), z, 'terminal'>, ca_sk) ) @ #vk.48 ) - case CA_Sign_ltk - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 ) - case c_mac - by contradiction /* cyclic */ - qed - next - case TA_INIT_T - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 ) - case c_mac - by contradiction /* cyclic */ - qed - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.52 ) - qed - qed - qed - next - case c_kdf_mac - solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.36 ) - case CA_INIT_C - by solve( !KU( ~skTe ) @ #vk.37 ) - next - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.37 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case Generate_chip_key_pair - by solve( !KU( ~skTe ) @ #vk.37 ) - next - case TA_INIT_T - solve( !KU( ~ltk ) @ #vk.37 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_exp - solve( !KU( ~ltk ) @ #vk.39 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - next - case c_sign - solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.21 ) - case Reveal_session - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* cyclic */ - next - case split_case_2 - solve( !KU( cert(pk(x), sign(<pk(x), z, 'terminal'>, ca_sk), z) - ) @ 
#vk.35 ) - case CA_Sign_ltk - solve( !KU( ~ltk.2 ) @ #vk.40 ) - case Corrupt_ltk - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 ) - case c_mac - by contradiction /* cyclic */ - qed - qed - next - case TA_INIT_T - solve( !KU( ~ltk.2 ) @ #vk.40 ) - case Corrupt_ltk - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.43 ) - case c_mac - by contradiction /* cyclic */ - qed - qed - next - case c_cert - solve( !KU( sign(<pk(x), z, 'terminal'>, ca_sk) ) @ #vk.49 ) - case CA_Sign_ltk - solve( !KU( ~ltk.2 ) @ #vk.41 ) - case Corrupt_ltk - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.44 ) - case c_mac - by contradiction /* cyclic */ - qed - qed - next - case TA_INIT_T - solve( !KU( ~ltk.2 ) @ #vk.41 ) - case Corrupt_ltk - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.44 ) - case c_mac - by contradiction /* cyclic */ - qed - qed - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.53 ) - qed - qed - qed - next - case c_kdf_mac - solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.37 ) - case CA_INIT_C - by solve( !KU( ~skTe ) @ #vk.38 ) - next - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.38 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case Generate_chip_key_pair - by solve( !KU( ~skTe ) @ #vk.38 ) - next - case TA_INIT_T - solve( !KU( ~ltk ) @ #vk.38 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_exp - solve( !KU( ~ltk ) @ #vk.40 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - qed - next - case CA_Sign_ltk - solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.20 ) - case Reveal_session - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* cyclic */ - next - case split_case_2 - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 ) - case c_mac - by contradiction /* cyclic */ - qed - qed - next - case c_kdf_mac - solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.21 ) - case CA_INIT_T - solve( !KU( 
~ltk ) @ #vk.22 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case CA_Sign_ltk - by solve( !KU( ~skTe ) @ #vk.22 ) - next - case Generate_chip_key_pair - by solve( !KU( ~skTe ) @ #vk.22 ) - next - case TA_INIT_T - solve( !KU( ~ltk ) @ #vk.22 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_exp - solve( !KU( ~ltk ) @ #vk.24 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - next - case c_cert - solve( !KU( sign(<z.1, B, 'chip'>, ca_sk) ) @ #vk.22 ) - case CA_INIT_C - solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.25 ) - case TA_RESPONSE_T - solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.23 ) - case Reveal_session - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* cyclic */ - next - case split_case_2 - solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z) - ) @ #vk.40 ) - case CA_Sign_ltk - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.45 ) - case c_mac - by contradiction /* cyclic */ - qed - next - case TA_INIT_T - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.45 ) - case c_mac - by contradiction /* cyclic */ - qed - next - case c_cert - solve( !KU( sign(<pk(~skT), z, 'terminal'>, ca_sk) ) @ #vk.51 ) - case CA_Sign_ltk - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 ) - case c_mac - by contradiction /* cyclic */ - qed - next - case TA_INIT_T - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 ) - case c_mac - by contradiction /* cyclic */ - qed - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.55 ) - qed - qed - qed - next - case c_kdf_mac - solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.39 ) - case CA_INIT_C - by solve( !KU( ~skTe ) @ #vk.40 ) - next - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.40 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case Generate_chip_key_pair - by solve( !KU( ~skTe ) @ #vk.40 ) - next - case TA_INIT_T - 
solve( !KU( ~ltk ) @ #vk.40 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_exp - solve( !KU( ~ltk ) @ #vk.42 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - qed - qed - next - case c_sign - solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.22 ) - case Reveal_session - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* cyclic */ - next - case split_case_2 - solve( !KU( cert(pk(x), sign(<pk(x), z, 'terminal'>, ca_sk), z) - ) @ #vk.38 ) - case CA_Sign_ltk - solve( !KU( ~ltk.3 ) @ #vk.43 ) - case Corrupt_ltk - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 ) - case c_mac - by contradiction /* cyclic */ - qed - qed - next - case TA_INIT_T - solve( !KU( ~ltk.3 ) @ #vk.43 ) - case Corrupt_ltk - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.46 ) - case c_mac - by contradiction /* cyclic */ - qed - qed - next - case c_cert - solve( !KU( sign(<pk(x), z, 'terminal'>, ca_sk) ) @ #vk.52 ) - case CA_Sign_ltk - solve( !KU( ~ltk.3 ) @ #vk.44 ) - case Corrupt_ltk - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.47 ) - case c_mac - by contradiction /* cyclic */ - qed - qed - next - case TA_INIT_T - solve( !KU( ~ltk.3 ) @ #vk.44 ) - case Corrupt_ltk - solve( !KU( mac('g'^~skTe.2, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.47 ) - case c_mac - by contradiction /* cyclic */ - qed - qed - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.56 ) - qed - qed - qed - next - case c_kdf_mac - solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.40 ) - case CA_INIT_C - by solve( !KU( ~skTe ) @ #vk.41 ) - next - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.41 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case Generate_chip_key_pair - by solve( !KU( ~skTe ) @ #vk.41 ) - next - case TA_INIT_T - solve( !KU( ~ltk ) @ #vk.41 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_exp - solve( !KU( ~ltk ) @ #vk.43 ) - case Corrupt_ltk - by 
contradiction /* from formulas */ - qed - qed - qed - qed - next + qed + qed + qed + qed +qed + +lemma agreement_T: + all-traces + "∀ k sid C T #i #t. + ((Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t)) ⇒ + (((∃ #j. Completed( k, sid, C, 'chip', T ) @ #j) ∨ + (∃ #k.1. Corrupted( C ) @ #k.1)) ∨ + (∃ #k.1. Corrupted( T ) @ #k.1))" +/* +guarded formula characterizing all counter-examples: +"∃ k sid C T #i #t. + (Completed( k, sid, T, 'terminal', C ) @ #i) ∧ (Finished( sid ) @ #t) + ∧ + (∀ #j. (Completed( k, sid, C, 'chip', T ) @ #j) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( C ) @ #k.1) ⇒ ⊥) ∧ + (∀ #k.1. (Corrupted( T ) @ #k.1) ⇒ ⊥)" +*/ +simplify +solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #t ) + case CA_INIT_T + solve( !Cert( $T, certT, 'terminal' ) ▶₂ #t ) + case CA_Sign_ltk + solve( Completed( k, + <cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T), + cert(z.1, sign(<z.1, z.2, 'chip'>, ca_sk), z.2), 'g'^~skTe, z.1, id_c, r2 + >, + T.1, 'terminal', C + ) @ #i ) + case CA_FINISH_T + solve( CAInitT( $T, ~skTe, id_c, + cert(z.1, sign(<z.1, C, 'chip'>, ca_sk), C) + ) ▶₁ #i ) + case CA_INIT_T + solve( !KU( mac('g'^~skTe, kdf_mac(z, r2)) ) @ #vk.3 ) + case CA_FINISH_C + solve( !KU( sign(<~id_c.1, ~r1.1, 'g'^~skTe>, x) ) @ #vk.29 ) + case TA_RESPONSE_T + solve( !KU( cert('g'^~skC, sign(<'g'^~skC, C, 'chip'>, ca_sk), C) + ) @ #vk.14 ) case CA_Sign_ltk - solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.21 ) - case Reveal_session - solve( splitEqs(2) ) - case split_case_1 - by contradiction /* cyclic */ - next - case split_case_2 - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 ) - case c_mac - by contradiction /* cyclic */ - qed - qed - next - case c_kdf_mac - solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.24 ) - case CA_INIT_T - solve( !KU( ~ltk ) @ #vk.25 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case CA_Sign_ltk - by solve( !KU( ~skTe ) @ #vk.25 ) - next - case Generate_chip_key_pair - by solve( !KU( 
~skTe ) @ #vk.25 ) - next - case TA_INIT_T - solve( !KU( ~ltk ) @ #vk.25 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_exp - solve( !KU( ~ltk ) @ #vk.27 ) - case Corrupt_ltk - by contradiction /* from formulas */ + solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z) + ) @ #vk.31 ) + case CA_Sign_ltk + solve( !KU( ~r2 ) @ #vk.8 ) + case CA_FINISH_C + solve( !KU( ~id_c ) @ #vk.20 ) + case TA_CHALLENGE_C + solve( !KU( ~r1 ) @ #vk.21 ) + case TA_CHALLENGE_C + solve( !KU( 'g'^~skTe ) @ #vk.24 ) + case TA_INIT_T + SOLVED // trace found + qed + qed qed qed qed - next - case c_sign - by solve( !KU( ca_sk ) @ #vk.26 ) qed qed qed @@ -19654,16 +19414,15 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_1 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B - ) @ #j ) + solve( Completed( kdf_enc(z, ~r2), sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j ) + solve( CAInitC( $C, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j ) case CA_INIT_C by contradiction /* cyclic */ qed 
@@ -19673,15 +19432,13 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i ) + solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk - solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal', - B - ) @ #j ) + solve( Completed( kdf_enc(z, r2), sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j ) + solve( CAInitT( $T, skTe.1, id_c.1, certC ) ▶₁ #j ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #j ) case CA_Sign_ltk @@ -19701,14 +19458,39 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.32 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.57 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.61 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.55 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.56 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.57 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.57 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.57 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.59 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.63 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.59 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.60 ) + qed qed qed qed 
@@ -19716,14 +19498,39 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.30 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.58 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.62 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.56 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.57 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.58 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.58 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.58 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.60 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.64 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.60 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.61 ) + qed qed qed qed 
@@ -19732,14 +19539,38 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.28 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.47 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.51 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.45 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.46 ) + case CA_INIT_T + by contradiction /* cyclic */ + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.47 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.47 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.47 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.32 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.49 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.53 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.49 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.50 ) + qed qed qed qed 
@@ -19751,14 +19582,39 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.33 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.60 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.63 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.58 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.59 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.60 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.60 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.60 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.36 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.62 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.65 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.62 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.63 ) + qed qed qed qed 
@@ -19766,14 +19622,39 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.31 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.61 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.64 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.59 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.60 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.61 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.61 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.61 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.63 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.66 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.63 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.64 ) + qed qed qed qed 
@@ -19782,14 +19663,39 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.29 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.50 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.53 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.48 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.49 ) + case CA_INIT_T + by contradiction /* cyclic */ + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.50 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.50 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.50 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.52 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.55 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.52 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.53 ) + qed qed qed qed 
@@ -19807,14 +19713,52 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.32 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.62 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.66 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.60 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.61 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.62 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.62 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.36 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.64 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.68 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.62 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.62 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.64 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.68 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.64 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.65 ) + qed qed qed qed 
@@ -19822,14 +19766,52 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.30 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.63 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.67 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.61 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.62 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.63 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.63 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.65 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.69 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.63 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.63 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.65 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.69 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.65 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.66 ) + qed qed qed qed 
@@ -19838,14 +19820,50 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.28 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.52 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.56 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.50 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.51 ) + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.54 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.55 ) + qed qed qed qed 
@@ -19857,14 +19875,52 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.33 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.65 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.68 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.63 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.64 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.65 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.65 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.37 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.67 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.70 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.65 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.65 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.36 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.67 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.70 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.67 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.68 ) + qed qed qed qed 
@@ -19872,14 +19928,52 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.31 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.66 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.69 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.64 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.65 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.66 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.66 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.68 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.71 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.66 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.66 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.68 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.71 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.68 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.69 ) + qed qed qed qed 
@@ -19888,14 +19982,52 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.29 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.55 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.58 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.53 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.54 ) + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.55 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.57 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.60 ) + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.55 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.55 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.55 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.57 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.60 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.57 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.58 ) + qed qed qed qed 
@@ -19915,33 +20047,108 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) by contradiction /* cyclic */ next case split_case_2 - solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 ) - case TA_RESPONSE_T - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.30 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.49 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.53 ) + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 ) + case c_kdf_mac + solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 ) + case TA_RESPONSE_T + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.48 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.48 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.51 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.55 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.48 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.48 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.51 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.55 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.50 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.51 ) qed qed - qed - next - case c_sign - solve( !KU( mac('g'^~skTe.1, 
kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.28 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.50 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.54 ) + next + case c_sign + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.49 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.49 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.32 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.52 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.56 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.49 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.49 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.32 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.52 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.56 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.51 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.52 ) qed qed qed 
@@ -19954,16 +20161,55 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) by contradiction /* cyclic */ next case split_case_2 - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.25 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) - ) @ #vk.26 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) - ) @ #vk.34 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.38 ) + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 ) + case c_kdf_mac + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.32 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.33 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.30 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.36 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.40 ) + qed + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.33 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.33 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.33 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.30 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.36 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.40 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.35 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.36 ) qed qed qed 
@@ -19975,35 +20221,114 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) solve( splitEqs(1) ) case split_case_1 by contradiction /* cyclic */ - next - case split_case_2 - solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 ) - case TA_RESPONSE_T - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.28 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.31 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.52 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.55 ) + next + case split_case_2 + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 ) + case c_kdf_mac + solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 ) + case TA_RESPONSE_T + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.51 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.51 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.57 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.51 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.51 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.57 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.53 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ 
#vk.54 ) qed qed - qed - next - case c_sign - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.29 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.53 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.56 ) + next + case c_sign + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.55 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.55 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.54 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.55 ) qed qed qed 
@@ -20016,16 +20341,55 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) by contradiction /* cyclic */ next case split_case_2 - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) - ) @ #vk.27 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) - ) @ #vk.37 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.40 ) + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 ) + case c_kdf_mac + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.35 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.36 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.31 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.39 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.42 ) + qed + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.36 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.36 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.36 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.31 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.39 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.42 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.38 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.39 ) qed qed qed 
@@ -20046,16 +20410,15 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B - ) @ #j ) + solve( Completed( kdf_enc(z, ~r2), sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j ) + solve( CAInitC( $C, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j ) case CA_INIT_C by contradiction /* cyclic */ qed @@ -20065,15 +20428,13 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i ) + solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk - solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal', - B - ) @ #j ) + solve( Completed( kdf_enc(z, r2), sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j ) + solve( CAInitT( $T, skTe.1, id_c.1, certC ) ▶₁ #j ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #j ) case CA_Sign_ltk 
@@ -20093,14 +20454,39 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.32 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.57 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.61 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.55 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.56 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.57 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.57 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.57 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.59 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.63 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.59 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.60 ) + qed qed qed qed 
@@ -20108,14 +20494,39 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.30 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.58 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.62 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.56 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.57 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.58 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.58 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.58 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.60 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.64 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.60 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.61 ) + qed qed qed qed 
@@ -20124,14 +20535,38 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.28 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.47 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.51 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.45 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.46 ) + case CA_INIT_T + by contradiction /* cyclic */ + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.47 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.47 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.47 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.32 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.49 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.53 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.49 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.50 ) + qed qed qed qed 
@@ -20143,14 +20578,39 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.33 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.60 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.63 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.58 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.59 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.60 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.60 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.60 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.36 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.62 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.65 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.62 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.63 ) + qed qed qed qed 
@@ -20158,14 +20618,39 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.31 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.61 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.64 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.59 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.60 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.61 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.61 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.61 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.63 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.66 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.63 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.64 ) + qed qed qed qed 
@@ -20174,14 +20659,39 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.29 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.50 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.53 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.48 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.49 ) + case CA_INIT_T + by contradiction /* cyclic */ + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.50 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.50 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.50 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.52 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.55 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.52 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.53 ) + qed qed qed qed 
@@ -20199,14 +20709,52 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.32 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.62 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.66 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.60 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.61 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.62 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.62 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.36 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.64 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.68 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.62 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.62 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.64 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.68 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.64 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.65 ) + qed qed qed qed 
@@ -20214,14 +20762,52 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.30 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.63 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.67 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.61 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.62 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.63 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.63 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.65 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.69 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.63 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.63 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.65 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.69 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.65 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.66 ) + qed qed qed qed 
@@ -20230,14 +20816,50 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.28 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.52 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.56 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.50 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.51 ) + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.54 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.55 ) + qed qed qed qed 
@@ -20249,14 +20871,52 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.33 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.65 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.68 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.63 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.64 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.65 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.65 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.37 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.67 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.70 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.65 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.65 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.36 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.67 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.70 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.67 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.68 ) + qed qed qed qed 
@@ -20264,14 +20924,52 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.31 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.66 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.69 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.64 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.65 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.66 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.66 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.68 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.71 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.66 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.66 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.68 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.71 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.68 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.69 ) + qed qed qed qed 
@@ -20280,14 +20978,52 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.29 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.55 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.58 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.53 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.54 ) + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.55 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.57 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.60 ) + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.55 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.55 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.55 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.57 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.60 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.57 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.58 ) + qed qed qed qed 
@@ -20307,33 +21043,108 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) by contradiction /* cyclic */ next case split_case_2 - solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 ) - case TA_RESPONSE_T - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.30 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.49 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.53 ) + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 ) + case c_kdf_mac + solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 ) + case TA_RESPONSE_T + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.48 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.48 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.51 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.55 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.48 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.48 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.51 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.55 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.50 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.51 ) qed qed - qed - next - case c_sign - solve( !KU( mac('g'^~skTe.1, 
kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.28 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.50 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.54 ) + next + case c_sign + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.49 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.49 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.32 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.52 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.56 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.49 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.49 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.32 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.52 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.56 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.51 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.52 ) qed qed qed 
@@ -20346,16 +21157,55 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) by contradiction /* cyclic */ next case split_case_2 - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.25 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) - ) @ #vk.26 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) - ) @ #vk.34 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.38 ) + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 ) + case c_kdf_mac + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.32 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.33 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.30 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.36 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.40 ) + qed + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.33 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.33 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.33 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.30 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.36 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.40 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.35 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.36 ) qed qed qed 
@@ -20369,33 +21219,112 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) by contradiction /* cyclic */ next case split_case_2 - solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 ) - case TA_RESPONSE_T - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.28 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.31 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.52 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.55 ) + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 ) + case c_kdf_mac + solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 ) + case TA_RESPONSE_T + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.51 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.51 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.57 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.51 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.51 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.57 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.53 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.54 ) qed qed - qed - next - case c_sign - solve( !KU( mac('g'^~skTe.1, 
kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.29 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.53 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.56 ) + next + case c_sign + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.55 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.55 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.54 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.55 ) qed qed qed 
@@ -20408,16 +21337,55 @@ solve( (¬(#i = #j)) ∥ (¬(sid = sid2)) ) by contradiction /* cyclic */ next case split_case_2 - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) - ) @ #vk.27 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) - ) @ #vk.37 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.40 ) + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 ) + case c_kdf_mac + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.35 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.36 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.31 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.39 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.42 ) + qed + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.36 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.36 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.36 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.31 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.39 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.42 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.38 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.39 ) qed qed qed 
@@ -20439,16 +21407,15 @@ next case case_2 solve( Completed( k, sid, A, role, B ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, sid2, $C, 'chip', B - ) @ #j ) + solve( Completed( kdf_enc(z, ~r2), sid2, $C, 'chip', B ) @ #j ) case CA_FINISH_C - solve( CAInitC( <$C, iid.1>, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j ) + solve( CAInitC( $C, certT, pkTe.1, id_c.1, r1.1, ~r2 ) ▶₁ #j ) case CA_INIT_C by contradiction /* from formulas */ qed @@ -20458,15 +21425,13 @@ next qed next case CA_FINISH_T - solve( CAInitT( <$T, iid>, skTe, id_c, certC ) ▶₁ #i ) + solve( CAInitT( $T, skTe, id_c, certC ) ▶₁ #i ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #i ) case CA_Sign_ltk - solve( Completed( <kdf_enc(z, r2), kdf_mac(z, r2)>, sid2, $T, 'terminal', - B - ) @ #j ) + solve( Completed( kdf_enc(z, r2), sid2, $T, 'terminal', B ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, skTe.1, id_c.1, certC ) ▶₁ #j ) + solve( CAInitT( $T, skTe.1, id_c.1, certC ) ▶₁ #j ) case CA_INIT_T solve( !Cert( $T, certT, 'terminal' ) ▶₂ #j ) case CA_Sign_ltk 
@@ -20486,14 +21451,38 @@ next case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.32 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.57 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.61 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.55 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.56 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.57 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.57 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.57 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.59 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.63 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.59 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.60 ) + qed qed qed qed 
@@ -20501,14 +21490,38 @@ next case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.30 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.58 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.62 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.56 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.57 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.58 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.58 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.58 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.60 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.64 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.60 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.61 ) + qed qed qed qed 
@@ -20517,14 +21530,38 @@ next case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.28 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.47 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.51 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.45 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.46 ) + case CA_INIT_T + by contradiction /* cyclic */ + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.47 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.47 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.47 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.32 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.49 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.53 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.49 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.50 ) + qed qed qed qed 
@@ -20536,14 +21573,39 @@ next case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.33 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.60 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.63 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.58 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.59 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.60 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.60 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.60 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.36 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.62 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.65 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.62 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.63 ) + qed qed qed qed 
@@ -20551,14 +21613,39 @@ next case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.31 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.61 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.64 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.59 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.60 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.61 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.61 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.61 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.63 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.66 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.63 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.64 ) + qed qed qed qed 
@@ -20567,14 +21654,38 @@ next case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.29 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.50 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.53 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.48 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.49 ) + case CA_INIT_T + by contradiction /* cyclic */ + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.50 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.50 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.50 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.52 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.55 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.52 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.53 ) + qed qed qed qed 
@@ -20592,14 +21703,50 @@ next case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.32 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.62 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.66 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.60 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.61 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.62 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.62 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.36 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.64 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.68 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.62 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.62 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.64 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.68 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.64 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.65 ) + qed qed qed qed 
@@ -20607,14 +21754,50 @@ next case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.30 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.63 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.67 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.61 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.62 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.63 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.63 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.65 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.69 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.63 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.63 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.65 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.69 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.65 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.66 ) + qed qed qed qed 
@@ -20623,14 +21806,50 @@ next case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.27 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.28 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.52 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.56 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.50 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.51 ) + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.54 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.55 ) + qed qed qed qed 
@@ -20642,14 +21861,52 @@ next case TA_RESPONSE_T solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.30 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.33 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.65 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.68 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.63 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.64 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.65 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.65 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.37 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.67 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.70 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.65 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.65 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.36 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.67 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.70 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.67 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.68 ) + qed qed qed qed 
@@ -20657,14 +21914,52 @@ next case c_sign solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.29 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.31 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.66 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.69 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.64 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.65 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.66 ) + next + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.66 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.68 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.71 ) + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.66 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.66 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), + $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.68 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.71 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.68 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.69 ) + qed qed qed qed 
@@ -20673,14 +21968,50 @@ next case CA_Sign_ltk solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skC*~skTe), ~r2)) ) @ #vk.28 ) case c_mac - solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), - sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.29 ) - case c_cert - solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.55 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.58 ) + solve( !KU( kdf_mac('g'^(~skC*~skTe), ~r2) ) @ #vk.53 ) + case c_kdf_mac + solve( !KU( 'g'^(~skC*~skTe) ) @ #vk.54 ) + case CA_INIT_T + solve( !KU( ~skC ) @ #vk.55 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.57 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.60 ) + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.55 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.55 ) + next + case TA_INIT_T + solve( !KU( ~skC ) @ #vk.55 ) + case Corrupt_ltk + solve( !KU( cert('g'^(~skC*~skTe*inv(~skTe.1)), + sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~skC*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.57 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.60 ) + qed + qed + qed + next + case c_exp + solve( !KU( ~skC ) @ #vk.57 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.58 ) + qed qed qed qed 
@@ -20700,33 +22031,108 @@ next by contradiction /* from formulas */ next case split_case_2 - solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 ) - case TA_RESPONSE_T - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.27 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.30 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.49 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.53 ) + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 ) + case c_kdf_mac + solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.33 ) + case TA_RESPONSE_T + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.48 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.48 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.51 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.55 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.48 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.48 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.33 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.34 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.51 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.55 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.50 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.51 ) qed qed - qed - next - case c_sign - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) 
) @ #vk.26 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.28 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.50 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.54 ) + next + case c_sign + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.44 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.49 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.49 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.32 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.52 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.56 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.49 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.49 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.31 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.32 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.52 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.56 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.51 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.52 ) qed qed qed 
@@ -20739,16 +22145,55 @@ next by contradiction /* from formulas */ next case split_case_2 - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.25 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) - ) @ #vk.26 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) - ) @ #vk.34 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.38 ) + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.31 ) + case c_kdf_mac + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.32 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.33 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.30 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.36 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.40 ) + qed + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.33 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.33 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.33 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.29 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.30 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.36 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.40 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.35 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.36 ) qed qed qed 
@@ -20762,33 +22207,108 @@ next by contradiction /* from formulas */ next case split_case_2 - solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 ) - case TA_RESPONSE_T - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.28 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.31 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.52 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.55 ) + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 ) + case c_kdf_mac + solve( !KU( sign(<~id_c.2, ~r1.2, pkTe>, x) ) @ #vk.36 ) + case TA_RESPONSE_T + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.51 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.51 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.57 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.51 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.51 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.34 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.35 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.54 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.57 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.53 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.54 ) qed qed - qed - next - case c_sign - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) 
) @ #vk.27 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) - ) @ #vk.29 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) - ) @ #vk.53 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.56 ) + next + case c_sign + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.47 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.55 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + qed + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.52 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.52 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.32 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk), $C) + ) @ #vk.33 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $C, 'chip'>, ca_sk) + ) @ #vk.55 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.58 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.54 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.55 ) qed qed qed 
@@ -20801,16 +22321,55 @@ next by contradiction /* from formulas */ next case split_case_2 - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.26 ) - case c_mac - solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), - sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) - ) @ #vk.27 ) - case c_cert - solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) - ) @ #vk.37 ) - case c_sign - by solve( !KU( ca_sk ) @ #vk.40 ) + solve( !KU( kdf_mac('g'^(~ltk*~skTe), r2) ) @ #vk.32 ) + case c_kdf_mac + solve( !KU( 'g'^(~ltk*~skTe) ) @ #vk.35 ) + case CA_INIT_T + solve( !KU( ~ltk ) @ #vk.36 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.31 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.39 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.42 ) + qed + qed + qed + qed + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.36 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.36 ) + next + case TA_INIT_T + solve( !KU( ~ltk ) @ #vk.36 ) + case Corrupt_ltk + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~ltk*~skTe), r2)) ) @ #vk.30 ) + case c_mac + solve( !KU( cert('g'^(~ltk*~skTe*inv(~skTe.1)), + sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk), $A) + ) @ #vk.31 ) + case c_cert + solve( !KU( sign(<'g'^(~ltk*~skTe*inv(~skTe.1)), $A, 'chip'>, ca_sk) + ) @ #vk.39 ) + case c_sign + by solve( !KU( ca_sk ) @ #vk.42 ) + qed + qed + qed + qed + next + case c_exp + solve( !KU( ~ltk ) @ #vk.38 ) + case Corrupt_ltk + by solve( !KU( ~skTe ) @ #vk.39 ) qed qed qed 
@@ -20834,19 +22393,21 @@ lemma consistency: "∀ C T k k2 sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j)) ⇒ - ((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))" + (((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m)) ∨ (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k k2 sid #i #j. (Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k2, sid, T, 'terminal', C ) @ #j) ∧ - (¬(k = k2)) ∧ (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (¬(k = k2)) ∧ + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair @@ -20859,7 +22420,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, skTe, ~id_c, + solve( CAInitT( $T, skTe, ~id_c, cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C) ) ▶₁ #j ) case CA_INIT_T @@ -20876,8 +22437,9 @@ lemma key_secrecy: "∀ C T k sid #i #j. ((Completed( k, sid, C, 'chip', T ) @ #i) ∧ (Completed( k, sid, T, 'terminal', C ) @ #j)) ⇒ - (((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ - (∃ #m. Corrupted( C ) @ #m))" + ((((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m)) ∨ + (∃ #m. Corrupted( C ) @ #m)) ∨ + (∃ #m. Corrupted( T ) @ #m))" /* guarded formula characterizing all counter-examples: "∃ C T k sid #i #j. 
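Review bot: The `Corrupted( T )` disjunct added to `consistency` (first hunk on this line) and to `key_secrecy` (third hunk) weakens both lemmas more than the commit needs: the summary hunk later in this chunk shows `consistency` verified in 8 steps both before and after, and the old `key_secrecy` proof already closed the `c_sign` / `Corrupt_ltk` branch for the terminal signing key, whose counterpart in the new proof is simply `by contradiction /* from formulas */`, so terminal-key compromise did not break either property. With the new consequent a reader can no longer conclude from `key_secrecy` that the session key stays secret when the terminal's long-term key leaks at any point; `forward_secrecy_T` recovers only the timed case `¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j))`, which is strictly weaker than the old lemma. Unless the model changes elsewhere in this commit made the old branch unprovable, I would keep `((k = k2) ∨ (∃ #m. Corrupted( C ) @ #m))` and the old `key_secrecy` consequent, and let `forward_secrecy_T` document the timed variant. This file is Tamarin output; the lemma source it mirrors is outside this chunk, so the fix belongs there.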
@@ -20886,25 +22448,26 @@ guarded formula characterizing all counter-examples: ∧ (∃ #m. (K( k ) @ #m)) ∧ (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥) ∧ - (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥)" + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ⊥)" */ simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, + solve( Completed( kdf_enc(z, ~r2), <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, ~id_c, ~r2>, T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, skTe, ~id_c, + solve( CAInitT( $T, skTe, ~id_c, cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C) ) ▶₁ #j ) case CA_INIT_T @@ -20912,9 +22475,9 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) 'terminal' ) ▶₂ #j ) case CA_Sign_ltk - solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.13 ) + solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.11 ) case TA_RESPONSE_T - solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.12 ) + solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.1 ) case Reveal_session solve( splitEqs(2) ) case split_case_1 
@@ -20922,132 +22485,65 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) next case split_case_2 solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skTe*~ltk.1), ~r2)) - ) @ #vk.42 ) + ) @ #vk.40 ) case c_mac - solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.14 ) - case Reveal_session - by contradiction /* cyclic */ - next + solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.46 ) case c_kdf_mac - solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.48 ) + solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.47 ) case CA_INIT_C - by solve( !KU( ~skTe ) @ #vk.52 ) + by solve( !KU( ~skTe ) @ #vk.51 ) next case CA_INIT_T by contradiction /* cyclic */ next case CA_Sign_ltk - by solve( !KU( ~skTe ) @ #vk.49 ) + by solve( !KU( ~skTe ) @ #vk.48 ) next case Generate_chip_key_pair - by solve( !KU( ~skTe ) @ #vk.49 ) + by solve( !KU( ~skTe ) @ #vk.48 ) next case TA_INIT_T - solve( !KU( ~ltk.1 ) @ #vk.49 ) + solve( !KU( ~ltk.1 ) @ #vk.48 ) case Corrupt_ltk by contradiction /* from formulas */ qed next case c_exp - by solve( !KU( ~skTe ) @ #vk.51 ) + by solve( !KU( ~skTe ) @ #vk.50 ) qed qed qed qed next case c_kdf_enc - solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.36 ) + solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.34 ) case CA_INIT_C - by solve( !KU( ~skTe ) @ #vk.40 ) + by solve( !KU( ~skTe ) @ #vk.38 ) next case CA_INIT_T by contradiction /* cyclic */ next case CA_Sign_ltk - by solve( !KU( ~skTe ) @ #vk.37 ) + by solve( !KU( ~skTe ) @ #vk.35 ) next case Generate_chip_key_pair - by solve( !KU( ~skTe ) @ #vk.37 ) + by solve( !KU( ~skTe ) @ #vk.35 ) next case TA_INIT_T - solve( !KU( ~ltk.1 ) @ #vk.37 ) + solve( !KU( ~ltk.1 ) @ #vk.35 ) case Corrupt_ltk by contradiction /* from formulas */ qed next case c_exp - by solve( !KU( ~skTe ) @ #vk.39 ) + by solve( !KU( ~skTe ) @ #vk.37 ) qed qed next case c_sign - solve( !KU( ~ltk ) @ #vk.38 ) + solve( !KU( ~ltk ) @ #vk.36 ) case Corrupt_ltk - solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.15 ) - case Reveal_session - solve( splitEqs(2) ) - case split_case_1 - by 
contradiction /* from formulas */ - next - case split_case_2 - solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skTe*~ltk.1), ~r2)) - ) @ #vk.46 ) - case c_mac - solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.17 ) - case Reveal_session - by contradiction /* cyclic */ - next - case c_kdf_mac - solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.52 ) - case CA_INIT_C - by solve( !KU( ~skTe ) @ #vk.56 ) - next - case CA_INIT_T - by contradiction /* cyclic */ - next - case CA_Sign_ltk - by solve( !KU( ~skTe ) @ #vk.53 ) - next - case Generate_chip_key_pair - by solve( !KU( ~skTe ) @ #vk.53 ) - next - case TA_INIT_T - solve( !KU( ~ltk.1 ) @ #vk.53 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_exp - by solve( !KU( ~skTe ) @ #vk.55 ) - qed - qed - qed - qed - next - case c_kdf_enc - solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.40 ) - case CA_INIT_C - by solve( !KU( ~skTe ) @ #vk.44 ) - next - case CA_INIT_T - by contradiction /* cyclic */ - next - case CA_Sign_ltk - by solve( !KU( ~skTe ) @ #vk.41 ) - next - case Generate_chip_key_pair - by solve( !KU( ~skTe ) @ #vk.41 ) - next - case TA_INIT_T - solve( !KU( ~ltk.1 ) @ #vk.41 ) - case Corrupt_ltk - by contradiction /* from formulas */ - qed - next - case c_exp - by solve( !KU( ~skTe ) @ #vk.43 ) - qed - qed + by contradiction /* from formulas */ qed qed qed 
@@ -21058,29 +22554,7 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed -lemma chip_hiding: - all-traces - "∀ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) ⇒ - ((¬(∃ #m. K( iid ) @ #m)) ∨ (∃ #m. (K( iid ) @ #m) ∧ (#i < #m)))" -/* -guarded formula characterizing all counter-examples: -"∃ C T iid #i. - (CompletedTA( C, iid, T ) @ #i) - ∧ - (∃ #m. (K( iid ) @ #m)) ∧ (∀ #m. (K( iid ) @ #m) ⇒ ¬(#i < #m))" -*/ -simplify -solve( TAChallengeC( <$C, iid>, cert(pk(x), x.1, T), pkTe, id_c, r1 - ) ▶₁ #i ) - case TA_CHALLENGE_C - solve( !KU( ~iid ) @ #vk.6 ) - case CA_INIT_C - by contradiction /* cyclic */ - qed -qed - -lemma nonRepudiation_terminal: +lemma notNonRepudiation_C: exists-trace "∃ C T #i. (((ValidTrans( C, 'chip', T ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -21129,7 +22603,7 @@ solve( ValidTrans( C, 'chip', T ) @ #i ) qed qed -lemma nonRepudiation_chip: +lemma notNonRepudiation_T: exists-trace "∃ C T #i. (((ValidTrans( T, 'terminal', C ) @ #i) ∧ (¬(∃ #k. Started( ) @ #k))) ∧ @@ -21187,7 +22661,7 @@ solve( ValidTrans( T, 'terminal', C ) @ #i ) qed qed -lemma pfs: +lemma forward_secrecy: all-traces "∀ C T k sid #i #j. ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧ 
@@ -21209,20 +22683,20 @@ guarded formula characterizing all counter-examples: simplify solve( Completed( k, sid, C, 'chip', T ) @ #i ) case CA_FINISH_C - solve( CAInitC( <$C, iid>, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) + solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) case CA_INIT_C solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) case Generate_chip_key_pair solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) case CA_Sign_ltk - solve( Completed( <kdf_enc(z, ~r2), kdf_mac(z, ~r2)>, + solve( Completed( kdf_enc(z, ~r2), <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, ~id_c, ~r2>, T, 'terminal', $C ) @ #j ) case CA_FINISH_T - solve( CAInitT( <$T, iid.1>, skTe, ~id_c, + solve( CAInitT( $T, skTe, ~id_c, cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C) ) ▶₁ #j ) case CA_INIT_T 
@@ -21230,45 +22704,42 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) 'terminal' ) ▶₂ #j ) case CA_Sign_ltk - solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.13 ) + solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.11 ) case TA_RESPONSE_T - solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.12 ) + solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.1 ) case c_kdf_enc - solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.36 ) + solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.34 ) case TA_INIT_T - solve( !KU( ~ltk.1 ) @ #vk.37 ) + solve( !KU( ~ltk.1 ) @ #vk.35 ) case Corrupt_ltk - solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.15 ) - case c_kdf_mac - solve( !KU( ~r2 ) @ #vk.20 ) - case CA_FINISH_C - solve( !KU( ~id_c ) @ #vk.35 ) + solve( !KU( ~r2 ) @ #vk.18 ) + case CA_FINISH_C + solve( !KU( ~id_c ) @ #vk.33 ) + case TA_CHALLENGE_C + solve( !KU( ~r1 ) @ #vk.34 ) case TA_CHALLENGE_C - solve( !KU( ~r1 ) @ #vk.36 ) - case TA_CHALLENGE_C - solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T) - ) @ #vk.22 ) - case CA_Sign_ltk - solve( !KU( mac('g'^~skTe, kdf_mac('g'^(~skTe*~ltk.1), ~r2)) ) @ #vk.26 ) - case CA_FINISH_C - solve( !KU( cert('g'^~ltk.1, sign(<'g'^~ltk.1, $C, 'chip'>, ca_sk), $C) - ) @ #vk.34 ) - case CA_INIT_C - solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.40 ) - case TA_RESPONSE_T - solve( !KU( cert(pk(~skT), sign(<pk(~skT), z, 'terminal'>, ca_sk), z) - ) @ #vk.43 ) - case CA_Sign_ltk - solve( !KU( ~id_c.1 ) @ #vk.46 ) + solve( !KU( cert(pk(~ltk), sign(<pk(~ltk), $T, 'terminal'>, ca_sk), $T) + ) @ #vk.20 ) + case CA_Sign_ltk + solve( !KU( mac('g'^~skTe, kdf_mac('g'^(~skTe*~ltk.1), ~r2)) ) @ #vk.24 ) + case CA_FINISH_C + solve( !KU( cert('g'^~ltk.1, sign(<'g'^~ltk.1, $C, 'chip'>, ca_sk), $C) + ) @ #vk.32 ) + case CA_INIT_C + solve( !KU( sign(<~id_c.1, ~r1.1, pkTe>, x) ) @ #vk.38 ) + case TA_RESPONSE_T + solve( !KU( cert(pk(~skT), sign(<pk(~skT), x, 'terminal'>, ca_sk), x) + ) @ #vk.41 ) + case CA_Sign_ltk + solve( !KU( ~id_c.1 
) @ #vk.44 ) + case TA_CHALLENGE_C + solve( !KU( ~r1.1 ) @ #vk.45 ) case TA_CHALLENGE_C - solve( !KU( ~r1.1 ) @ #vk.47 ) - case TA_CHALLENGE_C - solve( !KU( 'g'^~skTe ) @ #vk.27 ) + solve( !KU( 'g'^~skTe ) @ #vk.25 ) + case TA_INIT_T + solve( !KU( 'g'^~skTe.1 ) @ #vk.45 ) case TA_INIT_T - solve( !KU( 'g'^~skTe.1 ) @ #vk.47 ) - case TA_INIT_T - SOLVED // trace found - qed + SOLVED // trace found qed qed qed 
@@ -21293,6 +22764,128 @@ solve( Completed( k, sid, C, 'chip', T ) @ #i ) qed qed +lemma forward_secrecy_T: + all-traces + "∀ C T k sid #i #j. + ((((Completed( k, sid, C, 'chip', T ) @ #i) ∧ + (Completed( k, sid, T, 'terminal', C ) @ #j)) ∧ + (¬(∃ #m. Corrupted( C ) @ #m))) ∧ + (¬(∃ #m. (Corrupted( T ) @ #m) ∧ (#m < #j)))) ⇒ + ((¬(∃ #m. K( k ) @ #m)) ∨ (∃ #m. Revealed( sid ) @ #m))" +/* +guarded formula characterizing all counter-examples: +"∃ C T k sid #i #j. + (Completed( k, sid, C, 'chip', T ) @ #i) ∧ + (Completed( k, sid, T, 'terminal', C ) @ #j) + ∧ + (∀ #m. (Corrupted( C ) @ #m) ⇒ ⊥) ∧ + (∀ #m. (Corrupted( T ) @ #m) ⇒ ¬(#m < #j)) ∧ + (∃ #m. (K( k ) @ #m)) ∧ + (∀ #m. (Revealed( sid ) @ #m) ⇒ ⊥)" +*/ +simplify +solve( Completed( k, sid, C, 'chip', T ) @ #i ) + case CA_FINISH_C + solve( CAInitC( $C, certT, pkTe, id_c, r1, r2 ) ▶₁ #i ) + case CA_INIT_C + solve( !Ltk( $C, ~skC, 'chip' ) ▶₂ #i ) + case Generate_chip_key_pair + solve( !Cert( $C, certC, 'chip' ) ▶₃ #i ) + case CA_Sign_ltk + solve( Completed( kdf_enc(z, ~r2), + <cert(pk(x), sign(<pk(x), T, 'terminal'>, ca_sk), T), + cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C), pkTe, 'g'^~skC, + ~id_c, ~r2>, + T, 'terminal', $C + ) @ #j ) + case CA_FINISH_T + solve( CAInitT( $T, skTe, ~id_c, + cert('g'^~ltk, sign(<'g'^~ltk, $C, 'chip'>, ca_sk), $C) + ) ▶₁ #j ) + case CA_INIT_T + solve( !Cert( $T, cert(pk(x), sign(<pk(x), $T, 'terminal'>, ca_sk), $T), + 'terminal' + ) ▶₂ #j ) + case CA_Sign_ltk + solve( !KU( sign(<~id_c, ~r1, 'g'^~skTe>, ~ltk) ) @ #vk.11 ) + case TA_RESPONSE_T + solve( !KU( kdf_enc('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.1 ) + case Reveal_session + solve( splitEqs(2) ) + case split_case_1 + by contradiction /* from formulas */ + next + case split_case_2 + solve( !KU( mac('g'^~skTe.1, kdf_mac('g'^(~skTe*~ltk.1), ~r2)) + ) @ #vk.40 ) + case c_mac + solve( !KU( kdf_mac('g'^(~skTe*~ltk.1), ~r2) ) @ #vk.46 ) + case c_kdf_mac + solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.47 ) + case CA_INIT_C + by solve( !KU( 
~skTe ) @ #vk.51 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.48 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.48 ) + next + case TA_INIT_T + solve( !KU( ~ltk.1 ) @ #vk.48 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_exp + by solve( !KU( ~skTe ) @ #vk.50 ) + qed + qed + qed + qed + next + case c_kdf_enc + solve( !KU( 'g'^(~skTe*~ltk.1) ) @ #vk.34 ) + case CA_INIT_C + by solve( !KU( ~skTe ) @ #vk.38 ) + next + case CA_INIT_T + by contradiction /* cyclic */ + next + case CA_Sign_ltk + by solve( !KU( ~skTe ) @ #vk.35 ) + next + case Generate_chip_key_pair + by solve( !KU( ~skTe ) @ #vk.35 ) + next + case TA_INIT_T + solve( !KU( ~ltk.1 ) @ #vk.35 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + next + case c_exp + by solve( !KU( ~skTe ) @ #vk.37 ) + qed + qed + next + case c_sign + solve( !KU( ~ltk ) @ #vk.36 ) + case Corrupt_ltk + by contradiction /* from formulas */ + qed + qed + qed + qed + qed + qed + qed + qed +qed + 
@@ -21340,21 +22933,21 @@ summary of summaries: analyzed: tmp.spthy - processing time: 54.21s + processing time: 67.38s session_exist (exists-trace): verified (22 steps) two_session_exist (exists-trace): verified (32 steps) + aliveness (all-traces): verified (85 steps) weak_agreement_C (all-traces): verified (8 steps) weak_agreement_T (all-traces): falsified - found trace (15 steps) agreement_C (all-traces): verified (8 steps) agreement_T (all-traces): falsified - found trace (14 steps) - aliveness (all-traces): verified (155 steps) - session_uniqueness (all-traces): verified (336 steps) + session_uniqueness (all-traces): verified (888 steps) consistency (all-traces): verified (8 steps) - key_secrecy (all-traces): verified (54 steps) - chip_hiding (all-traces): verified (4 steps) - nonRepudiation_terminal (exists-trace): verified (12 steps) - nonRepudiation_chip (exists-trace): falsified - no trace found (15 steps) - pfs (all-traces): falsified - found trace (26 steps) + key_secrecy (all-traces): verified (32 steps) + notNonRepudiation_C (exists-trace): verified (12 steps) + notNonRepudiation_T (exists-trace): falsified - no trace found (15 steps) + forward_secrecy (all-traces): falsified - found trace (25 steps) + forward_secrecy_T (all-traces): verified (32 steps) ============================================================================== diff --git a/tmp.spthy b/tmp.spthy deleted file mode 100644 index 9d54c88..0000000 --- a/tmp.spthy +++ /dev/null 
@@ -1,463 +0,0 @@ -/* -PQ-EAC with Terminal Signatures -====================================== - -Author: Jonas Mueller -Date: May 2024 - -*/ - -theory SigPQEAC -begin - -builtins: signing -functions: kdf/2 -functions: encaps/2, decaps/2 -equations: decaps((encaps(k, pk(sk))), sk) = k - - -/* Key setup and Certificate model for all EAC models */ - - -functions: cert/3, cert_pk/1, cert_sig/1, cert_id/1, ca_sk/0 [private] -equations: cert_pk(cert(pk, s, id)) = pk, cert_sig(cert(pk, s, id)) = s, cert_id(cert(pk, s, id)) = id - -macros: verify_cert(cert, role) = verify(cert_sig(cert), <cert_pk(cert), cert_id(cert), role>, pk(ca_sk)) - - -rule Publish_ca_pk: - [ ] - --> - [ Out(pk(ca_sk)) ] - -// Generate long-term key pair for the chip. Classic version needs dh key pair -#ifdef CLASSIC -rule Generate_chip_key_pair: -let - pk = 'g'^~ltk -in - [ Fr(~ltk) ] - --[ TestMe() ]-> - [ !Pk($A, pk, 'chip'), !Ltk($A, ~ltk, 'chip'), Out(pk) ] -#else -rule Generate_chip_key_pair: -let - pk = pk(~ltk) -in - [ Fr(~ltk) ] - --> - [ !Pk($A, pk, 'chip'), !Ltk($A, ~ltk, 'chip'), Out(pk) ] -#endif - -// Generate static long-term key pair for the terminal. 
-rule Generate_terminal_key_pair: -let - pk = pk(~ltk) -in - [ Fr(~ltk) ] - --> - [ !Pk($A, pk, 'terminal'), !Ltk($A, ~ltk, 'terminal'), Out(pk) ] - -rule CA_Sign_ltk: -let - certA = cert(pk, sign(<pk, A, role>, ca_sk), A) -in - [ !Pk(A, pk, role) ] - --[ RegisteredRole(A, role) ]-> - [ !Cert(A, certA, role), Out(certA) ] - -/* Attacker model */ -// We extend the Dolev-Yao attack model in tamarin with Reveal and Corrupt capabilities - -rule Corrupt_ltk: - [ !Ltk($A, ltk, role) ] - --[ Corrupted($A) ]-> - [ Out(<ltk, role>) ] - -rule Reveal_session: - [ !SessionReveal(sid, k) ] - --[ Revealed(sid) ]-> - [ Out(k) ] - - - -/* Terminal Authentication */ -// State machine: TA_INIT_T -> TA_CHALLENGE_C -> TA_RESPONSE_T -> TA_COMPLETE_C - - -rule TA_INIT_T: -let - msg1 = <certT, '1', 't'> -in - [ !Cert($T, certT, 'terminal'), Fr(~iid) ] - --[ Started() ]-> - [ Out(msg1), Out(~iid), TAInitT(<$T, ~iid>) ] - -// We generate a fresh IDc to simulate the previous execution of PACE or BAC -rule TA_CHALLENGE_C: -let - msg1 = <certT, '1', 't'> - msg2 = <~id_c, ~r1, '2', 'c'> -in - [ In(msg1), Fr(~r1), Fr(~id_c), Fr(~iid) ] - --[ Eq(verify_cert(certT, 'terminal'), true), Started() ]-> - [ Out(msg2), TAChallengeC(<$C, ~iid>, certT, ~id_c, ~r1) ] - -rule TA_RESPONSE_T: -let - msg2 = <id_c, r1, '2', 'c'> - s = sign(<'TA', id_c, r1>, ~skT) - msg3 = <s, '3', 't'> -in - [ In(msg2), TAInitT(<$T, iid>), !Ltk($T, ~skT, 'terminal') ] - --> - [ Out(msg3), TAResponseT(<$T, iid>, id_c) ] - -rule TA_COMPLETE_C: -let - msg3 = <s, '3', 't'> -in - [ In(msg3), TAChallengeC(<$C, iid>, certT, id_c, r1) ] - --[ Eq(verify(s, <'TA', id_c, r1>, cert_pk(certT)), true), CompletedTA($C, iid, cert_id(certT)) ]-> - [ TACompleteC(<$C, iid>, certT, id_c, r1) ] - - - -/* Chip Authentication */ -// State machine: CA_INIT_C -> CA_INIT_T -> CA_FINISH_C -> CA_FINISH_T - -#ifdef PFS -rule CA_INIT_C: -let - msg4 = <certC, ~r2, pk(~skCe), '4', 'c'> -in - [ Fr(~r2), Fr(~skCe), TACompleteC(<$C, iid>, certT, id_c, r1), 
!Cert($C, certC, 'chip') ] - --> - [ Out(msg4), Out(iid), CAInitC(<$C, iid>, certT, id_c, r1, ~r2, ~skCe) ] -#else -rule CA_INIT_C: -let - msg4 = <certC, ~r2, '4', 'c'> -in - [ Fr(~r2), TACompleteC(<$C, iid>, certT, id_c, r1), !Cert($C, certC, 'chip') ] - --> - [ Out(msg4), Out(iid), CAInitC(<$C, iid>, certT, id_c, r1, ~r2) ] -#endif - - -#ifdef PFS -rule CA_INIT_T: -let - msg4 = <certC, r2, pkCe, '4', 'c'> - pkC = cert_pk(certC) - cip = encaps(~k, pkC) - cipe = encaps(~ke, pkCe) - sid = <certT, certC, r2, cip, pkCe, cipe> - s = sign(<'CA', sid>, ~skT) - msg5 = <cip, s, cipe, '5', 't'> -in - [ In(msg4), Fr(~k), Fr(~ke), TAResponseT(<$T, iid>, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ] - --[ Eq(verify_cert(certC, 'chip'), true) ]-> - [ Out(msg5), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>, <~ke, cipe>, pkCe) ] -#else -rule CA_INIT_T: -let - msg4 = <certC, r2, '4', 'c'> - pkC = cert_pk(certC) - cip = encaps(~k, pkC) - sid = <certT, certC, r2, cip> - s = sign(<'CA', sid>, ~skT) - msg5 = <cip, s, '5', 't'> -in - [ In(msg4), Fr(~k), TAResponseT(<$T, iid>, id_c), !Ltk($T, ~skT, 'terminal'), !Cert($T, certT, 'terminal') ] - --[ Eq(verify_cert(certC, 'chip'), true) ]-> - [ Out(msg5), CAInitT(<$T, iid>, id_c, certC, r2, <~k, cip>) ] -#endif - - -#ifdef PFS -rule CA_FINISH_C: -let - msg5 = <cip, s, cipe, '5', 't'> - sid = <certT, certC, r2, cip, pk(skCe), cipe> - k = decaps(cip, ~skC) - ke = decaps(cipe, skCe) - kCNF = kdf(<'CNF', sid>, <k, ke>) - kKEY = kdf(<'KEY', sid>, <k, ke>) - msg6 = <kCNF, '6', 'c'> -in - [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, r2, skCe), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] - --[ Eq(verify(s, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> - [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ] -#else -rule CA_FINISH_C: -let - msg5 = <cip, s, '5', 't'> - sid = <certT, certC, r2, cip> - k = decaps(cip, ~skC) - kCNF = kdf(<'CNF', sid>, k) - kKEY = kdf(<'KEY', sid>, 
k) - msg6 = <kCNF, '6', 'c'> -in - [ In(msg5), CAInitC(<$C, iid>, certT, id_c, r1, r2), !Ltk($C, ~skC, 'chip'), !Cert($C, certC, 'chip') ] - --[ Eq(verify(s, <'CA', sid>, cert_pk(certT)), true), Completed(kKEY, sid, $C, 'chip', cert_id(certT)) ]-> - [ Out(msg6), CAFinishC($C, cert_id(certT), kKEY) ] -#endif - -#ifdef PFS -rule CA_FINISH_T: -let - msg6 = <kCNF_C, '6', 'c'> - sid = <certT, certC, r2, cip, pkCe, cipe> - kCNF = kdf(<'CNF', sid>, <k, ke>) - kKEY = kdf(<'KEY', sid>, <k, ke>) -in - [ In(msg6), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>, <ke, cipe>, pkCe), !Cert($T, certT, 'terminal') ] - --[ Eq(kCNF, kCNF_C), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> - [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ] -#else -rule CA_FINISH_T: -let - msg6 = <kCNF_c, '6', 'c'> - sid = <certT, certC, r2, cip> - kCNF = kdf(<'CNF', sid>, k) - kKEY = kdf(<'KEY', sid>, k) -in - [ In(msg6), CAInitT(<$T, iid>, id_c, certC, r2, <k, cip>), !Cert($T, certT, 'terminal') ] - --[ Eq(kCNF, kCNF_c), Completed(kKEY, sid, $T, 'terminal', cert_id(certC)), Finished(sid) ]-> - [ CAFinishT(cert_id(certC), $T, kKEY), !SessionReveal(sid, kKEY) ] -#endif - - - - -/* Contains the restrictions and lemmas for all EAC models */ - -restriction Equality: - "All x y #i. Eq(x, y) @ i ==> x = y" - - -// Correctness - -lemma session_exist: exists-trace - " Ex C T k sid #i #j. - Completed(k, sid, C, 'chip', T) @ #i - & Completed(k, sid, T, 'terminal', C) @ #j - & #i < #j - " - -lemma two_session_exist: exists-trace - " Ex C T k k2 sid sid2 #i #j #i2 #j2. - Completed(k, sid, C, 'chip', T) @ #i - & Completed(k, sid, T, 'terminal', C) @ #j - & #i < #j - & Completed(k2, sid2, C, 'chip', T) @ #i2 - & Completed(k2, sid2, T, 'terminal', C) @ #j2 - & #i2 < #j2 - & not(k=k2) - " - -// Agreement -lemma weak_agreement_C: - "All k sid C T #i #t . - Completed(k, sid, C, 'chip', T) @ #i - & Finished(sid) @ #t - ==> (Ex k2 sid2 #j . 
- Completed(k2, sid2, T, 'terminal', C) @ #j) - | (Ex #k . Corrupted(C) @ #k) - | (Ex #k . Corrupted(T) @ #k) - " - -lemma weak_agreement_T: - "All k sid C T #i #t . - Completed(k, sid, T, 'terminal', C) @ #i - & Finished(sid) @ #t - ==> (Ex k2 sid2 #j . - Completed(k2, sid2, C, 'chip', T) @ #j) - | (Ex #k . Corrupted(C) @ #k) - | (Ex #k . Corrupted(T) @ #k) - " - -lemma agreement_C: - "All k sid C T #i #t . - Completed(k, sid, C, 'chip', T) @ #i - & Finished(sid) @ #t - ==> (Ex #j . - Completed(k, sid, T, 'terminal', C) @ #j) - | (Ex #k . Corrupted(C) @ #k) - | (Ex #k . Corrupted(T) @ #k) - " - -lemma agreement_T: - "All k sid C T #i #t . - Completed(k, sid, T, 'terminal', C) @ #i - & Finished(sid) @ #t - ==> (Ex #j . - Completed(k, sid, C, 'chip', T) @ #j) - | (Ex #k . Corrupted(C) @ #k) - | (Ex #k . Corrupted(T) @ #k) - " - -lemma aliveness: - "All k sid A role B #i #t . - Completed(k, sid, A, role, B) @ #i - & Finished(sid) @ #t - ==> (Ex k2 sid2 role2 C #j . - Completed(k2, sid2, B, role2, C) @ #j) - | (Ex #k . Corrupted(B) @ #k) - " - -lemma session_uniqueness: - "All A B k sid sid2 role #i #j . - Completed(k, sid, A, role, B) @ #i - & Completed(k, sid2, A, role, B) @ #j - ==> (#i = #j) & (sid = sid2) - " - -// Sole purpose of static key of T is authentication -// The final keys k/k2 are only derived from pkC/skC, pkTe/skTe and r2 -lemma consistency: - "All C T k k2 sid #i #j . - Completed(k, sid, C, 'chip', T) @ #i - & Completed(k2, sid, T, 'terminal', C) @ #j - ==> (k=k2) - | (Ex #m . Corrupted(C) @ #m) - " - -// Key secrecy -lemma key_secrecy: - "All C T k sid #i #j . - Completed(k, sid, C, 'chip', T) @ #i - & Completed(k, sid, T, 'terminal', C) @ #j - ==> not(Ex #m . K(k) @ #m) - | (Ex #m . Revealed(sid) @ #m) - | (Ex #m . Corrupted(C) @ #m) - " - -// Cannot track chip before CA -lemma chip_hiding: - "All C T iid #i . - CompletedTA(C, iid, T) @ #i - ==> not(Ex #m . K(iid) @ #m) - | (Ex #m . 
(K(iid) @ #m & #i < #m))
- "
-
-/* This lemma shows that the chip has NOT non-repudiation */
-// We use the exists-trace keyword because it is enough to show the possibility
-// 1.: To exclude an empty trace, we check for a finished protocol run (with the two Completed facts)
-// 2.: We define that the chip is not corrupted
-// 3.: We say that for every data the chip computed (which we manually put into action facts) the adversary could know the value before
- // We use the adversaries knowledge because it is easy to model and he can simple corrupt the terminal and execute the protocol instead
-// Problems: Some information required so that the other party can compute the data is sent after the Computed fact
-
-/*
-lemma notNonRepudiation: exists-trace
- "Ex C T k sid #i #j .
- Completed(k, sid, C, 'chip', T) @ #i // 1.
- & Completed(k, sid, T, 'terminal', C) @ #j // 1.
- & not(Ex #n . Corrupted(C) @ #n) // 2.
- & (All data #m . Computed(C, 'chip', data) @ #m // 3.
- ==> (Ex #k . K(data) @ #k & #k < #m)) // 3.
- "
-*/
-
-/* This lemma shows that the chip has NOT non-repudiation */
-// We use the fact that every value the chip can calculate its partner could too
-// We state the possibility that with a finished protocol run the terminal could identify as a chip because it knows all the computations too
-// Problems: pkTe is a fresh value used in the DH key, T could simply get a chip certificate and key pair (this could be solved but would limit our model), limited by our model at the moment because the identity from Completed is from the sent certificate which prevents T from trying a replay scenario
-
-/*
-lemma notNonRepudiation2: exists-trace
- "Ex C T T2 k k2 sid sid2 #i #i2 #j #j2 .
- Completed(k, sid, C, 'chip', T) @ #i
- & Completed(k2, sid2, T, 'chip', T2) @ #i2
- & Completed(k2, sid2, T2, 'terminal', T) @ #j2
- "
-*/
-
-// We simulate a one sided protocol execution
-
-// The terminal finishes the protocol by itself
-// It does not register a chip certificate and the chip shouldn't be involved in the protocol execution
-// This should be possible for the terminal
-
-lemma nonRepudiation_terminal: exists-trace
- "Ex C T #i .
- ValidTrans(C, 'chip', T) @ #i
- & not(Ex #k . Started() @ #k)
- & not(Ex #k . Corrupted(C) @ #k)
- & not(Ex #k . RegisteredRole(T, 'chip') @ #k)
- "
-
-// The chip finishes the protocol by itself
-// It does not register a terminal certificate and the terminal shouldn't be involved in the protocol execution
-// This should NOT be possible for the chip
-
-lemma nonRepudiation_chip: exists-trace
- "Ex C T #i .
- ValidTrans(T, 'terminal', C) @ #i
- & not(Ex #k . Started() @ #k)
- & not(Ex #k . Corrupted(T) @ #k)
- & not(Ex #k . RegisteredRole(C, 'terminal') @ #k)
- "
-
-// Perfect forward secrecy
-lemma pfs:
- "All C T k sid #i #j .
- Completed(k, sid, C, 'chip', T) @ #i
- & Completed(k, sid, T, 'terminal', C) @ #j
- & not(Ex #m . Corrupted(C) @ #m & #m < #j)
- & not(Ex #m . Corrupted(T) @ #m & #m < #j)
- ==> (not(Ex #m . K(k) @ #m)
- | (Ex #m .
Revealed(sid) @ #m))
- "
-
-
-#ifdef PFS
-rule Verify_Transcript_C:
-let
- pkT = cert_pk(certT)
- sid = <certT, certC, r2, cip, pkCe, cipe>
- k = decaps(cip, skC)
- ke = decaps(cipe, skCe)
- kCNF_c = kdf(<'CNF', sid>, <k, ke>)
-in
- [ In(<certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF>), In(skCe), !Ltk(C, skC, 'chip') ]
- --[ Eq(C, cert_id(certC)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
- [ ]
-#else
-rule Verify_Transcript_C:
-let
- pkT = cert_pk(certT)
- sid = <certT, certC, r2, cip>
- kKDF = decaps(cip, skC)
- kCNF_c = kdf(<'CNF', sid>, kKDF)
-in
- [ In(<certT, IDc, r1, sT, certC, r2, cip, sC, kCNF>), !Ltk(C, skC, 'chip') ]
- --[ Eq(C, cert_id(certC)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_c), ValidTrans(C, 'chip', cert_id(certT)) ]->
- [ ]
-#endif
-
-#ifdef PFS
-rule Verify_Transcript_T:
-let
- pkT = cert_pk(certT)
- sid = <certT, certC, r2, cip, pkCe, cipe>
- kCNF_t = kdf(<'CNF', sid>, <k, ke>)
-in
- [ In(<certT, IDc, r1, sT, certC, r2, pkCe, cip, sC, cipe, kCNF>), In(<k, ke>) ]
- --[ Eq(T, cert_id(certT)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
- [ ]
-#else
-rule Verify_Transcript_T:
-let
- pkT = cert_pk(certT)
- sid = <certT, certC, r2, cip>
- kCNF_t = kdf(<'CNF', sid>, kKDF)
-in
- [ In(<certT, IDc, r1, sT, certC, r2, cip, sC, kCNF>), In(kKDF) ]
- --[ Eq(T, cert_id(certT)), Eq(verify_cert(certT, 'terminal'), true), Eq(verify_cert(certC, 'chip'), true), Eq(verify(sT, <'TA', IDc, r1>, pkT), true), Eq(verify(sC, <'CA', sid>, pkT), true), Eq(kCNF, 
kCNF_t), ValidTrans(T, 'terminal', cert_id(certC)) ]->
- [ ]
-#endif
-
-end
-- GitLab
