(*************************************************************
 *                                                           *
 *  Cryptographic protocol verifier                          *
 *                                                           *
 *  Bruno Blanchet, Vincent Cheval, and Marc Sylvestre       *
 *                                                           *
 *  Copyright (C) INRIA, CNRS 2000-2018                      *
 *                                                           *
 *************************************************************)

(*

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details (in file LICENSE).

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*)
(* SKEME *)

pred c/1 decompData, elimVar.
pred c2/1 decompData, elimVar.

(* Public key cryptography *)

fun pk/1.
fun encrypt/2.

(* Hash function *)

fun hash/1.

(* Diffie-Hellman *)
(* equation f(x,g(y)) = f(y,g(x)). *)

fun g/1.
fun h1/2.
fun h0/2.

(* Keyed hash function *)

fun keyhash/2.

query c2:secretA[].
query c2:secretB[].

(* Secrecy assumptions *)

not c:skA[].
not c:skB[].
not c:x[pk(skB[])].
not c:y[(encrypt((pk(skA[]), a), pk(skB[])), b)].
not c:Ka[pk(skB[])].
not c:Kb[(encrypt((pk(skA[]),Ka[pk(skB[])]),pk(skB[])),g(x[pk(skB[])]))].

reduc

c:keyhash((g(y[(encrypt((pk(skA[]),v18),pk(skB[])),v19)]),v19,pk(skA[]),pk(skB[])),hash((v18,Kb[(encrypt((pk(skA[]),v18),pk(skB[])),v19)]))) & c:(encrypt((pk(skA[]),v18),pk(skB[])),v19) -> c:encrypt(secretB[],pk(hash(h0(y[(encrypt((pk(skA[]),v18),pk(skB[])),v19)],v19))));
c:keyhash((g(y[(encrypt((pk(skA[]),v16),pk(skB[])),g(v17))]),g(v17),pk(skA[]),pk(skB[])),hash((v16,Kb[(encrypt((pk(skA[]),v16),pk(skB[])),g(v17))]))) & c:(encrypt((pk(skA[]),v16),pk(skB[])),g(v17)) -> c:encrypt(secretB[],pk(hash(h1(y[(encrypt((pk(skA[]),v16),pk(skB[])),g(v17))],v17))));
c:keyhash((g(y[(encrypt((pk(skA[]),v15),pk(skB[])),g(v14))]),g(v14),pk(skA[]),pk(skB[])),hash((v15,Kb[(encrypt((pk(skA[]),v15),pk(skB[])),g(v14))]))) & c:(encrypt((pk(skA[]),v15),pk(skB[])),g(v14)) -> c:encrypt(secretB[],pk(hash(h1(v14,y[(encrypt((pk(skA[]),v15),pk(skB[])),g(v14))]))));
c:(encrypt((v11,v12),pk(skB[])),v13) -> c:(encrypt(Kb[(encrypt((v11,v12),pk(skB[])),v13)],v11),g(y[(encrypt((v11,v12),pk(skB[])),v13)]),keyhash((v13,g(y[(encrypt((v11,v12),pk(skB[])),v13)]),pk(skB[]),v11),hash((v12,Kb[(encrypt((v11,v12),pk(skB[])),v13)]))));
c:(encrypt(v10,pk(skA[])),v9,keyhash((g(x[pk(skB[])]),v9,pk(skB[]),pk(skA[])),hash((Ka[pk(skB[])],v10)))) & c:pk(skB[]) -> c:encrypt(secretA[],pk(hash(h0(x[pk(skB[])],v9))));
c:(encrypt(v8,pk(skA[])),g(v7),keyhash((g(x[pk(skB[])]),g(v7),pk(skB[]),pk(skA[])),hash((Ka[pk(skB[])],v8)))) & c:pk(skB[]) -> c:encrypt(secretA[],pk(hash(h1(x[pk(skB[])],v7))));
c:(encrypt(v6,pk(skA[])),g(v5),keyhash((g(x[pk(skB[])]),g(v5),pk(skB[]),pk(skA[])),hash((Ka[pk(skB[])],v6)))) & c:pk(skB[]) -> c:encrypt(secretA[],pk(hash(h1(v5,x[pk(skB[])]))));
c:(encrypt(v4,pk(skA[])),v2,keyhash((g(x[v3]),v2,v3,pk(skA[])),hash((Ka[v3],v4)))) & c:v3 -> c:keyhash((v2,g(x[v3]),pk(skA[]),v3),hash((Ka[v3],v4)));
c:v1 -> c:(encrypt((pk(skA[]),Ka[v1]),v1),g(x[v1]));
c:pk(skB[]);
c:pk(skA[]);
c:c[];
c:encrypt(x,pk(y)) & c:y -> c:x;
c:any11 -> c:pk(any11);
c:any10 & c:any9 -> c:keyhash(any10,any9);
c:any8 & c:any7 -> c:encrypt(any8,any7);
c:any6 & c:any5 -> c:h1(any6,any5);
c:any4 & c:any3 -> c:h0(any4,any3);
c:any2 -> c:hash(any2);
c:any1 -> c:g(any1);
c:x & c:y -> c:h0(x,y);
c:x & c:g(y) -> c:h1(x,y);
c:y & c:g(x) -> c:h1(x,y);

(* Implication *)

c:x -> c2:x;

(* Computation rules for c2 *)

c2:encrypt(x,pk(y)) & c2:y -> c2:x;
c2:any11 -> c2:pk(any11);
c2:any10 & c2:any9 -> c2:keyhash(any10,any9);
c2:any8 & c2:any7 -> c2:encrypt(any8,any7);
c2:any6 & c2:any5 -> c2:h1(any6,any5);
c2:any4 & c2:any3 -> c2:h0(any4,any3);
c2:any2 -> c2:hash(any2);
c2:any1 -> c2:g(any1);
c2:x & c2:y -> c2:h0(x,y);
c2:x & c2:g(y) -> c2:h1(x,y);
c2:g(x) & c2:y -> c2:h1(x,y);

(* and assume that the attacker has the secret keys *)

c2:skA[];
c2:skB[].
