Import of originally published version of isabelle-ofmc.

This commit is contained in:
Achim D. Brucker 2009-11-02 14:14:13 +00:00
commit 0407d94abd
52 changed files with 12743 additions and 0 deletions

1
AUTHORS Normal file
View File

@ -0,0 +1 @@
Achim D. Brucker <brucker@member.fsf.org>

35
COPYING Normal file
View File

@ -0,0 +1,35 @@
Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
==================================================
Copyright (c) 2009 Achim D. Brucker, Germany
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided
with the distribution.
* Neither the name of the copyright holders nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

3
ChangeLog Normal file
View File

@ -0,0 +1,3 @@
2009-11-02 Achim D. Brucker <brucker@member.fsf.org>
* Isabelle/OFMC: first public release (development version)

12
README Normal file
View File

@ -0,0 +1,12 @@
Isabelle/OFMC - Linking OFMC and Isabelle/HOL
=============================================
This is a developer release for Isabelle/OFMC, i.e., while it may be
of interested to experts, it is not yet useable by the general
public. This development version comprises a small set of Isabelle
theories and a prototypical tool, called anb2thy. Using OFMC's
fixed-point module, anb2thy generates Isabelle theory files for
protocols that haven been successfully validated by OFMC.

0
bin/.empty Normal file
View File

View File

@ -0,0 +1,19 @@
Protocol: BilateralKeyExchange
Types: Agent A,B;
Number NA,NB;
Symmetric_key K;
Function pk,f
Knowledge: A: A,B,pk(A),pk(B),inv(pk(A)),f;
B: A,B,pk(A),pk(B),inv(pk(B)),pk,f
Actions:
B->A: B,{NB,B}pk(A)
A->B: {f(NB),NA,A,K}pk(B)
B->A: {|f(NA)|}K
Goals:
A *->* B: K

View File

@ -0,0 +1,284 @@
Backend: Open-Source Fixedpoint Model-Checker version 2009c
Protocol: BilateralKeyExchange
Types:
[(Purpose,["purposeK"]),(Agent False False,["A","B"]),(Number,["NA","NB"]),(SymmetricKey,["K"]),(Function,["pk","f"])]
section rules:
step rule_0:
iknows(crypt(K,M));
iknows(inv(K))
=>
iknows(M)
step rule_1:
iknows(crypt(inv(K),M));
iknows(K)
=>
iknows(M)
step rule_2:
iknows(scrypt(K,M));
iknows(K)
=>
iknows(M)
step rule_3:
iknows(pair(M1,M2))
=>
iknows(M1);
iknows(M2)
step rule_4:
secret(M,Agent (honest a));
iknows(M)
=>
attack(pair(secrecy,M))
step rule_5:
request(A,B,Purpose (purposeNB),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (absNB(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_6:
request(A,B,Purpose (purposeNA),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (absNA(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_7:
request(A,B,Purpose (purposeK),M,(SID sid))
| B/=Agent (dishonest i);
M/=SymKey (absK(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_8:
State (rB,[Agent (B),Step 0,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),(SID sid)])
=>
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),Nonce (absNB(pair(Agent (B),Agent (A)))),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (absNB(pair(Agent (B),Agent (A)))),Agent (B)))),(SID sid)]);
iknows(pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (absNB(pair(Agent (B),Agent (A)))),Agent (B)))))
step rule_9:
State (rA,[Agent (A),Step 0,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),(SID sid)]);
iknows(Agent (B));
iknows(crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))))
=>
secret(SymKey (absK(pair(Agent (A),Agent (B)))),Agent (B));
witness(Agent (A),Agent (B),Purpose (purposeK),SymKey (absK(pair(Agent (A),Agent (B)))));
State (rA,[Agent (A),Step 1,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),Nonce (absNA(pair(Agent (A),Agent (B)))),SymKey (absK(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Agent (A),SymKey (absK(pair(Agent (A),Agent (B)))))))),(SID sid)]);
iknows(crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Agent (A),SymKey (absK(pair(Agent (A),Agent (B)))))))))
step rule_10:
State (rA,[Agent (A),Step 0,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),(SID sid)]);
iknows(Agent (B));
iknows(pk(Agent (A)));
iknows(Nonce (NB))
=>
secret(SymKey (absK(pair(Agent (A),Agent (B)))),Agent (B));
witness(Agent (A),Agent (B),Purpose (purposeK),SymKey (absK(pair(Agent (A),Agent (B)))));
State (rA,[Agent (A),Step 1,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),Nonce (absNA(pair(Agent (A),Agent (B)))),SymKey (absK(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Agent (A),SymKey (absK(pair(Agent (A),Agent (B)))))))),(SID sid)]);
iknows(crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Agent (A),SymKey (absK(pair(Agent (A),Agent (B)))))))))
step rule_11:
State (rA,[Agent (A),Step 0,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),(SID sid)]);
iknows(Agent (B));
iknows(Agent (A));
iknows(Nonce (NB))
=>
secret(SymKey (absK(pair(Agent (A),Agent (B)))),Agent (B));
witness(Agent (A),Agent (B),Purpose (purposeK),SymKey (absK(pair(Agent (A),Agent (B)))));
State (rA,[Agent (A),Step 1,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),Nonce (absNA(pair(Agent (A),Agent (B)))),SymKey (absK(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Agent (A),SymKey (absK(pair(Agent (A),Agent (B)))))))),(SID sid)]);
iknows(crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Agent (A),SymKey (absK(pair(Agent (A),Agent (B)))))))))
step rule_12:
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),Nonce (NB),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))))
=>
request(Agent (B),Agent (A),Purpose (purposeK),SymKey (K),(SID sid));
State (rB,[Agent (B),Step 2,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),Nonce (NB),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),SymKey (K),Nonce (NA),f(Nonce (NB)),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))),scrypt(SymKey (K),f(Nonce (NA))),(SID sid)]);
iknows(scrypt(SymKey (K),f(Nonce (NA))))
step rule_13:
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),Nonce (NB),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),(SID sid)]);
iknows(pk(Agent (B)));
iknows(f(Nonce (NB)));
iknows(Nonce (NA));
iknows(Agent (A));
iknows(SymKey (K))
=>
request(Agent (B),Agent (A),Purpose (purposeK),SymKey (K),(SID sid));
State (rB,[Agent (B),Step 2,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),Nonce (NB),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),SymKey (K),Nonce (NA),f(Nonce (NB)),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))),scrypt(SymKey (K),f(Nonce (NA))),(SID sid)]);
iknows(scrypt(SymKey (K),f(Nonce (NA))))
step rule_14:
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),Nonce (NB),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),(SID sid)]);
iknows(pk(Agent (B)));
iknows(Nonce (NB));
iknows(Nonce (NA));
iknows(Agent (A));
iknows(SymKey (K))
=>
request(Agent (B),Agent (A),Purpose (purposeK),SymKey (K),(SID sid));
State (rB,[Agent (B),Step 2,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),Nonce (NB),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),SymKey (K),Nonce (NA),f(Nonce (NB)),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))),scrypt(SymKey (K),f(Nonce (NA))),(SID sid)]);
iknows(scrypt(SymKey (K),f(Nonce (NA))))
step rule_15:
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),Nonce (NB),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),(SID sid)]);
iknows(Agent (B));
iknows(f(Nonce (NB)));
iknows(Nonce (NA));
iknows(Agent (A));
iknows(SymKey (K))
=>
request(Agent (B),Agent (A),Purpose (purposeK),SymKey (K),(SID sid));
State (rB,[Agent (B),Step 2,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),Nonce (NB),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),SymKey (K),Nonce (NA),f(Nonce (NB)),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))),scrypt(SymKey (K),f(Nonce (NA))),(SID sid)]);
iknows(scrypt(SymKey (K),f(Nonce (NA))))
step rule_16:
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),Nonce (NB),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),(SID sid)]);
iknows(Agent (B));
iknows(Nonce (NB));
iknows(Nonce (NA));
iknows(Agent (A));
iknows(SymKey (K))
=>
request(Agent (B),Agent (A),Purpose (purposeK),SymKey (K),(SID sid));
State (rB,[Agent (B),Step 2,inv(pk(Agent (B))),pk(Agent (B)),pk(Agent (A)),Agent (A),Nonce (NB),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),SymKey (K),Nonce (NA),f(Nonce (NB)),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))),scrypt(SymKey (K),f(Nonce (NA))),(SID sid)]);
iknows(scrypt(SymKey (K),f(Nonce (NA))))
step rule_17:
State (rA,[Agent (A),Step 1,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),Nonce (NA),SymKey (K),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))),(SID sid)]);
iknows(scrypt(SymKey (K),f(Nonce (NA))))
=>
State (rA,[Agent (A),Step 2,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),Nonce (NA),SymKey (K),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))),scrypt(SymKey (K),f(Nonce (NA))),(SID sid)])
step rule_18:
State (rA,[Agent (A),Step 1,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),Nonce (NA),SymKey (K),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))),(SID sid)]);
iknows(SymKey (K));
iknows(f(Nonce (NA)))
=>
State (rA,[Agent (A),Step 2,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),Nonce (NA),SymKey (K),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))),scrypt(SymKey (K),f(Nonce (NA))),(SID sid)])
step rule_19:
State (rA,[Agent (A),Step 1,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),Nonce (NA),SymKey (K),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))),(SID sid)]);
iknows(SymKey (K));
iknows(Nonce (NA))
=>
State (rA,[Agent (A),Step 2,inv(pk(Agent (A))),pk(Agent (B)),pk(Agent (A)),Agent (B),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B))),pair(Agent (B),crypt(pk(Agent (A)),pair(Nonce (NB),Agent (B)))),Nonce (NA),SymKey (K),crypt(pk(Agent (B)),pair(f(Nonce (NB)),pair(Nonce (NA),pair(Agent (A),SymKey (K))))),scrypt(SymKey (K),f(Nonce (NA))),(SID sid)])
section initial state:
init_0: iknows(Nonce (ni));
init_1: iknows(Agent (dishonest i));
init_2: State (rA,[Agent (honest a),Step 0,inv(pk(Agent (honest a))),pk(Agent (dishonest i)),pk(Agent (honest a)),Agent (dishonest i),(SID sid)]);
init_3: State (rA,[Agent (honest a),Step 0,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),(SID sid)]);
init_4: iknows(Step 0);
init_5: iknows(inv(pk(Agent (dishonest i))));
init_6: iknows(pk(Agent (dishonest i)));
init_7: iknows((SID sid));
init_8: iknows(pk(Agent (honest a)));
init_9: iknows(Agent (honest a));
init_10: State (rB,[Agent (honest a),Step 0,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (dishonest i)),Agent (dishonest i),(SID sid)]);
init_11: State (rB,[Agent (honest a),Step 0,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),(SID sid)]);
section fixedpoint:
fp_0: iknows(pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a)))));
fp_1: iknows(pair(Agent (honest a),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))));
fp_2: State (rB,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (dishonest i)),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))),(SID sid)]);
fp_3: State (rB,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a)))),(SID sid)]);
fp_4: secret(SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i));
fp_5: witness(Agent (honest a),Agent (dishonest i),Purpose (purposeK),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))));
fp_6: State (rA,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),pk(Agent (dishonest i)),pk(Agent (honest a)),Agent (dishonest i),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (dishonest i))),pair(Agent (dishonest i),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (dishonest i)))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(f(Nonce (ni)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_7: secret(SymKey (absK(pair(Agent (honest a),Agent (honest a)))),Agent (honest a));
fp_8: witness(Agent (honest a),Agent (honest a),Purpose (purposeK),SymKey (absK(pair(Agent (honest a),Agent (honest a)))));
fp_9: State (rA,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (honest a))),pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),SymKey (absK(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(f(Nonce (ni)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_10: iknows(crypt(pk(Agent (honest a)),pair(f(Nonce (ni)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))));
fp_11: iknows(crypt(pk(Agent (dishonest i)),pair(f(Nonce (ni)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_12: iknows(crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))));
fp_13: iknows(crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))));
fp_14: iknows(pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a)))));
fp_15: iknows(pair(Agent (honest a),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))));
fp_16: iknows(pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_17: iknows(pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))));
fp_18: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))));
fp_19: iknows(pair(f(Nonce (ni)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))))));
fp_20: State (rA,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),SymKey (absK(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (honest a))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_21: iknows(crypt(pk(Agent (honest a)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (honest a))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))));
fp_22: iknows(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))));
fp_23: iknows(SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))));
fp_24: iknows(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))));
fp_25: iknows(f(Nonce (ni)));
fp_26: iknows(pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a)))));
fp_27: iknows(pair(Agent (honest a),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))));
fp_28: iknows(pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_29: iknows(pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))));
fp_30: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))));
fp_31: iknows(pair(f(Nonce (ni)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))))));
fp_32: State (rA,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),pk(Agent (dishonest i)),pk(Agent (honest a)),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i))),pair(Agent (dishonest i),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i)))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_33: State (rA,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),pk(Agent (dishonest i)),pk(Agent (honest a)),Agent (dishonest i),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i))),pair(Agent (dishonest i),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i)))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_34: State (rA,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),SymKey (absK(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_35: State (rA,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),SymKey (absK(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_36: request(Agent (honest a),Agent (honest a),Purpose (purposeK),SymKey (absK(pair(Agent (honest a),Agent (honest a)))),(SID sid));
fp_37: State (rB,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),SymKey (absK(pair(Agent (honest a),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),f(Nonce (absNB(pair(Agent (honest a),Agent (honest a))))),crypt(pk(Agent (honest a)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (honest a))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))),scrypt(SymKey (absK(pair(Agent (honest a),Agent (honest a)))),f(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))))),(SID sid)]);
fp_38: request(Agent (honest a),Agent (dishonest i),Purpose (purposeK),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),(SID sid));
fp_39: State (rB,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (dishonest i)),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),crypt(pk(Agent (honest a)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))),scrypt(SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))))),(SID sid)]);
fp_40: State (rB,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (dishonest i)),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),crypt(pk(Agent (honest a)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))),scrypt(SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))))),(SID sid)]);
fp_41: State (rB,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (dishonest i)),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),Nonce (ni),f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),crypt(pk(Agent (honest a)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (ni),pair(Agent (dishonest i),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))),scrypt(SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),f(Nonce (ni))),(SID sid)]);
fp_42: State (rA,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),pk(Agent (dishonest i)),pk(Agent (honest a)),Agent (dishonest i),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (dishonest i))),pair(Agent (dishonest i),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (dishonest i)))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(f(Nonce (ni)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))),scrypt(SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))))),(SID sid)]);
fp_43: iknows(scrypt(SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),f(Nonce (ni))));
fp_44: iknows(scrypt(SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))))));
fp_45: iknows(scrypt(SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))))));
fp_46: iknows(scrypt(SymKey (absK(pair(Agent (honest a),Agent (honest a)))),f(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))))));
fp_47: iknows(crypt(pk(Agent (honest a)),pair(f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))));
fp_48: iknows(crypt(pk(Agent (honest a)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))));
fp_49: iknows(crypt(pk(Agent (dishonest i)),pair(f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_50: iknows(crypt(pk(Agent (dishonest i)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_51: iknows(pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a)))));
fp_52: iknows(pair(Agent (honest a),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))));
fp_53: iknows(pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_54: iknows(pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))));
fp_55: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))));
fp_56: iknows(pair(f(Nonce (ni)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))))));
fp_57: iknows(pair(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))))));
fp_58: iknows(pair(f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))))));
fp_59: State (rA,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),pk(Agent (dishonest i)),pk(Agent (honest a)),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i))),pair(Agent (dishonest i),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i)))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))),scrypt(SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))))),(SID sid)]);
fp_60: State (rA,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),pk(Agent (dishonest i)),pk(Agent (honest a)),Agent (dishonest i),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i))),pair(Agent (dishonest i),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i)))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))))),scrypt(SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))),f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))))),(SID sid)]);
fp_61: State (rA,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),SymKey (absK(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))),scrypt(SymKey (absK(pair(Agent (honest a),Agent (honest a)))),f(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))))),(SID sid)]);
fp_62: State (rA,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),SymKey (absK(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))),scrypt(SymKey (absK(pair(Agent (honest a),Agent (honest a)))),f(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))))),(SID sid)]);
fp_63: State (rA,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),SymKey (absK(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(f(Nonce (absNB(pair(Agent (honest a),Agent (honest a))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))),scrypt(SymKey (absK(pair(Agent (honest a),Agent (honest a)))),f(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))))),(SID sid)]);
fp_64: State (rA,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),pk(Agent (honest a)),pk(Agent (honest a)),Agent (honest a),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (honest a))),pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),SymKey (absK(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(f(Nonce (ni)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (honest a)))))))),scrypt(SymKey (absK(pair(Agent (honest a),Agent (honest a)))),f(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))))),(SID sid)]);
fp_65: iknows(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))));
fp_66: iknows(f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))));
fp_67: iknows(pair(Agent (honest a),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a)))));
fp_68: iknows(pair(Agent (honest a),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)))));
fp_69: iknows(pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_70: iknows(pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))));
fp_71: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i)))))));
fp_72: iknows(pair(f(Nonce (ni)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))))));
fp_73: iknows(pair(f(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))))));
fp_74: iknows(pair(f(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absK(pair(Agent (honest a),Agent (dishonest i))))))));
section abstraction:
NB->Nonce (absNB(pair(B,A)));
NA->Nonce (absNA(pair(A,B)));
K->SymKey (absK(pair(A,B)))

View File

@ -0,0 +1,24 @@
Protocol: DenningSacco
Types: Agent A,B,s;
Number T,timestamp,Payload;
Symmetric_key KAB;
Function sk
Knowledge: A: A,B,sk(A,s),timestamp;
B: B,A,sk(B,s),timestamp;
s: A,B,sk(A,s),sk(B,s)
Actions:
A->s: A,B
s->A: {|B,KAB,T,{|A,KAB,T|}sk(B,s)|}sk(A,s)
A->B: {|A,KAB,T|}sk(B,s)
B->A: {|Payload|}KAB
Goals:
B *->* A: Payload
Abstraction:
T -> timestamp;
Payload -> payload(B,A);
KAB -> sk(A,B)

View File

@ -0,0 +1,213 @@
Backend: Open-Source Fixedpoint Model-Checker version 2009c
Protocol: DenningSacco
Types:
[(Purpose,["purposePayload"]),(Agent False False,["A","B","s"]),(Number,["T","timestamp","Payload"]),(SymmetricKey,["KAB"]),(Function,["sk"])]
section rules:
step rule_0:
iknows(crypt(K,M));
iknows(inv(K))
=>
iknows(M)
step rule_1:
iknows(crypt(inv(K),M));
iknows(K)
=>
iknows(M)
step rule_2:
iknows(scrypt(K,M));
iknows(K)
=>
iknows(M)
step rule_3:
iknows(pair(M1,M2))
=>
iknows(M1);
iknows(M2)
step rule_4:
secret(M,Agent (honest a));
iknows(M)
=>
attack(pair(secrecy,M))
step rule_5:
request(A,B,Purpose (purposePayload),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (payload(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_6:
request(A,B,Purpose (purposeKAB),M,(SID sid))
| B/=Agent (dishonest i);
M/=SymKey (sk(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_7:
State (rA,[Agent (A),Step 0,Nonce (timestamp),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),(SID sid)])
=>
State (rA,[Agent (A),Step 1,Nonce (timestamp),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),pair(Agent (A),Agent (B)),(SID sid)]);
iknows(pair(Agent (A),Agent (B)))
step rule_8:
State (rs,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (B),Agent (honest a)))),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),Agent (A),(SID sid)]);
iknows(Agent (A));
iknows(Agent (B))
=>
State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (B),Agent (honest a)))),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),Agent (A),pair(Agent (A),Agent (B)),SymKey (sk(pair(Agent (A),Agent (B)))),Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Agent (B),pair(SymKey (sk(pair(Agent (A),Agent (B)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Agent (A),pair(SymKey (sk(pair(Agent (A),Agent (B)))),Nonce (timestamp)))))))),(SID sid)]);
iknows(scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Agent (B),pair(SymKey (sk(pair(Agent (A),Agent (B)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Agent (A),pair(SymKey (sk(pair(Agent (A),Agent (B)))),Nonce (timestamp)))))))))
step rule_9:
State (rA,[Agent (A),Step 1,Nonce (timestamp),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),pair(Agent (A),Agent (B)),(SID sid)]);
iknows(scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Agent (B),pair(SymKey (KAB),pair(Nonce (T),Agent (dishonest i))))))
=>
State (rA,[Agent (A),Step 2,Nonce (timestamp),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),pair(Agent (A),Agent (B)),Agent (dishonest i),Nonce (T),SymKey (KAB),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Agent (B),pair(SymKey (KAB),pair(Nonce (T),Agent (dishonest i))))),(SID sid)]);
iknows(Agent (dishonest i))
step rule_10:
State (rA,[Agent (A),Step 1,Nonce (timestamp),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),pair(Agent (A),Agent (B)),(SID sid)]);
iknows(SymKey (sk(pair(Agent (A),Agent (honest a)))));
iknows(Agent (B));
iknows(SymKey (KAB));
iknows(Nonce (T));
iknows(Agent (dishonest i))
=>
State (rA,[Agent (A),Step 2,Nonce (timestamp),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),pair(Agent (A),Agent (B)),Agent (dishonest i),Nonce (T),SymKey (KAB),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Agent (B),pair(SymKey (KAB),pair(Nonce (T),Agent (dishonest i))))),(SID sid)]);
iknows(Agent (dishonest i))
step rule_11:
State (rB,[Agent (B),Step 0,Nonce (timestamp),SymKey (sk(pair(Agent (B),Agent (honest a)))),Agent (A),(SID sid)]);
iknows(scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Agent (A),pair(SymKey (KAB),Nonce (T)))))
=>
secret(Nonce (payload(pair(Agent (B),Agent (A)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposePayload),Nonce (payload(pair(Agent (B),Agent (A)))));
State (rB,[Agent (B),Step 1,Nonce (timestamp),SymKey (sk(pair(Agent (B),Agent (honest a)))),Agent (A),Nonce (T),SymKey (KAB),scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Agent (A),pair(SymKey (KAB),Nonce (T)))),Nonce (payload(pair(Agent (B),Agent (A)))),scrypt(SymKey (KAB),Nonce (payload(pair(Agent (B),Agent (A))))),(SID sid)]);
iknows(scrypt(SymKey (KAB),Nonce (payload(pair(Agent (B),Agent (A))))))
step rule_12:
State (rB,[Agent (B),Step 0,Nonce (timestamp),SymKey (sk(pair(Agent (B),Agent (honest a)))),Agent (A),(SID sid)]);
iknows(SymKey (sk(pair(Agent (B),Agent (honest a)))));
iknows(Agent (A));
iknows(SymKey (KAB));
iknows(Nonce (T))
=>
secret(Nonce (payload(pair(Agent (B),Agent (A)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposePayload),Nonce (payload(pair(Agent (B),Agent (A)))));
State (rB,[Agent (B),Step 1,Nonce (timestamp),SymKey (sk(pair(Agent (B),Agent (honest a)))),Agent (A),Nonce (T),SymKey (KAB),scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Agent (A),pair(SymKey (KAB),Nonce (T)))),Nonce (payload(pair(Agent (B),Agent (A)))),scrypt(SymKey (KAB),Nonce (payload(pair(Agent (B),Agent (A))))),(SID sid)]);
iknows(scrypt(SymKey (KAB),Nonce (payload(pair(Agent (B),Agent (A))))))
step rule_13:
State (rA,[Agent (A),Step 2,Nonce (timestamp),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),pair(Agent (A),Agent (B)),Agent (dishonest i),Nonce (T),SymKey (KAB),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Agent (B),pair(SymKey (KAB),pair(Nonce (T),Agent (dishonest i))))),(SID sid)]);
iknows(scrypt(SymKey (KAB),Nonce (Payload)))
=>
request(Agent (A),Agent (B),Purpose (purposePayload),Nonce (Payload),(SID sid));
State (rA,[Agent (A),Step 3,Nonce (timestamp),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),pair(Agent (A),Agent (B)),Agent (dishonest i),Nonce (T),SymKey (KAB),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Agent (B),pair(SymKey (KAB),pair(Nonce (T),Agent (dishonest i))))),Nonce (Payload),scrypt(SymKey (KAB),Nonce (Payload)),(SID sid)])
step rule_14:
State (rA,[Agent (A),Step 2,Nonce (timestamp),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),pair(Agent (A),Agent (B)),Agent (dishonest i),Nonce (T),SymKey (KAB),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Agent (B),pair(SymKey (KAB),pair(Nonce (T),Agent (dishonest i))))),(SID sid)]);
iknows(SymKey (KAB));
iknows(Nonce (Payload))
=>
request(Agent (A),Agent (B),Purpose (purposePayload),Nonce (Payload),(SID sid));
State (rA,[Agent (A),Step 3,Nonce (timestamp),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),pair(Agent (A),Agent (B)),Agent (dishonest i),Nonce (T),SymKey (KAB),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Agent (B),pair(SymKey (KAB),pair(Nonce (T),Agent (dishonest i))))),Nonce (Payload),scrypt(SymKey (KAB),Nonce (Payload)),(SID sid)])
section initial state:
init_0: iknows(Nonce (ni));
init_1: iknows(Agent (dishonest i));
init_2: State (rA,[Agent (honest a),Step 0,Nonce (timestamp),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),(SID sid)]);
init_3: State (rA,[Agent (honest a),Step 0,Nonce (timestamp),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),(SID sid)]);
init_4: iknows(Step 0);
init_5: iknows(Nonce (timestamp));
init_6: iknows(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))));
init_7: iknows((SID sid));
init_8: iknows(Agent (honest a));
init_9: State (rB,[Agent (honest a),Step 0,Nonce (timestamp),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),(SID sid)]);
init_10: State (rB,[Agent (honest a),Step 0,Nonce (timestamp),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),(SID sid)]);
init_11: State (rs,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Agent (dishonest i),(SID sid)]);
init_12: State (rs,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),Agent (honest a),(SID sid)]);
init_13: State (rs,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (honest a),Agent (dishonest i),(SID sid)]);
init_14: State (rs,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Agent (honest a),(SID sid)]);
section fixedpoint:
fp_0: iknows(pair(Agent (honest a),Agent (honest a)));
fp_1: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_2: State (rA,[Agent (honest a),Step 1,Nonce (timestamp),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),pair(Agent (honest a),Agent (dishonest i)),(SID sid)]);
fp_3: State (rA,[Agent (honest a),Step 1,Nonce (timestamp),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),pair(Agent (honest a),Agent (honest a)),(SID sid)]);
fp_4: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Agent (dishonest i),pair(Agent (dishonest i),Agent (dishonest i)),SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp)))))))),(SID sid)]);
fp_5: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),Agent (honest a),pair(Agent (honest a),Agent (dishonest i)),SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),pair(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),Nonce (timestamp)))))))),(SID sid)]);
fp_6: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (honest a),Agent (dishonest i),pair(Agent (dishonest i),Agent (honest a)),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp)))))))),(SID sid)]);
fp_7: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Agent (honest a),pair(Agent (honest a),Agent (honest a)),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),pair(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),pair(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Nonce (timestamp)))))))),(SID sid)]);
fp_8: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),pair(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),pair(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Nonce (timestamp)))))))));
fp_9: iknows(scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp)))))))));
fp_10: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),pair(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),Nonce (timestamp)))))))));
fp_11: iknows(scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp)))))))));
fp_12: iknows(pair(Agent (honest a),Agent (honest a)));
fp_13: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_14: iknows(pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp))))));
fp_15: iknows(pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp)))))));
fp_16: iknows(pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp))))))));
fp_17: iknows(pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp))))));
fp_18: iknows(pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp)))))));
fp_19: iknows(pair(Agent (honest a),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp))))))));
fp_20: iknows(scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp)))));
fp_21: iknows(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))));
fp_22: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp)))));
fp_23: iknows(pair(Agent (honest a),Agent (honest a)));
fp_24: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_25: iknows(pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp))))));
fp_26: iknows(pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp)))))));
fp_27: iknows(pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp))))))));
fp_28: iknows(pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp))))));
fp_29: iknows(pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp)))))));
fp_30: iknows(pair(Agent (honest a),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp))))))));
fp_31: iknows(pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp)));
fp_32: iknows(pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp))));
fp_33: secret(Nonce (payload(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i));
fp_34: witness(Agent (honest a),Agent (dishonest i),Purpose (purposePayload),Nonce (payload(pair(Agent (honest a),Agent (dishonest i)))));
fp_35: State (rB,[Agent (honest a),Step 1,Nonce (timestamp),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),Nonce (timestamp),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp)))),Nonce (payload(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (payload(pair(Agent (honest a),Agent (dishonest i))))),(SID sid)]);
fp_36: iknows(scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (payload(pair(Agent (honest a),Agent (dishonest i))))));
fp_37: iknows(pair(Agent (honest a),Agent (honest a)));
fp_38: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_39: iknows(pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp))))));
fp_40: iknows(pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp)))))));
fp_41: iknows(pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp))))))));
fp_42: iknows(pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp))))));
fp_43: iknows(pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp)))))));
fp_44: iknows(pair(Agent (honest a),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp))))))));
fp_45: iknows(pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp)));
fp_46: iknows(pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp))));
fp_47: iknows(Nonce (payload(pair(Agent (honest a),Agent (dishonest i)))));
fp_48: iknows(pair(Agent (honest a),Agent (honest a)));
fp_49: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_50: iknows(pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp))))));
fp_51: iknows(pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp)))))));
fp_52: iknows(pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp))))))));
fp_53: iknows(pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp))))));
fp_54: iknows(pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp)))))));
fp_55: iknows(pair(Agent (honest a),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (timestamp),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (timestamp))))))));
fp_56: iknows(pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp)));
fp_57: iknows(pair(Agent (dishonest i),pair(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))),Nonce (timestamp))));
section abstraction:
T->timestamp;
Payload->Nonce (payload(pair(B,A)));
KAB->SymKey (sk(pair(A,B)))

View File

@ -0,0 +1,18 @@
Protocol: ISO_onepass_pk
# should be fine (replay is not considered here!)
Types: Agent A,B,s;
Number NA,Text1;
Function pk
Knowledge: A: A,B,{A,pk(A)}inv(pk(s)),pk(A),inv(pk(A));
B: B,pk(s)
Actions:
A->B: {A,pk(A)}inv(pk(s)),
{NA,B,Text1}inv(pk(A))
Goals:
A *-> B: Text1

View File

@ -0,0 +1,222 @@
Backend: Open-Source Fixedpoint Model-Checker version 2009c
Protocol: ISO_onepass_pk
Types:
[(Purpose,["purposeText1"]),(Agent False False,["A","B","s"]),(Number,["NA","Text1"]),(Function,["pk"])]
section rules:
step rule_0:
iknows(crypt(K,M));
iknows(inv(K))
=>
iknows(M)
step rule_1:
iknows(crypt(inv(K),M));
iknows(K)
=>
iknows(M)
step rule_2:
iknows(scrypt(K,M));
iknows(K)
=>
iknows(M)
step rule_3:
iknows(pair(M1,M2))
=>
iknows(M1);
iknows(M2)
step rule_4:
secret(M,Agent (honest a));
iknows(M)
=>
attack(pair(secrecy,M))
step rule_5:
request(A,B,Purpose (purposeNA),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (absNA(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_6:
request(A,B,Purpose (purposeText1),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (absText1(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_7:
State (rA,[Agent (A),Step 0,inv(pk(Agent (A))),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Agent (B),(SID sid)])
=>
witness(Agent (A),Agent (B),Purpose (purposeText1),Nonce (absText1(pair(Agent (A),Agent (B)))));
State (rA,[Agent (A),Step 1,inv(pk(Agent (A))),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Agent (B),Nonce (absNA(pair(Agent (A),Agent (B)))),Nonce (absText1(pair(Agent (A),Agent (B)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),crypt(inv(pk(Agent (A))),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Agent (B),Nonce (absText1(pair(Agent (A),Agent (B)))))))),(SID sid)]);
iknows(pair(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),crypt(inv(pk(Agent (A))),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Agent (B),Nonce (absText1(pair(Agent (A),Agent (B)))))))))
step rule_8:
State (rB,[Agent (B),Step 0,pk(Agent (honest a)),(SID sid)]);
iknows(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))));
iknows(crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1)))))
=>
request(Agent (B),Agent (A),Purpose (purposeText1),Nonce (Text1),(SID sid));
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Nonce (Text1),Nonce (NA),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1)))),pk(Agent (A)),Agent (A),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1))))),(SID sid)])
step rule_9:
State (rB,[Agent (B),Step 0,pk(Agent (honest a)),(SID sid)]);
iknows(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))));
iknows(inv(pk(Agent (A))));
iknows(Nonce (NA));
iknows(Agent (B));
iknows(Nonce (Text1))
=>
request(Agent (B),Agent (A),Purpose (purposeText1),Nonce (Text1),(SID sid));
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Nonce (Text1),Nonce (NA),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1)))),pk(Agent (A)),Agent (A),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1))))),(SID sid)])
step rule_10:
State (rB,[Agent (B),Step 0,pk(Agent (honest a)),(SID sid)]);
iknows(inv(pk(Agent (honest a))));
iknows(Agent (A));
iknows(pk(Agent (A)));
iknows(crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1)))))
=>
request(Agent (B),Agent (A),Purpose (purposeText1),Nonce (Text1),(SID sid));
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Nonce (Text1),Nonce (NA),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1)))),pk(Agent (A)),Agent (A),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1))))),(SID sid)])
step rule_11:
State (rB,[Agent (B),Step 0,pk(Agent (honest a)),(SID sid)]);
iknows(inv(pk(Agent (honest a))));
iknows(Agent (A));
iknows(pk(Agent (A)));
iknows(inv(pk(Agent (A))));
iknows(Nonce (NA));
iknows(Agent (B));
iknows(Nonce (Text1))
=>
request(Agent (B),Agent (A),Purpose (purposeText1),Nonce (Text1),(SID sid));
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Nonce (Text1),Nonce (NA),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1)))),pk(Agent (A)),Agent (A),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1))))),(SID sid)])
step rule_12:
State (rB,[Agent (B),Step 0,pk(Agent (honest a)),(SID sid)]);
iknows(inv(pk(Agent (honest a))));
iknows(Agent (A));
iknows(crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1)))))
=>
request(Agent (B),Agent (A),Purpose (purposeText1),Nonce (Text1),(SID sid));
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Nonce (Text1),Nonce (NA),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1)))),pk(Agent (A)),Agent (A),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1))))),(SID sid)])
step rule_13:
State (rB,[Agent (B),Step 0,pk(Agent (honest a)),(SID sid)]);
iknows(inv(pk(Agent (honest a))));
iknows(Agent (A));
iknows(inv(pk(Agent (A))));
iknows(Nonce (NA));
iknows(Agent (B));
iknows(Nonce (Text1))
=>
request(Agent (B),Agent (A),Purpose (purposeText1),Nonce (Text1),(SID sid));
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Nonce (Text1),Nonce (NA),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1)))),pk(Agent (A)),Agent (A),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),crypt(inv(pk(Agent (A))),pair(Nonce (NA),pair(Agent (B),Nonce (Text1))))),(SID sid)])
section initial state:
init_0: iknows(Nonce (ni));
init_1: iknows(Agent (dishonest i));
init_2: State (rA,[Agent (honest a),Step 0,inv(pk(Agent (honest a))),pk(Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),Agent (dishonest i),(SID sid)]);
init_3: State (rA,[Agent (honest a),Step 0,inv(pk(Agent (honest a))),pk(Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),Agent (honest a),(SID sid)]);
init_4: iknows(Step 0);
init_5: iknows(inv(pk(Agent (dishonest i))));
init_6: iknows(pk(Agent (dishonest i)));
init_7: iknows(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))));
init_8: iknows((SID sid));
init_9: iknows(Agent (honest a));
init_10: State (rB,[Agent (honest a),Step 0,pk(Agent (honest a)),(SID sid)]);
init_11: iknows(pk(Agent (honest a)));
section fixedpoint:
fp_0: iknows(pair(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))))));
fp_1: iknows(pair(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_2: iknows(pair(Agent (dishonest i),pk(Agent (dishonest i))));
fp_3: witness(Agent (honest a),Agent (dishonest i),Purpose (purposeText1),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))));
fp_4: State (rA,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),pk(Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),Agent (dishonest i),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_5: witness(Agent (honest a),Agent (honest a),Purpose (purposeText1),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))));
fp_6: State (rA,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),pk(Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_7: request(Agent (honest a),Agent (dishonest i),Purpose (purposeText1),Nonce (ni),(SID sid));
fp_8: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (ni),Nonce (ni),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (ni),pair(Agent (honest a),Nonce (ni)))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (ni),pair(Agent (honest a),Nonce (ni))))),(SID sid)]);
fp_9: iknows(crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a))))))));
fp_10: iknows(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))));
fp_11: iknows(crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i))))))));
fp_12: iknows(pair(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))))));
fp_13: iknows(pair(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_14: iknows(pair(Agent (dishonest i),pk(Agent (dishonest i))));
fp_15: iknows(pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i))))));
fp_16: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))));
fp_17: iknows(pair(Agent (honest a),pk(Agent (honest a))));
fp_18: iknows(pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a))))));
fp_19: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))));
fp_20: request(Agent (honest a),Agent (honest a),Purpose (purposeText1),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),(SID sid));
fp_21: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a))))))),pk(Agent (honest a)),Agent (honest a),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_22: iknows(Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))));
fp_23: iknows(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))));
fp_24: iknows(Nonce (absText1(pair(Agent (honest a),Agent (honest a)))));
fp_25: iknows(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))));
fp_26: iknows(pair(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))))));
fp_27: iknows(pair(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_28: iknows(pair(Agent (dishonest i),pk(Agent (dishonest i))));
fp_29: iknows(pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i))))));
fp_30: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))));
fp_31: iknows(pair(Agent (honest a),pk(Agent (honest a))));
fp_32: iknows(pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a))))));
fp_33: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))));
fp_34: request(Agent (honest a),Agent (dishonest i),Purpose (purposeText1),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),(SID sid));
fp_35: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_36: request(Agent (honest a),Agent (dishonest i),Purpose (purposeText1),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),(SID sid));
fp_37: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_38: request(Agent (honest a),Agent (dishonest i),Purpose (purposeText1),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),(SID sid));
fp_39: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_40: request(Agent (honest a),Agent (dishonest i),Purpose (purposeText1),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),(SID sid));
fp_41: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_42: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (ni),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (ni)))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (ni))))),(SID sid)]);
fp_43: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_44: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_45: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_46: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_47: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (ni),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (ni)))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (ni))))),(SID sid)]);
fp_48: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_49: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_50: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_51: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_52: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (ni),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (ni)))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (ni))))),(SID sid)]);
fp_53: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_54: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_55: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_56: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_57: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (ni),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (ni)))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (ni))))),(SID sid)]);
fp_58: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))),Nonce (ni),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (ni),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (ni),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_59: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Nonce (ni),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (ni),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (ni),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_60: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))),Nonce (ni),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (ni),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (ni),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_61: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Nonce (ni),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (ni),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a))))))),pk(Agent (dishonest i)),Agent (dishonest i),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),crypt(inv(pk(Agent (dishonest i))),pair(Nonce (ni),pair(Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_62: iknows(pair(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))))));
fp_63: iknows(pair(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),crypt(inv(pk(Agent (honest a))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_64: iknows(pair(Agent (dishonest i),pk(Agent (dishonest i))));
fp_65: iknows(pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i))))));
fp_66: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText1(pair(Agent (honest a),Agent (dishonest i)))))));
fp_67: iknows(pair(Agent (honest a),pk(Agent (honest a))));
fp_68: iknows(pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a))))));
fp_69: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText1(pair(Agent (honest a),Agent (honest a)))))));
section abstraction:
NA->Nonce (absNA(pair(A,B)));
Text1->Nonce (absText1(pair(A,B)))

View File

@ -0,0 +1,15 @@
Protocol: ISO_twopass_symm # Verified & Certified
Types: Agent A,B;
Number NB,Text1,Text2,Text3;
Function sk
Knowledge: A: A,B,sk(A,B);
B: B,A,sk(A,B)
Actions:
B->A: NB
A->B: {|NB,B,Text2|}sk(A,B)
Goals:
A *-> B: Text2

View File

@ -0,0 +1,154 @@
Backend: Open-Source Fixedpoint Model-Checker version 2009c
Protocol: ISO_twopass_symm
Types:
[(Purpose,["purposeText2"]),(Agent False False,["A","B"]),(Number,["NB","Text1","Text2","Text3"]),(Function,["sk"])]
section rules:
step rule_0:
iknows(crypt(K,M));
iknows(inv(K))
=>
iknows(M)
step rule_1:
iknows(crypt(inv(K),M));
iknows(K)
=>
iknows(M)
step rule_2:
iknows(scrypt(K,M));
iknows(K)
=>
iknows(M)
step rule_3:
iknows(pair(M1,M2))
=>
iknows(M1);
iknows(M2)
step rule_4:
secret(M,Agent (honest a));
iknows(M)
=>
attack(pair(secrecy,M))
step rule_5:
request(A,B,Purpose (purposeNB),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (absNB(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_6:
request(A,B,Purpose (purposeText2),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (absText2(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_7:
State (rB,[Agent (B),Step 0,SymKey (sk(pair(Agent (A),Agent (B)))),Agent (A),(SID sid)])
=>
State (rB,[Agent (B),Step 1,SymKey (sk(pair(Agent (A),Agent (B)))),Agent (A),Nonce (absNB(pair(Agent (B),Agent (A)))),(SID sid)]);
iknows(Nonce (absNB(pair(Agent (B),Agent (A)))))
step rule_8:
State (rA,[Agent (A),Step 0,SymKey (sk(pair(Agent (A),Agent (B)))),Agent (B),(SID sid)]);
iknows(Nonce (NB))
=>
witness(Agent (A),Agent (B),Purpose (purposeText2),Nonce (absText2(pair(Agent (A),Agent (B)))));
State (rA,[Agent (A),Step 1,SymKey (sk(pair(Agent (A),Agent (B)))),Agent (B),Nonce (NB),Nonce (absText2(pair(Agent (A),Agent (B)))),scrypt(SymKey (sk(pair(Agent (A),Agent (B)))),pair(Nonce (NB),pair(Agent (B),Nonce (absText2(pair(Agent (A),Agent (B))))))),(SID sid)]);
iknows(scrypt(SymKey (sk(pair(Agent (A),Agent (B)))),pair(Nonce (NB),pair(Agent (B),Nonce (absText2(pair(Agent (A),Agent (B))))))))
step rule_9:
State (rB,[Agent (B),Step 1,SymKey (sk(pair(Agent (A),Agent (B)))),Agent (A),Nonce (NB),(SID sid)]);
iknows(scrypt(SymKey (sk(pair(Agent (A),Agent (B)))),pair(Nonce (NB),pair(Agent (B),Nonce (Text2)))))
=>
request(Agent (B),Agent (A),Purpose (purposeText2),Nonce (Text2),(SID sid));
State (rB,[Agent (B),Step 2,SymKey (sk(pair(Agent (A),Agent (B)))),Agent (A),Nonce (NB),Nonce (Text2),scrypt(SymKey (sk(pair(Agent (A),Agent (B)))),pair(Nonce (NB),pair(Agent (B),Nonce (Text2)))),(SID sid)])
step rule_10:
State (rB,[Agent (B),Step 1,SymKey (sk(pair(Agent (A),Agent (B)))),Agent (A),Nonce (NB),(SID sid)]);
iknows(SymKey (sk(pair(Agent (A),Agent (B)))));
iknows(Nonce (NB));
iknows(Agent (B));
iknows(Nonce (Text2))
=>
request(Agent (B),Agent (A),Purpose (purposeText2),Nonce (Text2),(SID sid));
State (rB,[Agent (B),Step 2,SymKey (sk(pair(Agent (A),Agent (B)))),Agent (A),Nonce (NB),Nonce (Text2),scrypt(SymKey (sk(pair(Agent (A),Agent (B)))),pair(Nonce (NB),pair(Agent (B),Nonce (Text2)))),(SID sid)])
section initial state:
init_0: iknows(Nonce (ni));
init_1: iknows(Agent (dishonest i));
init_2: State (rA,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i),(SID sid)]);
init_3: State (rA,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),(SID sid)]);
init_4: iknows(Step 0);
init_5: iknows(SymKey (sk(pair(Agent (dishonest i),Agent (dishonest i)))));
init_6: iknows((SID sid));
init_7: iknows(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))));
init_8: iknows(Agent (honest a));
init_9: State (rB,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),(SID sid)]);
init_10: State (rB,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),(SID sid)]);
init_11: iknows(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))));
section fixedpoint:
fp_0: State (rB,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),(SID sid)]);
fp_1: State (rB,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),(SID sid)]);
fp_2: witness(Agent (honest a),Agent (dishonest i),Purpose (purposeText2),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))));
fp_3: State (rA,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i),Nonce (ni),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (ni),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_4: witness(Agent (honest a),Agent (honest a),Purpose (purposeText2),Nonce (absText2(pair(Agent (honest a),Agent (honest a)))));
fp_5: State (rA,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Nonce (ni),Nonce (absText2(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (ni),pair(Agent (honest a),Nonce (absText2(pair(Agent (honest a),Agent (honest a))))))),(SID sid)]);
fp_6: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (ni),pair(Agent (honest a),Nonce (absText2(pair(Agent (honest a),Agent (honest a))))))));
fp_7: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (ni),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))))));
fp_8: iknows(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))));
fp_9: iknows(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))));
fp_10: iknows(pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))));
fp_11: iknows(pair(Nonce (ni),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))))));
fp_12: State (rA,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_13: State (rA,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_14: State (rA,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absText2(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText2(pair(Agent (honest a),Agent (honest a))))))),(SID sid)]);
fp_15: State (rA,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Nonce (absText2(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText2(pair(Agent (honest a),Agent (honest a))))))),(SID sid)]);
fp_16: request(Agent (honest a),Agent (dishonest i),Purpose (purposeText2),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),(SID sid));
fp_17: State (rB,[Agent (honest a),Step 2,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_18: request(Agent (honest a),Agent (dishonest i),Purpose (purposeText2),Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),(SID sid));
fp_19: State (rB,[Agent (honest a),Step 2,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (honest a))))))),(SID sid)]);
fp_20: request(Agent (honest a),Agent (dishonest i),Purpose (purposeText2),Nonce (ni),(SID sid));
fp_21: State (rB,[Agent (honest a),Step 2,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (ni),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (ni)))),(SID sid)]);
fp_22: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText2(pair(Agent (honest a),Agent (honest a))))))));
fp_23: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText2(pair(Agent (honest a),Agent (honest a))))))));
fp_24: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))))));
fp_25: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))))));
fp_26: iknows(Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))));
fp_27: iknows(pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))));
fp_28: iknows(pair(Nonce (ni),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))))));
fp_29: iknows(pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))))));
fp_30: iknows(pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))))));
fp_31: State (rA,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_32: State (rA,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absText2(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText2(pair(Agent (honest a),Agent (honest a))))))),(SID sid)]);
fp_33: request(Agent (honest a),Agent (honest a),Purpose (purposeText2),Nonce (absText2(pair(Agent (honest a),Agent (honest a)))),(SID sid));
fp_34: State (rB,[Agent (honest a),Step 2,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),Nonce (absText2(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),Nonce (absText2(pair(Agent (honest a),Agent (honest a))))))),(SID sid)]);
fp_35: request(Agent (honest a),Agent (dishonest i),Purpose (purposeText2),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),(SID sid));
fp_36: State (rB,[Agent (honest a),Step 2,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_37: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),Nonce (absText2(pair(Agent (honest a),Agent (honest a))))))));
fp_38: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))))));
fp_39: iknows(pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i))))));
fp_40: iknows(pair(Nonce (ni),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))))));
fp_41: iknows(pair(Nonce (absNB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))))));
fp_42: iknows(pair(Nonce (absNB(pair(Agent (honest a),Agent (honest a)))),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))))));
fp_43: iknows(pair(Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),Nonce (absText2(pair(Agent (honest a),Agent (dishonest i)))))));
section abstraction:
NB->Nonce (absNB(pair(B,A)));
Text2->Nonce (absText2(pair(A,B)))

View File

@ -0,0 +1,19 @@
Protocol: WideMouthFrog
## Problem with abstract authentication
Types: Agent A,B,s;
Number TA,TS; # actually timestamps
Symmetric_key KAB;
Function sk
Knowledge: A: A,B,sk(A,s);
B: B,A,sk(B,s);
s: A,B,sk(A,s),sk(B,s)
Actions:
A->s: A,{|TA,B,KAB|}sk(A,s)
s->B: {|TS,A,KAB|}sk(B,s)
Goals:
A *->* B: KAB

View File

@ -0,0 +1,209 @@
Backend: Open-Source Fixedpoint Model-Checker version 2009c
Protocol: WideMouthFrog
Types:
[(Purpose,["purposeKAB"]),(Agent False False,["A","B","s"]),(Number,["TA","TS"]),(SymmetricKey,["KAB"]),(Function,["sk"])]
section rules:
step rule_0:
iknows(crypt(K,M));
iknows(inv(K))
=>
iknows(M)
step rule_1:
iknows(crypt(inv(K),M));
iknows(K)
=>
iknows(M)
step rule_2:
iknows(scrypt(K,M));
iknows(K)
=>
iknows(M)
step rule_3:
iknows(pair(M1,M2))
=>
iknows(M1);
iknows(M2)
step rule_4:
secret(M,Agent (honest a));
iknows(M)
=>
attack(pair(secrecy,M))
step rule_5:
request(A,B,Purpose (purposeTA),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (absTA(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_6:
request(A,B,Purpose (purposeKAB),M,(SID sid))
| B/=Agent (dishonest i);
M/=SymKey (absKAB(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_7:
request(A,B,Purpose (purposeTS),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (absTS(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_8:
State (rA,[Agent (A),Step 0,SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),(SID sid)])
=>
secret(SymKey (absKAB(pair(Agent (A),Agent (B)))),Agent (B));
witness(Agent (A),Agent (B),Purpose (purposeKAB),SymKey (absKAB(pair(Agent (A),Agent (B)))));
State (rA,[Agent (A),Step 1,SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),Nonce (absTA(pair(Agent (A),Agent (B)))),SymKey (absKAB(pair(Agent (A),Agent (B)))),pair(Agent (A),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (A),Agent (B)))),pair(Agent (B),SymKey (absKAB(pair(Agent (A),Agent (B)))))))),(SID sid)]);
iknows(pair(Agent (A),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (A),Agent (B)))),pair(Agent (B),SymKey (absKAB(pair(Agent (A),Agent (B)))))))))
step rule_9:
State (rs,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (B),Agent (honest a)))),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),Agent (A),(SID sid)]);
iknows(Agent (A));
iknows(scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Nonce (TA),pair(Agent (B),SymKey (KAB)))))
=>
State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (B),Agent (honest a)))),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),Agent (A),SymKey (KAB),Nonce (TA),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Nonce (TA),pair(Agent (B),SymKey (KAB)))),pair(Agent (A),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Nonce (TA),pair(Agent (B),SymKey (KAB))))),Nonce (absTS(pair(Agent (B),Agent (A)))),scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (B),Agent (A)))),pair(Agent (A),SymKey (KAB)))),(SID sid)]);
iknows(scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (B),Agent (A)))),pair(Agent (A),SymKey (KAB)))))
step rule_10:
State (rs,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (B),Agent (honest a)))),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),Agent (A),(SID sid)]);
iknows(Agent (A));
iknows(SymKey (sk(pair(Agent (A),Agent (honest a)))));
iknows(Nonce (TA));
iknows(Agent (B));
iknows(SymKey (KAB))
=>
State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (B),Agent (honest a)))),SymKey (sk(pair(Agent (A),Agent (honest a)))),Agent (B),Agent (A),SymKey (KAB),Nonce (TA),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Nonce (TA),pair(Agent (B),SymKey (KAB)))),pair(Agent (A),scrypt(SymKey (sk(pair(Agent (A),Agent (honest a)))),pair(Nonce (TA),pair(Agent (B),SymKey (KAB))))),Nonce (absTS(pair(Agent (B),Agent (A)))),scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (B),Agent (A)))),pair(Agent (A),SymKey (KAB)))),(SID sid)]);
iknows(scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (B),Agent (A)))),pair(Agent (A),SymKey (KAB)))))
step rule_11:
State (rB,[Agent (B),Step 0,SymKey (sk(pair(Agent (B),Agent (honest a)))),Agent (A),(SID sid)]);
iknows(scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Nonce (TS),pair(Agent (A),SymKey (KAB)))))
=>
request(Agent (B),Agent (A),Purpose (purposeKAB),SymKey (KAB),(SID sid));
State (rB,[Agent (B),Step 1,SymKey (sk(pair(Agent (B),Agent (honest a)))),Agent (A),SymKey (KAB),Nonce (TS),scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Nonce (TS),pair(Agent (A),SymKey (KAB)))),(SID sid)])
step rule_12:
State (rB,[Agent (B),Step 0,SymKey (sk(pair(Agent (B),Agent (honest a)))),Agent (A),(SID sid)]);
iknows(SymKey (sk(pair(Agent (B),Agent (honest a)))));
iknows(Nonce (TS));
iknows(Agent (A));
iknows(SymKey (KAB))
=>
request(Agent (B),Agent (A),Purpose (purposeKAB),SymKey (KAB),(SID sid));
State (rB,[Agent (B),Step 1,SymKey (sk(pair(Agent (B),Agent (honest a)))),Agent (A),SymKey (KAB),Nonce (TS),scrypt(SymKey (sk(pair(Agent (B),Agent (honest a)))),pair(Nonce (TS),pair(Agent (A),SymKey (KAB)))),(SID sid)])
section initial state:
init_0: iknows(Nonce (ni));
init_1: iknows(Agent (dishonest i));
init_2: State (rA,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),(SID sid)]);
init_3: State (rA,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),(SID sid)]);
init_4: iknows(Step 0);
init_5: iknows(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))));
init_6: iknows((SID sid));
init_7: iknows(Agent (honest a));
init_8: State (rB,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),(SID sid)]);
init_9: State (rB,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),(SID sid)]);
init_10: State (rs,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Agent (dishonest i),(SID sid)]);
init_11: State (rs,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),Agent (honest a),(SID sid)]);
init_12: State (rs,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (honest a),Agent (dishonest i),(SID sid)]);
init_13: State (rs,[Agent (honest a),Step 0,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Agent (honest a),(SID sid)]);
section fixedpoint:
fp_0: iknows(pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))))))));
fp_1: iknows(pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_2: secret(SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i));
fp_3: witness(Agent (honest a),Agent (dishonest i),Purpose (purposeKAB),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))));
fp_4: State (rA,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))),(SID sid)]);
fp_5: secret(SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))),Agent (honest a));
fp_6: witness(Agent (honest a),Agent (honest a),Purpose (purposeKAB),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))));
fp_7: State (rA,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))))))),(SID sid)]);
fp_8: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (ni),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (ni),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (ni),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))))),Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),(SID sid)]);
fp_9: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (honest a),Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (ni),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (ni),pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (ni),pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))))),Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),(SID sid)]);
fp_10: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))));
fp_11: iknows(scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))));
fp_12: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a))))))));
fp_13: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))));
fp_14: iknows(pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))))))));
fp_15: iknows(pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_16: iknows(pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))));
fp_17: iknows(pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))));
fp_18: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))))),Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),(SID sid)]);
fp_19: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))))),Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),(SID sid)]);
fp_20: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))),Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_21: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))),Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a))))))),pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))))))),Nonce (absTS(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a))))))),(SID sid)]);
fp_22: request(Agent (honest a),Agent (dishonest i),Purpose (purposeKAB),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),(SID sid));
fp_23: State (rB,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),(SID sid)]);
fp_24: request(Agent (honest a),Agent (dishonest i),Purpose (purposeKAB),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),(SID sid));
fp_25: State (rB,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_26: request(Agent (honest a),Agent (honest a),Purpose (purposeKAB),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))),(SID sid));
fp_27: State (rB,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))),Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a))))))),(SID sid)]);
fp_28: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a))))))));
fp_29: iknows(scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))));
fp_30: iknows(scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))));
fp_31: iknows(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))));
fp_32: iknows(pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))))))));
fp_33: iknows(pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_34: iknows(pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))));
fp_35: iknows(pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))));
fp_36: iknows(pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))));
fp_37: iknows(pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))));
fp_38: iknows(pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))));
fp_39: iknows(pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))));
fp_40: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (honest a),Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))),Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_41: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (honest a),Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))))),Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),(SID sid)]);
fp_42: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))),Nonce (absTS(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a))))))),pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))))))),Nonce (absTS(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a))))))),(SID sid)]);
fp_43: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (honest a),Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))))),Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),(SID sid)]);
fp_44: State (rB,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))),Nonce (absTS(pair(Agent (honest a),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a))))))),(SID sid)]);
fp_45: iknows(scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))));
fp_46: iknows(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))));
fp_47: iknows(SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))));
fp_48: iknows(pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))))))));
fp_49: iknows(pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_50: iknows(pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))));
fp_51: iknows(pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))));
fp_52: iknows(pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))));
fp_53: iknows(pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))));
fp_54: iknows(pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))));
fp_55: iknows(pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))));
fp_56: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))),Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_57: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))),Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_58: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))))),Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))))),(SID sid)]);
fp_59: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))),Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_60: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (dishonest i),Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (ni),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (ni),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (ni),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))),Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_61: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (honest a),Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))),Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_62: State (rs,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),Agent (honest a),Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (ni),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (ni),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),pair(Agent (dishonest i),scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (ni),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))),Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_63: State (rB,[Agent (honest a),Step 1,SymKey (sk(pair(Agent (honest a),Agent (honest a)))),Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))),Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))),(SID sid)]);
fp_64: iknows(scrypt(SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))),pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))))));
fp_65: iknows(pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (honest a)))))))));
fp_66: iknows(pair(Agent (honest a),scrypt(SymKey (sk(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absTA(pair(Agent (honest a),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))))));
fp_67: iknows(pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))));
fp_68: iknows(pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))));
fp_69: iknows(pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a))))));
fp_70: iknows(pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (sk(pair(Agent (dishonest i),Agent (honest a)))))));
fp_71: iknows(pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))));
fp_72: iknows(pair(Nonce (absTS(pair(Agent (dishonest i),Agent (honest a)))),pair(Agent (honest a),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))));
fp_73: iknows(pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i))))));
fp_74: iknows(pair(Nonce (absTS(pair(Agent (dishonest i),Agent (dishonest i)))),pair(Agent (dishonest i),SymKey (absKAB(pair(Agent (honest a),Agent (dishonest i)))))));
section abstraction:
TA->Nonce (absTA(pair(A,B)));
KAB->SymKey (absKAB(pair(A,B)));
TS->Nonce (absTS(pair(B,A)))

26
examples/AnB/nsl-ks.AnB Normal file
View File

@ -0,0 +1,26 @@
Protocol: NSL
Types: Agent A,B,s;
Number NA,NB;
Function pk
Knowledge: A: A,pk(A),inv(pk(A)),s,pk(s),B;
B: B,pk(B),inv(pk(B)),s,pk(s);
s: s,pk,inv(pk(s))
Actions:
A->s: A,B
s->A: {B,pk(B)}(inv(pk(s)))
A->B: {NA,A}(pk(B))
B->s: B,A
s->B: {A,pk(A)}(inv(pk(s)))
B->A: {NA,NB,B}(pk(A))
A->B: {NB}(pk(B))
Goals:
A *->* B: NA
B *->* A: NB
Abstraction:
NA -> na(A,B);
NB -> nb(B,A,equals(NA,na(A,B)))

401
examples/AnB/nsl-ks.fp Normal file
View File

@ -0,0 +1,401 @@
Backend: Open-Source Fixedpoint Model-Checker version 2009c
Protocol: NSL
Types:
[(Purpose,["purposeNA","purposeNB"]),(Agent False False,["A","B","s"]),(Number,["NA","NB"]),(Function,["pk"])]
section rules:
step rule_0:
iknows(crypt(K,M));
iknows(inv(K))
=>
iknows(M)
step rule_1:
iknows(crypt(inv(K),M));
iknows(K)
=>
iknows(M)
step rule_2:
iknows(scrypt(K,M));
iknows(K)
=>
iknows(M)
step rule_3:
iknows(pair(M1,M2))
=>
iknows(M1);
iknows(M2)
step rule_4:
secret(M,Agent (honest a));
iknows(M)
=>
attack(pair(secrecy,M))
step rule_5:
request(A,B,Purpose (purposeNA),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (na(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_6:
request(A,B,Purpose (purposeNB),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (nb(pair(B,pair(A,Arg1))))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_7:
State (rA,[Agent (A),Step 0,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),(SID sid)])
=>
State (rA,[Agent (A),Step 1,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),(SID sid)]);
iknows(pair(Agent (A),Agent (B)))
step rule_8:
State (rs,[Agent (honest a),Step 0,inv(pk(Agent (honest a))),(SID sid)]);
iknows(Agent (A));
iknows(Agent (B))
=>
State (rs,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (B),Agent (A),pair(Agent (A),Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),(SID sid)]);
iknows(crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))))
step rule_9:
State (rA,[Agent (A),Step 1,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),(SID sid)]);
iknows(crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))))
=>
secret(Nonce (na(pair(Agent (A),Agent (B)))),Agent (B));
witness(Agent (A),Agent (B),Purpose (purposeNA),Nonce (na(pair(Agent (A),Agent (B)))));
State (rA,[Agent (A),Step 2,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),pk(Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),Nonce (na(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))),(SID sid)]);
iknows(crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))))
step rule_10:
State (rA,[Agent (A),Step 1,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),(SID sid)]);
iknows(inv(pk(Agent (honest a))));
iknows(Agent (B));
iknows(pk(Agent (B)))
=>
secret(Nonce (na(pair(Agent (A),Agent (B)))),Agent (B));
witness(Agent (A),Agent (B),Purpose (purposeNA),Nonce (na(pair(Agent (A),Agent (B)))));
State (rA,[Agent (A),Step 2,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),pk(Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),Nonce (na(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))),(SID sid)]);
iknows(crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))))
step rule_11:
State (rA,[Agent (A),Step 1,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),(SID sid)]);
iknows(inv(pk(Agent (honest a))));
iknows(Agent (B))
=>
secret(Nonce (na(pair(Agent (A),Agent (B)))),Agent (B));
witness(Agent (A),Agent (B),Purpose (purposeNA),Nonce (na(pair(Agent (A),Agent (B)))));
State (rA,[Agent (A),Step 2,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),pk(Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),Nonce (na(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))),(SID sid)]);
iknows(crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))))
step rule_12:
State (rB,[Agent (B),Step 0,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),(SID sid)]);
iknows(crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))))
=>
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),(SID sid)]);
iknows(pair(Agent (B),Agent (A)))
step rule_13:
State (rB,[Agent (B),Step 0,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),(SID sid)]);
iknows(pk(Agent (B)));
iknows(Nonce (NA));
iknows(Agent (A))
=>
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),(SID sid)]);
iknows(pair(Agent (B),Agent (A)))
step rule_14:
State (rB,[Agent (B),Step 0,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),(SID sid)]);
iknows(Agent (B));
iknows(Nonce (NA));
iknows(Agent (A))
=>
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),(SID sid)]);
iknows(pair(Agent (B),Agent (A)))
step rule_15:
State (rs,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (B),Agent (A),pair(Agent (A),Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),(SID sid)]);
iknows(Agent (B));
iknows(Agent (A))
=>
State (rs,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),Agent (B),Agent (A),pair(Agent (A),Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),pair(Agent (B),Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),(SID sid)]);
iknows(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))))
step rule_16:
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (na(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))),pair(Agent (B),Agent (A)),(SID sid)]);
iknows(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))))
=>
secret(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))));
State (rB,[Agent (B),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (na(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),crypt(pk(Agent (A)),pair(Nonce (na(pair(Agent (A),Agent (B)))),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (na(pair(Agent (A),Agent (B)))),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))))
step rule_17:
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (na(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))),pair(Agent (B),Agent (A)),(SID sid)]);
iknows(inv(pk(Agent (honest a))));
iknows(Agent (A));
iknows(pk(Agent (A)))
=>
secret(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))));
State (rB,[Agent (B),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (na(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),crypt(pk(Agent (A)),pair(Nonce (na(pair(Agent (A),Agent (B)))),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (na(pair(Agent (A),Agent (B)))),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))))
step rule_18:
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (na(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))),pair(Agent (B),Agent (A)),(SID sid)]);
iknows(inv(pk(Agent (honest a))));
iknows(Agent (A))
=>
secret(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))));
State (rB,[Agent (B),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (na(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (na(pair(Agent (A),Agent (B)))),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),crypt(pk(Agent (A)),pair(Nonce (na(pair(Agent (A),Agent (B)))),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (na(pair(Agent (A),Agent (B)))),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))))
step rule_19:
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),(SID sid)]);
iknows(crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))))
| Nonce (NA)/=Nonce (na(pair(Agent (A),Agent (B))))
=>
secret(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))));
State (rB,[Agent (B),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))))
step rule_20:
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),(SID sid)]);
iknows(inv(pk(Agent (honest a))));
iknows(Agent (A));
iknows(pk(Agent (A)))
| Nonce (NA)/=Nonce (na(pair(Agent (A),Agent (B))))
=>
secret(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))));
State (rB,[Agent (B),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))))
step rule_21:
State (rB,[Agent (B),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),(SID sid)]);
iknows(inv(pk(Agent (honest a))));
iknows(Agent (A))
| Nonce (NA)/=Nonce (na(pair(Agent (A),Agent (B))))
=>
secret(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))));
State (rB,[Agent (B),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (nb(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))))
step rule_22:
State (rA,[Agent (A),Step 2,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),pk(Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))))
=>
request(Agent (A),Agent (B),Purpose (purposeNB),Nonce (NB),(SID sid));
State (rA,[Agent (A),Step 3,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),pk(Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)]);
iknows(crypt(pk(Agent (B)),Nonce (NB)))
step rule_23:
State (rA,[Agent (A),Step 2,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),pk(Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),(SID sid)]);
iknows(pk(Agent (A)));
iknows(Nonce (NA));
iknows(Nonce (NB));
iknows(Agent (B))
=>
request(Agent (A),Agent (B),Purpose (purposeNB),Nonce (NB),(SID sid));
State (rA,[Agent (A),Step 3,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),pk(Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)]);
iknows(crypt(pk(Agent (B)),Nonce (NB)))
step rule_24:
State (rA,[Agent (A),Step 2,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),pk(Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),(SID sid)]);
iknows(Agent (A));
iknows(Nonce (NA));
iknows(Nonce (NB));
iknows(Agent (B))
=>
request(Agent (A),Agent (B),Purpose (purposeNB),Nonce (NB),(SID sid));
State (rA,[Agent (A),Step 3,Agent (B),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (A))),pk(Agent (A)),pair(Agent (A),Agent (B)),pk(Agent (B)),crypt(inv(pk(Agent (honest a))),pair(Agent (B),pk(Agent (B)))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)]);
iknows(crypt(pk(Agent (B)),Nonce (NB)))
step rule_25:
State (rB,[Agent (B),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (B)),Nonce (NB)))
=>
request(Agent (B),Agent (A),Purpose (purposeNA),Nonce (NA),(SID sid));
State (rB,[Agent (B),Step 3,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)])
step rule_26:
State (rB,[Agent (B),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),(SID sid)]);
iknows(pk(Agent (B)));
iknows(Nonce (NB))
=>
request(Agent (B),Agent (A),Purpose (purposeNA),Nonce (NA),(SID sid));
State (rB,[Agent (B),Step 3,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)])
step rule_27:
State (rB,[Agent (B),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),(SID sid)]);
iknows(Agent (B));
iknows(Nonce (NB))
=>
request(Agent (B),Agent (A),Purpose (purposeNA),Nonce (NA),(SID sid));
State (rB,[Agent (B),Step 3,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (B))),pk(Agent (B)),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),pair(Agent (B),Agent (A)),pk(Agent (A)),crypt(inv(pk(Agent (honest a))),pair(Agent (A),pk(Agent (A)))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)])
section initial state:
init_0: iknows(Nonce (ni));
init_1: iknows(Agent (dishonest i));
init_2: State (rA,[Agent (honest a),Step 0,Agent (dishonest i),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),(SID sid)]);
init_3: State (rA,[Agent (honest a),Step 0,Agent (honest a),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),(SID sid)]);
init_4: iknows(Step 0);
init_5: iknows(pk(Agent (honest a)));
init_6: iknows(Agent (honest a));
init_7: iknows(inv(pk(Agent (dishonest i))));
init_8: iknows(pk(Agent (dishonest i)));
init_9: iknows((SID sid));
init_10: iknows(Agent (honest a));
init_11: State (rB,[Agent (honest a),Step 0,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),(SID sid)]);
init_12: State (rs,[Agent (honest a),Step 0,inv(pk(Agent (honest a))),(SID sid)]);
section fixedpoint:
fp_0: iknows(pair(Agent (honest a),Agent (honest a)));
fp_1: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_2: State (rA,[Agent (honest a),Step 1,Agent (dishonest i),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),pair(Agent (honest a),Agent (dishonest i)),(SID sid)]);
fp_3: State (rA,[Agent (honest a),Step 1,Agent (honest a),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),pair(Agent (honest a),Agent (honest a)),(SID sid)]);
fp_4: State (rs,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (dishonest i),Agent (dishonest i),pair(Agent (dishonest i),Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),(SID sid)]);
fp_5: State (rs,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (honest a),Agent (dishonest i),pair(Agent (dishonest i),Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),(SID sid)]);
fp_6: State (rs,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (dishonest i),Agent (honest a),pair(Agent (honest a),Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),(SID sid)]);
fp_7: State (rs,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (honest a),Agent (honest a),pair(Agent (honest a),Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),(SID sid)]);
fp_8: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (dishonest i),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (dishonest i))),pair(Agent (honest a),Agent (dishonest i)),(SID sid)]);
fp_9: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (honest a),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (honest a))),pair(Agent (honest a),Agent (honest a)),(SID sid)]);
fp_10: iknows(crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))));
fp_11: iknows(crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))));
fp_12: iknows(pair(Agent (honest a),Agent (honest a)));
fp_13: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_14: iknows(pair(Agent (dishonest i),pk(Agent (dishonest i))));
fp_15: iknows(pair(Agent (honest a),pk(Agent (honest a))));
fp_16: secret(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i));
fp_17: witness(Agent (honest a),Agent (dishonest i),Purpose (purposeNA),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))));
fp_18: State (rA,[Agent (honest a),Step 2,Agent (dishonest i),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),pair(Agent (honest a),Agent (dishonest i)),pk(Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),(SID sid)]);
fp_19: secret(Nonce (na(pair(Agent (honest a),Agent (honest a)))),Agent (honest a));
fp_20: witness(Agent (honest a),Agent (honest a),Purpose (purposeNA),Nonce (na(pair(Agent (honest a),Agent (honest a)))));
fp_21: State (rA,[Agent (honest a),Step 2,Agent (honest a),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),pair(Agent (honest a),Agent (honest a)),pk(Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),Nonce (na(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),(SID sid)]);
fp_22: State (rs,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),Agent (dishonest i),Agent (dishonest i),pair(Agent (dishonest i),Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(Agent (dishonest i),Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),(SID sid)]);
fp_23: State (rs,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),Agent (honest a),Agent (dishonest i),pair(Agent (dishonest i),Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),pair(Agent (honest a),Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),(SID sid)]);
fp_24: State (rs,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),Agent (dishonest i),Agent (honest a),pair(Agent (honest a),Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),pair(Agent (dishonest i),Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),(SID sid)]);
fp_25: State (rs,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),Agent (honest a),Agent (honest a),pair(Agent (honest a),Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),pair(Agent (honest a),Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),(SID sid)]);
fp_26: secret(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (dishonest i));
fp_27: witness(Agent (honest a),Agent (dishonest i),Purpose (purposeNB),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))));
fp_28: State (rB,[Agent (honest a),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (dishonest i),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (dishonest i))),pair(Agent (honest a),Agent (dishonest i)),pk(Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (ni),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_29: secret(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a));
fp_30: witness(Agent (honest a),Agent (honest a),Purpose (purposeNB),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 0)))));
fp_31: State (rB,[Agent (honest a),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (honest a),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (honest a))),pair(Agent (honest a),Agent (honest a)),pk(Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (ni),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_32: iknows(crypt(pk(Agent (honest a)),pair(Nonce (ni),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))));
fp_33: iknows(crypt(pk(Agent (dishonest i)),pair(Nonce (ni),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))));
fp_34: iknows(crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))));
fp_35: iknows(crypt(pk(Agent (dishonest i)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))));
fp_36: iknows(pair(Agent (honest a),Agent (honest a)));
fp_37: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_38: iknows(pair(Agent (dishonest i),pk(Agent (dishonest i))));
fp_39: iknows(pair(Agent (honest a),pk(Agent (honest a))));
fp_40: iknows(pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_41: iknows(pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)));
fp_42: iknows(pair(Nonce (ni),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_43: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (honest a),Nonce (na(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),pair(Agent (honest a),Agent (honest a)),(SID sid)]);
fp_44: iknows(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))));
fp_45: iknows(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))));
fp_46: iknows(pair(Agent (honest a),Agent (honest a)));
fp_47: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_48: iknows(pair(Agent (dishonest i),pk(Agent (dishonest i))));
fp_49: iknows(pair(Agent (honest a),pk(Agent (honest a))));
fp_50: iknows(pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_51: iknows(pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)));
fp_52: iknows(pair(Nonce (ni),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_53: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (dishonest i),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i))),pair(Agent (honest a),Agent (dishonest i)),(SID sid)]);
fp_54: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (honest a),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),pair(Agent (honest a),Agent (honest a)),(SID sid)]);
fp_55: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (dishonest i),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (dishonest i))),pair(Agent (honest a),Agent (dishonest i)),(SID sid)]);
fp_56: State (rB,[Agent (honest a),Step 1,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (honest a),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))),pair(Agent (honest a),Agent (honest a)),(SID sid)]);
fp_57: secret(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),Agent (honest a));
fp_58: witness(Agent (honest a),Agent (honest a),Purpose (purposeNB),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1)))));
fp_59: State (rB,[Agent (honest a),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (honest a),Nonce (na(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),pair(Agent (honest a),Agent (honest a)),pk(Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),Agent (honest a)))),(SID sid)]);
fp_60: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNB),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),(SID sid));
fp_61: State (rA,[Agent (honest a),Step 3,Agent (dishonest i),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),pair(Agent (honest a),Agent (dishonest i)),pk(Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),Nonce (na(pair(Agent (honest a),Agent (dishonest i))))),(SID sid)]);
fp_62: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNB),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),(SID sid));
fp_63: State (rA,[Agent (honest a),Step 3,Agent (dishonest i),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),pair(Agent (honest a),Agent (dishonest i)),pk(Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0))))),(SID sid)]);
fp_64: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNB),Nonce (ni),(SID sid));
fp_65: State (rA,[Agent (honest a),Step 3,Agent (dishonest i),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),pair(Agent (honest a),Agent (dishonest i)),pk(Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (ni),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),Nonce (ni)),(SID sid)]);
fp_66: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNA),Nonce (ni),(SID sid));
fp_67: State (rB,[Agent (honest a),Step 3,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (dishonest i),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (dishonest i))),pair(Agent (honest a),Agent (dishonest i)),pk(Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (ni),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),crypt(pk(Agent (honest a)),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0))))),(SID sid)]);
fp_68: iknows(crypt(pk(Agent (dishonest i)),Nonce (ni)));
fp_69: iknows(crypt(pk(Agent (dishonest i)),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0))))));
fp_70: iknows(crypt(pk(Agent (dishonest i)),Nonce (na(pair(Agent (honest a),Agent (dishonest i))))));
fp_71: iknows(crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),Agent (honest a)))));
fp_72: iknows(pair(Agent (honest a),Agent (honest a)));
fp_73: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_74: iknows(pair(Agent (dishonest i),pk(Agent (dishonest i))));
fp_75: iknows(pair(Agent (honest a),pk(Agent (honest a))));
fp_76: iknows(pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_77: iknows(pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)));
fp_78: iknows(pair(Nonce (ni),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_79: State (rB,[Agent (honest a),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (dishonest i),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i))),pair(Agent (honest a),Agent (dishonest i)),pk(Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_80: State (rB,[Agent (honest a),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (honest a),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),pair(Agent (honest a),Agent (honest a)),pk(Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_81: State (rB,[Agent (honest a),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (dishonest i),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (dishonest i))),pair(Agent (honest a),Agent (dishonest i)),pk(Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_82: State (rB,[Agent (honest a),Step 2,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (honest a),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))),pair(Agent (honest a),Agent (honest a)),pk(Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_83: request(Agent (honest a),Agent (honest a),Purpose (purposeNB),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),(SID sid));
fp_84: State (rA,[Agent (honest a),Step 3,Agent (honest a),pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),pair(Agent (honest a),Agent (honest a)),pk(Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),Nonce (na(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),Agent (honest a)))),crypt(pk(Agent (honest a)),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1))))),(SID sid)]);
fp_85: iknows(crypt(pk(Agent (honest a)),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1))))));
fp_86: iknows(crypt(pk(Agent (honest a)),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))));
fp_87: iknows(crypt(pk(Agent (dishonest i)),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))));
fp_88: iknows(crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))));
fp_89: iknows(crypt(pk(Agent (dishonest i)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))));
fp_90: iknows(pair(Agent (honest a),Agent (honest a)));
fp_91: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_92: iknows(pair(Agent (dishonest i),pk(Agent (dishonest i))));
fp_93: iknows(pair(Agent (honest a),pk(Agent (honest a))));
fp_94: iknows(pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_95: iknows(pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)));
fp_96: iknows(pair(Nonce (ni),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_97: iknows(pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_98: iknows(pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_99: request(Agent (honest a),Agent (honest a),Purpose (purposeNA),Nonce (na(pair(Agent (honest a),Agent (honest a)))),(SID sid));
fp_100: State (rB,[Agent (honest a),Step 3,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (honest a),Nonce (na(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),pair(Agent (honest a),Agent (honest a)),pk(Agent (honest a)),crypt(inv(pk(Agent (honest a))),pair(Agent (honest a),pk(Agent (honest a)))),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),Agent (honest a)))),crypt(pk(Agent (honest a)),Nonce (nb(pair(Agent (honest a),pair(Agent (honest a),Step 1))))),(SID sid)]);
fp_101: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNA),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),(SID sid));
fp_102: State (rB,[Agent (honest a),Step 3,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (dishonest i),Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i))),pair(Agent (honest a),Agent (dishonest i)),pk(Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),crypt(pk(Agent (honest a)),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0))))),(SID sid)]);
fp_103: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNA),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),(SID sid));
fp_104: State (rB,[Agent (honest a),Step 3,pk(Agent (honest a)),Agent (honest a),inv(pk(Agent (honest a))),pk(Agent (honest a)),Agent (dishonest i),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (dishonest i))),pair(Agent (honest a),Agent (dishonest i)),pk(Agent (dishonest i)),crypt(inv(pk(Agent (honest a))),pair(Agent (dishonest i),pk(Agent (dishonest i)))),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),crypt(pk(Agent (honest a)),Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0))))),(SID sid)]);
fp_105: iknows(pair(Agent (honest a),Agent (honest a)));
fp_106: iknows(pair(Agent (honest a),Agent (dishonest i)));
fp_107: iknows(pair(Agent (dishonest i),pk(Agent (dishonest i))));
fp_108: iknows(pair(Agent (honest a),pk(Agent (honest a))));
fp_109: iknows(pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_110: iknows(pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)));
fp_111: iknows(pair(Nonce (ni),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_112: iknows(pair(Nonce (na(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_113: iknows(pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (nb(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
section abstraction:
NA->Nonce (na(pair(A,B)));
NB->Nonce (nb(pair(B,pair(A,equals(pair(NA,Nonce (na(pair(A,B)))))))))

18
examples/AnB/nsl.AnB Normal file
View File

@ -0,0 +1,18 @@
Protocol: NSL # Verified
Types: Agent A,B;
Number NA,NB;
Function pk
Knowledge: A: A,pk,inv(pk(A)),B;
B: B,pk,inv(pk(B))
Actions:
A->B: {NA,A}(pk(B))
B->A: {NA,NB,B}(pk(A))
A->B: {NB}(pk(B))
Goals:
A *->* B: NA
B *->* A: NB

275
examples/AnB/nsl.fp Normal file
View File

@ -0,0 +1,275 @@
Backend: Open-Source Fixedpoint Model-Checker version 2009c
(**** REFINING ABSTRACTION: ["NA","NB"] *****)
Protocol: NSL
Types:
[(Purpose,["purposeNA","purposeNB"]),(Agent False False,["A","B"]),(Number,["NA","NB"]),(Function,["pk"])]
section rules:
step rule_0:
iknows(crypt(K,M));
iknows(inv(K))
=>
iknows(M)
step rule_1:
iknows(crypt(inv(K),M));
iknows(K)
=>
iknows(M)
step rule_2:
iknows(scrypt(K,M));
iknows(K)
=>
iknows(M)
step rule_3:
iknows(pair(M1,M2))
=>
iknows(M1);
iknows(M2)
step rule_4:
secret(M,Agent (honest a));
iknows(M)
=>
attack(pair(secrecy,M))
step rule_5:
request(A,B,Purpose (purposeNA),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (absNA(pair(B,A)))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_6:
request(A,B,Purpose (purposeNB),M,(SID sid))
| B/=Agent (dishonest i);
M/=Nonce (absNB(pair(B,pair(A,Arg1))))
=>
attack(pair(authentication,pair(A,pair(B,M))))
step rule_7:
State (rA,[Agent (A),Step 0,Agent (B),inv(pk(Agent (A))),(SID sid)])
=>
secret(Nonce (absNA(pair(Agent (A),Agent (B)))),Agent (B));
witness(Agent (A),Agent (B),Purpose (purposeNA),Nonce (absNA(pair(Agent (A),Agent (B)))));
State (rA,[Agent (A),Step 1,Agent (B),inv(pk(Agent (A))),Nonce (absNA(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),Agent (A))),(SID sid)]);
iknows(crypt(pk(Agent (B)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),Agent (A))))
step rule_8:
State (rB,[Agent (B),Step 0,inv(pk(Agent (B))),(SID sid)]);
iknows(crypt(pk(Agent (B)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),Agent (A))))
=>
secret(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))));
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),Agent (A),Nonce (absNA(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),Agent (A))),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),crypt(pk(Agent (A)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))))
step rule_9:
State (rB,[Agent (B),Step 0,inv(pk(Agent (B))),(SID sid)]);
iknows(pk(Agent (B)));
iknows(Nonce (absNA(pair(Agent (A),Agent (B)))));
iknows(Agent (A))
=>
secret(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))));
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),Agent (A),Nonce (absNA(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),Agent (A))),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),crypt(pk(Agent (A)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))))
step rule_10:
State (rB,[Agent (B),Step 0,inv(pk(Agent (B))),(SID sid)]);
iknows(Agent (B));
iknows(Nonce (absNA(pair(Agent (A),Agent (B)))));
iknows(Agent (A))
=>
secret(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))));
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),Agent (A),Nonce (absNA(pair(Agent (A),Agent (B)))),crypt(pk(Agent (B)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),Agent (A))),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),crypt(pk(Agent (A)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (absNA(pair(Agent (A),Agent (B)))),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 1)))),Agent (B)))))
step rule_11:
State (rB,[Agent (B),Step 0,inv(pk(Agent (B))),(SID sid)]);
iknows(crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))))
| Nonce (NA)/=Nonce (absNA(pair(Agent (A),Agent (B))))
=>
secret(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))));
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))))
step rule_12:
State (rB,[Agent (B),Step 0,inv(pk(Agent (B))),(SID sid)]);
iknows(pk(Agent (B)));
iknows(Nonce (NA));
iknows(Agent (A))
| Nonce (NA)/=Nonce (absNA(pair(Agent (A),Agent (B))))
=>
secret(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))));
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))))
step rule_13:
State (rB,[Agent (B),Step 0,inv(pk(Agent (B))),(SID sid)]);
iknows(Agent (B));
iknows(Nonce (NA));
iknows(Agent (A))
| Nonce (NA)/=Nonce (absNA(pair(Agent (A),Agent (B))))
=>
secret(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (A));
witness(Agent (B),Agent (A),Purpose (purposeNB),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))));
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (absNB(pair(Agent (B),pair(Agent (A),Step 0)))),Agent (B)))))
step rule_14:
State (rA,[Agent (A),Step 1,Agent (B),inv(pk(Agent (A))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),(SID sid)]);
iknows(crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))))
=>
request(Agent (A),Agent (B),Purpose (purposeNB),Nonce (NB),(SID sid));
State (rA,[Agent (A),Step 2,Agent (B),inv(pk(Agent (A))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)]);
iknows(crypt(pk(Agent (B)),Nonce (NB)))
step rule_15:
State (rA,[Agent (A),Step 1,Agent (B),inv(pk(Agent (A))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),(SID sid)]);
iknows(pk(Agent (A)));
iknows(Nonce (NA));
iknows(Nonce (NB));
iknows(Agent (B))
=>
request(Agent (A),Agent (B),Purpose (purposeNB),Nonce (NB),(SID sid));
State (rA,[Agent (A),Step 2,Agent (B),inv(pk(Agent (A))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)]);
iknows(crypt(pk(Agent (B)),Nonce (NB)))
step rule_16:
State (rA,[Agent (A),Step 1,Agent (B),inv(pk(Agent (A))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),(SID sid)]);
iknows(Agent (A));
iknows(Nonce (NA));
iknows(Nonce (NB));
iknows(Agent (B))
=>
request(Agent (A),Agent (B),Purpose (purposeNB),Nonce (NB),(SID sid));
State (rA,[Agent (A),Step 2,Agent (B),inv(pk(Agent (A))),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)]);
iknows(crypt(pk(Agent (B)),Nonce (NB)))
step rule_17:
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),(SID sid)]);
iknows(crypt(pk(Agent (B)),Nonce (NB)))
=>
request(Agent (B),Agent (A),Purpose (purposeNA),Nonce (NA),(SID sid));
State (rB,[Agent (B),Step 2,inv(pk(Agent (B))),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)])
step rule_18:
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),(SID sid)]);
iknows(pk(Agent (B)));
iknows(Nonce (NB))
=>
request(Agent (B),Agent (A),Purpose (purposeNA),Nonce (NA),(SID sid));
State (rB,[Agent (B),Step 2,inv(pk(Agent (B))),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)])
step rule_19:
State (rB,[Agent (B),Step 1,inv(pk(Agent (B))),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),(SID sid)]);
iknows(Agent (B));
iknows(Nonce (NB))
=>
request(Agent (B),Agent (A),Purpose (purposeNA),Nonce (NA),(SID sid));
State (rB,[Agent (B),Step 2,inv(pk(Agent (B))),Agent (A),Nonce (NA),crypt(pk(Agent (B)),pair(Nonce (NA),Agent (A))),Nonce (NB),crypt(pk(Agent (A)),pair(Nonce (NA),pair(Nonce (NB),Agent (B)))),crypt(pk(Agent (B)),Nonce (NB)),(SID sid)])
section initial state:
init_0: iknows(Nonce (ni));
init_1: iknows(Agent (dishonest i));
init_2: State (rA,[Agent (honest a),Step 0,Agent (dishonest i),inv(pk(Agent (honest a))),(SID sid)]);
init_3: State (rA,[Agent (honest a),Step 0,Agent (honest a),inv(pk(Agent (honest a))),(SID sid)]);
init_4: iknows(Step 0);
init_5: iknows(inv(pk(Agent (dishonest i))));
init_6: iknows((SID sid));
init_7: iknows(Agent (honest a));
init_8: State (rB,[Agent (honest a),Step 0,inv(pk(Agent (honest a))),(SID sid)]);
section fixedpoint:
fp_0: secret(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i));
fp_1: witness(Agent (honest a),Agent (dishonest i),Purpose (purposeNA),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))));
fp_2: State (rA,[Agent (honest a),Step 1,Agent (dishonest i),inv(pk(Agent (honest a))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),(SID sid)]);
fp_3: secret(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Agent (honest a));
fp_4: witness(Agent (honest a),Agent (honest a),Purpose (purposeNA),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))));
fp_5: State (rA,[Agent (honest a),Step 1,Agent (honest a),inv(pk(Agent (honest a))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),(SID sid)]);
fp_6: secret(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (dishonest i));
fp_7: witness(Agent (honest a),Agent (dishonest i),Purpose (purposeNB),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))));
fp_8: State (rB,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (dishonest i),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (dishonest i))),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (ni),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_9: secret(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a));
fp_10: witness(Agent (honest a),Agent (honest a),Purpose (purposeNB),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 0)))));
fp_11: State (rB,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (honest a),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (honest a))),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (ni),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_12: iknows(crypt(pk(Agent (honest a)),pair(Nonce (ni),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))));
fp_13: iknows(crypt(pk(Agent (dishonest i)),pair(Nonce (ni),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))));
fp_14: iknows(crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))));
fp_15: iknows(crypt(pk(Agent (dishonest i)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))));
fp_16: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_17: iknows(pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)));
fp_18: iknows(pair(Nonce (ni),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_19: secret(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),Agent (honest a));
fp_20: witness(Agent (honest a),Agent (honest a),Purpose (purposeNB),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1)))));
fp_21: State (rB,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),Agent (honest a)))),(SID sid)]);
fp_22: iknows(crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),Agent (honest a)))));
fp_23: iknows(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))));
fp_24: iknows(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))));
fp_25: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_26: iknows(pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)));
fp_27: iknows(pair(Nonce (ni),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_28: State (rB,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (dishonest i),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i))),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_29: State (rB,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_30: State (rB,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (dishonest i))),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_31: State (rB,[Agent (honest a),Step 1,inv(pk(Agent (honest a))),Agent (honest a),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))),(SID sid)]);
fp_32: request(Agent (honest a),Agent (honest a),Purpose (purposeNB),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),(SID sid));
fp_33: State (rA,[Agent (honest a),Step 2,Agent (honest a),inv(pk(Agent (honest a))),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),Agent (honest a)))),crypt(pk(Agent (honest a)),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1))))),(SID sid)]);
fp_34: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNB),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),(SID sid));
fp_35: State (rA,[Agent (honest a),Step 2,Agent (dishonest i),inv(pk(Agent (honest a))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))),(SID sid)]);
fp_36: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNB),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),(SID sid));
fp_37: State (rA,[Agent (honest a),Step 2,Agent (dishonest i),inv(pk(Agent (honest a))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0))))),(SID sid)]);
fp_38: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNB),Nonce (ni),(SID sid));
fp_39: State (rA,[Agent (honest a),Step 2,Agent (dishonest i),inv(pk(Agent (honest a))),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a))),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (ni),Agent (dishonest i)))),crypt(pk(Agent (dishonest i)),Nonce (ni)),(SID sid)]);
fp_40: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNA),Nonce (ni),(SID sid));
fp_41: State (rB,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),Agent (dishonest i),Nonce (ni),crypt(pk(Agent (honest a)),pair(Nonce (ni),Agent (dishonest i))),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (ni),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),crypt(pk(Agent (honest a)),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0))))),(SID sid)]);
fp_42: iknows(crypt(pk(Agent (dishonest i)),Nonce (ni)));
fp_43: iknows(crypt(pk(Agent (dishonest i)),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0))))));
fp_44: iknows(crypt(pk(Agent (dishonest i)),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i))))));
fp_45: iknows(crypt(pk(Agent (honest a)),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1))))));
fp_46: iknows(crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))));
fp_47: iknows(crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))));
fp_48: iknows(crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 0)))),Agent (honest a)))));
fp_49: iknows(crypt(pk(Agent (dishonest i)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))));
fp_50: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_51: iknows(pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)));
fp_52: iknows(pair(Nonce (ni),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_53: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_54: iknows(pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_55: request(Agent (honest a),Agent (honest a),Purpose (purposeNA),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),(SID sid));
fp_56: State (rB,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),Agent (honest a),Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),Agent (honest a))),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (honest a)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1)))),Agent (honest a)))),crypt(pk(Agent (honest a)),Nonce (absNB(pair(Agent (honest a),pair(Agent (honest a),Step 1))))),(SID sid)]);
fp_57: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNA),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),(SID sid));
fp_58: State (rB,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),Agent (dishonest i),Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),crypt(pk(Agent (honest a)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (dishonest i))),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),crypt(pk(Agent (honest a)),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0))))),(SID sid)]);
fp_59: request(Agent (honest a),Agent (dishonest i),Purpose (purposeNA),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),(SID sid));
fp_60: State (rB,[Agent (honest a),Step 2,inv(pk(Agent (honest a))),Agent (dishonest i),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (honest a)),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (dishonest i))),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),crypt(pk(Agent (dishonest i)),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)))),crypt(pk(Agent (honest a)),Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0))))),(SID sid)]);
fp_61: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),Agent (honest a)));
fp_62: iknows(pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a)));
fp_63: iknows(pair(Nonce (ni),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_64: iknows(pair(Nonce (absNA(pair(Agent (honest a),Agent (dishonest i)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
fp_65: iknows(pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),pair(Nonce (absNB(pair(Agent (honest a),pair(Agent (dishonest i),Step 0)))),Agent (honest a))));
section abstraction:
NA->Nonce (absNA(pair(A,B)));
NB->Nonce (absNB(pair(B,pair(A,equals(pair(NA,Nonce (absNA(pair(A,B)))))))))

View File

@ -0,0 +1,608 @@
header {* Analysing BilateralKeyExchange *}
(* ***********************************
This file is automatically generated from the AnB file "AnB/Bilateral-Key_Exchange.AnB".
Backend: Open Source Fixedpoint Model Checker version 2009c
************************************ *)
theory
"Bilateral-Key_Exchange"
imports
ofmc
begin
section {* Protocol Model (BilateralKeyExchange) *}
datatype Role = rA | rB
datatype Purpose = purposeK | purposeNI | purposeNA | purposeNB
datatype Agent = honest nat
| dishonest nat
datatype Nonce = "ni" "nat"
| "absNB" "Msg" "nat"
| "absNA" "Msg" "nat"
| "NI"
| "NA"
| "NB"
and Msg = Nonce "Nonce"
| Agent "Agent"
| Purpose "Purpose"
| pair "Msg*Msg"
| scrypt "Msg*Msg"
| crypt "Msg*Msg"
| inv "Msg"
| SID "nat"
| Step "nat"
| authentication
| secrecy
(* SymKeys *)
| SymKey "Msg"
| "absK" "Msg" "nat"
(* Functions *)
| "pk" "Msg" | "f" "Msg"
datatype Fact = Iknows Msg
| State "Role * (Msg list)"
| Secret "Msg * Msg"
| Attack "Msg"
| Witness "Msg * Msg * Msg * Msg"
| Request "Msg * Msg * Msg * Msg * Msg"
section {* Inductive Protocol Definition (BilateralKeyExchange) *}
inductive_set
BilateralKeyExchange::"Fact list set"
where
init_0: "[ Iknows(Nonce((ni Abs_NI)))] : BilateralKeyExchange"
| init_1: "[ Iknows(Agent(dishonest(i)))] : BilateralKeyExchange"
| init_2: "[ State(rA, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(dishonest(i))), pk(Agent(honest(a))), Agent(dishonest(i)), SID(sid)] )] : BilateralKeyExchange"
| init_3: "[ State(rA, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), pk(Agent(honest(a))), Agent(honest(a)), SID(sid)] )] : BilateralKeyExchange"
| init_4: "[ Iknows(Step(0))] : BilateralKeyExchange"
| init_5: "[ Iknows(inv(pk(Agent(dishonest(i)))))] : BilateralKeyExchange"
| init_6: "[ Iknows(pk(Agent(dishonest(i))))] : BilateralKeyExchange"
| init_7: "[ Iknows(SID(sid))] : BilateralKeyExchange"
| init_8: "[ Iknows(pk(Agent(honest(a))))] : BilateralKeyExchange"
| init_9: "[ Iknows(Agent(honest(a)))] : BilateralKeyExchange"
| init_10: "[ State(rB, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), pk(Agent(dishonest(i))), Agent(dishonest(i)), SID(sid)] )] : BilateralKeyExchange"
| init_11: "[ State(rB, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), pk(Agent(honest(a))), Agent(honest(a)), SID(sid)] )] : BilateralKeyExchange"
| rule_0: "[| t :BilateralKeyExchange;
Iknows(crypt(K, M)) : (set t);
Iknows(inv(K)) : (set t)|]
==>
((Iknows(M))
#t) : BilateralKeyExchange"
| rule_1: "[| t :BilateralKeyExchange;
Iknows(crypt(inv(K), M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : BilateralKeyExchange"
| rule_2: "[| t :BilateralKeyExchange;
Iknows(scrypt(K, M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : BilateralKeyExchange"
| rule_3: "[| t :BilateralKeyExchange;
Iknows(pair(M1, M2)) : (set t)|]
==>
((Iknows(M1))
#(Iknows(M2))
#t) : BilateralKeyExchange"
| rule_4: "[| t :BilateralKeyExchange;
Secret(M, Agent(honest(a))) : (set t);
Iknows(M) : (set t)|]
==>
((Attack(pair(secrecy, M)))
#t) : BilateralKeyExchange"
| rule_5: "[| t :BilateralKeyExchange;
Request(A, B, Purpose(purposeNB), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NB .
M = Nonce((absNB(pair(B, A)) Abs_NB)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : BilateralKeyExchange"
| rule_6: "[| t :BilateralKeyExchange;
Request(A, B, Purpose(purposeNA), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NA .
M = Nonce((absNA(pair(B, A)) Abs_NA)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : BilateralKeyExchange"
| rule_7: "[| t :BilateralKeyExchange;
Request(A, B, Purpose(purposeK), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_K .
M = SymKey((absK(pair(B, A)) Abs_K)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : BilateralKeyExchange"
| rule_8: "[| t :BilateralKeyExchange;
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), SID(sid)] ) : (set t)|]
==>
((State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce((absNB(pair(Agent(B), Agent(A))) Abs_NB)), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce((absNB(pair(Agent(B), Agent(A))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce((absNB(pair(Agent(B), Agent(A))) Abs_NB)), Agent(B))))))
#t) : BilateralKeyExchange"
| rule_9: "[| t :BilateralKeyExchange;
State(rA, [Agent(A), Step(0), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), SID(sid)] ) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))) : (set t)|]
==>
((Secret(SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), Agent(B)))
#(Witness(Agent(A), Agent(B), Purpose(purposeK), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))))
#(State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)))))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))))))))
#t) : BilateralKeyExchange"
| rule_10: "[| t :BilateralKeyExchange;
State(rA, [Agent(A), Step(0), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), SID(sid)] ) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(pk(Agent(A))) : (set t);
Iknows(Nonce(NB)) : (set t)|]
==>
((Secret(SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), Agent(B)))
#(Witness(Agent(A), Agent(B), Purpose(purposeK), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))))
#(State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)))))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))))))))
#t) : BilateralKeyExchange"
| rule_11: "[| t :BilateralKeyExchange;
State(rA, [Agent(A), Step(0), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), SID(sid)] ) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(Nonce(NB)) : (set t)|]
==>
((Secret(SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), Agent(B)))
#(Witness(Agent(A), Agent(B), Purpose(purposeK), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))))
#(State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)))))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))))))))
#t) : BilateralKeyExchange"
| rule_12: "[| t :BilateralKeyExchange;
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : (set t);
Iknows(crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K)))))) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeK), SymKey(K), SID(sid)))
#(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), SymKey(K), Nonce(NA), f(Nonce(NB)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ))
#(Iknows(scrypt(SymKey(K), f(Nonce(NA)))))
#t) : BilateralKeyExchange"
| rule_13: "[| t :BilateralKeyExchange;
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : (set t);
Iknows(pk(Agent(B))) : (set t);
Iknows(f(Nonce(NB))) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(SymKey(K)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeK), SymKey(K), SID(sid)))
#(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), SymKey(K), Nonce(NA), f(Nonce(NB)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ))
#(Iknows(scrypt(SymKey(K), f(Nonce(NA)))))
#t) : BilateralKeyExchange"
| rule_14: "[| t :BilateralKeyExchange;
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : (set t);
Iknows(pk(Agent(B))) : (set t);
Iknows(Nonce(NB)) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(SymKey(K)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeK), SymKey(K), SID(sid)))
#(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), SymKey(K), Nonce(NA), f(Nonce(NB)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ))
#(Iknows(scrypt(SymKey(K), f(Nonce(NA)))))
#t) : BilateralKeyExchange"
| rule_15: "[| t :BilateralKeyExchange;
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(f(Nonce(NB))) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(SymKey(K)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeK), SymKey(K), SID(sid)))
#(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), SymKey(K), Nonce(NA), f(Nonce(NB)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ))
#(Iknows(scrypt(SymKey(K), f(Nonce(NA)))))
#t) : BilateralKeyExchange"
| rule_16: "[| t :BilateralKeyExchange;
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Nonce(NB)) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(SymKey(K)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeK), SymKey(K), SID(sid)))
#(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), SymKey(K), Nonce(NA), f(Nonce(NB)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ))
#(Iknows(scrypt(SymKey(K), f(Nonce(NA)))))
#t) : BilateralKeyExchange"
| rule_17: "[| t :BilateralKeyExchange;
State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), SID(sid)] ) : (set t);
Iknows(scrypt(SymKey(K), f(Nonce(NA)))) : (set t)|]
==>
((State(rA, [Agent(A), Step(2), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ))
#t) : BilateralKeyExchange"
| rule_18: "[| t :BilateralKeyExchange;
State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), SID(sid)] ) : (set t);
Iknows(SymKey(K)) : (set t);
Iknows(f(Nonce(NA))) : (set t)|]
==>
((State(rA, [Agent(A), Step(2), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ))
#t) : BilateralKeyExchange"
| rule_19: "[| t :BilateralKeyExchange;
State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), SID(sid)] ) : (set t);
Iknows(SymKey(K)) : (set t);
Iknows(Nonce(NA)) : (set t)|]
==>
((State(rA, [Agent(A), Step(2), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ))
#t) : BilateralKeyExchange"
section {* Fixed-point Definition (BilateralKeyExchange) *}
constdefs BilateralKeyExchange_fp::"Fact set""BilateralKeyExchange_fp == {m. ( ? a32 a33 Abs_NB5 Abs_NB6 Abs_NB7 Abs_NB4 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 Abs_NA3 i3 Abs_NA4 Abs_NA5 Abs_NA6 Abs_NB1 Abs_NB2 Abs_NB3 a24 a25 a26 a27 a28 a29 a30 a31 a5 Abs_NI1 a6 a7 a8 Abs_NI2 a9 a10 a11 a12 a13 a14 Abs_NI3 a15 a16 a17 a18 a19 Abs_K1 a20 a21 Abs_K2 a22 a23 Abs_NA2 sid0 a4 Abs_NI0 Abs_NB0 a0 i0 Abs_NA0 a1 i1 Abs_NA1 a2 a3 i2 Abs_K0 .
(m = Iknows(Nonce((ni Abs_NI0))))
| (m = Iknows(Agent(dishonest(i0))))
| (m = State(rA, [Agent(honest(a0)), Step(0), inv(pk(Agent(honest(a1)))), pk(Agent(dishonest(i0))), pk(Agent(honest(a2))), Agent(dishonest(i1)), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(0), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), SID(sid0)] ))
| (m = Iknows(Step(0)))
| (m = Iknows(inv(pk(Agent(dishonest(i0))))))
| (m = Iknows(pk(Agent(dishonest(i0)))))
| (m = Iknows(SID(sid0)))
| (m = Iknows(pk(Agent(honest(a0)))))
| (m = Iknows(Agent(honest(a0))))
| (m = State(rB, [Agent(honest(a0)), Step(0), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(dishonest(i0))), Agent(dishonest(i1)), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(0), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), SID(sid0)] ))
| (m = Iknows(pair(Agent(honest(a0)), crypt(pk(Agent(honest(a1))), pair(Nonce((absNB(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NB0)), Agent(honest(a4)))))))
| (m = Iknows(pair(Agent(honest(a0)), crypt(pk(Agent(dishonest(i0))), pair(Nonce((absNB(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NB0)), Agent(honest(a2)))))))
| (m = State(rB, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(dishonest(i0))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_NB0)), pair(Agent(honest(a4)), crypt(pk(Agent(dishonest(i3))), pair(Nonce((absNB(pair(Agent(honest(a5)), Agent(dishonest(i4)))) Abs_NB1)), Agent(honest(a6))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), Nonce((absNB(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_NB0)), pair(Agent(honest(a7)), crypt(pk(Agent(honest(a8))), pair(Nonce((absNB(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_NB1)), Agent(honest(a11))))), SID(sid0)] ))
| (m = Secret(SymKey((absK(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_K0)), Agent(dishonest(i1))))
| (m = Witness(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeK), SymKey((absK(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_K0))))
| (m = State(rA, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), pk(Agent(dishonest(i0))), pk(Agent(honest(a2))), Agent(dishonest(i1)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a3))), pair(Nonce((ni Abs_NI1)), Agent(dishonest(i2)))), pair(Agent(dishonest(i3)), crypt(pk(Agent(honest(a4))), pair(Nonce((ni Abs_NI2)), Agent(dishonest(i4))))), Nonce((absNA(pair(Agent(honest(a5)), Agent(dishonest(i5)))) Abs_NA0)), SymKey((absK(pair(Agent(honest(a6)), Agent(dishonest(i6)))) Abs_K0)), crypt(pk(Agent(dishonest(i7))), pair(f(Nonce((ni Abs_NI3))), pair(Nonce((absNA(pair(Agent(honest(a7)), Agent(dishonest(i8)))) Abs_NA1)), pair(Agent(honest(a8)), SymKey((absK(pair(Agent(honest(a9)), Agent(dishonest(i9)))) Abs_K1)))))), SID(sid0)] ))
| (m = Secret(SymKey((absK(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_K0)), Agent(honest(a2))))
| (m = Witness(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeK), SymKey((absK(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_K0))))
| (m = State(rA, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a5))), pair(Nonce((ni Abs_NI1)), Agent(honest(a6)))), pair(Agent(honest(a7)), crypt(pk(Agent(honest(a8))), pair(Nonce((ni Abs_NI2)), Agent(honest(a9))))), Nonce((absNA(pair(Agent(honest(a10)), Agent(honest(a11)))) Abs_NA0)), SymKey((absK(pair(Agent(honest(a12)), Agent(honest(a13)))) Abs_K0)), crypt(pk(Agent(honest(a14))), pair(f(Nonce((ni Abs_NI3))), pair(Nonce((absNA(pair(Agent(honest(a15)), Agent(honest(a16)))) Abs_NA1)), pair(Agent(honest(a17)), SymKey((absK(pair(Agent(honest(a18)), Agent(honest(a19)))) Abs_K1)))))), SID(sid0)] ))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(f(Nonce((ni Abs_NI0))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_NA0)), pair(Agent(honest(a3)), SymKey((absK(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_K0))))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(f(Nonce((ni Abs_NI0))), pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_NA0)), pair(Agent(honest(a1)), SymKey((absK(pair(Agent(honest(a2)), Agent(dishonest(i2)))) Abs_K0))))))))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(Nonce((absNB(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_NB0)), Agent(honest(a3))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_NB0)), Agent(honest(a1))))))
| (m = Iknows(pair(Agent(honest(a0)), crypt(pk(Agent(honest(a1))), pair(Nonce((absNB(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NB0)), Agent(honest(a4)))))))
| (m = Iknows(pair(Agent(honest(a0)), crypt(pk(Agent(dishonest(i0))), pair(Nonce((absNB(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NB0)), Agent(honest(a2)))))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), SymKey((absK(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_K0)))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(honest(a1)), SymKey((absK(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_K0))))))
| (m = Iknows(pair(f(Nonce((ni Abs_NI0))), pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(honest(a1)), SymKey((absK(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_K0)))))))
| (m = State(rA, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), Nonce((absNB(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_NB0)), crypt(pk(Agent(honest(a7))), pair(Nonce((absNB(pair(Agent(honest(a8)), Agent(honest(a9)))) Abs_NB1)), Agent(honest(a10)))), pair(Agent(honest(a11)), crypt(pk(Agent(honest(a12))), pair(Nonce((absNB(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_NB2)), Agent(honest(a15))))), Nonce((absNA(pair(Agent(honest(a16)), Agent(honest(a17)))) Abs_NA0)), SymKey((absK(pair(Agent(honest(a18)), Agent(honest(a19)))) Abs_K0)), crypt(pk(Agent(honest(a20))), pair(f(Nonce((absNB(pair(Agent(honest(a21)), Agent(honest(a22)))) Abs_NB3))), pair(Nonce((absNA(pair(Agent(honest(a23)), Agent(honest(a24)))) Abs_NA1)), pair(Agent(honest(a25)), SymKey((absK(pair(Agent(honest(a26)), Agent(honest(a27)))) Abs_K1)))))), SID(sid0)] ))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(f(Nonce((absNB(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_NB0))), pair(Nonce((absNA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_NA0)), pair(Agent(honest(a5)), SymKey((absK(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_K0))))))))
| (m = Iknows(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NB0))))
| (m = Iknows(SymKey((absK(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_K0))))
| (m = Iknows(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0))))
| (m = Iknows(f(Nonce((ni Abs_NI0)))))
| (m = Iknows(pair(Agent(honest(a0)), crypt(pk(Agent(honest(a1))), pair(Nonce((absNB(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NB0)), Agent(honest(a4)))))))
| (m = Iknows(pair(Agent(honest(a0)), crypt(pk(Agent(dishonest(i0))), pair(Nonce((absNB(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NB0)), Agent(honest(a2)))))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), SymKey((absK(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_K0)))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(honest(a1)), SymKey((absK(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_K0))))))
| (m = Iknows(pair(f(Nonce((ni Abs_NI0))), pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(honest(a1)), SymKey((absK(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_K0)))))))
| (m = State(rA, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), pk(Agent(dishonest(i0))), pk(Agent(honest(a2))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_NB0)), crypt(pk(Agent(honest(a4))), pair(Nonce((absNB(pair(Agent(honest(a5)), Agent(dishonest(i3)))) Abs_NB1)), Agent(dishonest(i4)))), pair(Agent(dishonest(i5)), crypt(pk(Agent(honest(a6))), pair(Nonce((absNB(pair(Agent(honest(a7)), Agent(dishonest(i6)))) Abs_NB2)), Agent(dishonest(i7))))), Nonce((absNA(pair(Agent(honest(a8)), Agent(dishonest(i8)))) Abs_NA0)), SymKey((absK(pair(Agent(honest(a9)), Agent(dishonest(i9)))) Abs_K0)), crypt(pk(Agent(dishonest(i10))), pair(f(Nonce((absNB(pair(Agent(honest(a10)), Agent(dishonest(i11)))) Abs_NB3))), pair(Nonce((absNA(pair(Agent(honest(a11)), Agent(dishonest(i12)))) Abs_NA1)), pair(Agent(honest(a12)), SymKey((absK(pair(Agent(honest(a13)), Agent(dishonest(i13)))) Abs_K1)))))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), pk(Agent(dishonest(i0))), pk(Agent(honest(a2))), Agent(dishonest(i1)), Nonce((absNA(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_NA0)), crypt(pk(Agent(honest(a4))), pair(Nonce((absNA(pair(Agent(honest(a5)), Agent(dishonest(i3)))) Abs_NA1)), Agent(dishonest(i4)))), pair(Agent(dishonest(i5)), crypt(pk(Agent(honest(a6))), pair(Nonce((absNA(pair(Agent(honest(a7)), Agent(dishonest(i6)))) Abs_NA2)), Agent(dishonest(i7))))), Nonce((absNA(pair(Agent(honest(a8)), Agent(dishonest(i8)))) Abs_NA3)), SymKey((absK(pair(Agent(honest(a9)), Agent(dishonest(i9)))) Abs_K0)), crypt(pk(Agent(dishonest(i10))), pair(f(Nonce((absNA(pair(Agent(honest(a10)), Agent(dishonest(i11)))) Abs_NA4))), pair(Nonce((absNA(pair(Agent(honest(a11)), Agent(dishonest(i12)))) Abs_NA5)), pair(Agent(honest(a12)), SymKey((absK(pair(Agent(honest(a13)), Agent(dishonest(i13)))) Abs_K1)))))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), Nonce((absNB(pair(Agent(honest(a5)), Agent(dishonest(i0)))) Abs_NB0)), crypt(pk(Agent(honest(a6))), pair(Nonce((absNB(pair(Agent(honest(a7)), Agent(dishonest(i1)))) Abs_NB1)), Agent(honest(a8)))), pair(Agent(honest(a9)), crypt(pk(Agent(honest(a10))), pair(Nonce((absNB(pair(Agent(honest(a11)), Agent(dishonest(i2)))) Abs_NB2)), Agent(honest(a12))))), Nonce((absNA(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_NA0)), SymKey((absK(pair(Agent(honest(a15)), Agent(honest(a16)))) Abs_K0)), crypt(pk(Agent(honest(a17))), pair(f(Nonce((absNB(pair(Agent(honest(a18)), Agent(dishonest(i3)))) Abs_NB3))), pair(Nonce((absNA(pair(Agent(honest(a19)), Agent(honest(a20)))) Abs_NA1)), pair(Agent(honest(a21)), SymKey((absK(pair(Agent(honest(a22)), Agent(honest(a23)))) Abs_K1)))))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), Nonce((absNA(pair(Agent(honest(a5)), Agent(dishonest(i0)))) Abs_NA0)), crypt(pk(Agent(honest(a6))), pair(Nonce((absNA(pair(Agent(honest(a7)), Agent(dishonest(i1)))) Abs_NA1)), Agent(honest(a8)))), pair(Agent(honest(a9)), crypt(pk(Agent(honest(a10))), pair(Nonce((absNA(pair(Agent(honest(a11)), Agent(dishonest(i2)))) Abs_NA2)), Agent(honest(a12))))), Nonce((absNA(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_NA3)), SymKey((absK(pair(Agent(honest(a15)), Agent(honest(a16)))) Abs_K0)), crypt(pk(Agent(honest(a17))), pair(f(Nonce((absNA(pair(Agent(honest(a18)), Agent(dishonest(i3)))) Abs_NA4))), pair(Nonce((absNA(pair(Agent(honest(a19)), Agent(honest(a20)))) Abs_NA5)), pair(Agent(honest(a21)), SymKey((absK(pair(Agent(honest(a22)), Agent(honest(a23)))) Abs_K1)))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeK), SymKey((absK(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_K0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), Nonce((absNB(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_NB0)), pair(Agent(honest(a7)), crypt(pk(Agent(honest(a8))), pair(Nonce((absNB(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_NB1)), Agent(honest(a11))))), crypt(pk(Agent(honest(a12))), pair(Nonce((absNB(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_NB2)), Agent(honest(a15)))), SymKey((absK(pair(Agent(honest(a16)), Agent(honest(a17)))) Abs_K0)), Nonce((absNA(pair(Agent(honest(a18)), Agent(honest(a19)))) Abs_NA0)), f(Nonce((absNB(pair(Agent(honest(a20)), Agent(honest(a21)))) Abs_NB3))), crypt(pk(Agent(honest(a22))), pair(f(Nonce((absNB(pair(Agent(honest(a23)), Agent(honest(a24)))) Abs_NB4))), pair(Nonce((absNA(pair(Agent(honest(a25)), Agent(honest(a26)))) Abs_NA1)), pair(Agent(honest(a27)), SymKey((absK(pair(Agent(honest(a28)), Agent(honest(a29)))) Abs_K1)))))), scrypt(SymKey((absK(pair(Agent(honest(a30)), Agent(honest(a31)))) Abs_K2)), f(Nonce((absNA(pair(Agent(honest(a32)), Agent(honest(a33)))) Abs_NA2)))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeK), SymKey((absK(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_K0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(dishonest(i0))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_NB0)), pair(Agent(honest(a4)), crypt(pk(Agent(dishonest(i3))), pair(Nonce((absNB(pair(Agent(honest(a5)), Agent(dishonest(i4)))) Abs_NB1)), Agent(honest(a6))))), crypt(pk(Agent(dishonest(i5))), pair(Nonce((absNB(pair(Agent(honest(a7)), Agent(dishonest(i6)))) Abs_NB2)), Agent(honest(a8)))), SymKey((absK(pair(Agent(honest(a9)), Agent(dishonest(i7)))) Abs_K0)), Nonce((absNB(pair(Agent(honest(a10)), Agent(dishonest(i8)))) Abs_NB3)), f(Nonce((absNB(pair(Agent(honest(a11)), Agent(dishonest(i9)))) Abs_NB4))), crypt(pk(Agent(honest(a12))), pair(f(Nonce((absNB(pair(Agent(honest(a13)), Agent(dishonest(i10)))) Abs_NB5))), pair(Nonce((absNB(pair(Agent(honest(a14)), Agent(dishonest(i11)))) Abs_NB6)), pair(Agent(dishonest(i12)), SymKey((absK(pair(Agent(honest(a15)), Agent(dishonest(i13)))) Abs_K1)))))), scrypt(SymKey((absK(pair(Agent(honest(a16)), Agent(dishonest(i14)))) Abs_K2)), f(Nonce((absNB(pair(Agent(honest(a17)), Agent(dishonest(i15)))) Abs_NB7)))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(dishonest(i0))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_NB0)), pair(Agent(honest(a4)), crypt(pk(Agent(dishonest(i3))), pair(Nonce((absNB(pair(Agent(honest(a5)), Agent(dishonest(i4)))) Abs_NB1)), Agent(honest(a6))))), crypt(pk(Agent(dishonest(i5))), pair(Nonce((absNB(pair(Agent(honest(a7)), Agent(dishonest(i6)))) Abs_NB2)), Agent(honest(a8)))), SymKey((absK(pair(Agent(honest(a9)), Agent(dishonest(i7)))) Abs_K0)), Nonce((absNA(pair(Agent(honest(a10)), Agent(dishonest(i8)))) Abs_NA0)), f(Nonce((absNB(pair(Agent(honest(a11)), Agent(dishonest(i9)))) Abs_NB3))), crypt(pk(Agent(honest(a12))), pair(f(Nonce((absNB(pair(Agent(honest(a13)), Agent(dishonest(i10)))) Abs_NB4))), pair(Nonce((absNA(pair(Agent(honest(a14)), Agent(dishonest(i11)))) Abs_NA1)), pair(Agent(dishonest(i12)), SymKey((absK(pair(Agent(honest(a15)), Agent(dishonest(i13)))) Abs_K1)))))), scrypt(SymKey((absK(pair(Agent(honest(a16)), Agent(dishonest(i14)))) Abs_K2)), f(Nonce((absNA(pair(Agent(honest(a17)), Agent(dishonest(i15)))) Abs_NA2)))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(dishonest(i0))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_NB0)), pair(Agent(honest(a4)), crypt(pk(Agent(dishonest(i3))), pair(Nonce((absNB(pair(Agent(honest(a5)), Agent(dishonest(i4)))) Abs_NB1)), Agent(honest(a6))))), crypt(pk(Agent(dishonest(i5))), pair(Nonce((absNB(pair(Agent(honest(a7)), Agent(dishonest(i6)))) Abs_NB2)), Agent(honest(a8)))), SymKey((absK(pair(Agent(honest(a9)), Agent(dishonest(i7)))) Abs_K0)), Nonce((ni Abs_NI0)), f(Nonce((absNB(pair(Agent(honest(a10)), Agent(dishonest(i8)))) Abs_NB3))), crypt(pk(Agent(honest(a11))), pair(f(Nonce((absNB(pair(Agent(honest(a12)), Agent(dishonest(i9)))) Abs_NB4))), pair(Nonce((ni Abs_NI1)), pair(Agent(dishonest(i10)), SymKey((absK(pair(Agent(honest(a13)), Agent(dishonest(i11)))) Abs_K1)))))), scrypt(SymKey((absK(pair(Agent(honest(a14)), Agent(dishonest(i12)))) Abs_K2)), f(Nonce((ni Abs_NI2)))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), pk(Agent(dishonest(i0))), pk(Agent(honest(a2))), Agent(dishonest(i1)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a3))), pair(Nonce((ni Abs_NI1)), Agent(dishonest(i2)))), pair(Agent(dishonest(i3)), crypt(pk(Agent(honest(a4))), pair(Nonce((ni Abs_NI2)), Agent(dishonest(i4))))), Nonce((absNA(pair(Agent(honest(a5)), Agent(dishonest(i5)))) Abs_NA0)), SymKey((absK(pair(Agent(honest(a6)), Agent(dishonest(i6)))) Abs_K0)), crypt(pk(Agent(dishonest(i7))), pair(f(Nonce((ni Abs_NI3))), pair(Nonce((absNA(pair(Agent(honest(a7)), Agent(dishonest(i8)))) Abs_NA1)), pair(Agent(honest(a8)), SymKey((absK(pair(Agent(honest(a9)), Agent(dishonest(i9)))) Abs_K1)))))), scrypt(SymKey((absK(pair(Agent(honest(a10)), Agent(dishonest(i10)))) Abs_K2)), f(Nonce((absNA(pair(Agent(honest(a11)), Agent(dishonest(i11)))) Abs_NA2)))), SID(sid0)] ))
| (m = Iknows(scrypt(SymKey((absK(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_K0)), f(Nonce((ni Abs_NI0))))))
| (m = Iknows(scrypt(SymKey((absK(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_K0)), f(Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA0))))))
| (m = Iknows(scrypt(SymKey((absK(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_K0)), f(Nonce((absNB(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NB0))))))
| (m = Iknows(scrypt(SymKey((absK(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_K0)), f(Nonce((absNA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0))))))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(f(Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_NA0))), pair(Nonce((absNA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA1)), pair(Agent(honest(a4)), SymKey((absK(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_K0))))))))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(f(Nonce((absNB(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_NB0))), pair(Nonce((absNA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0)), pair(Agent(honest(a4)), SymKey((absK(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_K0))))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(f(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_NA0))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i2)))) Abs_NA1)), pair(Agent(honest(a2)), SymKey((absK(pair(Agent(honest(a3)), Agent(dishonest(i3)))) Abs_K0))))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(f(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_NB0))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i2)))) Abs_NA0)), pair(Agent(honest(a2)), SymKey((absK(pair(Agent(honest(a3)), Agent(dishonest(i3)))) Abs_K0))))))))
| (m = Iknows(pair(Agent(honest(a0)), crypt(pk(Agent(honest(a1))), pair(Nonce((absNB(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NB0)), Agent(honest(a4)))))))
| (m = Iknows(pair(Agent(honest(a0)), crypt(pk(Agent(dishonest(i0))), pair(Nonce((absNB(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NB0)), Agent(honest(a2)))))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), SymKey((absK(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_K0)))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(honest(a1)), SymKey((absK(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_K0))))))
| (m = Iknows(pair(f(Nonce((ni Abs_NI0))), pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(honest(a1)), SymKey((absK(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_K0)))))))
| (m = Iknows(pair(f(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NB0))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA0)), pair(Agent(honest(a2)), SymKey((absK(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_K0)))))))
| (m = Iknows(pair(f(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA1)), pair(Agent(honest(a2)), SymKey((absK(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_K0)))))))
| (m = State(rA, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), pk(Agent(dishonest(i0))), pk(Agent(honest(a2))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_NB0)), crypt(pk(Agent(honest(a4))), pair(Nonce((absNB(pair(Agent(honest(a5)), Agent(dishonest(i3)))) Abs_NB1)), Agent(dishonest(i4)))), pair(Agent(dishonest(i5)), crypt(pk(Agent(honest(a6))), pair(Nonce((absNB(pair(Agent(honest(a7)), Agent(dishonest(i6)))) Abs_NB2)), Agent(dishonest(i7))))), Nonce((absNA(pair(Agent(honest(a8)), Agent(dishonest(i8)))) Abs_NA0)), SymKey((absK(pair(Agent(honest(a9)), Agent(dishonest(i9)))) Abs_K0)), crypt(pk(Agent(dishonest(i10))), pair(f(Nonce((absNB(pair(Agent(honest(a10)), Agent(dishonest(i11)))) Abs_NB3))), pair(Nonce((absNA(pair(Agent(honest(a11)), Agent(dishonest(i12)))) Abs_NA1)), pair(Agent(honest(a12)), SymKey((absK(pair(Agent(honest(a13)), Agent(dishonest(i13)))) Abs_K1)))))), scrypt(SymKey((absK(pair(Agent(honest(a14)), Agent(dishonest(i14)))) Abs_K2)), f(Nonce((absNA(pair(Agent(honest(a15)), Agent(dishonest(i15)))) Abs_NA2)))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), pk(Agent(dishonest(i0))), pk(Agent(honest(a2))), Agent(dishonest(i1)), Nonce((absNA(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_NA0)), crypt(pk(Agent(honest(a4))), pair(Nonce((absNA(pair(Agent(honest(a5)), Agent(dishonest(i3)))) Abs_NA1)), Agent(dishonest(i4)))), pair(Agent(dishonest(i5)), crypt(pk(Agent(honest(a6))), pair(Nonce((absNA(pair(Agent(honest(a7)), Agent(dishonest(i6)))) Abs_NA2)), Agent(dishonest(i7))))), Nonce((absNA(pair(Agent(honest(a8)), Agent(dishonest(i8)))) Abs_NA3)), SymKey((absK(pair(Agent(honest(a9)), Agent(dishonest(i9)))) Abs_K0)), crypt(pk(Agent(dishonest(i10))), pair(f(Nonce((absNA(pair(Agent(honest(a10)), Agent(dishonest(i11)))) Abs_NA4))), pair(Nonce((absNA(pair(Agent(honest(a11)), Agent(dishonest(i12)))) Abs_NA5)), pair(Agent(honest(a12)), SymKey((absK(pair(Agent(honest(a13)), Agent(dishonest(i13)))) Abs_K1)))))), scrypt(SymKey((absK(pair(Agent(honest(a14)), Agent(dishonest(i14)))) Abs_K2)), f(Nonce((absNA(pair(Agent(honest(a15)), Agent(dishonest(i15)))) Abs_NA6)))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), Nonce((absNB(pair(Agent(honest(a5)), Agent(dishonest(i0)))) Abs_NB0)), crypt(pk(Agent(honest(a6))), pair(Nonce((absNB(pair(Agent(honest(a7)), Agent(dishonest(i1)))) Abs_NB1)), Agent(honest(a8)))), pair(Agent(honest(a9)), crypt(pk(Agent(honest(a10))), pair(Nonce((absNB(pair(Agent(honest(a11)), Agent(dishonest(i2)))) Abs_NB2)), Agent(honest(a12))))), Nonce((absNA(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_NA0)), SymKey((absK(pair(Agent(honest(a15)), Agent(honest(a16)))) Abs_K0)), crypt(pk(Agent(honest(a17))), pair(f(Nonce((absNB(pair(Agent(honest(a18)), Agent(dishonest(i3)))) Abs_NB3))), pair(Nonce((absNA(pair(Agent(honest(a19)), Agent(honest(a20)))) Abs_NA1)), pair(Agent(honest(a21)), SymKey((absK(pair(Agent(honest(a22)), Agent(honest(a23)))) Abs_K1)))))), scrypt(SymKey((absK(pair(Agent(honest(a24)), Agent(honest(a25)))) Abs_K2)), f(Nonce((absNA(pair(Agent(honest(a26)), Agent(honest(a27)))) Abs_NA2)))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), Nonce((absNA(pair(Agent(honest(a5)), Agent(dishonest(i0)))) Abs_NA0)), crypt(pk(Agent(honest(a6))), pair(Nonce((absNA(pair(Agent(honest(a7)), Agent(dishonest(i1)))) Abs_NA1)), Agent(honest(a8)))), pair(Agent(honest(a9)), crypt(pk(Agent(honest(a10))), pair(Nonce((absNA(pair(Agent(honest(a11)), Agent(dishonest(i2)))) Abs_NA2)), Agent(honest(a12))))), Nonce((absNA(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_NA3)), SymKey((absK(pair(Agent(honest(a15)), Agent(honest(a16)))) Abs_K0)), crypt(pk(Agent(honest(a17))), pair(f(Nonce((absNA(pair(Agent(honest(a18)), Agent(dishonest(i3)))) Abs_NA4))), pair(Nonce((absNA(pair(Agent(honest(a19)), Agent(honest(a20)))) Abs_NA5)), pair(Agent(honest(a21)), SymKey((absK(pair(Agent(honest(a22)), Agent(honest(a23)))) Abs_K1)))))), scrypt(SymKey((absK(pair(Agent(honest(a24)), Agent(honest(a25)))) Abs_K2)), f(Nonce((absNA(pair(Agent(honest(a26)), Agent(honest(a27)))) Abs_NA6)))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), Nonce((absNB(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_NB0)), crypt(pk(Agent(honest(a7))), pair(Nonce((absNB(pair(Agent(honest(a8)), Agent(honest(a9)))) Abs_NB1)), Agent(honest(a10)))), pair(Agent(honest(a11)), crypt(pk(Agent(honest(a12))), pair(Nonce((absNB(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_NB2)), Agent(honest(a15))))), Nonce((absNA(pair(Agent(honest(a16)), Agent(honest(a17)))) Abs_NA0)), SymKey((absK(pair(Agent(honest(a18)), Agent(honest(a19)))) Abs_K0)), crypt(pk(Agent(honest(a20))), pair(f(Nonce((absNB(pair(Agent(honest(a21)), Agent(honest(a22)))) Abs_NB3))), pair(Nonce((absNA(pair(Agent(honest(a23)), Agent(honest(a24)))) Abs_NA1)), pair(Agent(honest(a25)), SymKey((absK(pair(Agent(honest(a26)), Agent(honest(a27)))) Abs_K1)))))), scrypt(SymKey((absK(pair(Agent(honest(a28)), Agent(honest(a29)))) Abs_K2)), f(Nonce((absNA(pair(Agent(honest(a30)), Agent(honest(a31)))) Abs_NA2)))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), pk(Agent(honest(a3))), Agent(honest(a4)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a5))), pair(Nonce((ni Abs_NI1)), Agent(honest(a6)))), pair(Agent(honest(a7)), crypt(pk(Agent(honest(a8))), pair(Nonce((ni Abs_NI2)), Agent(honest(a9))))), Nonce((absNA(pair(Agent(honest(a10)), Agent(honest(a11)))) Abs_NA0)), SymKey((absK(pair(Agent(honest(a12)), Agent(honest(a13)))) Abs_K0)), crypt(pk(Agent(honest(a14))), pair(f(Nonce((ni Abs_NI3))), pair(Nonce((absNA(pair(Agent(honest(a15)), Agent(honest(a16)))) Abs_NA1)), pair(Agent(honest(a17)), SymKey((absK(pair(Agent(honest(a18)), Agent(honest(a19)))) Abs_K1)))))), scrypt(SymKey((absK(pair(Agent(honest(a20)), Agent(honest(a21)))) Abs_K2)), f(Nonce((absNA(pair(Agent(honest(a22)), Agent(honest(a23)))) Abs_NA2)))), SID(sid0)] ))
| (m = Iknows(f(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NB0)))))
| (m = Iknows(f(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)))))
| (m = Iknows(pair(Agent(honest(a0)), crypt(pk(Agent(honest(a1))), pair(Nonce((absNB(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NB0)), Agent(honest(a4)))))))
| (m = Iknows(pair(Agent(honest(a0)), crypt(pk(Agent(dishonest(i0))), pair(Nonce((absNB(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NB0)), Agent(honest(a2)))))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), SymKey((absK(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_K0)))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(honest(a1)), SymKey((absK(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_K0))))))
| (m = Iknows(pair(f(Nonce((ni Abs_NI0))), pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(honest(a1)), SymKey((absK(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_K0)))))))
| (m = Iknows(pair(f(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NB0))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA0)), pair(Agent(honest(a2)), SymKey((absK(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_K0)))))))
| (m = Iknows(pair(f(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA1)), pair(Agent(honest(a2)), SymKey((absK(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_K0)))))))
)}"
section {* Checking Fixed-point (BilateralKeyExchange) *}
lemma fp_attack_free: "~ (Attack m : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_0: "Iknows(Nonce((ni Abs_NI))) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_1: "Iknows(Agent(dishonest(i))) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_2: "State(rA, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(dishonest(i))), pk(Agent(honest(a))), Agent(dishonest(i)), SID(sid)] ) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_3: "State(rA, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), pk(Agent(honest(a))), Agent(honest(a)), SID(sid)] ) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_4: "Iknows(Step(0)) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_5: "Iknows(inv(pk(Agent(dishonest(i))))) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_6: "Iknows(pk(Agent(dishonest(i)))) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_7: "Iknows(SID(sid)) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_8: "Iknows(pk(Agent(honest(a)))) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_9: "Iknows(Agent(honest(a))) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_10: "State(rB, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), pk(Agent(dishonest(i))), Agent(dishonest(i)), SID(sid)] ) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma init_11: "State(rB, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), pk(Agent(honest(a))), Agent(honest(a)), SID(sid)] ) : BilateralKeyExchange_fp"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_0: "[|
Iknows(crypt(K, M)) : BilateralKeyExchange_fp;
Iknows(inv(K)) : BilateralKeyExchange_fp|]
==>
(Iknows(M) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_1: "[|
Iknows(crypt(inv(K), M)) : BilateralKeyExchange_fp;
Iknows(K) : BilateralKeyExchange_fp|]
==>
(Iknows(M) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_2: "[|
Iknows(scrypt(K, M)) : BilateralKeyExchange_fp;
Iknows(K) : BilateralKeyExchange_fp|]
==>
(Iknows(M) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_3: "[|
Iknows(pair(M1, M2)) : BilateralKeyExchange_fp|]
==>
(Iknows(M1) : BilateralKeyExchange_fp) &
(Iknows(M2) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_4: "[|
Secret(M, Agent(honest(a))) : BilateralKeyExchange_fp;
Iknows(M) : BilateralKeyExchange_fp|]
==>
(Attack(pair(secrecy, M)) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_5: "[|
Request(A, B, Purpose(purposeNB), M, SID(sid)) : BilateralKeyExchange_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NB .
M = Nonce((absNB(pair(B, A)) Abs_NB)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_6: "[|
Request(A, B, Purpose(purposeNA), M, SID(sid)) : BilateralKeyExchange_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NA .
M = Nonce((absNA(pair(B, A)) Abs_NA)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_7: "[|
Request(A, B, Purpose(purposeK), M, SID(sid)) : BilateralKeyExchange_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_K .
M = SymKey((absK(pair(B, A)) Abs_K)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_8: "[|
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), SID(sid)] ) : BilateralKeyExchange_fp|]
==>
(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce((absNB(pair(Agent(B), Agent(A))) Abs_NB)), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce((absNB(pair(Agent(B), Agent(A))) Abs_NB)), Agent(B)))), SID(sid)] ) : BilateralKeyExchange_fp) &
(Iknows(pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce((absNB(pair(Agent(B), Agent(A))) Abs_NB)), Agent(B))))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_9: "[|
State(rA, [Agent(A), Step(0), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), SID(sid)] ) : BilateralKeyExchange_fp;
Iknows(Agent(B)) : BilateralKeyExchange_fp;
Iknows(crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))) : BilateralKeyExchange_fp|]
==>
(Secret(SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), Agent(B)) : BilateralKeyExchange_fp) &
(Witness(Agent(A), Agent(B), Purpose(purposeK), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))) : BilateralKeyExchange_fp) &
(State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)))))), SID(sid)] ) : BilateralKeyExchange_fp) &
(Iknows(crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))))))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_10: "[|
State(rA, [Agent(A), Step(0), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), SID(sid)] ) : BilateralKeyExchange_fp;
Iknows(Agent(B)) : BilateralKeyExchange_fp;
Iknows(pk(Agent(A))) : BilateralKeyExchange_fp;
Iknows(Nonce(NB)) : BilateralKeyExchange_fp|]
==>
(Secret(SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), Agent(B)) : BilateralKeyExchange_fp) &
(Witness(Agent(A), Agent(B), Purpose(purposeK), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))) : BilateralKeyExchange_fp) &
(State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)))))), SID(sid)] ) : BilateralKeyExchange_fp) &
(Iknows(crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))))))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_11: "[|
State(rA, [Agent(A), Step(0), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), SID(sid)] ) : BilateralKeyExchange_fp;
Iknows(Agent(B)) : BilateralKeyExchange_fp;
Iknows(Agent(A)) : BilateralKeyExchange_fp;
Iknows(Nonce(NB)) : BilateralKeyExchange_fp|]
==>
(Secret(SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), Agent(B)) : BilateralKeyExchange_fp) &
(Witness(Agent(A), Agent(B), Purpose(purposeK), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))) : BilateralKeyExchange_fp) &
(State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K)))))), SID(sid)] ) : BilateralKeyExchange_fp) &
(Iknows(crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(A), SymKey((absK(pair(Agent(A), Agent(B))) Abs_K))))))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_12: "[|
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : BilateralKeyExchange_fp;
Iknows(crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K)))))) : BilateralKeyExchange_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeK), SymKey(K), SID(sid)) : BilateralKeyExchange_fp) &
(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), SymKey(K), Nonce(NA), f(Nonce(NB)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ) : BilateralKeyExchange_fp) &
(Iknows(scrypt(SymKey(K), f(Nonce(NA)))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_13: "[|
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : BilateralKeyExchange_fp;
Iknows(pk(Agent(B))) : BilateralKeyExchange_fp;
Iknows(f(Nonce(NB))) : BilateralKeyExchange_fp;
Iknows(Nonce(NA)) : BilateralKeyExchange_fp;
Iknows(Agent(A)) : BilateralKeyExchange_fp;
Iknows(SymKey(K)) : BilateralKeyExchange_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeK), SymKey(K), SID(sid)) : BilateralKeyExchange_fp) &
(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), SymKey(K), Nonce(NA), f(Nonce(NB)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ) : BilateralKeyExchange_fp) &
(Iknows(scrypt(SymKey(K), f(Nonce(NA)))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_14: "[|
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : BilateralKeyExchange_fp;
Iknows(pk(Agent(B))) : BilateralKeyExchange_fp;
Iknows(Nonce(NB)) : BilateralKeyExchange_fp;
Iknows(Nonce(NA)) : BilateralKeyExchange_fp;
Iknows(Agent(A)) : BilateralKeyExchange_fp;
Iknows(SymKey(K)) : BilateralKeyExchange_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeK), SymKey(K), SID(sid)) : BilateralKeyExchange_fp) &
(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), SymKey(K), Nonce(NA), f(Nonce(NB)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ) : BilateralKeyExchange_fp) &
(Iknows(scrypt(SymKey(K), f(Nonce(NA)))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_15: "[|
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : BilateralKeyExchange_fp;
Iknows(Agent(B)) : BilateralKeyExchange_fp;
Iknows(f(Nonce(NB))) : BilateralKeyExchange_fp;
Iknows(Nonce(NA)) : BilateralKeyExchange_fp;
Iknows(Agent(A)) : BilateralKeyExchange_fp;
Iknows(SymKey(K)) : BilateralKeyExchange_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeK), SymKey(K), SID(sid)) : BilateralKeyExchange_fp) &
(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), SymKey(K), Nonce(NA), f(Nonce(NB)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ) : BilateralKeyExchange_fp) &
(Iknows(scrypt(SymKey(K), f(Nonce(NA)))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_16: "[|
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : BilateralKeyExchange_fp;
Iknows(Agent(B)) : BilateralKeyExchange_fp;
Iknows(Nonce(NB)) : BilateralKeyExchange_fp;
Iknows(Nonce(NA)) : BilateralKeyExchange_fp;
Iknows(Agent(A)) : BilateralKeyExchange_fp;
Iknows(SymKey(K)) : BilateralKeyExchange_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeK), SymKey(K), SID(sid)) : BilateralKeyExchange_fp) &
(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), pk(Agent(B)), pk(Agent(A)), Agent(A), Nonce(NB), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), SymKey(K), Nonce(NA), f(Nonce(NB)), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ) : BilateralKeyExchange_fp) &
(Iknows(scrypt(SymKey(K), f(Nonce(NA)))) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_17: "[|
State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), SID(sid)] ) : BilateralKeyExchange_fp;
Iknows(scrypt(SymKey(K), f(Nonce(NA)))) : BilateralKeyExchange_fp|]
==>
(State(rA, [Agent(A), Step(2), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_18: "[|
State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), SID(sid)] ) : BilateralKeyExchange_fp;
Iknows(SymKey(K)) : BilateralKeyExchange_fp;
Iknows(f(Nonce(NA))) : BilateralKeyExchange_fp|]
==>
(State(rA, [Agent(A), Step(2), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_19: "[|
State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), SID(sid)] ) : BilateralKeyExchange_fp;
Iknows(SymKey(K)) : BilateralKeyExchange_fp;
Iknows(Nonce(NA)) : BilateralKeyExchange_fp|]
==>
(State(rA, [Agent(A), Step(2), inv(pk(Agent(A))), pk(Agent(B)), pk(Agent(A)), Agent(B), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B))), pair(Agent(B), crypt(pk(Agent(A)), pair(Nonce(NB), Agent(B)))), Nonce(NA), SymKey(K), crypt(pk(Agent(B)), pair(f(Nonce(NB)), pair(Nonce(NA), pair(Agent(A), SymKey(K))))), scrypt(SymKey(K), f(Nonce(NA))), SID(sid)] ) : BilateralKeyExchange_fp)"
by(simp only: BilateralKeyExchange_fp_def, simp only: set2pred, simp, auto?)+
section {* Security Proof(s) (BilateralKeyExchange) *}
lemma over_approx: "t : BilateralKeyExchange ==> (set t) <= BilateralKeyExchange_fp"
apply(rule BilateralKeyExchange.induct, simp_all)
apply(propagate_fp, cut_tac init_0, (assumption | simp)+)
apply(propagate_fp, cut_tac init_1, (assumption | simp)+)
apply(propagate_fp, cut_tac init_2, (assumption | simp)+)
apply(propagate_fp, cut_tac init_3, (assumption | simp)+)
apply(propagate_fp, cut_tac init_4, (assumption | simp)+)
apply(propagate_fp, cut_tac init_5, (assumption | simp)+)
apply(propagate_fp, cut_tac init_6, (assumption | simp)+)
apply(propagate_fp, cut_tac init_7, (assumption | simp)+)
apply(propagate_fp, cut_tac init_8, (assumption | simp)+)
apply(propagate_fp, cut_tac init_9, (assumption | simp)+)
apply(propagate_fp, cut_tac init_10, (assumption | simp)+)
apply(propagate_fp, cut_tac init_11, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_0, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_1, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_2, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_3, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_4, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_5, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_6, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_7, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_8, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_9, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_10, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_11, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_12, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_13, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_14, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_15, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_16, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_17, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_18, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_19, (assumption | simp)+)
done
end (* theory *)

488
examples/Denning-Sacco.thy Normal file
View File

@ -0,0 +1,488 @@
header {* Analysing DenningSacco *}
(* ***********************************
This file is automatically generated from the AnB file "AnB/Denning-Sacco.AnB".
Backend: Open Source Fixedpoint Model Checker version 2009c
************************************ *)
theory
"Denning-Sacco"
imports
ofmc
begin
section {* Protocol Model (DenningSacco) *}
datatype Role = rA | rB | rs
datatype Purpose = purposeNI | purposeT | purposetimestamp | purposePayload
datatype Agent = honest nat
| dishonest nat
datatype Nonce = "ni" "nat"
| "timestamp" "nat"
| "payload" "Msg" "nat"
| "NI"
| "T"
| "Payload"
and Msg = Nonce "Nonce"
| Agent "Agent"
| Purpose "Purpose"
| pair "Msg*Msg"
| scrypt "Msg*Msg"
| crypt "Msg*Msg"
| inv "Msg"
| SID "nat"
| Step "nat"
| authentication
| secrecy
(* SymKeys *)
| SymKey "Msg"
| "sk" "Msg" "nat"
(* Functions *)
datatype Fact = Iknows Msg
| State "Role * (Msg list)"
| Secret "Msg * Msg"
| Attack "Msg"
| Witness "Msg * Msg * Msg * Msg"
| Request "Msg * Msg * Msg * Msg * Msg"
section {* Inductive Protocol Definition (DenningSacco) *}
inductive_set
DenningSacco::"Fact list set"
where
init_0: "[ Iknows(Nonce((ni Abs_NI)))] : DenningSacco"
| init_1: "[ Iknows(Agent(dishonest(i)))] : DenningSacco"
| init_2: "[ State(rA, [Agent(honest(a)), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(dishonest(i)), SID(sid)] )] : DenningSacco"
| init_3: "[ State(rA, [Agent(honest(a)), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(honest(a)), SID(sid)] )] : DenningSacco"
| init_4: "[ Iknows(Step(0))] : DenningSacco"
| init_5: "[ Iknows(Nonce((timestamp Abs_T)))] : DenningSacco"
| init_6: "[ Iknows(SymKey((sk(pair(Agent(dishonest(i)), Agent(honest(a)))) Abs_KAB)))] : DenningSacco"
| init_7: "[ Iknows(SID(sid))] : DenningSacco"
| init_8: "[ Iknows(Agent(honest(a)))] : DenningSacco"
| init_9: "[ State(rB, [Agent(honest(a)), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(dishonest(i)), SID(sid)] )] : DenningSacco"
| init_10: "[ State(rB, [Agent(honest(a)), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(honest(a)), SID(sid)] )] : DenningSacco"
| init_11: "[ State(rs, [Agent(honest(a)), Step(0), SymKey((sk(pair(Agent(dishonest(i)), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(dishonest(i)), Agent(honest(a)))) Abs_KAB)), Agent(dishonest(i)), Agent(dishonest(i)), SID(sid)] )] : DenningSacco"
| init_12: "[ State(rs, [Agent(honest(a)), Step(0), SymKey((sk(pair(Agent(dishonest(i)), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(dishonest(i)), Agent(honest(a)), SID(sid)] )] : DenningSacco"
| init_13: "[ State(rs, [Agent(honest(a)), Step(0), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(dishonest(i)), Agent(honest(a)))) Abs_KAB)), Agent(honest(a)), Agent(dishonest(i)), SID(sid)] )] : DenningSacco"
| init_14: "[ State(rs, [Agent(honest(a)), Step(0), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(honest(a)), Agent(honest(a)), SID(sid)] )] : DenningSacco"
| rule_0: "[| t :DenningSacco;
Iknows(crypt(K, M)) : (set t);
Iknows(inv(K)) : (set t)|]
==>
((Iknows(M))
#t) : DenningSacco"
| rule_1: "[| t :DenningSacco;
Iknows(crypt(inv(K), M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : DenningSacco"
| rule_2: "[| t :DenningSacco;
Iknows(scrypt(K, M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : DenningSacco"
| rule_3: "[| t :DenningSacco;
Iknows(pair(M1, M2)) : (set t)|]
==>
((Iknows(M1))
#(Iknows(M2))
#t) : DenningSacco"
| rule_4: "[| t :DenningSacco;
Secret(M, Agent(honest(a))) : (set t);
Iknows(M) : (set t)|]
==>
((Attack(pair(secrecy, M)))
#t) : DenningSacco"
| rule_5: "[| t :DenningSacco;
Request(A, B, Purpose(purposePayload), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_Payload .
M = Nonce((payload(pair(B, A)) Abs_Payload)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : DenningSacco"
| rule_6: "[| t :DenningSacco;
Request(A, B, Purpose(purposeKAB), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_KAB .
M = SymKey((sk(pair(B, A)) Abs_KAB)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : DenningSacco"
| rule_7: "[| t :DenningSacco;
State(rA, [Agent(A), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), SID(sid)] ) : (set t)|]
==>
((State(rA, [Agent(A), Step(1), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), SID(sid)] ))
#(Iknows(pair(Agent(A), Agent(B))))
#t) : DenningSacco"
| rule_8: "[| t :DenningSacco;
State(rs, [Agent(honest(a)), Step(0), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), Agent(A), SID(sid)] ) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(Agent(B)) : (set t)|]
==>
((State(rs, [Agent(honest(a)), Step(1), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), Agent(A), pair(Agent(A), Agent(B)), SymKey((sk(pair(Agent(A), Agent(B))) Abs_KAB)), Nonce((timestamp Abs_T)), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey((sk(pair(Agent(A), Agent(B))) Abs_KAB)), pair(Nonce((timestamp Abs_T)), scrypt(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), pair(Agent(A), pair(SymKey((sk(pair(Agent(A), Agent(B))) Abs_KAB)), Nonce((timestamp Abs_T))))))))), SID(sid)] ))
#(Iknows(scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey((sk(pair(Agent(A), Agent(B))) Abs_KAB)), pair(Nonce((timestamp Abs_T)), scrypt(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), pair(Agent(A), pair(SymKey((sk(pair(Agent(A), Agent(B))) Abs_KAB)), Nonce((timestamp Abs_T)))))))))))
#t) : DenningSacco"
| rule_9: "[| t :DenningSacco;
State(rA, [Agent(A), Step(1), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), SID(sid)] ) : (set t);
Iknows(scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i))))))) : (set t)|]
==>
((State(rA, [Agent(A), Step(2), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), SID(sid)] ))
#(Iknows(Agent(dishonest(i))))
#t) : DenningSacco"
| rule_10: "[| t :DenningSacco;
State(rA, [Agent(A), Step(1), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), SID(sid)] ) : (set t);
Iknows(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB))) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(SymKey(KAB)) : (set t);
Iknows(Nonce(T)) : (set t);
Iknows(Agent(dishonest(i))) : (set t)|]
==>
((State(rA, [Agent(A), Step(2), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), SID(sid)] ))
#(Iknows(Agent(dishonest(i))))
#t) : DenningSacco"
| rule_11: "[| t :DenningSacco;
State(rB, [Agent(B), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), Agent(A), SID(sid)] ) : (set t);
Iknows(scrypt(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), pair(Agent(A), pair(SymKey(KAB), Nonce(T))))) : (set t)|]
==>
((Secret(Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposePayload), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload))))
#(State(rB, [Agent(B), Step(1), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), Agent(A), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), pair(Agent(A), pair(SymKey(KAB), Nonce(T)))), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)), scrypt(SymKey(KAB), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload))), SID(sid)] ))
#(Iknows(scrypt(SymKey(KAB), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)))))
#t) : DenningSacco"
| rule_12: "[| t :DenningSacco;
State(rB, [Agent(B), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), Agent(A), SID(sid)] ) : (set t);
Iknows(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB))) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(SymKey(KAB)) : (set t);
Iknows(Nonce(T)) : (set t)|]
==>
((Secret(Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposePayload), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload))))
#(State(rB, [Agent(B), Step(1), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), Agent(A), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), pair(Agent(A), pair(SymKey(KAB), Nonce(T)))), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)), scrypt(SymKey(KAB), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload))), SID(sid)] ))
#(Iknows(scrypt(SymKey(KAB), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)))))
#t) : DenningSacco"
| rule_13: "[| t :DenningSacco;
State(rA, [Agent(A), Step(2), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), SID(sid)] ) : (set t);
Iknows(scrypt(SymKey(KAB), Nonce(Payload))) : (set t)|]
==>
((Request(Agent(A), Agent(B), Purpose(purposePayload), Nonce(Payload), SID(sid)))
#(State(rA, [Agent(A), Step(3), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), Nonce(Payload), scrypt(SymKey(KAB), Nonce(Payload)), SID(sid)] ))
#t) : DenningSacco"
| rule_14: "[| t :DenningSacco;
State(rA, [Agent(A), Step(2), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), SID(sid)] ) : (set t);
Iknows(SymKey(KAB)) : (set t);
Iknows(Nonce(Payload)) : (set t)|]
==>
((Request(Agent(A), Agent(B), Purpose(purposePayload), Nonce(Payload), SID(sid)))
#(State(rA, [Agent(A), Step(3), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), Nonce(Payload), scrypt(SymKey(KAB), Nonce(Payload)), SID(sid)] ))
#t) : DenningSacco"
section {* Fixed-point Definition (DenningSacco) *}
constdefs DenningSacco_fp::"Fact set""DenningSacco_fp == {m. ( ? Abs_NI0 i8 i9 i10 i11 i12 i13 i14 i15 a10 a11 a12 a13 a14 a15 a16 a17 Abs_KAB5 a18 a19 a20 Abs_KAB6 i7 a5 a6 Abs_KAB3 Abs_T2 a7 a8 Abs_KAB4 a9 Abs_Payload1 sid0 Abs_Payload0 i3 i4 i5 i6 a0 a1 a2 a3 Abs_KAB1 a4 Abs_KAB2 Abs_T1 i0 i1 i2 Abs_KAB0 Abs_T0 .
(m = Iknows(Nonce((ni Abs_NI0))))
| (m = Iknows(Agent(dishonest(i0))))
| (m = State(rA, [Agent(honest(a0)), Step(0), Nonce((timestamp Abs_T0)), SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB0)), Agent(dishonest(i0)), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(0), Nonce((timestamp Abs_T0)), SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB0)), Agent(honest(a3)), SID(sid0)] ))
| (m = Iknows(Step(0)))
| (m = Iknows(Nonce((timestamp Abs_T0))))
| (m = Iknows(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0))))
| (m = Iknows(SID(sid0)))
| (m = Iknows(Agent(honest(a0))))
| (m = State(rB, [Agent(honest(a0)), Step(0), Nonce((timestamp Abs_T0)), SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB0)), Agent(dishonest(i0)), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(0), Nonce((timestamp Abs_T0)), SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB0)), Agent(honest(a3)), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(0), SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a1)))) Abs_KAB0)), SymKey((sk(pair(Agent(dishonest(i1)), Agent(honest(a2)))) Abs_KAB1)), Agent(dishonest(i2)), Agent(dishonest(i3)), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(0), SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a1)))) Abs_KAB0)), SymKey((sk(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_KAB1)), Agent(dishonest(i1)), Agent(honest(a4)), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(0), SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB0)), SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a3)))) Abs_KAB1)), Agent(honest(a4)), Agent(dishonest(i1)), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(0), SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB0)), SymKey((sk(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_KAB1)), Agent(honest(a5)), Agent(honest(a6)), SID(sid0)] ))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = State(rA, [Agent(honest(a0)), Step(1), Nonce((timestamp Abs_T0)), SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB0)), Agent(dishonest(i0)), pair(Agent(honest(a3)), Agent(dishonest(i1))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(1), Nonce((timestamp Abs_T0)), SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB0)), Agent(honest(a3)), pair(Agent(honest(a4)), Agent(honest(a5))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a1)))) Abs_KAB0)), SymKey((sk(pair(Agent(dishonest(i1)), Agent(honest(a2)))) Abs_KAB1)), Agent(dishonest(i2)), Agent(dishonest(i3)), pair(Agent(dishonest(i4)), Agent(dishonest(i5))), SymKey((sk(pair(Agent(dishonest(i6)), Agent(dishonest(i7)))) Abs_KAB2)), Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i8)), Agent(honest(a3)))) Abs_KAB3)), pair(Agent(dishonest(i9)), pair(SymKey((sk(pair(Agent(dishonest(i10)), Agent(dishonest(i11)))) Abs_KAB4)), pair(Nonce((timestamp Abs_T1)), scrypt(SymKey((sk(pair(Agent(dishonest(i12)), Agent(honest(a4)))) Abs_KAB5)), pair(Agent(dishonest(i13)), pair(SymKey((sk(pair(Agent(dishonest(i14)), Agent(dishonest(i15)))) Abs_KAB6)), Nonce((timestamp Abs_T2))))))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a1)))) Abs_KAB0)), SymKey((sk(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_KAB1)), Agent(dishonest(i1)), Agent(honest(a4)), pair(Agent(honest(a5)), Agent(dishonest(i2))), SymKey((sk(pair(Agent(honest(a6)), Agent(dishonest(i3)))) Abs_KAB2)), Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_KAB3)), pair(Agent(dishonest(i4)), pair(SymKey((sk(pair(Agent(honest(a9)), Agent(dishonest(i5)))) Abs_KAB4)), pair(Nonce((timestamp Abs_T1)), scrypt(SymKey((sk(pair(Agent(dishonest(i6)), Agent(honest(a10)))) Abs_KAB5)), pair(Agent(honest(a11)), pair(SymKey((sk(pair(Agent(honest(a12)), Agent(dishonest(i7)))) Abs_KAB6)), Nonce((timestamp Abs_T2))))))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB0)), SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a3)))) Abs_KAB1)), Agent(honest(a4)), Agent(dishonest(i1)), pair(Agent(dishonest(i2)), Agent(honest(a5))), SymKey((sk(pair(Agent(dishonest(i3)), Agent(honest(a6)))) Abs_KAB2)), Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i4)), Agent(honest(a7)))) Abs_KAB3)), pair(Agent(honest(a8)), pair(SymKey((sk(pair(Agent(dishonest(i5)), Agent(honest(a9)))) Abs_KAB4)), pair(Nonce((timestamp Abs_T1)), scrypt(SymKey((sk(pair(Agent(honest(a10)), Agent(honest(a11)))) Abs_KAB5)), pair(Agent(dishonest(i6)), pair(SymKey((sk(pair(Agent(dishonest(i7)), Agent(honest(a12)))) Abs_KAB6)), Nonce((timestamp Abs_T2))))))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB0)), SymKey((sk(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_KAB1)), Agent(honest(a5)), Agent(honest(a6)), pair(Agent(honest(a7)), Agent(honest(a8))), SymKey((sk(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_KAB2)), Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a11)), Agent(honest(a12)))) Abs_KAB3)), pair(Agent(honest(a13)), pair(SymKey((sk(pair(Agent(honest(a14)), Agent(honest(a15)))) Abs_KAB4)), pair(Nonce((timestamp Abs_T1)), scrypt(SymKey((sk(pair(Agent(honest(a16)), Agent(honest(a17)))) Abs_KAB5)), pair(Agent(honest(a18)), pair(SymKey((sk(pair(Agent(honest(a19)), Agent(honest(a20)))) Abs_KAB6)), Nonce((timestamp Abs_T2))))))))), SID(sid0)] ))
| (m = Iknows(scrypt(SymKey((sk(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_KAB0)), pair(Agent(honest(a2)), pair(SymKey((sk(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_KAB1)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_KAB2)), pair(Agent(honest(a7)), pair(SymKey((sk(pair(Agent(honest(a8)), Agent(honest(a9)))) Abs_KAB3)), Nonce((timestamp Abs_T1)))))))))))
| (m = Iknows(scrypt(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), pair(Agent(honest(a1)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(honest(a2)))) Abs_KAB1)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_KAB2)), pair(Agent(dishonest(i2)), pair(SymKey((sk(pair(Agent(dishonest(i3)), Agent(honest(a5)))) Abs_KAB3)), Nonce((timestamp Abs_T1)))))))))))
| (m = Iknows(scrypt(SymKey((sk(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_KAB0)), pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_KAB1)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a3)))) Abs_KAB2)), pair(Agent(honest(a4)), pair(SymKey((sk(pair(Agent(honest(a5)), Agent(dishonest(i3)))) Abs_KAB3)), Nonce((timestamp Abs_T1)))))))))))
| (m = Iknows(scrypt(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(dishonest(i3)))) Abs_KAB1)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i4)), Agent(honest(a1)))) Abs_KAB2)), pair(Agent(dishonest(i5)), pair(SymKey((sk(pair(Agent(dishonest(i6)), Agent(dishonest(i7)))) Abs_KAB3)), Nonce((timestamp Abs_T1)))))))))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = Iknows(pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(dishonest(i3)))) Abs_KAB1)), Nonce((timestamp Abs_T1))))))))
| (m = Iknows(pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a0)))) Abs_KAB1)), pair(Agent(dishonest(i3)), pair(SymKey((sk(pair(Agent(dishonest(i4)), Agent(dishonest(i5)))) Abs_KAB2)), Nonce((timestamp Abs_T1)))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(dishonest(i2)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i3)), Agent(honest(a0)))) Abs_KAB1)), pair(Agent(dishonest(i4)), pair(SymKey((sk(pair(Agent(dishonest(i5)), Agent(dishonest(i6)))) Abs_KAB2)), Nonce((timestamp Abs_T1))))))))))
| (m = Iknows(pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_KAB0)), pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(honest(a2)))) Abs_KAB1)), Nonce((timestamp Abs_T1))))))))
| (m = Iknows(pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB1)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a3)))) Abs_KAB2)), Nonce((timestamp Abs_T1)))))))))
| (m = Iknows(pair(Agent(honest(a0)), pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a1)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_KAB1)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a4)))) Abs_KAB2)), Nonce((timestamp Abs_T1))))))))))
| (m = Iknows(scrypt(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(dishonest(i3)))) Abs_KAB1)), Nonce((timestamp Abs_T0)))))))
| (m = Iknows(SymKey((sk(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_KAB0))))
| (m = Iknows(scrypt(SymKey((sk(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_KAB0)), pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(honest(a2)))) Abs_KAB1)), Nonce((timestamp Abs_T0)))))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = Iknows(pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(dishonest(i3)))) Abs_KAB1)), Nonce((timestamp Abs_T1))))))))
| (m = Iknows(pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a0)))) Abs_KAB1)), pair(Agent(dishonest(i3)), pair(SymKey((sk(pair(Agent(dishonest(i4)), Agent(dishonest(i5)))) Abs_KAB2)), Nonce((timestamp Abs_T1)))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(dishonest(i2)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i3)), Agent(honest(a0)))) Abs_KAB1)), pair(Agent(dishonest(i4)), pair(SymKey((sk(pair(Agent(dishonest(i5)), Agent(dishonest(i6)))) Abs_KAB2)), Nonce((timestamp Abs_T1))))))))))
| (m = Iknows(pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_KAB0)), pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(honest(a2)))) Abs_KAB1)), Nonce((timestamp Abs_T1))))))))
| (m = Iknows(pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB1)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a3)))) Abs_KAB2)), Nonce((timestamp Abs_T1)))))))))
| (m = Iknows(pair(Agent(honest(a0)), pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a1)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_KAB1)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a4)))) Abs_KAB2)), Nonce((timestamp Abs_T1))))))))))
| (m = Iknows(pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_KAB0)), Nonce((timestamp Abs_T0)))))
| (m = Iknows(pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(dishonest(i2)))) Abs_KAB0)), Nonce((timestamp Abs_T0))))))
| (m = Secret(Nonce((payload(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_Payload0)), Agent(dishonest(i1))))
| (m = Witness(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposePayload), Nonce((payload(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_Payload0))))
| (m = State(rB, [Agent(honest(a0)), Step(1), Nonce((timestamp Abs_T0)), SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB0)), Agent(dishonest(i0)), Nonce((timestamp Abs_T1)), SymKey((sk(pair(Agent(dishonest(i1)), Agent(honest(a3)))) Abs_KAB1)), scrypt(SymKey((sk(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_KAB2)), pair(Agent(dishonest(i2)), pair(SymKey((sk(pair(Agent(dishonest(i3)), Agent(honest(a6)))) Abs_KAB3)), Nonce((timestamp Abs_T2))))), Nonce((payload(pair(Agent(honest(a7)), Agent(dishonest(i4)))) Abs_Payload0)), scrypt(SymKey((sk(pair(Agent(dishonest(i5)), Agent(honest(a8)))) Abs_KAB4)), Nonce((payload(pair(Agent(honest(a9)), Agent(dishonest(i6)))) Abs_Payload1))), SID(sid0)] ))
| (m = Iknows(scrypt(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), Nonce((payload(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_Payload0)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = Iknows(pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(dishonest(i3)))) Abs_KAB1)), Nonce((timestamp Abs_T1))))))))
| (m = Iknows(pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a0)))) Abs_KAB1)), pair(Agent(dishonest(i3)), pair(SymKey((sk(pair(Agent(dishonest(i4)), Agent(dishonest(i5)))) Abs_KAB2)), Nonce((timestamp Abs_T1)))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(dishonest(i2)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i3)), Agent(honest(a0)))) Abs_KAB1)), pair(Agent(dishonest(i4)), pair(SymKey((sk(pair(Agent(dishonest(i5)), Agent(dishonest(i6)))) Abs_KAB2)), Nonce((timestamp Abs_T1))))))))))
| (m = Iknows(pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_KAB0)), pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(honest(a2)))) Abs_KAB1)), Nonce((timestamp Abs_T1))))))))
| (m = Iknows(pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB1)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a3)))) Abs_KAB2)), Nonce((timestamp Abs_T1)))))))))
| (m = Iknows(pair(Agent(honest(a0)), pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a1)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_KAB1)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a4)))) Abs_KAB2)), Nonce((timestamp Abs_T1))))))))))
| (m = Iknows(pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_KAB0)), Nonce((timestamp Abs_T0)))))
| (m = Iknows(pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(dishonest(i2)))) Abs_KAB0)), Nonce((timestamp Abs_T0))))))
| (m = Iknows(Nonce((payload(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_Payload0))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = Iknows(pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(dishonest(i3)))) Abs_KAB1)), Nonce((timestamp Abs_T1))))))))
| (m = Iknows(pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a0)))) Abs_KAB1)), pair(Agent(dishonest(i3)), pair(SymKey((sk(pair(Agent(dishonest(i4)), Agent(dishonest(i5)))) Abs_KAB2)), Nonce((timestamp Abs_T1)))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(dishonest(i2)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(dishonest(i3)), Agent(honest(a0)))) Abs_KAB1)), pair(Agent(dishonest(i4)), pair(SymKey((sk(pair(Agent(dishonest(i5)), Agent(dishonest(i6)))) Abs_KAB2)), Nonce((timestamp Abs_T1))))))))))
| (m = Iknows(pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_KAB0)), pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(honest(a2)))) Abs_KAB1)), Nonce((timestamp Abs_T1))))))))
| (m = Iknows(pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_KAB1)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a3)))) Abs_KAB2)), Nonce((timestamp Abs_T1)))))))))
| (m = Iknows(pair(Agent(honest(a0)), pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(honest(a1)))) Abs_KAB0)), pair(Nonce((timestamp Abs_T0)), scrypt(SymKey((sk(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_KAB1)), pair(Agent(dishonest(i1)), pair(SymKey((sk(pair(Agent(dishonest(i2)), Agent(honest(a4)))) Abs_KAB2)), Nonce((timestamp Abs_T1))))))))))
| (m = Iknows(pair(SymKey((sk(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_KAB0)), Nonce((timestamp Abs_T0)))))
| (m = Iknows(pair(Agent(dishonest(i0)), pair(SymKey((sk(pair(Agent(dishonest(i1)), Agent(dishonest(i2)))) Abs_KAB0)), Nonce((timestamp Abs_T0))))))
)}"
section {* Checking Fixed-point (DenningSacco) *}
lemma fp_attack_free: "~ (Attack m : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_0: "Iknows(Nonce((ni Abs_NI))) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_1: "Iknows(Agent(dishonest(i))) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_2: "State(rA, [Agent(honest(a)), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(dishonest(i)), SID(sid)] ) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_3: "State(rA, [Agent(honest(a)), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(honest(a)), SID(sid)] ) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_4: "Iknows(Step(0)) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_5: "Iknows(Nonce((timestamp Abs_T))) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_6: "Iknows(SymKey((sk(pair(Agent(dishonest(i)), Agent(honest(a)))) Abs_KAB))) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_7: "Iknows(SID(sid)) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_8: "Iknows(Agent(honest(a))) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_9: "State(rB, [Agent(honest(a)), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(dishonest(i)), SID(sid)] ) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_10: "State(rB, [Agent(honest(a)), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(honest(a)), SID(sid)] ) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_11: "State(rs, [Agent(honest(a)), Step(0), SymKey((sk(pair(Agent(dishonest(i)), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(dishonest(i)), Agent(honest(a)))) Abs_KAB)), Agent(dishonest(i)), Agent(dishonest(i)), SID(sid)] ) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_12: "State(rs, [Agent(honest(a)), Step(0), SymKey((sk(pair(Agent(dishonest(i)), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(dishonest(i)), Agent(honest(a)), SID(sid)] ) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_13: "State(rs, [Agent(honest(a)), Step(0), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(dishonest(i)), Agent(honest(a)))) Abs_KAB)), Agent(honest(a)), Agent(dishonest(i)), SID(sid)] ) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma init_14: "State(rs, [Agent(honest(a)), Step(0), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(honest(a)), Agent(honest(a)))) Abs_KAB)), Agent(honest(a)), Agent(honest(a)), SID(sid)] ) : DenningSacco_fp"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_0: "[|
Iknows(crypt(K, M)) : DenningSacco_fp;
Iknows(inv(K)) : DenningSacco_fp|]
==>
(Iknows(M) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_1: "[|
Iknows(crypt(inv(K), M)) : DenningSacco_fp;
Iknows(K) : DenningSacco_fp|]
==>
(Iknows(M) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_2: "[|
Iknows(scrypt(K, M)) : DenningSacco_fp;
Iknows(K) : DenningSacco_fp|]
==>
(Iknows(M) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_3: "[|
Iknows(pair(M1, M2)) : DenningSacco_fp|]
==>
(Iknows(M1) : DenningSacco_fp) &
(Iknows(M2) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_4: "[|
Secret(M, Agent(honest(a))) : DenningSacco_fp;
Iknows(M) : DenningSacco_fp|]
==>
(Attack(pair(secrecy, M)) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_5: "[|
Request(A, B, Purpose(purposePayload), M, SID(sid)) : DenningSacco_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_Payload .
M = Nonce((payload(pair(B, A)) Abs_Payload)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_6: "[|
Request(A, B, Purpose(purposeKAB), M, SID(sid)) : DenningSacco_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_KAB .
M = SymKey((sk(pair(B, A)) Abs_KAB)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_7: "[|
State(rA, [Agent(A), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), SID(sid)] ) : DenningSacco_fp|]
==>
(State(rA, [Agent(A), Step(1), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), SID(sid)] ) : DenningSacco_fp) &
(Iknows(pair(Agent(A), Agent(B))) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_8: "[|
State(rs, [Agent(honest(a)), Step(0), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), Agent(A), SID(sid)] ) : DenningSacco_fp;
Iknows(Agent(A)) : DenningSacco_fp;
Iknows(Agent(B)) : DenningSacco_fp|]
==>
(State(rs, [Agent(honest(a)), Step(1), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), Agent(A), pair(Agent(A), Agent(B)), SymKey((sk(pair(Agent(A), Agent(B))) Abs_KAB)), Nonce((timestamp Abs_T)), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey((sk(pair(Agent(A), Agent(B))) Abs_KAB)), pair(Nonce((timestamp Abs_T)), scrypt(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), pair(Agent(A), pair(SymKey((sk(pair(Agent(A), Agent(B))) Abs_KAB)), Nonce((timestamp Abs_T))))))))), SID(sid)] ) : DenningSacco_fp) &
(Iknows(scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey((sk(pair(Agent(A), Agent(B))) Abs_KAB)), pair(Nonce((timestamp Abs_T)), scrypt(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), pair(Agent(A), pair(SymKey((sk(pair(Agent(A), Agent(B))) Abs_KAB)), Nonce((timestamp Abs_T)))))))))) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_9: "[|
State(rA, [Agent(A), Step(1), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), SID(sid)] ) : DenningSacco_fp;
Iknows(scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i))))))) : DenningSacco_fp|]
==>
(State(rA, [Agent(A), Step(2), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), SID(sid)] ) : DenningSacco_fp) &
(Iknows(Agent(dishonest(i))) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_10: "[|
State(rA, [Agent(A), Step(1), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), SID(sid)] ) : DenningSacco_fp;
Iknows(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB))) : DenningSacco_fp;
Iknows(Agent(B)) : DenningSacco_fp;
Iknows(SymKey(KAB)) : DenningSacco_fp;
Iknows(Nonce(T)) : DenningSacco_fp;
Iknows(Agent(dishonest(i))) : DenningSacco_fp|]
==>
(State(rA, [Agent(A), Step(2), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), SID(sid)] ) : DenningSacco_fp) &
(Iknows(Agent(dishonest(i))) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_11: "[|
State(rB, [Agent(B), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), Agent(A), SID(sid)] ) : DenningSacco_fp;
Iknows(scrypt(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), pair(Agent(A), pair(SymKey(KAB), Nonce(T))))) : DenningSacco_fp|]
==>
(Secret(Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)), Agent(A)) : DenningSacco_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposePayload), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload))) : DenningSacco_fp) &
(State(rB, [Agent(B), Step(1), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), Agent(A), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), pair(Agent(A), pair(SymKey(KAB), Nonce(T)))), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)), scrypt(SymKey(KAB), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload))), SID(sid)] ) : DenningSacco_fp) &
(Iknows(scrypt(SymKey(KAB), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)))) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_12: "[|
State(rB, [Agent(B), Step(0), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), Agent(A), SID(sid)] ) : DenningSacco_fp;
Iknows(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB))) : DenningSacco_fp;
Iknows(Agent(A)) : DenningSacco_fp;
Iknows(SymKey(KAB)) : DenningSacco_fp;
Iknows(Nonce(T)) : DenningSacco_fp|]
==>
(Secret(Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)), Agent(A)) : DenningSacco_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposePayload), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload))) : DenningSacco_fp) &
(State(rB, [Agent(B), Step(1), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), Agent(A), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(B), Agent(honest(a)))) Abs_KAB)), pair(Agent(A), pair(SymKey(KAB), Nonce(T)))), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)), scrypt(SymKey(KAB), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload))), SID(sid)] ) : DenningSacco_fp) &
(Iknows(scrypt(SymKey(KAB), Nonce((payload(pair(Agent(B), Agent(A))) Abs_Payload)))) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_13: "[|
State(rA, [Agent(A), Step(2), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), SID(sid)] ) : DenningSacco_fp;
Iknows(scrypt(SymKey(KAB), Nonce(Payload))) : DenningSacco_fp|]
==>
(Request(Agent(A), Agent(B), Purpose(purposePayload), Nonce(Payload), SID(sid)) : DenningSacco_fp) &
(State(rA, [Agent(A), Step(3), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), Nonce(Payload), scrypt(SymKey(KAB), Nonce(Payload)), SID(sid)] ) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_14: "[|
State(rA, [Agent(A), Step(2), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), SID(sid)] ) : DenningSacco_fp;
Iknows(SymKey(KAB)) : DenningSacco_fp;
Iknows(Nonce(Payload)) : DenningSacco_fp|]
==>
(Request(Agent(A), Agent(B), Purpose(purposePayload), Nonce(Payload), SID(sid)) : DenningSacco_fp) &
(State(rA, [Agent(A), Step(3), Nonce((timestamp Abs_T)), SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), Agent(B), pair(Agent(A), Agent(B)), Agent(dishonest(i)), Nonce(T), SymKey(KAB), scrypt(SymKey((sk(pair(Agent(A), Agent(honest(a)))) Abs_KAB)), pair(Agent(B), pair(SymKey(KAB), pair(Nonce(T), Agent(dishonest(i)))))), Nonce(Payload), scrypt(SymKey(KAB), Nonce(Payload)), SID(sid)] ) : DenningSacco_fp)"
by(simp only: DenningSacco_fp_def, simp only: set2pred, simp, auto?)+
section {* Security Proof(s) (DenningSacco) *}
lemma over_approx: "t : DenningSacco ==> (set t) <= DenningSacco_fp"
apply(rule DenningSacco.induct, simp_all)
apply(propagate_fp, cut_tac init_0, (assumption | simp)+)
apply(propagate_fp, cut_tac init_1, (assumption | simp)+)
apply(propagate_fp, cut_tac init_2, (assumption | simp)+)
apply(propagate_fp, cut_tac init_3, (assumption | simp)+)
apply(propagate_fp, cut_tac init_4, (assumption | simp)+)
apply(propagate_fp, cut_tac init_5, (assumption | simp)+)
apply(propagate_fp, cut_tac init_6, (assumption | simp)+)
apply(propagate_fp, cut_tac init_7, (assumption | simp)+)
apply(propagate_fp, cut_tac init_8, (assumption | simp)+)
apply(propagate_fp, cut_tac init_9, (assumption | simp)+)
apply(propagate_fp, cut_tac init_10, (assumption | simp)+)
apply(propagate_fp, cut_tac init_11, (assumption | simp)+)
apply(propagate_fp, cut_tac init_12, (assumption | simp)+)
apply(propagate_fp, cut_tac init_13, (assumption | simp)+)
apply(propagate_fp, cut_tac init_14, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_0, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_1, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_2, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_3, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_4, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_5, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_6, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_7, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_8, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_9, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_10, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_11, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_12, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_13, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_14, (assumption | simp)+)
done
end (* theory *)

View File

@ -0,0 +1,484 @@
header {* Analysing ISO_onepass_pk *}
(* ***********************************
This file is automatically generated from the AnB file "AnB/ISOpubKeyOnePassUnilateralAuthProt.AnB".
Backend: Open Source Fixedpoint Model Checker version 2009c
************************************ *)
theory
"ISOpubKeyOnePassUnilateralAuthProt"
imports
ofmc
begin
section {* Protocol Model (ISO_onepass_pk) *}
datatype Role = rA | rB | rs
datatype Purpose = purposeNI | purposeNA | purposeText1
datatype Agent = honest nat
| dishonest nat
datatype Nonce = "ni" "nat"
| "absNA" "Msg" "nat"
| "absText1" "Msg" "nat"
| "NI"
| "NA"
| "Text1"
and Msg = Nonce "Nonce"
| Agent "Agent"
| Purpose "Purpose"
| pair "Msg*Msg"
| scrypt "Msg*Msg"
| crypt "Msg*Msg"
| inv "Msg"
| SID "nat"
| Step "nat"
| authentication
| secrecy
(* SymKeys *)
| SymKey "Msg"
(* Functions *)
| "pk" "Msg"
datatype Fact = Iknows Msg
| State "Role * (Msg list)"
| Secret "Msg * Msg"
| Attack "Msg"
| Witness "Msg * Msg * Msg * Msg"
| Request "Msg * Msg * Msg * Msg * Msg"
section {* Inductive Protocol Definition (ISO_onepass_pk) *}
inductive_set
ISO_onepass_pk::"Fact list set"
where
init_0: "[ Iknows(Nonce((ni Abs_NI)))] : ISO_onepass_pk"
| init_1: "[ Iknows(Agent(dishonest(i)))] : ISO_onepass_pk"
| init_2: "[ State(rA, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), crypt(inv(pk(Agent(honest(a)))), pair(Agent(honest(a)), pk(Agent(honest(a))))), Agent(dishonest(i)), SID(sid)] )] : ISO_onepass_pk"
| init_3: "[ State(rA, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), crypt(inv(pk(Agent(honest(a)))), pair(Agent(honest(a)), pk(Agent(honest(a))))), Agent(honest(a)), SID(sid)] )] : ISO_onepass_pk"
| init_4: "[ Iknows(Step(0))] : ISO_onepass_pk"
| init_5: "[ Iknows(inv(pk(Agent(dishonest(i)))))] : ISO_onepass_pk"
| init_6: "[ Iknows(pk(Agent(dishonest(i))))] : ISO_onepass_pk"
| init_7: "[ Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(dishonest(i)), pk(Agent(dishonest(i))))))] : ISO_onepass_pk"
| init_8: "[ Iknows(SID(sid))] : ISO_onepass_pk"
| init_9: "[ Iknows(Agent(honest(a)))] : ISO_onepass_pk"
| init_10: "[ State(rB, [Agent(honest(a)), Step(0), pk(Agent(honest(a))), SID(sid)] )] : ISO_onepass_pk"
| init_11: "[ Iknows(pk(Agent(honest(a))))] : ISO_onepass_pk"
| rule_0: "[| t :ISO_onepass_pk;
Iknows(crypt(K, M)) : (set t);
Iknows(inv(K)) : (set t)|]
==>
((Iknows(M))
#t) : ISO_onepass_pk"
| rule_1: "[| t :ISO_onepass_pk;
Iknows(crypt(inv(K), M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : ISO_onepass_pk"
| rule_2: "[| t :ISO_onepass_pk;
Iknows(scrypt(K, M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : ISO_onepass_pk"
| rule_3: "[| t :ISO_onepass_pk;
Iknows(pair(M1, M2)) : (set t)|]
==>
((Iknows(M1))
#(Iknows(M2))
#t) : ISO_onepass_pk"
| rule_4: "[| t :ISO_onepass_pk;
Secret(M, Agent(honest(a))) : (set t);
Iknows(M) : (set t)|]
==>
((Attack(pair(secrecy, M)))
#t) : ISO_onepass_pk"
| rule_5: "[| t :ISO_onepass_pk;
Request(A, B, Purpose(purposeNA), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NA .
M = Nonce((absNA(pair(B, A)) Abs_NA)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : ISO_onepass_pk"
| rule_6: "[| t :ISO_onepass_pk;
Request(A, B, Purpose(purposeText1), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_Text1 .
M = Nonce((absText1(pair(B, A)) Abs_Text1)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : ISO_onepass_pk"
| rule_7: "[| t :ISO_onepass_pk;
State(rA, [Agent(A), Step(0), inv(pk(Agent(A))), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Agent(B), SID(sid)] ) : (set t)|]
==>
((Witness(Agent(A), Agent(B), Purpose(purposeText1), Nonce((absText1(pair(Agent(A), Agent(B))) Abs_Text1))))
#(State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Agent(B), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Nonce((absText1(pair(Agent(A), Agent(B))) Abs_Text1)), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(B), Nonce((absText1(pair(Agent(A), Agent(B))) Abs_Text1)))))), SID(sid)] ))
#(Iknows(pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(B), Nonce((absText1(pair(Agent(A), Agent(B))) Abs_Text1))))))))
#t) : ISO_onepass_pk"
| rule_8: "[| t :ISO_onepass_pk;
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : (set t);
Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A))))) : (set t);
Iknows(crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)))
#(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ))
#t) : ISO_onepass_pk"
| rule_9: "[| t :ISO_onepass_pk;
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : (set t);
Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A))))) : (set t);
Iknows(inv(pk(Agent(A)))) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Nonce(Text1)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)))
#(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ))
#t) : ISO_onepass_pk"
| rule_10: "[| t :ISO_onepass_pk;
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : (set t);
Iknows(inv(pk(Agent(honest(a))))) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(pk(Agent(A))) : (set t);
Iknows(crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)))
#(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ))
#t) : ISO_onepass_pk"
| rule_11: "[| t :ISO_onepass_pk;
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : (set t);
Iknows(inv(pk(Agent(honest(a))))) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(pk(Agent(A))) : (set t);
Iknows(inv(pk(Agent(A)))) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Nonce(Text1)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)))
#(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ))
#t) : ISO_onepass_pk"
| rule_12: "[| t :ISO_onepass_pk;
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : (set t);
Iknows(inv(pk(Agent(honest(a))))) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)))
#(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ))
#t) : ISO_onepass_pk"
| rule_13: "[| t :ISO_onepass_pk;
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : (set t);
Iknows(inv(pk(Agent(honest(a))))) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(inv(pk(Agent(A)))) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Nonce(Text1)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)))
#(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ))
#t) : ISO_onepass_pk"
section {* Fixed-point Definition (ISO_onepass_pk) *}
constdefs ISO_onepass_pk_fp::"Fact set""ISO_onepass_pk_fp == {m. ( ? Abs_NI3 Abs_NI4 Abs_NI5 a18 a19 a20 a21 a22 a23 a24 a25 i11 i12 i13 Abs_Text13 Abs_Text14 Abs_Text15 Abs_NA3 a12 a13 a14 Abs_NA4 a15 a16 a17 Abs_NA5 i8 i9 i10 Abs_Text11 Abs_Text12 Abs_NI0 Abs_NI1 Abs_NA1 i3 i4 i5 i6 i7 Abs_NI2 a9 a10 a11 Abs_NA2 sid0 a6 a7 a8 a5 i0 i1 i2 a0 a1 Abs_NA0 a2 a3 a4 Abs_Text10 .
(m = Iknows(Nonce((ni Abs_NI0))))
| (m = Iknows(Agent(dishonest(i0))))
| (m = State(rA, [Agent(honest(a0)), Step(0), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), crypt(inv(pk(Agent(honest(a3)))), pair(Agent(honest(a4)), pk(Agent(honest(a5))))), Agent(dishonest(i0)), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(0), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), crypt(inv(pk(Agent(honest(a3)))), pair(Agent(honest(a4)), pk(Agent(honest(a5))))), Agent(honest(a6)), SID(sid0)] ))
| (m = Iknows(Step(0)))
| (m = Iknows(inv(pk(Agent(dishonest(i0))))))
| (m = Iknows(pk(Agent(dishonest(i0)))))
| (m = Iknows(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1)))))))
| (m = Iknows(SID(sid0)))
| (m = Iknows(Agent(honest(a0))))
| (m = State(rB, [Agent(honest(a0)), Step(0), pk(Agent(honest(a1))), SID(sid0)] ))
| (m = Iknows(pk(Agent(honest(a0)))))
| (m = Iknows(pair(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(honest(a1)), pk(Agent(honest(a2))))), crypt(inv(pk(Agent(honest(a3)))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_NA0)), pair(Agent(honest(a6)), Nonce((absText1(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_Text10))))))))
| (m = Iknows(pair(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(honest(a1)), pk(Agent(honest(a2))))), crypt(inv(pk(Agent(honest(a3)))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(dishonest(i1)), Nonce((absText1(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_Text10))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1))))))
| (m = Witness(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeText1), Nonce((absText1(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_Text10))))
| (m = State(rA, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), crypt(inv(pk(Agent(honest(a3)))), pair(Agent(honest(a4)), pk(Agent(honest(a5))))), Agent(dishonest(i0)), Nonce((absNA(pair(Agent(honest(a6)), Agent(dishonest(i1)))) Abs_NA0)), Nonce((absText1(pair(Agent(honest(a7)), Agent(dishonest(i2)))) Abs_Text10)), pair(crypt(inv(pk(Agent(honest(a8)))), pair(Agent(honest(a9)), pk(Agent(honest(a10))))), crypt(inv(pk(Agent(honest(a11)))), pair(Nonce((absNA(pair(Agent(honest(a12)), Agent(dishonest(i3)))) Abs_NA1)), pair(Agent(dishonest(i4)), Nonce((absText1(pair(Agent(honest(a13)), Agent(dishonest(i5)))) Abs_Text11)))))), SID(sid0)] ))
| (m = Witness(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeText1), Nonce((absText1(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_Text10))))
| (m = State(rA, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), pk(Agent(honest(a2))), crypt(inv(pk(Agent(honest(a3)))), pair(Agent(honest(a4)), pk(Agent(honest(a5))))), Agent(honest(a6)), Nonce((absNA(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_NA0)), Nonce((absText1(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_Text10)), pair(crypt(inv(pk(Agent(honest(a11)))), pair(Agent(honest(a12)), pk(Agent(honest(a13))))), crypt(inv(pk(Agent(honest(a14)))), pair(Nonce((absNA(pair(Agent(honest(a15)), Agent(honest(a16)))) Abs_NA1)), pair(Agent(honest(a17)), Nonce((absText1(pair(Agent(honest(a18)), Agent(honest(a19)))) Abs_Text11)))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeText1), Nonce((ni Abs_NI0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((ni Abs_NI0)), Nonce((ni Abs_NI1)), crypt(inv(pk(Agent(dishonest(i0)))), pair(Nonce((ni Abs_NI2)), pair(Agent(honest(a2)), Nonce((ni Abs_NI3))))), pk(Agent(dishonest(i1))), Agent(dishonest(i2)), crypt(inv(pk(Agent(honest(a3)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), pair(crypt(inv(pk(Agent(honest(a4)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), crypt(inv(pk(Agent(dishonest(i7)))), pair(Nonce((ni Abs_NI4)), pair(Agent(honest(a5)), Nonce((ni Abs_NI5)))))), SID(sid0)] ))
| (m = Iknows(crypt(inv(pk(Agent(honest(a0)))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_NA0)), pair(Agent(honest(a3)), Nonce((absText1(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_Text10)))))))
| (m = Iknows(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(honest(a1)), pk(Agent(honest(a2)))))))
| (m = Iknows(crypt(inv(pk(Agent(honest(a0)))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(dishonest(i1)), Nonce((absText1(pair(Agent(honest(a2)), Agent(dishonest(i2)))) Abs_Text10)))))))
| (m = Iknows(pair(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(honest(a1)), pk(Agent(honest(a2))))), crypt(inv(pk(Agent(honest(a3)))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_NA0)), pair(Agent(honest(a6)), Nonce((absText1(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_Text10))))))))
| (m = Iknows(pair(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(honest(a1)), pk(Agent(honest(a2))))), crypt(inv(pk(Agent(honest(a3)))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(dishonest(i1)), Nonce((absText1(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_Text10))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1))))))
| (m = Iknows(pair(Agent(dishonest(i0)), Nonce((absText1(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_Text10)))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(dishonest(i1)), Nonce((absText1(pair(Agent(honest(a1)), Agent(dishonest(i2)))) Abs_Text10))))))
| (m = Iknows(pair(Agent(honest(a0)), pk(Agent(honest(a1))))))
| (m = Iknows(pair(Agent(honest(a0)), Nonce((absText1(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_Text10)))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_NA0)), pair(Agent(honest(a2)), Nonce((absText1(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_Text10))))))
| (m = Request(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeText1), Nonce((absText1(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_Text10)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absText1(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_Text10)), Nonce((absNA(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_NA0)), crypt(inv(pk(Agent(honest(a6)))), pair(Nonce((absNA(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_NA1)), pair(Agent(honest(a9)), Nonce((absText1(pair(Agent(honest(a10)), Agent(honest(a11)))) Abs_Text11))))), pk(Agent(honest(a12))), Agent(honest(a13)), crypt(inv(pk(Agent(honest(a14)))), pair(Agent(honest(a15)), pk(Agent(honest(a16))))), pair(crypt(inv(pk(Agent(honest(a17)))), pair(Agent(honest(a18)), pk(Agent(honest(a19))))), crypt(inv(pk(Agent(honest(a20)))), pair(Nonce((absNA(pair(Agent(honest(a21)), Agent(honest(a22)))) Abs_NA2)), pair(Agent(honest(a23)), Nonce((absText1(pair(Agent(honest(a24)), Agent(honest(a25)))) Abs_Text12)))))), SID(sid0)] ))
| (m = Iknows(Nonce((absText1(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_Text10))))
| (m = Iknows(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0))))
| (m = Iknows(Nonce((absText1(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_Text10))))
| (m = Iknows(Nonce((absNA(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_NA0))))
| (m = Iknows(pair(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(honest(a1)), pk(Agent(honest(a2))))), crypt(inv(pk(Agent(honest(a3)))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_NA0)), pair(Agent(honest(a6)), Nonce((absText1(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_Text10))))))))
| (m = Iknows(pair(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(honest(a1)), pk(Agent(honest(a2))))), crypt(inv(pk(Agent(honest(a3)))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(dishonest(i1)), Nonce((absText1(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_Text10))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1))))))
| (m = Iknows(pair(Agent(dishonest(i0)), Nonce((absText1(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_Text10)))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(dishonest(i1)), Nonce((absText1(pair(Agent(honest(a1)), Agent(dishonest(i2)))) Abs_Text10))))))
| (m = Iknows(pair(Agent(honest(a0)), pk(Agent(honest(a1))))))
| (m = Iknows(pair(Agent(honest(a0)), Nonce((absText1(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_Text10)))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_NA0)), pair(Agent(honest(a2)), Nonce((absText1(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_Text10))))))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeText1), Nonce((absText1(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_Text10)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absText1(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_Text10)), Nonce((absText1(pair(Agent(honest(a3)), Agent(dishonest(i1)))) Abs_Text11)), crypt(inv(pk(Agent(dishonest(i2)))), pair(Nonce((absText1(pair(Agent(honest(a4)), Agent(dishonest(i3)))) Abs_Text12)), pair(Agent(honest(a5)), Nonce((absText1(pair(Agent(honest(a6)), Agent(dishonest(i4)))) Abs_Text13))))), pk(Agent(dishonest(i5))), Agent(dishonest(i6)), crypt(inv(pk(Agent(honest(a7)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), pair(crypt(inv(pk(Agent(honest(a8)))), pair(Agent(dishonest(i9)), pk(Agent(dishonest(i10))))), crypt(inv(pk(Agent(dishonest(i11)))), pair(Nonce((absText1(pair(Agent(honest(a9)), Agent(dishonest(i12)))) Abs_Text14)), pair(Agent(honest(a10)), Nonce((absText1(pair(Agent(honest(a11)), Agent(dishonest(i13)))) Abs_Text15)))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeText1), Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_NA0)), Nonce((absText1(pair(Agent(honest(a3)), Agent(dishonest(i1)))) Abs_Text10)), crypt(inv(pk(Agent(dishonest(i2)))), pair(Nonce((absText1(pair(Agent(honest(a4)), Agent(dishonest(i3)))) Abs_Text11)), pair(Agent(honest(a5)), Nonce((absNA(pair(Agent(honest(a6)), Agent(dishonest(i4)))) Abs_NA1))))), pk(Agent(dishonest(i5))), Agent(dishonest(i6)), crypt(inv(pk(Agent(honest(a7)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), pair(crypt(inv(pk(Agent(honest(a8)))), pair(Agent(dishonest(i9)), pk(Agent(dishonest(i10))))), crypt(inv(pk(Agent(dishonest(i11)))), pair(Nonce((absText1(pair(Agent(honest(a9)), Agent(dishonest(i12)))) Abs_Text12)), pair(Agent(honest(a10)), Nonce((absNA(pair(Agent(honest(a11)), Agent(dishonest(i13)))) Abs_NA2)))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeText1), Nonce((absText1(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_Text10)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absText1(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_Text10)), Nonce((absText1(pair(Agent(honest(a4)), Agent(dishonest(i0)))) Abs_Text11)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((absText1(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_Text12)), pair(Agent(honest(a6)), Nonce((absText1(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_Text13))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a10)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((absText1(pair(Agent(honest(a11)), Agent(dishonest(i10)))) Abs_Text14)), pair(Agent(honest(a12)), Nonce((absText1(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_Text15)))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeText1), Nonce((absNA(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_NA0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absNA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0)), Nonce((absText1(pair(Agent(honest(a4)), Agent(dishonest(i0)))) Abs_Text10)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((absText1(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_Text11)), pair(Agent(honest(a6)), Nonce((absNA(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_NA1))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a10)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((absText1(pair(Agent(honest(a11)), Agent(dishonest(i10)))) Abs_Text12)), pair(Agent(honest(a12)), Nonce((absNA(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_NA2)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((ni Abs_NI0)), Nonce((absText1(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_Text10)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((absText1(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_Text11)), pair(Agent(honest(a4)), Nonce((ni Abs_NI1))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a5)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a6)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((absText1(pair(Agent(honest(a7)), Agent(dishonest(i10)))) Abs_Text12)), pair(Agent(honest(a8)), Nonce((ni Abs_NI2)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absText1(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_Text10)), Nonce((absNA(pair(Agent(honest(a3)), Agent(dishonest(i1)))) Abs_NA0)), crypt(inv(pk(Agent(dishonest(i2)))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(dishonest(i3)))) Abs_NA1)), pair(Agent(honest(a5)), Nonce((absText1(pair(Agent(honest(a6)), Agent(dishonest(i4)))) Abs_Text11))))), pk(Agent(dishonest(i5))), Agent(dishonest(i6)), crypt(inv(pk(Agent(honest(a7)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), pair(crypt(inv(pk(Agent(honest(a8)))), pair(Agent(dishonest(i9)), pk(Agent(dishonest(i10))))), crypt(inv(pk(Agent(dishonest(i11)))), pair(Nonce((absNA(pair(Agent(honest(a9)), Agent(dishonest(i12)))) Abs_NA2)), pair(Agent(honest(a10)), Nonce((absText1(pair(Agent(honest(a11)), Agent(dishonest(i13)))) Abs_Text12)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_NA0)), Nonce((absNA(pair(Agent(honest(a3)), Agent(dishonest(i1)))) Abs_NA1)), crypt(inv(pk(Agent(dishonest(i2)))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(dishonest(i3)))) Abs_NA2)), pair(Agent(honest(a5)), Nonce((absNA(pair(Agent(honest(a6)), Agent(dishonest(i4)))) Abs_NA3))))), pk(Agent(dishonest(i5))), Agent(dishonest(i6)), crypt(inv(pk(Agent(honest(a7)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), pair(crypt(inv(pk(Agent(honest(a8)))), pair(Agent(dishonest(i9)), pk(Agent(dishonest(i10))))), crypt(inv(pk(Agent(dishonest(i11)))), pair(Nonce((absNA(pair(Agent(honest(a9)), Agent(dishonest(i12)))) Abs_NA4)), pair(Agent(honest(a10)), Nonce((absNA(pair(Agent(honest(a11)), Agent(dishonest(i13)))) Abs_NA5)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absText1(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_Text10)), Nonce((absNA(pair(Agent(honest(a4)), Agent(dishonest(i0)))) Abs_NA0)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((absNA(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_NA1)), pair(Agent(honest(a6)), Nonce((absText1(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_Text11))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a10)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((absNA(pair(Agent(honest(a11)), Agent(dishonest(i10)))) Abs_NA2)), pair(Agent(honest(a12)), Nonce((absText1(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_Text12)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absNA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0)), Nonce((absNA(pair(Agent(honest(a4)), Agent(dishonest(i0)))) Abs_NA1)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((absNA(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_NA2)), pair(Agent(honest(a6)), Nonce((absNA(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_NA3))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a10)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((absNA(pair(Agent(honest(a11)), Agent(dishonest(i10)))) Abs_NA4)), pair(Agent(honest(a12)), Nonce((absNA(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_NA5)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((ni Abs_NI0)), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_NA0)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((absNA(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_NA1)), pair(Agent(honest(a4)), Nonce((ni Abs_NI1))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a5)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a6)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((absNA(pair(Agent(honest(a7)), Agent(dishonest(i10)))) Abs_NA2)), pair(Agent(honest(a8)), Nonce((ni Abs_NI2)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absText1(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_Text10)), Nonce((absText1(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_Text11)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((absText1(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_Text12)), pair(Agent(honest(a7)), Nonce((absText1(pair(Agent(honest(a8)), Agent(dishonest(i2)))) Abs_Text13))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a10)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((absText1(pair(Agent(honest(a11)), Agent(honest(a12)))) Abs_Text14)), pair(Agent(honest(a13)), Nonce((absText1(pair(Agent(honest(a14)), Agent(dishonest(i10)))) Abs_Text15)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_NA0)), Nonce((absText1(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_Text10)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((absText1(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_Text11)), pair(Agent(honest(a7)), Nonce((absNA(pair(Agent(honest(a8)), Agent(dishonest(i2)))) Abs_NA1))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a10)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((absText1(pair(Agent(honest(a11)), Agent(honest(a12)))) Abs_Text12)), pair(Agent(honest(a13)), Nonce((absNA(pair(Agent(honest(a14)), Agent(dishonest(i10)))) Abs_NA2)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absText1(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_Text10)), Nonce((absText1(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_Text11)), crypt(inv(pk(Agent(dishonest(i0)))), pair(Nonce((absText1(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_Text12)), pair(Agent(honest(a8)), Nonce((absText1(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_Text13))))), pk(Agent(dishonest(i1))), Agent(dishonest(i2)), crypt(inv(pk(Agent(honest(a11)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), pair(crypt(inv(pk(Agent(honest(a12)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), crypt(inv(pk(Agent(dishonest(i7)))), pair(Nonce((absText1(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_Text14)), pair(Agent(honest(a15)), Nonce((absText1(pair(Agent(honest(a16)), Agent(honest(a17)))) Abs_Text15)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absNA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0)), Nonce((absText1(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_Text10)), crypt(inv(pk(Agent(dishonest(i0)))), pair(Nonce((absText1(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_Text11)), pair(Agent(honest(a8)), Nonce((absNA(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_NA1))))), pk(Agent(dishonest(i1))), Agent(dishonest(i2)), crypt(inv(pk(Agent(honest(a11)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), pair(crypt(inv(pk(Agent(honest(a12)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), crypt(inv(pk(Agent(dishonest(i7)))), pair(Nonce((absText1(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_Text12)), pair(Agent(honest(a15)), Nonce((absNA(pair(Agent(honest(a16)), Agent(honest(a17)))) Abs_NA2)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((ni Abs_NI0)), Nonce((absText1(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_Text10)), crypt(inv(pk(Agent(dishonest(i0)))), pair(Nonce((absText1(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_Text11)), pair(Agent(honest(a6)), Nonce((ni Abs_NI1))))), pk(Agent(dishonest(i1))), Agent(dishonest(i2)), crypt(inv(pk(Agent(honest(a7)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), pair(crypt(inv(pk(Agent(honest(a8)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), crypt(inv(pk(Agent(dishonest(i7)))), pair(Nonce((absText1(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_Text12)), pair(Agent(honest(a11)), Nonce((ni Abs_NI2)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absText1(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_Text10)), Nonce((absNA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_NA0)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((absNA(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_NA1)), pair(Agent(honest(a7)), Nonce((absText1(pair(Agent(honest(a8)), Agent(dishonest(i2)))) Abs_Text11))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a10)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((absNA(pair(Agent(honest(a11)), Agent(honest(a12)))) Abs_NA2)), pair(Agent(honest(a13)), Nonce((absText1(pair(Agent(honest(a14)), Agent(dishonest(i10)))) Abs_Text12)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_NA0)), Nonce((absNA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_NA1)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((absNA(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_NA2)), pair(Agent(honest(a7)), Nonce((absNA(pair(Agent(honest(a8)), Agent(dishonest(i2)))) Abs_NA3))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a10)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((absNA(pair(Agent(honest(a11)), Agent(honest(a12)))) Abs_NA4)), pair(Agent(honest(a13)), Nonce((absNA(pair(Agent(honest(a14)), Agent(dishonest(i10)))) Abs_NA5)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absText1(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_Text10)), Nonce((absNA(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_NA0)), crypt(inv(pk(Agent(dishonest(i0)))), pair(Nonce((absNA(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_NA1)), pair(Agent(honest(a8)), Nonce((absText1(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_Text11))))), pk(Agent(dishonest(i1))), Agent(dishonest(i2)), crypt(inv(pk(Agent(honest(a11)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), pair(crypt(inv(pk(Agent(honest(a12)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), crypt(inv(pk(Agent(dishonest(i7)))), pair(Nonce((absNA(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_NA2)), pair(Agent(honest(a15)), Nonce((absText1(pair(Agent(honest(a16)), Agent(honest(a17)))) Abs_Text12)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absNA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0)), Nonce((absNA(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_NA1)), crypt(inv(pk(Agent(dishonest(i0)))), pair(Nonce((absNA(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_NA2)), pair(Agent(honest(a8)), Nonce((absNA(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_NA3))))), pk(Agent(dishonest(i1))), Agent(dishonest(i2)), crypt(inv(pk(Agent(honest(a11)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), pair(crypt(inv(pk(Agent(honest(a12)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), crypt(inv(pk(Agent(dishonest(i7)))), pair(Nonce((absNA(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_NA4)), pair(Agent(honest(a15)), Nonce((absNA(pair(Agent(honest(a16)), Agent(honest(a17)))) Abs_NA5)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((ni Abs_NI0)), Nonce((absNA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0)), crypt(inv(pk(Agent(dishonest(i0)))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_NA1)), pair(Agent(honest(a6)), Nonce((ni Abs_NI1))))), pk(Agent(dishonest(i1))), Agent(dishonest(i2)), crypt(inv(pk(Agent(honest(a7)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), pair(crypt(inv(pk(Agent(honest(a8)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), crypt(inv(pk(Agent(dishonest(i7)))), pair(Nonce((absNA(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_NA2)), pair(Agent(honest(a11)), Nonce((ni Abs_NI2)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absText1(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_Text10)), Nonce((ni Abs_NI0)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((ni Abs_NI1)), pair(Agent(honest(a3)), Nonce((absText1(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_Text11))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a5)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a6)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((ni Abs_NI2)), pair(Agent(honest(a7)), Nonce((absText1(pair(Agent(honest(a8)), Agent(dishonest(i10)))) Abs_Text12)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_NA0)), Nonce((ni Abs_NI0)), crypt(inv(pk(Agent(dishonest(i1)))), pair(Nonce((ni Abs_NI1)), pair(Agent(honest(a3)), Nonce((absNA(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_NA1))))), pk(Agent(dishonest(i3))), Agent(dishonest(i4)), crypt(inv(pk(Agent(honest(a5)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), pair(crypt(inv(pk(Agent(honest(a6)))), pair(Agent(dishonest(i7)), pk(Agent(dishonest(i8))))), crypt(inv(pk(Agent(dishonest(i9)))), pair(Nonce((ni Abs_NI2)), pair(Agent(honest(a7)), Nonce((absNA(pair(Agent(honest(a8)), Agent(dishonest(i10)))) Abs_NA2)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absText1(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_Text10)), Nonce((ni Abs_NI0)), crypt(inv(pk(Agent(dishonest(i0)))), pair(Nonce((ni Abs_NI1)), pair(Agent(honest(a4)), Nonce((absText1(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_Text11))))), pk(Agent(dishonest(i1))), Agent(dishonest(i2)), crypt(inv(pk(Agent(honest(a7)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), pair(crypt(inv(pk(Agent(honest(a8)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), crypt(inv(pk(Agent(dishonest(i7)))), pair(Nonce((ni Abs_NI2)), pair(Agent(honest(a9)), Nonce((absText1(pair(Agent(honest(a10)), Agent(honest(a11)))) Abs_Text12)))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Nonce((absNA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0)), Nonce((ni Abs_NI0)), crypt(inv(pk(Agent(dishonest(i0)))), pair(Nonce((ni Abs_NI1)), pair(Agent(honest(a4)), Nonce((absNA(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_NA1))))), pk(Agent(dishonest(i1))), Agent(dishonest(i2)), crypt(inv(pk(Agent(honest(a7)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), pair(crypt(inv(pk(Agent(honest(a8)))), pair(Agent(dishonest(i5)), pk(Agent(dishonest(i6))))), crypt(inv(pk(Agent(dishonest(i7)))), pair(Nonce((ni Abs_NI2)), pair(Agent(honest(a9)), Nonce((absNA(pair(Agent(honest(a10)), Agent(honest(a11)))) Abs_NA2)))))), SID(sid0)] ))
| (m = Iknows(pair(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(honest(a1)), pk(Agent(honest(a2))))), crypt(inv(pk(Agent(honest(a3)))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_NA0)), pair(Agent(honest(a6)), Nonce((absText1(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_Text10))))))))
| (m = Iknows(pair(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(honest(a1)), pk(Agent(honest(a2))))), crypt(inv(pk(Agent(honest(a3)))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(dishonest(i1)), Nonce((absText1(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_Text10))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1))))))
| (m = Iknows(pair(Agent(dishonest(i0)), Nonce((absText1(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_Text10)))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Agent(dishonest(i1)), Nonce((absText1(pair(Agent(honest(a1)), Agent(dishonest(i2)))) Abs_Text10))))))
| (m = Iknows(pair(Agent(honest(a0)), pk(Agent(honest(a1))))))
| (m = Iknows(pair(Agent(honest(a0)), Nonce((absText1(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_Text10)))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_NA0)), pair(Agent(honest(a2)), Nonce((absText1(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_Text10))))))
)}"
section {* Checking Fixed-point (ISO_onepass_pk) *}
lemma fp_attack_free: "~ (Attack m : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_0: "Iknows(Nonce((ni Abs_NI))) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_1: "Iknows(Agent(dishonest(i))) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_2: "State(rA, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), crypt(inv(pk(Agent(honest(a)))), pair(Agent(honest(a)), pk(Agent(honest(a))))), Agent(dishonest(i)), SID(sid)] ) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_3: "State(rA, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), crypt(inv(pk(Agent(honest(a)))), pair(Agent(honest(a)), pk(Agent(honest(a))))), Agent(honest(a)), SID(sid)] ) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_4: "Iknows(Step(0)) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_5: "Iknows(inv(pk(Agent(dishonest(i))))) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_6: "Iknows(pk(Agent(dishonest(i)))) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_7: "Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(dishonest(i)), pk(Agent(dishonest(i)))))) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_8: "Iknows(SID(sid)) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_9: "Iknows(Agent(honest(a))) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_10: "State(rB, [Agent(honest(a)), Step(0), pk(Agent(honest(a))), SID(sid)] ) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma init_11: "Iknows(pk(Agent(honest(a)))) : ISO_onepass_pk_fp"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_0: "[|
Iknows(crypt(K, M)) : ISO_onepass_pk_fp;
Iknows(inv(K)) : ISO_onepass_pk_fp|]
==>
(Iknows(M) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_1: "[|
Iknows(crypt(inv(K), M)) : ISO_onepass_pk_fp;
Iknows(K) : ISO_onepass_pk_fp|]
==>
(Iknows(M) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_2: "[|
Iknows(scrypt(K, M)) : ISO_onepass_pk_fp;
Iknows(K) : ISO_onepass_pk_fp|]
==>
(Iknows(M) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_3: "[|
Iknows(pair(M1, M2)) : ISO_onepass_pk_fp|]
==>
(Iknows(M1) : ISO_onepass_pk_fp) &
(Iknows(M2) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_4: "[|
Secret(M, Agent(honest(a))) : ISO_onepass_pk_fp;
Iknows(M) : ISO_onepass_pk_fp|]
==>
(Attack(pair(secrecy, M)) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_5: "[|
Request(A, B, Purpose(purposeNA), M, SID(sid)) : ISO_onepass_pk_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NA .
M = Nonce((absNA(pair(B, A)) Abs_NA)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_6: "[|
Request(A, B, Purpose(purposeText1), M, SID(sid)) : ISO_onepass_pk_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_Text1 .
M = Nonce((absText1(pair(B, A)) Abs_Text1)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_7: "[|
State(rA, [Agent(A), Step(0), inv(pk(Agent(A))), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Agent(B), SID(sid)] ) : ISO_onepass_pk_fp|]
==>
(Witness(Agent(A), Agent(B), Purpose(purposeText1), Nonce((absText1(pair(Agent(A), Agent(B))) Abs_Text1))) : ISO_onepass_pk_fp) &
(State(rA, [Agent(A), Step(1), inv(pk(Agent(A))), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Agent(B), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Nonce((absText1(pair(Agent(A), Agent(B))) Abs_Text1)), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(B), Nonce((absText1(pair(Agent(A), Agent(B))) Abs_Text1)))))), SID(sid)] ) : ISO_onepass_pk_fp) &
(Iknows(pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Agent(B), Nonce((absText1(pair(Agent(A), Agent(B))) Abs_Text1))))))) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_8: "[|
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : ISO_onepass_pk_fp;
Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A))))) : ISO_onepass_pk_fp;
Iknows(crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))) : ISO_onepass_pk_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)) : ISO_onepass_pk_fp) &
(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_9: "[|
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : ISO_onepass_pk_fp;
Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A))))) : ISO_onepass_pk_fp;
Iknows(inv(pk(Agent(A)))) : ISO_onepass_pk_fp;
Iknows(Nonce(NA)) : ISO_onepass_pk_fp;
Iknows(Agent(B)) : ISO_onepass_pk_fp;
Iknows(Nonce(Text1)) : ISO_onepass_pk_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)) : ISO_onepass_pk_fp) &
(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_10: "[|
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : ISO_onepass_pk_fp;
Iknows(inv(pk(Agent(honest(a))))) : ISO_onepass_pk_fp;
Iknows(Agent(A)) : ISO_onepass_pk_fp;
Iknows(pk(Agent(A))) : ISO_onepass_pk_fp;
Iknows(crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))) : ISO_onepass_pk_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)) : ISO_onepass_pk_fp) &
(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_11: "[|
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : ISO_onepass_pk_fp;
Iknows(inv(pk(Agent(honest(a))))) : ISO_onepass_pk_fp;
Iknows(Agent(A)) : ISO_onepass_pk_fp;
Iknows(pk(Agent(A))) : ISO_onepass_pk_fp;
Iknows(inv(pk(Agent(A)))) : ISO_onepass_pk_fp;
Iknows(Nonce(NA)) : ISO_onepass_pk_fp;
Iknows(Agent(B)) : ISO_onepass_pk_fp;
Iknows(Nonce(Text1)) : ISO_onepass_pk_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)) : ISO_onepass_pk_fp) &
(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_12: "[|
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : ISO_onepass_pk_fp;
Iknows(inv(pk(Agent(honest(a))))) : ISO_onepass_pk_fp;
Iknows(Agent(A)) : ISO_onepass_pk_fp;
Iknows(crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))) : ISO_onepass_pk_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)) : ISO_onepass_pk_fp) &
(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_13: "[|
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), SID(sid)] ) : ISO_onepass_pk_fp;
Iknows(inv(pk(Agent(honest(a))))) : ISO_onepass_pk_fp;
Iknows(Agent(A)) : ISO_onepass_pk_fp;
Iknows(inv(pk(Agent(A)))) : ISO_onepass_pk_fp;
Iknows(Nonce(NA)) : ISO_onepass_pk_fp;
Iknows(Agent(B)) : ISO_onepass_pk_fp;
Iknows(Nonce(Text1)) : ISO_onepass_pk_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeText1), Nonce(Text1), SID(sid)) : ISO_onepass_pk_fp) &
(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Nonce(Text1), Nonce(NA), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1)))), pk(Agent(A)), Agent(A), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), pair(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), crypt(inv(pk(Agent(A))), pair(Nonce(NA), pair(Agent(B), Nonce(Text1))))), SID(sid)] ) : ISO_onepass_pk_fp)"
by(simp only: ISO_onepass_pk_fp_def, simp only: set2pred, simp, auto?)+
section {* Security Proof(s) (ISO_onepass_pk) *}
lemma over_approx: "t : ISO_onepass_pk ==> (set t) <= ISO_onepass_pk_fp"
apply(rule ISO_onepass_pk.induct, simp_all)
apply(propagate_fp, cut_tac init_0, (assumption | simp)+)
apply(propagate_fp, cut_tac init_1, (assumption | simp)+)
apply(propagate_fp, cut_tac init_2, (assumption | simp)+)
apply(propagate_fp, cut_tac init_3, (assumption | simp)+)
apply(propagate_fp, cut_tac init_4, (assumption | simp)+)
apply(propagate_fp, cut_tac init_5, (assumption | simp)+)
apply(propagate_fp, cut_tac init_6, (assumption | simp)+)
apply(propagate_fp, cut_tac init_7, (assumption | simp)+)
apply(propagate_fp, cut_tac init_8, (assumption | simp)+)
apply(propagate_fp, cut_tac init_9, (assumption | simp)+)
apply(propagate_fp, cut_tac init_10, (assumption | simp)+)
apply(propagate_fp, cut_tac init_11, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_0, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_1, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_2, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_3, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_4, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_5, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_6, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_7, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_8, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_9, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_10, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_11, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_12, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_13, (assumption | simp)+)
done
end (* theory *)

View File

@ -0,0 +1,376 @@
header {* Analysing ISO_twopass_symm *}
(* ***********************************
This file is automatically generated from the AnB file "AnB/ISOsymKeyTwoPassUnilateralAuthProt.AnB".
Backend: Open Source Fixedpoint Model Checker version 2009c
************************************ *)
theory
"ISOsymKeyTwoPassUnilateralAuthProt"
imports
ofmc
begin
section {* Protocol Model (ISO_twopass_symm) *}
datatype Role = rA | rB
datatype Purpose = purposeNI | purposeNB | purposeText1 | purposeText2 | purposeText3
datatype Agent = honest nat
| dishonest nat
datatype Nonce = "ni" "nat"
| "absNB" "Msg" "nat"
| "absText2" "Msg" "nat"
| "NI"
| "NB"
| "Text1"
| "Text2"
| "Text3"
and Msg = Nonce "Nonce"
| Agent "Agent"
| Purpose "Purpose"
| pair "Msg*Msg"
| scrypt "Msg*Msg"
| crypt "Msg*Msg"
| inv "Msg"
| SID "nat"
| Step "nat"
| authentication
| secrecy
(* SymKeys *)
| SymKey "Msg"
(* Functions *)
| "sk" "Msg"
datatype Fact = Iknows Msg
| State "Role * (Msg list)"
| Secret "Msg * Msg"
| Attack "Msg"
| Witness "Msg * Msg * Msg * Msg"
| Request "Msg * Msg * Msg * Msg * Msg"
section {* Inductive Protocol Definition (ISO_twopass_symm) *}
inductive_set
ISO_twopass_symm::"Fact list set"
where
init_0: "[ Iknows(Nonce((ni Abs_NI)))] : ISO_twopass_symm"
| init_1: "[ Iknows(Agent(dishonest(i)))] : ISO_twopass_symm"
| init_2: "[ State(rA, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(dishonest(i))))), Agent(dishonest(i)), SID(sid)] )] : ISO_twopass_symm"
| init_3: "[ State(rA, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(honest(a)), SID(sid)] )] : ISO_twopass_symm"
| init_4: "[ Iknows(Step(0))] : ISO_twopass_symm"
| init_5: "[ Iknows(SymKey(sk(pair(Agent(dishonest(i)), Agent(dishonest(i))))))] : ISO_twopass_symm"
| init_6: "[ Iknows(SID(sid))] : ISO_twopass_symm"
| init_7: "[ Iknows(SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))))] : ISO_twopass_symm"
| init_8: "[ Iknows(Agent(honest(a)))] : ISO_twopass_symm"
| init_9: "[ State(rB, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))), Agent(dishonest(i)), SID(sid)] )] : ISO_twopass_symm"
| init_10: "[ State(rB, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(honest(a)), SID(sid)] )] : ISO_twopass_symm"
| init_11: "[ Iknows(SymKey(sk(pair(Agent(honest(a)), Agent(dishonest(i))))))] : ISO_twopass_symm"
| rule_0: "[| t :ISO_twopass_symm;
Iknows(crypt(K, M)) : (set t);
Iknows(inv(K)) : (set t)|]
==>
((Iknows(M))
#t) : ISO_twopass_symm"
| rule_1: "[| t :ISO_twopass_symm;
Iknows(crypt(inv(K), M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : ISO_twopass_symm"
| rule_2: "[| t :ISO_twopass_symm;
Iknows(scrypt(K, M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : ISO_twopass_symm"
| rule_3: "[| t :ISO_twopass_symm;
Iknows(pair(M1, M2)) : (set t)|]
==>
((Iknows(M1))
#(Iknows(M2))
#t) : ISO_twopass_symm"
| rule_4: "[| t :ISO_twopass_symm;
Secret(M, Agent(honest(a))) : (set t);
Iknows(M) : (set t)|]
==>
((Attack(pair(secrecy, M)))
#t) : ISO_twopass_symm"
| rule_5: "[| t :ISO_twopass_symm;
Request(A, B, Purpose(purposeNB), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NB .
M = Nonce((absNB(pair(B, A)) Abs_NB)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : ISO_twopass_symm"
| rule_6: "[| t :ISO_twopass_symm;
Request(A, B, Purpose(purposeText2), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_Text2 .
M = Nonce((absText2(pair(B, A)) Abs_Text2)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : ISO_twopass_symm"
| rule_7: "[| t :ISO_twopass_symm;
State(rB, [Agent(B), Step(0), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), SID(sid)] ) : (set t)|]
==>
((State(rB, [Agent(B), Step(1), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), Nonce((absNB(pair(Agent(B), Agent(A))) Abs_NB)), SID(sid)] ))
#(Iknows(Nonce((absNB(pair(Agent(B), Agent(A))) Abs_NB))))
#t) : ISO_twopass_symm"
| rule_8: "[| t :ISO_twopass_symm;
State(rA, [Agent(A), Step(0), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(B), SID(sid)] ) : (set t);
Iknows(Nonce(NB)) : (set t)|]
==>
((Witness(Agent(A), Agent(B), Purpose(purposeText2), Nonce((absText2(pair(Agent(A), Agent(B))) Abs_Text2))))
#(State(rA, [Agent(A), Step(1), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(B), Nonce(NB), Nonce((absText2(pair(Agent(A), Agent(B))) Abs_Text2)), scrypt(SymKey(sk(pair(Agent(A), Agent(B)))), pair(Nonce(NB), pair(Agent(B), Nonce((absText2(pair(Agent(A), Agent(B))) Abs_Text2))))), SID(sid)] ))
#(Iknows(scrypt(SymKey(sk(pair(Agent(A), Agent(B)))), pair(Nonce(NB), pair(Agent(B), Nonce((absText2(pair(Agent(A), Agent(B))) Abs_Text2)))))))
#t) : ISO_twopass_symm"
| rule_9: "[| t :ISO_twopass_symm;
State(rB, [Agent(B), Step(1), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), Nonce(NB), SID(sid)] ) : (set t);
Iknows(scrypt(SymKey(sk(pair(Agent(A), Agent(B)))), pair(Nonce(NB), pair(Agent(B), Nonce(Text2))))) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeText2), Nonce(Text2), SID(sid)))
#(State(rB, [Agent(B), Step(2), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), Nonce(NB), Nonce(Text2), scrypt(SymKey(sk(pair(Agent(A), Agent(B)))), pair(Nonce(NB), pair(Agent(B), Nonce(Text2)))), SID(sid)] ))
#t) : ISO_twopass_symm"
| rule_10: "[| t :ISO_twopass_symm;
State(rB, [Agent(B), Step(1), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), Nonce(NB), SID(sid)] ) : (set t);
Iknows(SymKey(sk(pair(Agent(A), Agent(B))))) : (set t);
Iknows(Nonce(NB)) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Nonce(Text2)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeText2), Nonce(Text2), SID(sid)))
#(State(rB, [Agent(B), Step(2), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), Nonce(NB), Nonce(Text2), scrypt(SymKey(sk(pair(Agent(A), Agent(B)))), pair(Nonce(NB), pair(Agent(B), Nonce(Text2)))), SID(sid)] ))
#t) : ISO_twopass_symm"
section {* Fixed-point Definition (ISO_twopass_symm) *}
constdefs ISO_twopass_symm_fp::"Fact set""ISO_twopass_symm_fp == {m. ( ? Abs_NB2 Abs_NB3 Abs_NI1 i7 Abs_Text22 Abs_Text23 a8 a9 a10 a11 a12 a13 a14 i4 i5 Abs_NB1 a6 a7 i6 sid0 a3 a4 a5 i3 Abs_NI0 Abs_NB0 a2 a0 i0 Abs_Text20 i1 a1 i2 Abs_Text21 .
(m = Iknows(Nonce((ni Abs_NI0))))
| (m = Iknows(Agent(dishonest(i0))))
| (m = State(rA, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(honest(a1)), Agent(dishonest(i0))))), Agent(dishonest(i1)), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), SID(sid0)] ))
| (m = Iknows(Step(0)))
| (m = Iknows(SymKey(sk(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))))))
| (m = Iknows(SID(sid0)))
| (m = Iknows(SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))))))
| (m = Iknows(Agent(honest(a0))))
| (m = State(rB, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), Agent(dishonest(i1)), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), SID(sid0)] ))
| (m = Iknows(SymKey(sk(pair(Agent(honest(a0)), Agent(dishonest(i0)))))))
| (m = State(rB, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), Nonce((absNB(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_NB0)), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a2)), Agent(dishonest(i2)))) Abs_NB0)), SID(sid0)] ))
| (m = Witness(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeText2), Nonce((absText2(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_Text20))))
| (m = State(rA, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(dishonest(i0))))), Agent(dishonest(i1)), Nonce((ni Abs_NI0)), Nonce((absText2(pair(Agent(honest(a2)), Agent(dishonest(i2)))) Abs_Text20)), scrypt(SymKey(sk(pair(Agent(honest(a3)), Agent(dishonest(i3))))), pair(Nonce((ni Abs_NI1)), pair(Agent(dishonest(i4)), Nonce((absText2(pair(Agent(honest(a4)), Agent(dishonest(i5)))) Abs_Text21))))), SID(sid0)] ))
| (m = Witness(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeText2), Nonce((absText2(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_Text20))))
| (m = State(rA, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), Nonce((ni Abs_NI0)), Nonce((absText2(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_Text20)), scrypt(SymKey(sk(pair(Agent(honest(a6)), Agent(honest(a7))))), pair(Nonce((ni Abs_NI1)), pair(Agent(honest(a8)), Nonce((absText2(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_Text21))))), SID(sid0)] ))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(honest(a1))))), pair(Nonce((ni Abs_NI0)), pair(Agent(honest(a2)), Nonce((absText2(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_Text20)))))))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(dishonest(i0))))), pair(Nonce((ni Abs_NI0)), pair(Agent(dishonest(i1)), Nonce((absText2(pair(Agent(honest(a1)), Agent(dishonest(i2)))) Abs_Text20)))))))
| (m = Iknows(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NB0))))
| (m = Iknows(Nonce((absNB(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_NB0))))
| (m = Iknows(pair(Agent(dishonest(i0)), Nonce((absText2(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_Text20)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Agent(dishonest(i0)), Nonce((absText2(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_Text20))))))
| (m = State(rA, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(dishonest(i0))))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a2)), Agent(dishonest(i2)))) Abs_NB0)), Nonce((absText2(pair(Agent(honest(a3)), Agent(dishonest(i3)))) Abs_Text20)), scrypt(SymKey(sk(pair(Agent(honest(a4)), Agent(dishonest(i4))))), pair(Nonce((absNB(pair(Agent(honest(a5)), Agent(dishonest(i5)))) Abs_NB1)), pair(Agent(dishonest(i6)), Nonce((absText2(pair(Agent(honest(a6)), Agent(dishonest(i7)))) Abs_Text21))))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(dishonest(i0))))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NB0)), Nonce((absText2(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_Text20)), scrypt(SymKey(sk(pair(Agent(honest(a5)), Agent(dishonest(i3))))), pair(Nonce((absNB(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_NB1)), pair(Agent(dishonest(i4)), Nonce((absText2(pair(Agent(honest(a8)), Agent(dishonest(i5)))) Abs_Text21))))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), Nonce((absNB(pair(Agent(honest(a4)), Agent(dishonest(i0)))) Abs_NB0)), Nonce((absText2(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_Text20)), scrypt(SymKey(sk(pair(Agent(honest(a7)), Agent(honest(a8))))), pair(Nonce((absNB(pair(Agent(honest(a9)), Agent(dishonest(i1)))) Abs_NB1)), pair(Agent(honest(a10)), Nonce((absText2(pair(Agent(honest(a11)), Agent(honest(a12)))) Abs_Text21))))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), Nonce((absNB(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_NB0)), Nonce((absText2(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_Text20)), scrypt(SymKey(sk(pair(Agent(honest(a8)), Agent(honest(a9))))), pair(Nonce((absNB(pair(Agent(honest(a10)), Agent(honest(a11)))) Abs_NB1)), pair(Agent(honest(a12)), Nonce((absText2(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_Text21))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeText2), Nonce((absNB(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NB0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(2), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a2)), Agent(dishonest(i2)))) Abs_NB0)), Nonce((absNB(pair(Agent(honest(a3)), Agent(dishonest(i3)))) Abs_NB1)), scrypt(SymKey(sk(pair(Agent(dishonest(i4)), Agent(honest(a4))))), pair(Nonce((absNB(pair(Agent(honest(a5)), Agent(dishonest(i5)))) Abs_NB2)), pair(Agent(honest(a6)), Nonce((absNB(pair(Agent(honest(a7)), Agent(dishonest(i6)))) Abs_NB3))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeText2), Nonce((absNB(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_NB0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(2), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a2)), Agent(dishonest(i2)))) Abs_NB0)), Nonce((absNB(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_NB1)), scrypt(SymKey(sk(pair(Agent(dishonest(i3)), Agent(honest(a5))))), pair(Nonce((absNB(pair(Agent(honest(a6)), Agent(dishonest(i4)))) Abs_NB2)), pair(Agent(honest(a7)), Nonce((absNB(pair(Agent(honest(a8)), Agent(honest(a9)))) Abs_NB3))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeText2), Nonce((ni Abs_NI0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(2), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a2)), Agent(dishonest(i2)))) Abs_NB0)), Nonce((ni Abs_NI0)), scrypt(SymKey(sk(pair(Agent(dishonest(i3)), Agent(honest(a3))))), pair(Nonce((absNB(pair(Agent(honest(a4)), Agent(dishonest(i4)))) Abs_NB1)), pair(Agent(honest(a5)), Nonce((ni Abs_NI1))))), SID(sid0)] ))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(honest(a1))))), pair(Nonce((absNB(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NB0)), pair(Agent(honest(a4)), Nonce((absText2(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_Text20)))))))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(honest(a1))))), pair(Nonce((absNB(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_NB0)), pair(Agent(honest(a3)), Nonce((absText2(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_Text20)))))))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(dishonest(i0))))), pair(Nonce((absNB(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_NB0)), pair(Agent(dishonest(i1)), Nonce((absText2(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_Text20)))))))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(dishonest(i0))))), pair(Nonce((absNB(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NB0)), pair(Agent(dishonest(i2)), Nonce((absText2(pair(Agent(honest(a2)), Agent(dishonest(i3)))) Abs_Text20)))))))
| (m = Iknows(Nonce((absText2(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_Text20))))
| (m = Iknows(pair(Agent(dishonest(i0)), Nonce((absText2(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_Text20)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Agent(dishonest(i0)), Nonce((absText2(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_Text20))))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NB0)), pair(Agent(dishonest(i1)), Nonce((absText2(pair(Agent(honest(a1)), Agent(dishonest(i2)))) Abs_Text20))))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_NB0)), pair(Agent(dishonest(i0)), Nonce((absText2(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_Text20))))))
| (m = State(rA, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(dishonest(i0))))), Agent(dishonest(i1)), Nonce((absText2(pair(Agent(honest(a2)), Agent(dishonest(i2)))) Abs_Text20)), Nonce((absText2(pair(Agent(honest(a3)), Agent(dishonest(i3)))) Abs_Text21)), scrypt(SymKey(sk(pair(Agent(honest(a4)), Agent(dishonest(i4))))), pair(Nonce((absText2(pair(Agent(honest(a5)), Agent(dishonest(i5)))) Abs_Text22)), pair(Agent(dishonest(i6)), Nonce((absText2(pair(Agent(honest(a6)), Agent(dishonest(i7)))) Abs_Text23))))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), Nonce((absText2(pair(Agent(honest(a4)), Agent(dishonest(i0)))) Abs_Text20)), Nonce((absText2(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_Text21)), scrypt(SymKey(sk(pair(Agent(honest(a7)), Agent(honest(a8))))), pair(Nonce((absText2(pair(Agent(honest(a9)), Agent(dishonest(i1)))) Abs_Text22)), pair(Agent(honest(a10)), Nonce((absText2(pair(Agent(honest(a11)), Agent(honest(a12)))) Abs_Text23))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeText2), Nonce((absText2(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_Text20)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(2), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), Nonce((absNB(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_NB0)), Nonce((absText2(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_Text20)), scrypt(SymKey(sk(pair(Agent(honest(a8)), Agent(honest(a9))))), pair(Nonce((absNB(pair(Agent(honest(a10)), Agent(honest(a11)))) Abs_NB1)), pair(Agent(honest(a12)), Nonce((absText2(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_Text21))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeText2), Nonce((absText2(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_Text20)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(2), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), Agent(dishonest(i1)), Nonce((absNB(pair(Agent(honest(a2)), Agent(dishonest(i2)))) Abs_NB0)), Nonce((absText2(pair(Agent(honest(a3)), Agent(dishonest(i3)))) Abs_Text20)), scrypt(SymKey(sk(pair(Agent(dishonest(i4)), Agent(honest(a4))))), pair(Nonce((absNB(pair(Agent(honest(a5)), Agent(dishonest(i5)))) Abs_NB1)), pair(Agent(honest(a6)), Nonce((absText2(pair(Agent(honest(a7)), Agent(dishonest(i6)))) Abs_Text21))))), SID(sid0)] ))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(honest(a1))))), pair(Nonce((absText2(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_Text20)), pair(Agent(honest(a3)), Nonce((absText2(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_Text21)))))))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(dishonest(i0))))), pair(Nonce((absText2(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_Text20)), pair(Agent(dishonest(i2)), Nonce((absText2(pair(Agent(honest(a2)), Agent(dishonest(i3)))) Abs_Text21)))))))
| (m = Iknows(pair(Agent(dishonest(i0)), Nonce((absText2(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_Text20)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Agent(dishonest(i0)), Nonce((absText2(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_Text20))))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NB0)), pair(Agent(dishonest(i1)), Nonce((absText2(pair(Agent(honest(a1)), Agent(dishonest(i2)))) Abs_Text20))))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_NB0)), pair(Agent(dishonest(i0)), Nonce((absText2(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_Text20))))))
| (m = Iknows(pair(Nonce((absText2(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_Text20)), pair(Agent(dishonest(i1)), Nonce((absText2(pair(Agent(honest(a1)), Agent(dishonest(i2)))) Abs_Text21))))))
)}"
section {* Checking Fixed-point (ISO_twopass_symm) *}
lemma fp_attack_free: "~ (Attack m : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_0: "Iknows(Nonce((ni Abs_NI))) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_1: "Iknows(Agent(dishonest(i))) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_2: "State(rA, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(dishonest(i))))), Agent(dishonest(i)), SID(sid)] ) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_3: "State(rA, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(honest(a)), SID(sid)] ) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_4: "Iknows(Step(0)) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_5: "Iknows(SymKey(sk(pair(Agent(dishonest(i)), Agent(dishonest(i)))))) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_6: "Iknows(SID(sid)) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_7: "Iknows(SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a)))))) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_8: "Iknows(Agent(honest(a))) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_9: "State(rB, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))), Agent(dishonest(i)), SID(sid)] ) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_10: "State(rB, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(honest(a)), SID(sid)] ) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma init_11: "Iknows(SymKey(sk(pair(Agent(honest(a)), Agent(dishonest(i)))))) : ISO_twopass_symm_fp"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_0: "[|
Iknows(crypt(K, M)) : ISO_twopass_symm_fp;
Iknows(inv(K)) : ISO_twopass_symm_fp|]
==>
(Iknows(M) : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_1: "[|
Iknows(crypt(inv(K), M)) : ISO_twopass_symm_fp;
Iknows(K) : ISO_twopass_symm_fp|]
==>
(Iknows(M) : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_2: "[|
Iknows(scrypt(K, M)) : ISO_twopass_symm_fp;
Iknows(K) : ISO_twopass_symm_fp|]
==>
(Iknows(M) : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_3: "[|
Iknows(pair(M1, M2)) : ISO_twopass_symm_fp|]
==>
(Iknows(M1) : ISO_twopass_symm_fp) &
(Iknows(M2) : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_4: "[|
Secret(M, Agent(honest(a))) : ISO_twopass_symm_fp;
Iknows(M) : ISO_twopass_symm_fp|]
==>
(Attack(pair(secrecy, M)) : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_5: "[|
Request(A, B, Purpose(purposeNB), M, SID(sid)) : ISO_twopass_symm_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NB .
M = Nonce((absNB(pair(B, A)) Abs_NB)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_6: "[|
Request(A, B, Purpose(purposeText2), M, SID(sid)) : ISO_twopass_symm_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_Text2 .
M = Nonce((absText2(pair(B, A)) Abs_Text2)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_7: "[|
State(rB, [Agent(B), Step(0), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), SID(sid)] ) : ISO_twopass_symm_fp|]
==>
(State(rB, [Agent(B), Step(1), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), Nonce((absNB(pair(Agent(B), Agent(A))) Abs_NB)), SID(sid)] ) : ISO_twopass_symm_fp) &
(Iknows(Nonce((absNB(pair(Agent(B), Agent(A))) Abs_NB))) : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_8: "[|
State(rA, [Agent(A), Step(0), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(B), SID(sid)] ) : ISO_twopass_symm_fp;
Iknows(Nonce(NB)) : ISO_twopass_symm_fp|]
==>
(Witness(Agent(A), Agent(B), Purpose(purposeText2), Nonce((absText2(pair(Agent(A), Agent(B))) Abs_Text2))) : ISO_twopass_symm_fp) &
(State(rA, [Agent(A), Step(1), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(B), Nonce(NB), Nonce((absText2(pair(Agent(A), Agent(B))) Abs_Text2)), scrypt(SymKey(sk(pair(Agent(A), Agent(B)))), pair(Nonce(NB), pair(Agent(B), Nonce((absText2(pair(Agent(A), Agent(B))) Abs_Text2))))), SID(sid)] ) : ISO_twopass_symm_fp) &
(Iknows(scrypt(SymKey(sk(pair(Agent(A), Agent(B)))), pair(Nonce(NB), pair(Agent(B), Nonce((absText2(pair(Agent(A), Agent(B))) Abs_Text2)))))) : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_9: "[|
State(rB, [Agent(B), Step(1), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), Nonce(NB), SID(sid)] ) : ISO_twopass_symm_fp;
Iknows(scrypt(SymKey(sk(pair(Agent(A), Agent(B)))), pair(Nonce(NB), pair(Agent(B), Nonce(Text2))))) : ISO_twopass_symm_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeText2), Nonce(Text2), SID(sid)) : ISO_twopass_symm_fp) &
(State(rB, [Agent(B), Step(2), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), Nonce(NB), Nonce(Text2), scrypt(SymKey(sk(pair(Agent(A), Agent(B)))), pair(Nonce(NB), pair(Agent(B), Nonce(Text2)))), SID(sid)] ) : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_10: "[|
State(rB, [Agent(B), Step(1), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), Nonce(NB), SID(sid)] ) : ISO_twopass_symm_fp;
Iknows(SymKey(sk(pair(Agent(A), Agent(B))))) : ISO_twopass_symm_fp;
Iknows(Nonce(NB)) : ISO_twopass_symm_fp;
Iknows(Agent(B)) : ISO_twopass_symm_fp;
Iknows(Nonce(Text2)) : ISO_twopass_symm_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeText2), Nonce(Text2), SID(sid)) : ISO_twopass_symm_fp) &
(State(rB, [Agent(B), Step(2), SymKey(sk(pair(Agent(A), Agent(B)))), Agent(A), Nonce(NB), Nonce(Text2), scrypt(SymKey(sk(pair(Agent(A), Agent(B)))), pair(Nonce(NB), pair(Agent(B), Nonce(Text2)))), SID(sid)] ) : ISO_twopass_symm_fp)"
by(simp only: ISO_twopass_symm_fp_def, simp only: set2pred, simp, auto?)+
section {* Security Proof(s) (ISO_twopass_symm) *}
lemma over_approx: "t : ISO_twopass_symm ==> (set t) <= ISO_twopass_symm_fp"
apply(rule ISO_twopass_symm.induct, simp_all)
apply(propagate_fp, cut_tac init_0, (assumption | simp)+)
apply(propagate_fp, cut_tac init_1, (assumption | simp)+)
apply(propagate_fp, cut_tac init_2, (assumption | simp)+)
apply(propagate_fp, cut_tac init_3, (assumption | simp)+)
apply(propagate_fp, cut_tac init_4, (assumption | simp)+)
apply(propagate_fp, cut_tac init_5, (assumption | simp)+)
apply(propagate_fp, cut_tac init_6, (assumption | simp)+)
apply(propagate_fp, cut_tac init_7, (assumption | simp)+)
apply(propagate_fp, cut_tac init_8, (assumption | simp)+)
apply(propagate_fp, cut_tac init_9, (assumption | simp)+)
apply(propagate_fp, cut_tac init_10, (assumption | simp)+)
apply(propagate_fp, cut_tac init_11, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_0, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_1, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_2, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_3, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_4, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_5, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_6, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_7, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_8, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_9, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_10, (assumption | simp)+)
done
end (* theory *)

83
examples/IsaMakefile Normal file
View File

@ -0,0 +1,83 @@
#############################################################################
# Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
#
# IsaMakefile ---
# This file is part of Isabelle-OFMC.
#
# Copyright (c) 2009 Achim D. Brucker, Germany
#
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# * Neither the name of the copyright holders nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
##############################################################################
# $Id: IsaMakefile 927 2009-11-01 22:36:10Z brucker $
default: ofmc-anb
images:
test: ofmc-anb
all: images test
## global settings
SRC = $(ISABELLE_HOME)/src
OUT = $(ISABELLE_OUTPUT)
LOG = $(OUT)/log
HEAP = ofmc-anb
MV = mv
CP = cp
USEDIR = $(ISATOOL) usedir -b -g true -v true -i true -d pdf ## -D generated
USEDIR = $(ISATOOL) usedir -b
HOSTNAME = $(shell,$(ISATOOL) getenv HOSTNAME)
export HOSTNAME
## ofmc-isabelle
$(HEAP): $(LOG)/HOL-$(HEAP).gz
$(LOG)/HOL-$(HEAP).gz: ROOT.ML document/root.tex *.thy
@$(RM) -rf $(ISABELLE_BROWSER_INFO)/HOL/$(HEAP)/document
@$(USEDIR) ofmc $(HEAP)
@$(CP) $(ISABELLE_BROWSER_INFO)/HOL/ofmc/$(HEAP)/document.pdf $(HEAP).pdf
thygen:
for i in AnB/*.AnB; do echo -e $$i; anb2thy $$i > `basename $$i .AnB`.thy; done
thygen-noproof:
for i in AnB/*.AnB; do echo -e $$i; anb2thy --noproof $$i > `basename $$i .AnB`.thy; done
fpgen:
for i in AnB/*.AnB; do echo -e $$i; ofmc $$i -ot Isa > AnB/`basename $$i .AnB`.fp; done
## clean
clean:
@$(RM) -f $(LOG)/HOL-$(HEAP).gz

76
examples/ROOT.ML Normal file
View File

@ -0,0 +1,76 @@
(*****************************************************************************
* HOL-OCL --- connecting OFMC and Isabelle/HOL
*
* ROOT.ML ---
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: ROOT.ML 931 2009-11-01 22:44:01Z brucker $ *)
val today = (Date.toString(Date.fromTimeUniv (Time.now())))^" (UTC)"
val hostname = getOpt (OS.Process.getEnv "HOSTNAME", "hostname not set")
val timer = Timer.startRealTimer ()
val log_file = "document/report.tex"
val _ = File.write (Path.explode (log_file))
( "% This file was generated automatically \n"
^"\\section{Runtime Report}\n"
^"All reported runtime are measured on host ``"^hostname^"'' on "^today^".\n\n"
^"\\begin{tabular}{lr}\n"
)
fun log_thy thy =
let
val start = Timer.checkRealTimer timer
val _ = use_thy thy
val stop = Timer.checkRealTimer timer
val duration = Time.-(stop,start)
val _ = File.append (Path.explode(log_file)) (" "^thy^" & "^(Time.toString duration)^"\\\\\n")
in () end
val _ = map log_thy [
"ISOsymKeyTwoPassUnilateralAuthProt",
"Denning-Sacco",
"nsl",
"ISOpubKeyOnePassUnilateralAuthProt",
"WideMouthFrog",
"Bilateral-Key_Exchange",
"nsl-ks"
]
val _ = File.append (Path.explode (log_file)) ("\\end{tabular}")

466
examples/WideMouthFrog.thy Normal file
View File

@ -0,0 +1,466 @@
header {* Analysing WideMouthFrog *}
(* ***********************************
This file is automatically generated from the AnB file "AnB/WideMouthFrog.AnB".
Backend: Open Source Fixedpoint Model Checker version 2009c
************************************ *)
theory
"WideMouthFrog"
imports
ofmc
begin
section {* Protocol Model (WideMouthFrog) *}
datatype Role = rA | rB | rs
datatype Purpose = purposeKAB | purposeNI | purposeTA | purposeTS
datatype Agent = honest nat
| dishonest nat
datatype Nonce = "ni" "nat"
| "absTA" "Msg" "nat"
| "absTS" "Msg" "nat"
| "NI"
| "TA"
| "TS"
and Msg = Nonce "Nonce"
| Agent "Agent"
| Purpose "Purpose"
| pair "Msg*Msg"
| scrypt "Msg*Msg"
| crypt "Msg*Msg"
| inv "Msg"
| SID "nat"
| Step "nat"
| authentication
| secrecy
(* SymKeys *)
| SymKey "Msg"
| "absKAB" "Msg" "nat"
(* Functions *)
| "sk" "Msg"
datatype Fact = Iknows Msg
| State "Role * (Msg list)"
| Secret "Msg * Msg"
| Attack "Msg"
| Witness "Msg * Msg * Msg * Msg"
| Request "Msg * Msg * Msg * Msg * Msg"
section {* Inductive Protocol Definition (WideMouthFrog) *}
inductive_set
WideMouthFrog::"Fact list set"
where
init_0: "[ Iknows(Nonce((ni Abs_NI)))] : WideMouthFrog"
| init_1: "[ Iknows(Agent(dishonest(i)))] : WideMouthFrog"
| init_2: "[ State(rA, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(dishonest(i)), SID(sid)] )] : WideMouthFrog"
| init_3: "[ State(rA, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(honest(a)), SID(sid)] )] : WideMouthFrog"
| init_4: "[ Iknows(Step(0))] : WideMouthFrog"
| init_5: "[ Iknows(SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))))] : WideMouthFrog"
| init_6: "[ Iknows(SID(sid))] : WideMouthFrog"
| init_7: "[ Iknows(Agent(honest(a)))] : WideMouthFrog"
| init_8: "[ State(rB, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(dishonest(i)), SID(sid)] )] : WideMouthFrog"
| init_9: "[ State(rB, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(honest(a)), SID(sid)] )] : WideMouthFrog"
| init_10: "[ State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))), SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))), Agent(dishonest(i)), Agent(dishonest(i)), SID(sid)] )] : WideMouthFrog"
| init_11: "[ State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(dishonest(i)), Agent(honest(a)), SID(sid)] )] : WideMouthFrog"
| init_12: "[ State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))), Agent(honest(a)), Agent(dishonest(i)), SID(sid)] )] : WideMouthFrog"
| init_13: "[ State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(honest(a)), Agent(honest(a)), SID(sid)] )] : WideMouthFrog"
| rule_0: "[| t :WideMouthFrog;
Iknows(crypt(K, M)) : (set t);
Iknows(inv(K)) : (set t)|]
==>
((Iknows(M))
#t) : WideMouthFrog"
| rule_1: "[| t :WideMouthFrog;
Iknows(crypt(inv(K), M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : WideMouthFrog"
| rule_2: "[| t :WideMouthFrog;
Iknows(scrypt(K, M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : WideMouthFrog"
| rule_3: "[| t :WideMouthFrog;
Iknows(pair(M1, M2)) : (set t)|]
==>
((Iknows(M1))
#(Iknows(M2))
#t) : WideMouthFrog"
| rule_4: "[| t :WideMouthFrog;
Secret(M, Agent(honest(a))) : (set t);
Iknows(M) : (set t)|]
==>
((Attack(pair(secrecy, M)))
#t) : WideMouthFrog"
| rule_5: "[| t :WideMouthFrog;
Request(A, B, Purpose(purposeTA), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_TA .
M = Nonce((absTA(pair(B, A)) Abs_TA)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : WideMouthFrog"
| rule_6: "[| t :WideMouthFrog;
Request(A, B, Purpose(purposeKAB), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_KAB .
M = SymKey((absKAB(pair(B, A)) Abs_KAB)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : WideMouthFrog"
| rule_7: "[| t :WideMouthFrog;
Request(A, B, Purpose(purposeTS), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_TS .
M = Nonce((absTS(pair(B, A)) Abs_TS)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : WideMouthFrog"
| rule_8: "[| t :WideMouthFrog;
State(rA, [Agent(A), Step(0), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), SID(sid)] ) : (set t)|]
==>
((Secret(SymKey((absKAB(pair(Agent(A), Agent(B))) Abs_KAB)), Agent(B)))
#(Witness(Agent(A), Agent(B), Purpose(purposeKAB), SymKey((absKAB(pair(Agent(A), Agent(B))) Abs_KAB))))
#(State(rA, [Agent(A), Step(1), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), Nonce((absTA(pair(Agent(A), Agent(B))) Abs_TA)), SymKey((absKAB(pair(Agent(A), Agent(B))) Abs_KAB)), pair(Agent(A), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce((absTA(pair(Agent(A), Agent(B))) Abs_TA)), pair(Agent(B), SymKey((absKAB(pair(Agent(A), Agent(B))) Abs_KAB)))))), SID(sid)] ))
#(Iknows(pair(Agent(A), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce((absTA(pair(Agent(A), Agent(B))) Abs_TA)), pair(Agent(B), SymKey((absKAB(pair(Agent(A), Agent(B))) Abs_KAB))))))))
#t) : WideMouthFrog"
| rule_9: "[| t :WideMouthFrog;
State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(B), Agent(honest(a))))), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), Agent(A), SID(sid)] ) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce(TA), pair(Agent(B), SymKey(KAB))))) : (set t)|]
==>
((State(rs, [Agent(honest(a)), Step(1), SymKey(sk(pair(Agent(B), Agent(honest(a))))), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), Agent(A), SymKey(KAB), Nonce(TA), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce(TA), pair(Agent(B), SymKey(KAB)))), pair(Agent(A), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce(TA), pair(Agent(B), SymKey(KAB))))), Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), pair(Agent(A), SymKey(KAB)))), SID(sid)] ))
#(Iknows(scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), pair(Agent(A), SymKey(KAB))))))
#t) : WideMouthFrog"
| rule_10: "[| t :WideMouthFrog;
State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(B), Agent(honest(a))))), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), Agent(A), SID(sid)] ) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(SymKey(sk(pair(Agent(A), Agent(honest(a)))))) : (set t);
Iknows(Nonce(TA)) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(SymKey(KAB)) : (set t)|]
==>
((State(rs, [Agent(honest(a)), Step(1), SymKey(sk(pair(Agent(B), Agent(honest(a))))), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), Agent(A), SymKey(KAB), Nonce(TA), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce(TA), pair(Agent(B), SymKey(KAB)))), pair(Agent(A), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce(TA), pair(Agent(B), SymKey(KAB))))), Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), pair(Agent(A), SymKey(KAB)))), SID(sid)] ))
#(Iknows(scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), pair(Agent(A), SymKey(KAB))))))
#t) : WideMouthFrog"
| rule_11: "[| t :WideMouthFrog;
State(rB, [Agent(B), Step(0), SymKey(sk(pair(Agent(B), Agent(honest(a))))), Agent(A), SID(sid)] ) : (set t);
Iknows(scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce(TS), pair(Agent(A), SymKey(KAB))))) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeKAB), SymKey(KAB), SID(sid)))
#(State(rB, [Agent(B), Step(1), SymKey(sk(pair(Agent(B), Agent(honest(a))))), Agent(A), SymKey(KAB), Nonce(TS), scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce(TS), pair(Agent(A), SymKey(KAB)))), SID(sid)] ))
#t) : WideMouthFrog"
| rule_12: "[| t :WideMouthFrog;
State(rB, [Agent(B), Step(0), SymKey(sk(pair(Agent(B), Agent(honest(a))))), Agent(A), SID(sid)] ) : (set t);
Iknows(SymKey(sk(pair(Agent(B), Agent(honest(a)))))) : (set t);
Iknows(Nonce(TS)) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(SymKey(KAB)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeKAB), SymKey(KAB), SID(sid)))
#(State(rB, [Agent(B), Step(1), SymKey(sk(pair(Agent(B), Agent(honest(a))))), Agent(A), SymKey(KAB), Nonce(TS), scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce(TS), pair(Agent(A), SymKey(KAB)))), SID(sid)] ))
#t) : WideMouthFrog"
section {* Fixed-point Definition (WideMouthFrog) *}
constdefs WideMouthFrog_fp::"Fact set""WideMouthFrog_fp == {m. ( ? Abs_TA2 Abs_TA1 a21 a22 a23 a24 a25 a26 a27 a28 a29 a30 a31 a32 a33 a34 a17 a18 a19 a20 i19 i20 i21 i22 i23 i24 i18 i12 Abs_TS2 i13 i14 Abs_TS3 i15 Abs_TS4 i16 i17 Abs_NI0 Abs_NI1 i6 a9 Abs_NI2 a10 a11 i7 Abs_KAB2 a12 i8 a13 a14 a15 i9 i10 a16 i11 Abs_KAB3 Abs_TS1 a8 i5 Abs_KAB1 sid0 i4 a5 a6 a7 a3 Abs_TA0 a4 a1 a2 i0 i1 Abs_TS0 i2 a0 i3 Abs_KAB0 .
(m = Iknows(Nonce((ni Abs_NI0))))
| (m = Iknows(Agent(dishonest(i0))))
| (m = State(rA, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(dishonest(i0)), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), SID(sid0)] ))
| (m = Iknows(Step(0)))
| (m = Iknows(SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a0)))))))
| (m = Iknows(SID(sid0)))
| (m = Iknows(Agent(honest(a0))))
| (m = State(rB, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(dishonest(i0)), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a2))))), Agent(dishonest(i2)), Agent(dishonest(i3)), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), SymKey(sk(pair(Agent(honest(a2)), Agent(honest(a3))))), Agent(dishonest(i1)), Agent(honest(a4)), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a3))))), Agent(honest(a4)), Agent(dishonest(i1)), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(0), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), SymKey(sk(pair(Agent(honest(a3)), Agent(honest(a4))))), Agent(honest(a5)), Agent(honest(a6)), SID(sid0)] ))
| (m = Iknows(pair(Agent(honest(a0)), scrypt(SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), pair(Nonce((absTA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_TA0)), pair(Agent(honest(a5)), SymKey((absKAB(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_KAB0))))))))
| (m = Iknows(pair(Agent(honest(a0)), scrypt(SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), pair(Nonce((absTA(pair(Agent(honest(a3)), Agent(dishonest(i0)))) Abs_TA0)), pair(Agent(dishonest(i1)), SymKey((absKAB(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_KAB0))))))))
| (m = Secret(SymKey((absKAB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_KAB0)), Agent(dishonest(i1))))
| (m = Witness(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeKAB), SymKey((absKAB(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_KAB0))))
| (m = State(rA, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(dishonest(i0)), Nonce((absTA(pair(Agent(honest(a3)), Agent(dishonest(i1)))) Abs_TA0)), SymKey((absKAB(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_KAB0)), pair(Agent(honest(a5)), scrypt(SymKey(sk(pair(Agent(honest(a6)), Agent(honest(a7))))), pair(Nonce((absTA(pair(Agent(honest(a8)), Agent(dishonest(i3)))) Abs_TA1)), pair(Agent(dishonest(i4)), SymKey((absKAB(pair(Agent(honest(a9)), Agent(dishonest(i5)))) Abs_KAB1)))))), SID(sid0)] ))
| (m = Secret(SymKey((absKAB(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_KAB0)), Agent(honest(a2))))
| (m = Witness(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeKAB), SymKey((absKAB(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_KAB0))))
| (m = State(rA, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), Nonce((absTA(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_TA0)), SymKey((absKAB(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_KAB0)), pair(Agent(honest(a8)), scrypt(SymKey(sk(pair(Agent(honest(a9)), Agent(honest(a10))))), pair(Nonce((absTA(pair(Agent(honest(a11)), Agent(honest(a12)))) Abs_TA1)), pair(Agent(honest(a13)), SymKey((absKAB(pair(Agent(honest(a14)), Agent(honest(a15)))) Abs_KAB1)))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a2))))), Agent(dishonest(i2)), Agent(dishonest(i3)), SymKey(sk(pair(Agent(dishonest(i4)), Agent(honest(a3))))), Nonce((ni Abs_NI0)), scrypt(SymKey(sk(pair(Agent(dishonest(i5)), Agent(honest(a4))))), pair(Nonce((ni Abs_NI1)), pair(Agent(dishonest(i6)), SymKey(sk(pair(Agent(dishonest(i7)), Agent(honest(a5)))))))), pair(Agent(dishonest(i8)), scrypt(SymKey(sk(pair(Agent(dishonest(i9)), Agent(honest(a6))))), pair(Nonce((ni Abs_NI2)), pair(Agent(dishonest(i10)), SymKey(sk(pair(Agent(dishonest(i11)), Agent(honest(a7))))))))), Nonce((absTS(pair(Agent(dishonest(i12)), Agent(dishonest(i13)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(dishonest(i14)), Agent(honest(a8))))), pair(Nonce((absTS(pair(Agent(dishonest(i15)), Agent(dishonest(i16)))) Abs_TS1)), pair(Agent(dishonest(i17)), SymKey(sk(pair(Agent(dishonest(i18)), Agent(honest(a9)))))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a3))))), Agent(honest(a4)), Agent(dishonest(i1)), SymKey(sk(pair(Agent(dishonest(i2)), Agent(honest(a5))))), Nonce((ni Abs_NI0)), scrypt(SymKey(sk(pair(Agent(dishonest(i3)), Agent(honest(a6))))), pair(Nonce((ni Abs_NI1)), pair(Agent(honest(a7)), SymKey(sk(pair(Agent(dishonest(i4)), Agent(honest(a8)))))))), pair(Agent(dishonest(i5)), scrypt(SymKey(sk(pair(Agent(dishonest(i6)), Agent(honest(a9))))), pair(Nonce((ni Abs_NI2)), pair(Agent(honest(a10)), SymKey(sk(pair(Agent(dishonest(i7)), Agent(honest(a11))))))))), Nonce((absTS(pair(Agent(honest(a12)), Agent(dishonest(i8)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(honest(a13)), Agent(honest(a14))))), pair(Nonce((absTS(pair(Agent(honest(a15)), Agent(dishonest(i9)))) Abs_TS1)), pair(Agent(dishonest(i10)), SymKey(sk(pair(Agent(dishonest(i11)), Agent(honest(a16)))))))), SID(sid0)] ))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(honest(a1))))), pair(Nonce((absTS(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_TS0)), pair(Agent(dishonest(i1)), SymKey(sk(pair(Agent(dishonest(i2)), Agent(honest(a3))))))))))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a0))))), pair(Nonce((absTS(pair(Agent(dishonest(i1)), Agent(dishonest(i2)))) Abs_TS0)), pair(Agent(dishonest(i3)), SymKey(sk(pair(Agent(dishonest(i4)), Agent(honest(a1))))))))))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(honest(a1))))), pair(Nonce((absTA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_TA0)), pair(Agent(honest(a4)), SymKey((absKAB(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_KAB0)))))))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(honest(a1))))), pair(Nonce((absTA(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_TA0)), pair(Agent(dishonest(i1)), SymKey((absKAB(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_KAB0)))))))
| (m = Iknows(pair(Agent(honest(a0)), scrypt(SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), pair(Nonce((absTA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_TA0)), pair(Agent(honest(a5)), SymKey((absKAB(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_KAB0))))))))
| (m = Iknows(pair(Agent(honest(a0)), scrypt(SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), pair(Nonce((absTA(pair(Agent(honest(a3)), Agent(dishonest(i0)))) Abs_TA0)), pair(Agent(dishonest(i1)), SymKey((absKAB(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_KAB0))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a0))))))))
| (m = Iknows(pair(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_TS0)), pair(Agent(dishonest(i2)), SymKey(sk(pair(Agent(dishonest(i3)), Agent(honest(a0)))))))))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a2))))), Agent(dishonest(i2)), Agent(dishonest(i3)), SymKey(sk(pair(Agent(dishonest(i4)), Agent(honest(a3))))), Nonce((absTS(pair(Agent(dishonest(i5)), Agent(dishonest(i6)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(dishonest(i7)), Agent(honest(a4))))), pair(Nonce((absTS(pair(Agent(dishonest(i8)), Agent(dishonest(i9)))) Abs_TS1)), pair(Agent(dishonest(i10)), SymKey(sk(pair(Agent(dishonest(i11)), Agent(honest(a5)))))))), pair(Agent(dishonest(i12)), scrypt(SymKey(sk(pair(Agent(dishonest(i13)), Agent(honest(a6))))), pair(Nonce((absTS(pair(Agent(dishonest(i14)), Agent(dishonest(i15)))) Abs_TS2)), pair(Agent(dishonest(i16)), SymKey(sk(pair(Agent(dishonest(i17)), Agent(honest(a7))))))))), Nonce((absTS(pair(Agent(dishonest(i18)), Agent(dishonest(i19)))) Abs_TS3)), scrypt(SymKey(sk(pair(Agent(dishonest(i20)), Agent(honest(a8))))), pair(Nonce((absTS(pair(Agent(dishonest(i21)), Agent(dishonest(i22)))) Abs_TS4)), pair(Agent(dishonest(i23)), SymKey(sk(pair(Agent(dishonest(i24)), Agent(honest(a9)))))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), SymKey(sk(pair(Agent(honest(a2)), Agent(honest(a3))))), Agent(dishonest(i1)), Agent(honest(a4)), SymKey(sk(pair(Agent(dishonest(i2)), Agent(honest(a5))))), Nonce((absTS(pair(Agent(honest(a6)), Agent(dishonest(i3)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(honest(a7)), Agent(honest(a8))))), pair(Nonce((absTS(pair(Agent(honest(a9)), Agent(dishonest(i4)))) Abs_TS1)), pair(Agent(dishonest(i5)), SymKey(sk(pair(Agent(dishonest(i6)), Agent(honest(a10)))))))), pair(Agent(honest(a11)), scrypt(SymKey(sk(pair(Agent(honest(a12)), Agent(honest(a13))))), pair(Nonce((absTS(pair(Agent(honest(a14)), Agent(dishonest(i7)))) Abs_TS2)), pair(Agent(dishonest(i8)), SymKey(sk(pair(Agent(dishonest(i9)), Agent(honest(a15))))))))), Nonce((absTS(pair(Agent(dishonest(i10)), Agent(honest(a16)))) Abs_TS3)), scrypt(SymKey(sk(pair(Agent(dishonest(i11)), Agent(honest(a17))))), pair(Nonce((absTS(pair(Agent(dishonest(i12)), Agent(honest(a18)))) Abs_TS4)), pair(Agent(honest(a19)), SymKey(sk(pair(Agent(dishonest(i13)), Agent(honest(a20)))))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), SymKey(sk(pair(Agent(honest(a2)), Agent(honest(a3))))), Agent(dishonest(i1)), Agent(honest(a4)), SymKey((absKAB(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_KAB0)), Nonce((absTA(pair(Agent(honest(a6)), Agent(dishonest(i3)))) Abs_TA0)), scrypt(SymKey(sk(pair(Agent(honest(a7)), Agent(honest(a8))))), pair(Nonce((absTA(pair(Agent(honest(a9)), Agent(dishonest(i4)))) Abs_TA1)), pair(Agent(dishonest(i5)), SymKey((absKAB(pair(Agent(honest(a10)), Agent(dishonest(i6)))) Abs_KAB1))))), pair(Agent(honest(a11)), scrypt(SymKey(sk(pair(Agent(honest(a12)), Agent(honest(a13))))), pair(Nonce((absTA(pair(Agent(honest(a14)), Agent(dishonest(i7)))) Abs_TA2)), pair(Agent(dishonest(i8)), SymKey((absKAB(pair(Agent(honest(a15)), Agent(dishonest(i9)))) Abs_KAB2)))))), Nonce((absTS(pair(Agent(dishonest(i10)), Agent(honest(a16)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(dishonest(i11)), Agent(honest(a17))))), pair(Nonce((absTS(pair(Agent(dishonest(i12)), Agent(honest(a18)))) Abs_TS1)), pair(Agent(honest(a19)), SymKey((absKAB(pair(Agent(honest(a20)), Agent(dishonest(i13)))) Abs_KAB3))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), SymKey(sk(pair(Agent(honest(a3)), Agent(honest(a4))))), Agent(honest(a5)), Agent(honest(a6)), SymKey((absKAB(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_KAB0)), Nonce((absTA(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_TA0)), scrypt(SymKey(sk(pair(Agent(honest(a11)), Agent(honest(a12))))), pair(Nonce((absTA(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_TA1)), pair(Agent(honest(a15)), SymKey((absKAB(pair(Agent(honest(a16)), Agent(honest(a17)))) Abs_KAB1))))), pair(Agent(honest(a18)), scrypt(SymKey(sk(pair(Agent(honest(a19)), Agent(honest(a20))))), pair(Nonce((absTA(pair(Agent(honest(a21)), Agent(honest(a22)))) Abs_TA2)), pair(Agent(honest(a23)), SymKey((absKAB(pair(Agent(honest(a24)), Agent(honest(a25)))) Abs_KAB2)))))), Nonce((absTS(pair(Agent(honest(a26)), Agent(honest(a27)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(honest(a28)), Agent(honest(a29))))), pair(Nonce((absTS(pair(Agent(honest(a30)), Agent(honest(a31)))) Abs_TS1)), pair(Agent(honest(a32)), SymKey((absKAB(pair(Agent(honest(a33)), Agent(honest(a34)))) Abs_KAB3))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeKAB), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a1))))), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(dishonest(i0)), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a3))))), Nonce((absTS(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(honest(a5)), Agent(honest(a6))))), pair(Nonce((absTS(pair(Agent(honest(a7)), Agent(dishonest(i3)))) Abs_TS1)), pair(Agent(dishonest(i4)), SymKey(sk(pair(Agent(dishonest(i5)), Agent(honest(a8)))))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeKAB), SymKey((absKAB(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_KAB0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(dishonest(i0)), SymKey((absKAB(pair(Agent(honest(a3)), Agent(dishonest(i1)))) Abs_KAB0)), Nonce((absTA(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_TA0)), scrypt(SymKey(sk(pair(Agent(honest(a5)), Agent(honest(a6))))), pair(Nonce((absTA(pair(Agent(honest(a7)), Agent(dishonest(i3)))) Abs_TA1)), pair(Agent(dishonest(i4)), SymKey((absKAB(pair(Agent(honest(a8)), Agent(dishonest(i5)))) Abs_KAB1))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeKAB), SymKey((absKAB(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_KAB0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), SymKey((absKAB(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_KAB0)), Nonce((absTA(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_TA0)), scrypt(SymKey(sk(pair(Agent(honest(a8)), Agent(honest(a9))))), pair(Nonce((absTA(pair(Agent(honest(a10)), Agent(honest(a11)))) Abs_TA1)), pair(Agent(honest(a12)), SymKey((absKAB(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_KAB1))))), SID(sid0)] ))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(honest(a1))))), pair(Nonce((absTS(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_TS0)), pair(Agent(honest(a4)), SymKey((absKAB(pair(Agent(honest(a5)), Agent(honest(a6)))) Abs_KAB0)))))))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a0))))), pair(Nonce((absTS(pair(Agent(dishonest(i1)), Agent(honest(a1)))) Abs_TS0)), pair(Agent(honest(a2)), SymKey((absKAB(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_KAB0)))))))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a0))))), pair(Nonce((absTS(pair(Agent(dishonest(i1)), Agent(honest(a1)))) Abs_TS0)), pair(Agent(honest(a2)), SymKey(sk(pair(Agent(dishonest(i2)), Agent(honest(a3))))))))))
| (m = Iknows(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_TS0))))
| (m = Iknows(pair(Agent(honest(a0)), scrypt(SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), pair(Nonce((absTA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_TA0)), pair(Agent(honest(a5)), SymKey((absKAB(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_KAB0))))))))
| (m = Iknows(pair(Agent(honest(a0)), scrypt(SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), pair(Nonce((absTA(pair(Agent(honest(a3)), Agent(dishonest(i0)))) Abs_TA0)), pair(Agent(dishonest(i1)), SymKey((absKAB(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_KAB0))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a0))))))))
| (m = Iknows(pair(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_TS0)), pair(Agent(dishonest(i2)), SymKey(sk(pair(Agent(dishonest(i3)), Agent(honest(a0)))))))))
| (m = Iknows(pair(Agent(honest(a0)), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))))))
| (m = Iknows(pair(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_TS0)), pair(Agent(honest(a1)), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a2)))))))))
| (m = Iknows(pair(Agent(honest(a0)), SymKey((absKAB(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_KAB0)))))
| (m = Iknows(pair(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_TS0)), pair(Agent(honest(a1)), SymKey((absKAB(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_KAB0))))))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a3))))), Agent(honest(a4)), Agent(dishonest(i1)), SymKey((absKAB(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_KAB0)), Nonce((absTS(pair(Agent(dishonest(i3)), Agent(honest(a6)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(dishonest(i4)), Agent(honest(a7))))), pair(Nonce((absTS(pair(Agent(dishonest(i5)), Agent(honest(a8)))) Abs_TS1)), pair(Agent(honest(a9)), SymKey((absKAB(pair(Agent(honest(a10)), Agent(dishonest(i6)))) Abs_KAB1))))), pair(Agent(dishonest(i7)), scrypt(SymKey(sk(pair(Agent(dishonest(i8)), Agent(honest(a11))))), pair(Nonce((absTS(pair(Agent(dishonest(i9)), Agent(honest(a12)))) Abs_TS2)), pair(Agent(honest(a13)), SymKey((absKAB(pair(Agent(honest(a14)), Agent(dishonest(i10)))) Abs_KAB2)))))), Nonce((absTS(pair(Agent(honest(a15)), Agent(dishonest(i11)))) Abs_TS3)), scrypt(SymKey(sk(pair(Agent(honest(a16)), Agent(honest(a17))))), pair(Nonce((absTS(pair(Agent(honest(a18)), Agent(dishonest(i12)))) Abs_TS4)), pair(Agent(dishonest(i13)), SymKey((absKAB(pair(Agent(honest(a19)), Agent(dishonest(i14)))) Abs_KAB3))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a3))))), Agent(honest(a4)), Agent(dishonest(i1)), SymKey(sk(pair(Agent(dishonest(i2)), Agent(honest(a5))))), Nonce((absTS(pair(Agent(dishonest(i3)), Agent(honest(a6)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(dishonest(i4)), Agent(honest(a7))))), pair(Nonce((absTS(pair(Agent(dishonest(i5)), Agent(honest(a8)))) Abs_TS1)), pair(Agent(honest(a9)), SymKey(sk(pair(Agent(dishonest(i6)), Agent(honest(a10)))))))), pair(Agent(dishonest(i7)), scrypt(SymKey(sk(pair(Agent(dishonest(i8)), Agent(honest(a11))))), pair(Nonce((absTS(pair(Agent(dishonest(i9)), Agent(honest(a12)))) Abs_TS2)), pair(Agent(honest(a13)), SymKey(sk(pair(Agent(dishonest(i10)), Agent(honest(a14))))))))), Nonce((absTS(pair(Agent(honest(a15)), Agent(dishonest(i11)))) Abs_TS3)), scrypt(SymKey(sk(pair(Agent(honest(a16)), Agent(honest(a17))))), pair(Nonce((absTS(pair(Agent(honest(a18)), Agent(dishonest(i12)))) Abs_TS4)), pair(Agent(dishonest(i13)), SymKey(sk(pair(Agent(dishonest(i14)), Agent(honest(a19)))))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), SymKey(sk(pair(Agent(honest(a3)), Agent(honest(a4))))), Agent(honest(a5)), Agent(honest(a6)), SymKey((absKAB(pair(Agent(honest(a7)), Agent(honest(a8)))) Abs_KAB0)), Nonce((absTS(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(honest(a11)), Agent(honest(a12))))), pair(Nonce((absTS(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_TS1)), pair(Agent(honest(a15)), SymKey((absKAB(pair(Agent(honest(a16)), Agent(honest(a17)))) Abs_KAB1))))), pair(Agent(honest(a18)), scrypt(SymKey(sk(pair(Agent(honest(a19)), Agent(honest(a20))))), pair(Nonce((absTS(pair(Agent(honest(a21)), Agent(honest(a22)))) Abs_TS2)), pair(Agent(honest(a23)), SymKey((absKAB(pair(Agent(honest(a24)), Agent(honest(a25)))) Abs_KAB2)))))), Nonce((absTS(pair(Agent(honest(a26)), Agent(honest(a27)))) Abs_TS3)), scrypt(SymKey(sk(pair(Agent(honest(a28)), Agent(honest(a29))))), pair(Nonce((absTS(pair(Agent(honest(a30)), Agent(honest(a31)))) Abs_TS4)), pair(Agent(honest(a32)), SymKey((absKAB(pair(Agent(honest(a33)), Agent(honest(a34)))) Abs_KAB3))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a3))))), Agent(honest(a4)), Agent(dishonest(i1)), SymKey(sk(pair(Agent(dishonest(i2)), Agent(honest(a5))))), Nonce((absTS(pair(Agent(dishonest(i3)), Agent(dishonest(i4)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(dishonest(i5)), Agent(honest(a6))))), pair(Nonce((absTS(pair(Agent(dishonest(i6)), Agent(dishonest(i7)))) Abs_TS1)), pair(Agent(honest(a7)), SymKey(sk(pair(Agent(dishonest(i8)), Agent(honest(a8)))))))), pair(Agent(dishonest(i9)), scrypt(SymKey(sk(pair(Agent(dishonest(i10)), Agent(honest(a9))))), pair(Nonce((absTS(pair(Agent(dishonest(i11)), Agent(dishonest(i12)))) Abs_TS2)), pair(Agent(honest(a10)), SymKey(sk(pair(Agent(dishonest(i13)), Agent(honest(a11))))))))), Nonce((absTS(pair(Agent(honest(a12)), Agent(dishonest(i14)))) Abs_TS3)), scrypt(SymKey(sk(pair(Agent(honest(a13)), Agent(honest(a14))))), pair(Nonce((absTS(pair(Agent(honest(a15)), Agent(dishonest(i15)))) Abs_TS4)), pair(Agent(dishonest(i16)), SymKey(sk(pair(Agent(dishonest(i17)), Agent(honest(a16)))))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(honest(a3)), SymKey((absKAB(pair(Agent(honest(a4)), Agent(honest(a5)))) Abs_KAB0)), Nonce((absTS(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(honest(a8)), Agent(honest(a9))))), pair(Nonce((absTS(pair(Agent(honest(a10)), Agent(honest(a11)))) Abs_TS1)), pair(Agent(honest(a12)), SymKey((absKAB(pair(Agent(honest(a13)), Agent(honest(a14)))) Abs_KAB1))))), SID(sid0)] ))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(honest(a0)), Agent(honest(a1))))), pair(Nonce((absTS(pair(Agent(honest(a2)), Agent(dishonest(i0)))) Abs_TS0)), pair(Agent(dishonest(i1)), SymKey((absKAB(pair(Agent(honest(a3)), Agent(dishonest(i2)))) Abs_KAB0)))))))
| (m = Iknows(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_TS0))))
| (m = Iknows(SymKey((absKAB(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_KAB0))))
| (m = Iknows(pair(Agent(honest(a0)), scrypt(SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), pair(Nonce((absTA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_TA0)), pair(Agent(honest(a5)), SymKey((absKAB(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_KAB0))))))))
| (m = Iknows(pair(Agent(honest(a0)), scrypt(SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), pair(Nonce((absTA(pair(Agent(honest(a3)), Agent(dishonest(i0)))) Abs_TA0)), pair(Agent(dishonest(i1)), SymKey((absKAB(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_KAB0))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a0))))))))
| (m = Iknows(pair(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_TS0)), pair(Agent(dishonest(i2)), SymKey(sk(pair(Agent(dishonest(i3)), Agent(honest(a0)))))))))
| (m = Iknows(pair(Agent(honest(a0)), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))))))
| (m = Iknows(pair(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_TS0)), pair(Agent(honest(a1)), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a2)))))))))
| (m = Iknows(pair(Agent(honest(a0)), SymKey((absKAB(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_KAB0)))))
| (m = Iknows(pair(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_TS0)), pair(Agent(honest(a1)), SymKey((absKAB(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_KAB0))))))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), SymKey(sk(pair(Agent(honest(a2)), Agent(honest(a3))))), Agent(dishonest(i1)), Agent(honest(a4)), SymKey((absKAB(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_KAB0)), Nonce((absTS(pair(Agent(honest(a6)), Agent(dishonest(i3)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(honest(a7)), Agent(honest(a8))))), pair(Nonce((absTS(pair(Agent(honest(a9)), Agent(dishonest(i4)))) Abs_TS1)), pair(Agent(dishonest(i5)), SymKey((absKAB(pair(Agent(honest(a10)), Agent(dishonest(i6)))) Abs_KAB1))))), pair(Agent(honest(a11)), scrypt(SymKey(sk(pair(Agent(honest(a12)), Agent(honest(a13))))), pair(Nonce((absTS(pair(Agent(honest(a14)), Agent(dishonest(i7)))) Abs_TS2)), pair(Agent(dishonest(i8)), SymKey((absKAB(pair(Agent(honest(a15)), Agent(dishonest(i9)))) Abs_KAB2)))))), Nonce((absTS(pair(Agent(dishonest(i10)), Agent(honest(a16)))) Abs_TS3)), scrypt(SymKey(sk(pair(Agent(dishonest(i11)), Agent(honest(a17))))), pair(Nonce((absTS(pair(Agent(dishonest(i12)), Agent(honest(a18)))) Abs_TS4)), pair(Agent(honest(a19)), SymKey((absKAB(pair(Agent(honest(a20)), Agent(dishonest(i13)))) Abs_KAB3))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a2))))), Agent(dishonest(i2)), Agent(dishonest(i3)), SymKey((absKAB(pair(Agent(honest(a3)), Agent(dishonest(i4)))) Abs_KAB0)), Nonce((absTS(pair(Agent(dishonest(i5)), Agent(honest(a4)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(dishonest(i6)), Agent(honest(a5))))), pair(Nonce((absTS(pair(Agent(dishonest(i7)), Agent(honest(a6)))) Abs_TS1)), pair(Agent(dishonest(i8)), SymKey((absKAB(pair(Agent(honest(a7)), Agent(dishonest(i9)))) Abs_KAB1))))), pair(Agent(dishonest(i10)), scrypt(SymKey(sk(pair(Agent(dishonest(i11)), Agent(honest(a8))))), pair(Nonce((absTS(pair(Agent(dishonest(i12)), Agent(honest(a9)))) Abs_TS2)), pair(Agent(dishonest(i13)), SymKey((absKAB(pair(Agent(honest(a10)), Agent(dishonest(i14)))) Abs_KAB2)))))), Nonce((absTS(pair(Agent(dishonest(i15)), Agent(dishonest(i16)))) Abs_TS3)), scrypt(SymKey(sk(pair(Agent(dishonest(i17)), Agent(honest(a11))))), pair(Nonce((absTS(pair(Agent(dishonest(i18)), Agent(dishonest(i19)))) Abs_TS4)), pair(Agent(dishonest(i20)), SymKey((absKAB(pair(Agent(honest(a12)), Agent(dishonest(i21)))) Abs_KAB3))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a2))))), Agent(dishonest(i2)), Agent(dishonest(i3)), SymKey(sk(pair(Agent(dishonest(i4)), Agent(honest(a3))))), Nonce((absTS(pair(Agent(dishonest(i5)), Agent(honest(a4)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(dishonest(i6)), Agent(honest(a5))))), pair(Nonce((absTS(pair(Agent(dishonest(i7)), Agent(honest(a6)))) Abs_TS1)), pair(Agent(dishonest(i8)), SymKey(sk(pair(Agent(dishonest(i9)), Agent(honest(a7)))))))), pair(Agent(dishonest(i10)), scrypt(SymKey(sk(pair(Agent(dishonest(i11)), Agent(honest(a8))))), pair(Nonce((absTS(pair(Agent(dishonest(i12)), Agent(honest(a9)))) Abs_TS2)), pair(Agent(dishonest(i13)), SymKey(sk(pair(Agent(dishonest(i14)), Agent(honest(a10))))))))), Nonce((absTS(pair(Agent(dishonest(i15)), Agent(dishonest(i16)))) Abs_TS3)), scrypt(SymKey(sk(pair(Agent(dishonest(i17)), Agent(honest(a11))))), pair(Nonce((absTS(pair(Agent(dishonest(i18)), Agent(dishonest(i19)))) Abs_TS4)), pair(Agent(dishonest(i20)), SymKey(sk(pair(Agent(dishonest(i21)), Agent(honest(a12)))))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a2))))), Agent(dishonest(i2)), Agent(dishonest(i3)), SymKey((absKAB(pair(Agent(honest(a3)), Agent(dishonest(i4)))) Abs_KAB0)), Nonce((absTS(pair(Agent(dishonest(i5)), Agent(dishonest(i6)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(dishonest(i7)), Agent(honest(a4))))), pair(Nonce((absTS(pair(Agent(dishonest(i8)), Agent(dishonest(i9)))) Abs_TS1)), pair(Agent(dishonest(i10)), SymKey((absKAB(pair(Agent(honest(a5)), Agent(dishonest(i11)))) Abs_KAB1))))), pair(Agent(dishonest(i12)), scrypt(SymKey(sk(pair(Agent(dishonest(i13)), Agent(honest(a6))))), pair(Nonce((absTS(pair(Agent(dishonest(i14)), Agent(dishonest(i15)))) Abs_TS2)), pair(Agent(dishonest(i16)), SymKey((absKAB(pair(Agent(honest(a7)), Agent(dishonest(i17)))) Abs_KAB2)))))), Nonce((absTS(pair(Agent(dishonest(i18)), Agent(dishonest(i19)))) Abs_TS3)), scrypt(SymKey(sk(pair(Agent(dishonest(i20)), Agent(honest(a8))))), pair(Nonce((absTS(pair(Agent(dishonest(i21)), Agent(dishonest(i22)))) Abs_TS4)), pair(Agent(dishonest(i23)), SymKey((absKAB(pair(Agent(honest(a9)), Agent(dishonest(i24)))) Abs_KAB3))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a2))))), Agent(dishonest(i2)), Agent(dishonest(i3)), SymKey((absKAB(pair(Agent(honest(a3)), Agent(dishonest(i4)))) Abs_KAB0)), Nonce((ni Abs_NI0)), scrypt(SymKey(sk(pair(Agent(dishonest(i5)), Agent(honest(a4))))), pair(Nonce((ni Abs_NI1)), pair(Agent(dishonest(i6)), SymKey((absKAB(pair(Agent(honest(a5)), Agent(dishonest(i7)))) Abs_KAB1))))), pair(Agent(dishonest(i8)), scrypt(SymKey(sk(pair(Agent(dishonest(i9)), Agent(honest(a6))))), pair(Nonce((ni Abs_NI2)), pair(Agent(dishonest(i10)), SymKey((absKAB(pair(Agent(honest(a7)), Agent(dishonest(i11)))) Abs_KAB2)))))), Nonce((absTS(pair(Agent(dishonest(i12)), Agent(dishonest(i13)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(dishonest(i14)), Agent(honest(a8))))), pair(Nonce((absTS(pair(Agent(dishonest(i15)), Agent(dishonest(i16)))) Abs_TS1)), pair(Agent(dishonest(i17)), SymKey((absKAB(pair(Agent(honest(a9)), Agent(dishonest(i18)))) Abs_KAB3))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a3))))), Agent(honest(a4)), Agent(dishonest(i1)), SymKey((absKAB(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_KAB0)), Nonce((absTS(pair(Agent(dishonest(i3)), Agent(dishonest(i4)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(dishonest(i5)), Agent(honest(a6))))), pair(Nonce((absTS(pair(Agent(dishonest(i6)), Agent(dishonest(i7)))) Abs_TS1)), pair(Agent(honest(a7)), SymKey((absKAB(pair(Agent(honest(a8)), Agent(dishonest(i8)))) Abs_KAB1))))), pair(Agent(dishonest(i9)), scrypt(SymKey(sk(pair(Agent(dishonest(i10)), Agent(honest(a9))))), pair(Nonce((absTS(pair(Agent(dishonest(i11)), Agent(dishonest(i12)))) Abs_TS2)), pair(Agent(honest(a10)), SymKey((absKAB(pair(Agent(honest(a11)), Agent(dishonest(i13)))) Abs_KAB2)))))), Nonce((absTS(pair(Agent(honest(a12)), Agent(dishonest(i14)))) Abs_TS3)), scrypt(SymKey(sk(pair(Agent(honest(a13)), Agent(honest(a14))))), pair(Nonce((absTS(pair(Agent(honest(a15)), Agent(dishonest(i15)))) Abs_TS4)), pair(Agent(dishonest(i16)), SymKey((absKAB(pair(Agent(honest(a16)), Agent(dishonest(i17)))) Abs_KAB3))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a3))))), Agent(honest(a4)), Agent(dishonest(i1)), SymKey((absKAB(pair(Agent(honest(a5)), Agent(dishonest(i2)))) Abs_KAB0)), Nonce((ni Abs_NI0)), scrypt(SymKey(sk(pair(Agent(dishonest(i3)), Agent(honest(a6))))), pair(Nonce((ni Abs_NI1)), pair(Agent(honest(a7)), SymKey((absKAB(pair(Agent(honest(a8)), Agent(dishonest(i4)))) Abs_KAB1))))), pair(Agent(dishonest(i5)), scrypt(SymKey(sk(pair(Agent(dishonest(i6)), Agent(honest(a9))))), pair(Nonce((ni Abs_NI2)), pair(Agent(honest(a10)), SymKey((absKAB(pair(Agent(honest(a11)), Agent(dishonest(i7)))) Abs_KAB2)))))), Nonce((absTS(pair(Agent(honest(a12)), Agent(dishonest(i8)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(honest(a13)), Agent(honest(a14))))), pair(Nonce((absTS(pair(Agent(honest(a15)), Agent(dishonest(i9)))) Abs_TS1)), pair(Agent(dishonest(i10)), SymKey((absKAB(pair(Agent(honest(a16)), Agent(dishonest(i11)))) Abs_KAB3))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), Agent(dishonest(i0)), SymKey((absKAB(pair(Agent(honest(a3)), Agent(dishonest(i1)))) Abs_KAB0)), Nonce((absTS(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_TS0)), scrypt(SymKey(sk(pair(Agent(honest(a5)), Agent(honest(a6))))), pair(Nonce((absTS(pair(Agent(honest(a7)), Agent(dishonest(i3)))) Abs_TS1)), pair(Agent(dishonest(i4)), SymKey((absKAB(pair(Agent(honest(a8)), Agent(dishonest(i5)))) Abs_KAB1))))), SID(sid0)] ))
| (m = Iknows(scrypt(SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a0))))), pair(Nonce((absTS(pair(Agent(dishonest(i1)), Agent(dishonest(i2)))) Abs_TS0)), pair(Agent(dishonest(i3)), SymKey((absKAB(pair(Agent(honest(a1)), Agent(dishonest(i4)))) Abs_KAB0)))))))
| (m = Iknows(pair(Agent(honest(a0)), scrypt(SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), pair(Nonce((absTA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_TA0)), pair(Agent(honest(a5)), SymKey((absKAB(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_KAB0))))))))
| (m = Iknows(pair(Agent(honest(a0)), scrypt(SymKey(sk(pair(Agent(honest(a1)), Agent(honest(a2))))), pair(Nonce((absTA(pair(Agent(honest(a3)), Agent(dishonest(i0)))) Abs_TA0)), pair(Agent(dishonest(i1)), SymKey((absKAB(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_KAB0))))))))
| (m = Iknows(pair(Agent(dishonest(i0)), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a0))))))))
| (m = Iknows(pair(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_TS0)), pair(Agent(dishonest(i2)), SymKey(sk(pair(Agent(dishonest(i3)), Agent(honest(a0)))))))))
| (m = Iknows(pair(Agent(honest(a0)), SymKey(sk(pair(Agent(dishonest(i0)), Agent(honest(a1))))))))
| (m = Iknows(pair(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_TS0)), pair(Agent(honest(a1)), SymKey(sk(pair(Agent(dishonest(i1)), Agent(honest(a2)))))))))
| (m = Iknows(pair(Agent(honest(a0)), SymKey((absKAB(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_KAB0)))))
| (m = Iknows(pair(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(honest(a0)))) Abs_TS0)), pair(Agent(honest(a1)), SymKey((absKAB(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_KAB0))))))
| (m = Iknows(pair(Agent(dishonest(i0)), SymKey((absKAB(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_KAB0)))))
| (m = Iknows(pair(Nonce((absTS(pair(Agent(dishonest(i0)), Agent(dishonest(i1)))) Abs_TS0)), pair(Agent(dishonest(i2)), SymKey((absKAB(pair(Agent(honest(a0)), Agent(dishonest(i3)))) Abs_KAB0))))))
)}"
section {* Checking Fixed-point (WideMouthFrog) *}
lemma fp_attack_free: "~ (Attack m : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_0: "Iknows(Nonce((ni Abs_NI))) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_1: "Iknows(Agent(dishonest(i))) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_2: "State(rA, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(dishonest(i)), SID(sid)] ) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_3: "State(rA, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(honest(a)), SID(sid)] ) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_4: "Iknows(Step(0)) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_5: "Iknows(SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a)))))) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_6: "Iknows(SID(sid)) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_7: "Iknows(Agent(honest(a))) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_8: "State(rB, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(dishonest(i)), SID(sid)] ) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_9: "State(rB, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(honest(a)), SID(sid)] ) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_10: "State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))), SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))), Agent(dishonest(i)), Agent(dishonest(i)), SID(sid)] ) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_11: "State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(dishonest(i)), Agent(honest(a)), SID(sid)] ) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_12: "State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), SymKey(sk(pair(Agent(dishonest(i)), Agent(honest(a))))), Agent(honest(a)), Agent(dishonest(i)), SID(sid)] ) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma init_13: "State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), SymKey(sk(pair(Agent(honest(a)), Agent(honest(a))))), Agent(honest(a)), Agent(honest(a)), SID(sid)] ) : WideMouthFrog_fp"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_0: "[|
Iknows(crypt(K, M)) : WideMouthFrog_fp;
Iknows(inv(K)) : WideMouthFrog_fp|]
==>
(Iknows(M) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_1: "[|
Iknows(crypt(inv(K), M)) : WideMouthFrog_fp;
Iknows(K) : WideMouthFrog_fp|]
==>
(Iknows(M) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_2: "[|
Iknows(scrypt(K, M)) : WideMouthFrog_fp;
Iknows(K) : WideMouthFrog_fp|]
==>
(Iknows(M) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_3: "[|
Iknows(pair(M1, M2)) : WideMouthFrog_fp|]
==>
(Iknows(M1) : WideMouthFrog_fp) &
(Iknows(M2) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_4: "[|
Secret(M, Agent(honest(a))) : WideMouthFrog_fp;
Iknows(M) : WideMouthFrog_fp|]
==>
(Attack(pair(secrecy, M)) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_5: "[|
Request(A, B, Purpose(purposeTA), M, SID(sid)) : WideMouthFrog_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_TA .
M = Nonce((absTA(pair(B, A)) Abs_TA)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_6: "[|
Request(A, B, Purpose(purposeKAB), M, SID(sid)) : WideMouthFrog_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_KAB .
M = SymKey((absKAB(pair(B, A)) Abs_KAB)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_7: "[|
Request(A, B, Purpose(purposeTS), M, SID(sid)) : WideMouthFrog_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_TS .
M = Nonce((absTS(pair(B, A)) Abs_TS)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_8: "[|
State(rA, [Agent(A), Step(0), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), SID(sid)] ) : WideMouthFrog_fp|]
==>
(Secret(SymKey((absKAB(pair(Agent(A), Agent(B))) Abs_KAB)), Agent(B)) : WideMouthFrog_fp) &
(Witness(Agent(A), Agent(B), Purpose(purposeKAB), SymKey((absKAB(pair(Agent(A), Agent(B))) Abs_KAB))) : WideMouthFrog_fp) &
(State(rA, [Agent(A), Step(1), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), Nonce((absTA(pair(Agent(A), Agent(B))) Abs_TA)), SymKey((absKAB(pair(Agent(A), Agent(B))) Abs_KAB)), pair(Agent(A), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce((absTA(pair(Agent(A), Agent(B))) Abs_TA)), pair(Agent(B), SymKey((absKAB(pair(Agent(A), Agent(B))) Abs_KAB)))))), SID(sid)] ) : WideMouthFrog_fp) &
(Iknows(pair(Agent(A), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce((absTA(pair(Agent(A), Agent(B))) Abs_TA)), pair(Agent(B), SymKey((absKAB(pair(Agent(A), Agent(B))) Abs_KAB))))))) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_9: "[|
State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(B), Agent(honest(a))))), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), Agent(A), SID(sid)] ) : WideMouthFrog_fp;
Iknows(Agent(A)) : WideMouthFrog_fp;
Iknows(scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce(TA), pair(Agent(B), SymKey(KAB))))) : WideMouthFrog_fp|]
==>
(State(rs, [Agent(honest(a)), Step(1), SymKey(sk(pair(Agent(B), Agent(honest(a))))), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), Agent(A), SymKey(KAB), Nonce(TA), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce(TA), pair(Agent(B), SymKey(KAB)))), pair(Agent(A), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce(TA), pair(Agent(B), SymKey(KAB))))), Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), pair(Agent(A), SymKey(KAB)))), SID(sid)] ) : WideMouthFrog_fp) &
(Iknows(scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), pair(Agent(A), SymKey(KAB))))) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_10: "[|
State(rs, [Agent(honest(a)), Step(0), SymKey(sk(pair(Agent(B), Agent(honest(a))))), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), Agent(A), SID(sid)] ) : WideMouthFrog_fp;
Iknows(Agent(A)) : WideMouthFrog_fp;
Iknows(SymKey(sk(pair(Agent(A), Agent(honest(a)))))) : WideMouthFrog_fp;
Iknows(Nonce(TA)) : WideMouthFrog_fp;
Iknows(Agent(B)) : WideMouthFrog_fp;
Iknows(SymKey(KAB)) : WideMouthFrog_fp|]
==>
(State(rs, [Agent(honest(a)), Step(1), SymKey(sk(pair(Agent(B), Agent(honest(a))))), SymKey(sk(pair(Agent(A), Agent(honest(a))))), Agent(B), Agent(A), SymKey(KAB), Nonce(TA), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce(TA), pair(Agent(B), SymKey(KAB)))), pair(Agent(A), scrypt(SymKey(sk(pair(Agent(A), Agent(honest(a))))), pair(Nonce(TA), pair(Agent(B), SymKey(KAB))))), Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), pair(Agent(A), SymKey(KAB)))), SID(sid)] ) : WideMouthFrog_fp) &
(Iknows(scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce((absTS(pair(Agent(B), Agent(A))) Abs_TS)), pair(Agent(A), SymKey(KAB))))) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_11: "[|
State(rB, [Agent(B), Step(0), SymKey(sk(pair(Agent(B), Agent(honest(a))))), Agent(A), SID(sid)] ) : WideMouthFrog_fp;
Iknows(scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce(TS), pair(Agent(A), SymKey(KAB))))) : WideMouthFrog_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeKAB), SymKey(KAB), SID(sid)) : WideMouthFrog_fp) &
(State(rB, [Agent(B), Step(1), SymKey(sk(pair(Agent(B), Agent(honest(a))))), Agent(A), SymKey(KAB), Nonce(TS), scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce(TS), pair(Agent(A), SymKey(KAB)))), SID(sid)] ) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_12: "[|
State(rB, [Agent(B), Step(0), SymKey(sk(pair(Agent(B), Agent(honest(a))))), Agent(A), SID(sid)] ) : WideMouthFrog_fp;
Iknows(SymKey(sk(pair(Agent(B), Agent(honest(a)))))) : WideMouthFrog_fp;
Iknows(Nonce(TS)) : WideMouthFrog_fp;
Iknows(Agent(A)) : WideMouthFrog_fp;
Iknows(SymKey(KAB)) : WideMouthFrog_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeKAB), SymKey(KAB), SID(sid)) : WideMouthFrog_fp) &
(State(rB, [Agent(B), Step(1), SymKey(sk(pair(Agent(B), Agent(honest(a))))), Agent(A), SymKey(KAB), Nonce(TS), scrypt(SymKey(sk(pair(Agent(B), Agent(honest(a))))), pair(Nonce(TS), pair(Agent(A), SymKey(KAB)))), SID(sid)] ) : WideMouthFrog_fp)"
by(simp only: WideMouthFrog_fp_def, simp only: set2pred, simp, auto?)+
section {* Security Proof(s) (WideMouthFrog) *}
lemma over_approx: "t : WideMouthFrog ==> (set t) <= WideMouthFrog_fp"
apply(rule WideMouthFrog.induct, simp_all)
apply(propagate_fp, cut_tac init_0, (assumption | simp)+)
apply(propagate_fp, cut_tac init_1, (assumption | simp)+)
apply(propagate_fp, cut_tac init_2, (assumption | simp)+)
apply(propagate_fp, cut_tac init_3, (assumption | simp)+)
apply(propagate_fp, cut_tac init_4, (assumption | simp)+)
apply(propagate_fp, cut_tac init_5, (assumption | simp)+)
apply(propagate_fp, cut_tac init_6, (assumption | simp)+)
apply(propagate_fp, cut_tac init_7, (assumption | simp)+)
apply(propagate_fp, cut_tac init_8, (assumption | simp)+)
apply(propagate_fp, cut_tac init_9, (assumption | simp)+)
apply(propagate_fp, cut_tac init_10, (assumption | simp)+)
apply(propagate_fp, cut_tac init_11, (assumption | simp)+)
apply(propagate_fp, cut_tac init_12, (assumption | simp)+)
apply(propagate_fp, cut_tac init_13, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_0, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_1, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_2, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_3, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_4, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_5, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_6, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_7, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_8, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_9, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_10, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_11, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_12, (assumption | simp)+)
done
end (* theory *)

View File

@ -0,0 +1,38 @@
\documentclass[11pt,a4paper,DIVcalc,twoside]{scrartcl}
\usepackage{amsmath}
\usepackage{graphicx}
\usepackage[T1]{fontenc}
\usepackage{amsmath,amsfonts,amssymb}
\usepackage{isabelle}
\usepackage{isabellesym}
\isabellestyle{it}
%\usepackage{fixisa}
% <isabelle-section-setup>
\renewcommand{\isamarkupheader}[1]{\section{#1}}
\renewcommand{\isamarkupchapter}[1]{\subsection{#1}}
\renewcommand{\isamarkupsection}[1]{\subsection{#1}}
\renewcommand{\isamarkupsubsection}[1]{\subsubsection{#1}}
\usepackage[hyperref,dvipsnames,table]{xcolor}
% urls in roman style, theory text in math-similar italics
\isabellestyle{it}
\newcommand{\includeIfExists}[1]{\IfFileExists{#1}{\include{#1}}{}}
\title{Testsuite}
\author{}
\begin{document}
\maketitle
\tableofcontents
\input{session.tex}
\includeIfExists{report.tex}
\end{document}
%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End:

814
examples/nsl-ks.thy Normal file
View File

@ -0,0 +1,814 @@
header {* Analysing NSL *}
(* ***********************************
This file is automatically generated from the AnB file "AnB/nsl-ks.AnB".
Backend: Open Source Fixedpoint Model Checker version 2009c
************************************ *)
theory
"nsl-ks"
imports
ofmc
begin
section {* Protocol Model (NSL) *}
datatype Role = rA | rB | rs
datatype Purpose = purposeNI | purposeNA | purposeNB
datatype Agent = honest nat
| dishonest nat
datatype Nonce = "ni" "nat"
| "na" "Msg" "nat"
| "nb" "Msg" "nat"
| "NI"
| "NA"
| "NB"
and Msg = Nonce "Nonce"
| Agent "Agent"
| Purpose "Purpose"
| pair "Msg*Msg"
| scrypt "Msg*Msg"
| crypt "Msg*Msg"
| inv "Msg"
| SID "nat"
| Step "nat"
| authentication
| secrecy
(* SymKeys *)
| SymKey "Msg"
(* Functions *)
| "pk" "Msg"
datatype Fact = Iknows Msg
| State "Role * (Msg list)"
| Secret "Msg * Msg"
| Attack "Msg"
| Witness "Msg * Msg * Msg * Msg"
| Request "Msg * Msg * Msg * Msg * Msg"
section {* Inductive Protocol Definition (NSL) *}
inductive_set
NSL::"Fact list set"
where
init_0: "[ Iknows(Nonce((ni Abs_NI)))] : NSL"
| init_1: "[ Iknows(Agent(dishonest(i)))] : NSL"
| init_2: "[ State(rA, [Agent(honest(a)), Step(0), Agent(dishonest(i)), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), SID(sid)] )] : NSL"
| init_3: "[ State(rA, [Agent(honest(a)), Step(0), Agent(honest(a)), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), SID(sid)] )] : NSL"
| init_4: "[ Iknows(Step(0))] : NSL"
| init_5: "[ Iknows(pk(Agent(honest(a))))] : NSL"
| init_6: "[ Iknows(Agent(honest(a)))] : NSL"
| init_7: "[ Iknows(inv(pk(Agent(dishonest(i)))))] : NSL"
| init_8: "[ Iknows(pk(Agent(dishonest(i))))] : NSL"
| init_9: "[ Iknows(SID(sid))] : NSL"
| init_10: "[ Iknows(Agent(honest(a)))] : NSL"
| init_11: "[ State(rB, [Agent(honest(a)), Step(0), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), SID(sid)] )] : NSL"
| init_12: "[ State(rs, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), SID(sid)] )] : NSL"
| rule_0: "[| t :NSL;
Iknows(crypt(K, M)) : (set t);
Iknows(inv(K)) : (set t)|]
==>
((Iknows(M))
#t) : NSL"
| rule_1: "[| t :NSL;
Iknows(crypt(inv(K), M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : NSL"
| rule_2: "[| t :NSL;
Iknows(scrypt(K, M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : NSL"
| rule_3: "[| t :NSL;
Iknows(pair(M1, M2)) : (set t)|]
==>
((Iknows(M1))
#(Iknows(M2))
#t) : NSL"
| rule_4: "[| t :NSL;
Secret(M, Agent(honest(a))) : (set t);
Iknows(M) : (set t)|]
==>
((Attack(pair(secrecy, M)))
#t) : NSL"
| rule_5: "[| t :NSL;
Request(A, B, Purpose(purposeNA), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NA .
M = Nonce((na(pair(B, A)) Abs_NA)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : NSL"
| rule_6: "[| t :NSL;
Request(A, B, Purpose(purposeNB), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Arg1 Abs_NB .
M = Nonce((nb(pair(B, pair(A, Arg1))) Abs_NB)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : NSL"
| rule_7: "[| t :NSL;
State(rA, [Agent(A), Step(0), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), SID(sid)] ) : (set t)|]
==>
((State(rA, [Agent(A), Step(1), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), SID(sid)] ))
#(Iknows(pair(Agent(A), Agent(B))))
#t) : NSL"
| rule_8: "[| t :NSL;
State(rs, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), SID(sid)] ) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(Agent(B)) : (set t)|]
==>
((State(rs, [Agent(honest(a)), Step(1), inv(pk(Agent(honest(a)))), Agent(B), Agent(A), pair(Agent(A), Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), SID(sid)] ))
#(Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B))))))
#t) : NSL"
| rule_9: "[| t :NSL;
State(rA, [Agent(A), Step(1), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), SID(sid)] ) : (set t);
Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B))))) : (set t)|]
==>
((Secret(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(B)))
#(Witness(Agent(A), Agent(B), Purpose(purposeNA), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA))))
#(State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A)))))
#t) : NSL"
| rule_10: "[| t :NSL;
State(rA, [Agent(A), Step(1), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), SID(sid)] ) : (set t);
Iknows(inv(pk(Agent(honest(a))))) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(pk(Agent(B))) : (set t)|]
==>
((Secret(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(B)))
#(Witness(Agent(A), Agent(B), Purpose(purposeNA), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA))))
#(State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A)))))
#t) : NSL"
| rule_11: "[| t :NSL;
State(rA, [Agent(A), Step(1), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), SID(sid)] ) : (set t);
Iknows(inv(pk(Agent(honest(a))))) : (set t);
Iknows(Agent(B)) : (set t)|]
==>
((Secret(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(B)))
#(Witness(Agent(A), Agent(B), Purpose(purposeNA), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA))))
#(State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A)))))
#t) : NSL"
| rule_12: "[| t :NSL;
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), SID(sid)] ) : (set t);
Iknows(crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A)))) : (set t)|]
==>
((State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ))
#(Iknows(pair(Agent(B), Agent(A))))
#t) : NSL"
| rule_13: "[| t :NSL;
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), SID(sid)] ) : (set t);
Iknows(pk(Agent(B))) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Agent(A)) : (set t)|]
==>
((State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ))
#(Iknows(pair(Agent(B), Agent(A))))
#t) : NSL"
| rule_14: "[| t :NSL;
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), SID(sid)] ) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Agent(A)) : (set t)|]
==>
((State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ))
#(Iknows(pair(Agent(B), Agent(A))))
#t) : NSL"
| rule_15: "[| t :NSL;
State(rs, [Agent(honest(a)), Step(1), inv(pk(Agent(honest(a)))), Agent(B), Agent(A), pair(Agent(A), Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), SID(sid)] ) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Agent(A)) : (set t)|]
==>
((State(rs, [Agent(honest(a)), Step(2), inv(pk(Agent(honest(a)))), Agent(B), Agent(A), pair(Agent(A), Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), pair(Agent(B), Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), SID(sid)] ))
#(Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A))))))
#t) : NSL"
| rule_16: "[| t :NSL;
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : (set t);
Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A))))) : (set t)|]
==>
((Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))))
#(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_17: "[| t :NSL;
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : (set t);
Iknows(inv(pk(Agent(honest(a))))) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(pk(Agent(A))) : (set t)|]
==>
((Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))))
#(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_18: "[| t :NSL;
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : (set t);
Iknows(inv(pk(Agent(honest(a))))) : (set t);
Iknows(Agent(A)) : (set t)|]
==>
((Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))))
#(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_19: "[| t :NSL;
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : (set t);
Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A))))) : (set t);
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
((Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))))
#(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_20: "[| t :NSL;
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : (set t);
Iknows(inv(pk(Agent(honest(a))))) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(pk(Agent(A))) : (set t);
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
((Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))))
#(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_21: "[| t :NSL;
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : (set t);
Iknows(inv(pk(Agent(honest(a))))) : (set t);
Iknows(Agent(A)) : (set t);
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
((Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))))
#(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_22: "[| t :NSL;
State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : (set t);
Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B))))) : (set t)|]
==>
((Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)))
#(State(rA, [Agent(A), Step(3), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), Nonce(NB))))
#t) : NSL"
| rule_23: "[| t :NSL;
State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : (set t);
Iknows(pk(Agent(A))) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Nonce(NB)) : (set t);
Iknows(Agent(B)) : (set t)|]
==>
((Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)))
#(State(rA, [Agent(A), Step(3), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), Nonce(NB))))
#t) : NSL"
| rule_24: "[| t :NSL;
State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Nonce(NB)) : (set t);
Iknows(Agent(B)) : (set t)|]
==>
((Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)))
#(State(rA, [Agent(A), Step(3), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), Nonce(NB))))
#t) : NSL"
| rule_25: "[| t :NSL;
State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : (set t);
Iknows(crypt(pk(Agent(B)), Nonce(NB))) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)))
#(State(rB, [Agent(B), Step(3), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#t) : NSL"
| rule_26: "[| t :NSL;
State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : (set t);
Iknows(pk(Agent(B))) : (set t);
Iknows(Nonce(NB)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)))
#(State(rB, [Agent(B), Step(3), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#t) : NSL"
| rule_27: "[| t :NSL;
State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Nonce(NB)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)))
#(State(rB, [Agent(B), Step(3), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#t) : NSL"
section {* Fixed-point Definition (NSL) *}
constdefs NSL_fp::"Fact set""NSL_fp == {m. ( ? Abs_NA3 Abs_NA4 Abs_NA5 i13 Abs_NI1 Abs_NI2 a16 a17 a18 a19 a20 a21 a22 a23 a24 a25 a26 a27 a28 Abs_NA1 Abs_NA2 a3 a4 a5 a6 a7 i2 i3 a8 i4 i5 a9 i6 i7 a10 i8 Abs_NB2 i9 a11 i10 Abs_NB3 a12 i11 Abs_NB4 a13 a14 a15 i12 Abs_NB5 sid0 Abs_NI0 Abs_NA0 a0 i0 Abs_NB0 a1 i1 Abs_NB1 a2 .
(m = Iknows(Nonce((ni Abs_NI0))))
| (m = Iknows(Agent(dishonest(i0))))
| (m = State(rA, [Agent(honest(a0)), Step(0), Agent(dishonest(i0)), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(0), Agent(honest(a1)), pk(Agent(honest(a2))), Agent(honest(a3)), inv(pk(Agent(honest(a4)))), pk(Agent(honest(a5))), SID(sid0)] ))
| (m = Iknows(Step(0)))
| (m = Iknows(pk(Agent(honest(a0)))))
| (m = Iknows(Agent(honest(a0))))
| (m = Iknows(inv(pk(Agent(dishonest(i0))))))
| (m = Iknows(pk(Agent(dishonest(i0)))))
| (m = Iknows(SID(sid0)))
| (m = Iknows(Agent(honest(a0))))
| (m = State(rB, [Agent(honest(a0)), Step(0), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(0), inv(pk(Agent(honest(a1)))), SID(sid0)] ))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = State(rA, [Agent(honest(a0)), Step(1), Agent(dishonest(i0)), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), pair(Agent(honest(a5)), Agent(dishonest(i1))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(1), Agent(honest(a1)), pk(Agent(honest(a2))), Agent(honest(a3)), inv(pk(Agent(honest(a4)))), pk(Agent(honest(a5))), pair(Agent(honest(a6)), Agent(honest(a7))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), Agent(dishonest(i0)), Agent(dishonest(i1)), pair(Agent(dishonest(i2)), Agent(dishonest(i3))), crypt(inv(pk(Agent(honest(a2)))), pair(Agent(dishonest(i4)), pk(Agent(dishonest(i5))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), Agent(honest(a2)), Agent(dishonest(i0)), pair(Agent(dishonest(i1)), Agent(honest(a3))), crypt(inv(pk(Agent(honest(a4)))), pair(Agent(honest(a5)), pk(Agent(honest(a6))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), Agent(dishonest(i0)), Agent(honest(a2)), pair(Agent(honest(a3)), Agent(dishonest(i1))), crypt(inv(pk(Agent(honest(a4)))), pair(Agent(dishonest(i2)), pk(Agent(dishonest(i3))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), Agent(honest(a2)), Agent(honest(a3)), pair(Agent(honest(a4)), Agent(honest(a5))), crypt(inv(pk(Agent(honest(a6)))), pair(Agent(honest(a7)), pk(Agent(honest(a8))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(dishonest(i0)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a5))), pair(Nonce((ni Abs_NI1)), Agent(dishonest(i1)))), pair(Agent(honest(a6)), Agent(dishonest(i2))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(honest(a5)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a6))), pair(Nonce((ni Abs_NI1)), Agent(honest(a7)))), pair(Agent(honest(a8)), Agent(honest(a9))), SID(sid0)] ))
| (m = Iknows(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(honest(a1)), pk(Agent(honest(a2)))))))
| (m = Iknows(crypt(inv(pk(Agent(honest(a0)))), pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1)))))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = Iknows(pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1))))))
| (m = Iknows(pair(Agent(honest(a0)), pk(Agent(honest(a1))))))
| (m = Secret(Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), Agent(dishonest(i1))))
| (m = Witness(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNA), Nonce((na(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA0))))
| (m = State(rA, [Agent(honest(a0)), Step(2), Agent(dishonest(i0)), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), pair(Agent(honest(a5)), Agent(dishonest(i1))), pk(Agent(dishonest(i2))), crypt(inv(pk(Agent(honest(a6)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), Nonce((na(pair(Agent(honest(a7)), Agent(dishonest(i5)))) Abs_NA0)), crypt(pk(Agent(dishonest(i6))), pair(Nonce((na(pair(Agent(honest(a8)), Agent(dishonest(i7)))) Abs_NA1)), Agent(honest(a9)))), SID(sid0)] ))
| (m = Secret(Nonce((na(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_NA0)), Agent(honest(a2))))
| (m = Witness(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeNA), Nonce((na(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0))))
| (m = State(rA, [Agent(honest(a0)), Step(2), Agent(honest(a1)), pk(Agent(honest(a2))), Agent(honest(a3)), inv(pk(Agent(honest(a4)))), pk(Agent(honest(a5))), pair(Agent(honest(a6)), Agent(honest(a7))), pk(Agent(honest(a8))), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(honest(a10)), pk(Agent(honest(a11))))), Nonce((na(pair(Agent(honest(a12)), Agent(honest(a13)))) Abs_NA0)), crypt(pk(Agent(honest(a14))), pair(Nonce((na(pair(Agent(honest(a15)), Agent(honest(a16)))) Abs_NA1)), Agent(honest(a17)))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), Agent(dishonest(i0)), Agent(dishonest(i1)), pair(Agent(dishonest(i2)), Agent(dishonest(i3))), crypt(inv(pk(Agent(honest(a2)))), pair(Agent(dishonest(i4)), pk(Agent(dishonest(i5))))), pair(Agent(dishonest(i6)), Agent(dishonest(i7))), crypt(inv(pk(Agent(honest(a3)))), pair(Agent(dishonest(i8)), pk(Agent(dishonest(i9))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), Agent(honest(a2)), Agent(dishonest(i0)), pair(Agent(dishonest(i1)), Agent(honest(a3))), crypt(inv(pk(Agent(honest(a4)))), pair(Agent(honest(a5)), pk(Agent(honest(a6))))), pair(Agent(honest(a7)), Agent(dishonest(i2))), crypt(inv(pk(Agent(honest(a8)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), Agent(dishonest(i0)), Agent(honest(a2)), pair(Agent(honest(a3)), Agent(dishonest(i1))), crypt(inv(pk(Agent(honest(a4)))), pair(Agent(dishonest(i2)), pk(Agent(dishonest(i3))))), pair(Agent(dishonest(i4)), Agent(honest(a5))), crypt(inv(pk(Agent(honest(a6)))), pair(Agent(honest(a7)), pk(Agent(honest(a8))))), SID(sid0)] ))
| (m = State(rs, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), Agent(honest(a2)), Agent(honest(a3)), pair(Agent(honest(a4)), Agent(honest(a5))), crypt(inv(pk(Agent(honest(a6)))), pair(Agent(honest(a7)), pk(Agent(honest(a8))))), pair(Agent(honest(a9)), Agent(honest(a10))), crypt(inv(pk(Agent(honest(a11)))), pair(Agent(honest(a12)), pk(Agent(honest(a13))))), SID(sid0)] ))
| (m = Secret(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(dishonest(i1))))
| (m = Witness(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNB), Nonce((nb(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0))))
| (m = State(rB, [Agent(honest(a0)), Step(2), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(dishonest(i0)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a5))), pair(Nonce((ni Abs_NI1)), Agent(dishonest(i1)))), pair(Agent(honest(a6)), Agent(dishonest(i2))), pk(Agent(dishonest(i3))), crypt(inv(pk(Agent(honest(a7)))), pair(Agent(dishonest(i4)), pk(Agent(dishonest(i5))))), Nonce((nb(pair(Agent(honest(a8)), pair(Agent(dishonest(i6)), Step(0)))) Abs_NB0)), crypt(pk(Agent(dishonest(i7))), pair(Nonce((ni Abs_NI2)), pair(Nonce((nb(pair(Agent(honest(a9)), pair(Agent(dishonest(i8)), Step(0)))) Abs_NB1)), Agent(honest(a10))))), SID(sid0)] ))
| (m = Secret(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(honest(a1)), Step(0)))) Abs_NB0)), Agent(honest(a2))))
| (m = Witness(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeNB), Nonce((nb(pair(Agent(honest(a2)), pair(Agent(honest(a3)), Step(0)))) Abs_NB0))))
| (m = State(rB, [Agent(honest(a0)), Step(2), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(honest(a5)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a6))), pair(Nonce((ni Abs_NI1)), Agent(honest(a7)))), pair(Agent(honest(a8)), Agent(honest(a9))), pk(Agent(honest(a10))), crypt(inv(pk(Agent(honest(a11)))), pair(Agent(honest(a12)), pk(Agent(honest(a13))))), Nonce((nb(pair(Agent(honest(a14)), pair(Agent(honest(a15)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a16))), pair(Nonce((ni Abs_NI2)), pair(Nonce((nb(pair(Agent(honest(a17)), pair(Agent(honest(a18)), Step(0)))) Abs_NB1)), Agent(honest(a19))))), SID(sid0)] ))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(Nonce((ni Abs_NI0)), pair(Nonce((nb(pair(Agent(honest(a1)), pair(Agent(honest(a2)), Step(0)))) Abs_NB0)), Agent(honest(a3)))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(Nonce((ni Abs_NI0)), pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), Agent(honest(a1)))))))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(Nonce((na(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_NA0)), Agent(honest(a3))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_NA0)), Agent(honest(a1))))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = Iknows(pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1))))))
| (m = Iknows(pair(Agent(honest(a0)), pk(Agent(honest(a1))))))
| (m = Iknows(pair(Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1))))))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(honest(a5)), Nonce((na(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_NA0)), crypt(pk(Agent(honest(a8))), pair(Nonce((na(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_NA1)), Agent(honest(a11)))), pair(Agent(honest(a12)), Agent(honest(a13))), SID(sid0)] ))
| (m = Iknows(Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0))))
| (m = Iknows(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = Iknows(pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1))))))
| (m = Iknows(pair(Agent(honest(a0)), pk(Agent(honest(a1))))))
| (m = Iknows(pair(Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1))))))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(dishonest(i0)), Nonce((na(pair(Agent(honest(a5)), Agent(dishonest(i1)))) Abs_NA0)), crypt(pk(Agent(honest(a6))), pair(Nonce((na(pair(Agent(honest(a7)), Agent(dishonest(i2)))) Abs_NA1)), Agent(dishonest(i3)))), pair(Agent(honest(a8)), Agent(dishonest(i4))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(honest(a5)), Nonce((na(pair(Agent(honest(a6)), Agent(dishonest(i0)))) Abs_NA0)), crypt(pk(Agent(honest(a7))), pair(Nonce((na(pair(Agent(honest(a8)), Agent(dishonest(i1)))) Abs_NA1)), Agent(honest(a9)))), pair(Agent(honest(a10)), Agent(honest(a11))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(dishonest(i0)), Nonce((nb(pair(Agent(honest(a5)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a6))), pair(Nonce((nb(pair(Agent(honest(a7)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB1)), Agent(dishonest(i3)))), pair(Agent(honest(a8)), Agent(dishonest(i4))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(honest(a5)), Nonce((nb(pair(Agent(honest(a6)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a7))), pair(Nonce((nb(pair(Agent(honest(a8)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB1)), Agent(honest(a9)))), pair(Agent(honest(a10)), Agent(honest(a11))), SID(sid0)] ))
| (m = Secret(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(honest(a1)), Step(1)))) Abs_NB0)), Agent(honest(a2))))
| (m = Witness(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeNB), Nonce((nb(pair(Agent(honest(a2)), pair(Agent(honest(a3)), Step(1)))) Abs_NB0))))
| (m = State(rB, [Agent(honest(a0)), Step(2), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(honest(a5)), Nonce((na(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_NA0)), crypt(pk(Agent(honest(a8))), pair(Nonce((na(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_NA1)), Agent(honest(a11)))), pair(Agent(honest(a12)), Agent(honest(a13))), pk(Agent(honest(a14))), crypt(inv(pk(Agent(honest(a15)))), pair(Agent(honest(a16)), pk(Agent(honest(a17))))), Nonce((nb(pair(Agent(honest(a18)), pair(Agent(honest(a19)), Step(1)))) Abs_NB0)), crypt(pk(Agent(honest(a20))), pair(Nonce((na(pair(Agent(honest(a21)), Agent(honest(a22)))) Abs_NA2)), pair(Nonce((nb(pair(Agent(honest(a23)), pair(Agent(honest(a24)), Step(1)))) Abs_NB1)), Agent(honest(a25))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNB), Nonce((na(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA0)), SID(sid0)))
| (m = State(rA, [Agent(honest(a0)), Step(3), Agent(dishonest(i0)), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), pair(Agent(honest(a5)), Agent(dishonest(i1))), pk(Agent(dishonest(i2))), crypt(inv(pk(Agent(honest(a6)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), Nonce((na(pair(Agent(honest(a7)), Agent(dishonest(i5)))) Abs_NA0)), crypt(pk(Agent(dishonest(i6))), pair(Nonce((na(pair(Agent(honest(a8)), Agent(dishonest(i7)))) Abs_NA1)), Agent(honest(a9)))), Nonce((na(pair(Agent(honest(a10)), Agent(dishonest(i8)))) Abs_NA2)), crypt(pk(Agent(honest(a11))), pair(Nonce((na(pair(Agent(honest(a12)), Agent(dishonest(i9)))) Abs_NA3)), pair(Nonce((na(pair(Agent(honest(a13)), Agent(dishonest(i10)))) Abs_NA4)), Agent(dishonest(i11))))), crypt(pk(Agent(dishonest(i12))), Nonce((na(pair(Agent(honest(a14)), Agent(dishonest(i13)))) Abs_NA5))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNB), Nonce((nb(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), SID(sid0)))
| (m = State(rA, [Agent(honest(a0)), Step(3), Agent(dishonest(i0)), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), pair(Agent(honest(a5)), Agent(dishonest(i1))), pk(Agent(dishonest(i2))), crypt(inv(pk(Agent(honest(a6)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), Nonce((na(pair(Agent(honest(a7)), Agent(dishonest(i5)))) Abs_NA0)), crypt(pk(Agent(dishonest(i6))), pair(Nonce((na(pair(Agent(honest(a8)), Agent(dishonest(i7)))) Abs_NA1)), Agent(honest(a9)))), Nonce((nb(pair(Agent(honest(a10)), pair(Agent(dishonest(i8)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a11))), pair(Nonce((na(pair(Agent(honest(a12)), Agent(dishonest(i9)))) Abs_NA2)), pair(Nonce((nb(pair(Agent(honest(a13)), pair(Agent(dishonest(i10)), Step(0)))) Abs_NB1)), Agent(dishonest(i11))))), crypt(pk(Agent(dishonest(i12))), Nonce((nb(pair(Agent(honest(a14)), pair(Agent(dishonest(i13)), Step(0)))) Abs_NB2))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNB), Nonce((ni Abs_NI0)), SID(sid0)))
| (m = State(rA, [Agent(honest(a0)), Step(3), Agent(dishonest(i0)), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), pair(Agent(honest(a5)), Agent(dishonest(i1))), pk(Agent(dishonest(i2))), crypt(inv(pk(Agent(honest(a6)))), pair(Agent(dishonest(i3)), pk(Agent(dishonest(i4))))), Nonce((na(pair(Agent(honest(a7)), Agent(dishonest(i5)))) Abs_NA0)), crypt(pk(Agent(dishonest(i6))), pair(Nonce((na(pair(Agent(honest(a8)), Agent(dishonest(i7)))) Abs_NA1)), Agent(honest(a9)))), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a10))), pair(Nonce((na(pair(Agent(honest(a11)), Agent(dishonest(i8)))) Abs_NA2)), pair(Nonce((ni Abs_NI1)), Agent(dishonest(i9))))), crypt(pk(Agent(dishonest(i10))), Nonce((ni Abs_NI2))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNA), Nonce((ni Abs_NI0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(3), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(dishonest(i0)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a5))), pair(Nonce((ni Abs_NI1)), Agent(dishonest(i1)))), pair(Agent(honest(a6)), Agent(dishonest(i2))), pk(Agent(dishonest(i3))), crypt(inv(pk(Agent(honest(a7)))), pair(Agent(dishonest(i4)), pk(Agent(dishonest(i5))))), Nonce((nb(pair(Agent(honest(a8)), pair(Agent(dishonest(i6)), Step(0)))) Abs_NB0)), crypt(pk(Agent(dishonest(i7))), pair(Nonce((ni Abs_NI2)), pair(Nonce((nb(pair(Agent(honest(a9)), pair(Agent(dishonest(i8)), Step(0)))) Abs_NB1)), Agent(honest(a10))))), crypt(pk(Agent(honest(a11))), Nonce((nb(pair(Agent(honest(a12)), pair(Agent(dishonest(i9)), Step(0)))) Abs_NB2))), SID(sid0)] ))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), Nonce((ni Abs_NI0)))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_NA0)))))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(Nonce((na(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_NA0)), pair(Nonce((nb(pair(Agent(honest(a3)), pair(Agent(honest(a4)), Step(1)))) Abs_NB0)), Agent(honest(a5)))))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = Iknows(pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1))))))
| (m = Iknows(pair(Agent(honest(a0)), pk(Agent(honest(a1))))))
| (m = Iknows(pair(Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1))))))
| (m = State(rB, [Agent(honest(a0)), Step(2), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(dishonest(i0)), Nonce((na(pair(Agent(honest(a5)), Agent(dishonest(i1)))) Abs_NA0)), crypt(pk(Agent(honest(a6))), pair(Nonce((na(pair(Agent(honest(a7)), Agent(dishonest(i2)))) Abs_NA1)), Agent(dishonest(i3)))), pair(Agent(honest(a8)), Agent(dishonest(i4))), pk(Agent(dishonest(i5))), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i6)), pk(Agent(dishonest(i7))))), Nonce((nb(pair(Agent(honest(a10)), pair(Agent(dishonest(i8)), Step(0)))) Abs_NB0)), crypt(pk(Agent(dishonest(i9))), pair(Nonce((na(pair(Agent(honest(a11)), Agent(dishonest(i10)))) Abs_NA2)), pair(Nonce((nb(pair(Agent(honest(a12)), pair(Agent(dishonest(i11)), Step(0)))) Abs_NB1)), Agent(honest(a13))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(2), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(honest(a5)), Nonce((na(pair(Agent(honest(a6)), Agent(dishonest(i0)))) Abs_NA0)), crypt(pk(Agent(honest(a7))), pair(Nonce((na(pair(Agent(honest(a8)), Agent(dishonest(i1)))) Abs_NA1)), Agent(honest(a9)))), pair(Agent(honest(a10)), Agent(honest(a11))), pk(Agent(honest(a12))), crypt(inv(pk(Agent(honest(a13)))), pair(Agent(honest(a14)), pk(Agent(honest(a15))))), Nonce((nb(pair(Agent(honest(a16)), pair(Agent(honest(a17)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a18))), pair(Nonce((na(pair(Agent(honest(a19)), Agent(dishonest(i2)))) Abs_NA2)), pair(Nonce((nb(pair(Agent(honest(a20)), pair(Agent(honest(a21)), Step(0)))) Abs_NB1)), Agent(honest(a22))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(2), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(dishonest(i0)), Nonce((nb(pair(Agent(honest(a5)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a6))), pair(Nonce((nb(pair(Agent(honest(a7)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB1)), Agent(dishonest(i3)))), pair(Agent(honest(a8)), Agent(dishonest(i4))), pk(Agent(dishonest(i5))), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i6)), pk(Agent(dishonest(i7))))), Nonce((nb(pair(Agent(honest(a10)), pair(Agent(dishonest(i8)), Step(0)))) Abs_NB2)), crypt(pk(Agent(dishonest(i9))), pair(Nonce((nb(pair(Agent(honest(a11)), pair(Agent(dishonest(i10)), Step(0)))) Abs_NB3)), pair(Nonce((nb(pair(Agent(honest(a12)), pair(Agent(dishonest(i11)), Step(0)))) Abs_NB4)), Agent(honest(a13))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(2), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(honest(a5)), Nonce((nb(pair(Agent(honest(a6)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a7))), pair(Nonce((nb(pair(Agent(honest(a8)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB1)), Agent(honest(a9)))), pair(Agent(honest(a10)), Agent(honest(a11))), pk(Agent(honest(a12))), crypt(inv(pk(Agent(honest(a13)))), pair(Agent(honest(a14)), pk(Agent(honest(a15))))), Nonce((nb(pair(Agent(honest(a16)), pair(Agent(honest(a17)), Step(0)))) Abs_NB2)), crypt(pk(Agent(honest(a18))), pair(Nonce((nb(pair(Agent(honest(a19)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB3)), pair(Nonce((nb(pair(Agent(honest(a20)), pair(Agent(honest(a21)), Step(0)))) Abs_NB4)), Agent(honest(a22))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeNB), Nonce((nb(pair(Agent(honest(a2)), pair(Agent(honest(a3)), Step(1)))) Abs_NB0)), SID(sid0)))
| (m = State(rA, [Agent(honest(a0)), Step(3), Agent(honest(a1)), pk(Agent(honest(a2))), Agent(honest(a3)), inv(pk(Agent(honest(a4)))), pk(Agent(honest(a5))), pair(Agent(honest(a6)), Agent(honest(a7))), pk(Agent(honest(a8))), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(honest(a10)), pk(Agent(honest(a11))))), Nonce((na(pair(Agent(honest(a12)), Agent(honest(a13)))) Abs_NA0)), crypt(pk(Agent(honest(a14))), pair(Nonce((na(pair(Agent(honest(a15)), Agent(honest(a16)))) Abs_NA1)), Agent(honest(a17)))), Nonce((nb(pair(Agent(honest(a18)), pair(Agent(honest(a19)), Step(1)))) Abs_NB0)), crypt(pk(Agent(honest(a20))), pair(Nonce((na(pair(Agent(honest(a21)), Agent(honest(a22)))) Abs_NA2)), pair(Nonce((nb(pair(Agent(honest(a23)), pair(Agent(honest(a24)), Step(1)))) Abs_NB1)), Agent(honest(a25))))), crypt(pk(Agent(honest(a26))), Nonce((nb(pair(Agent(honest(a27)), pair(Agent(honest(a28)), Step(1)))) Abs_NB2))), SID(sid0)] ))
| (m = Iknows(crypt(pk(Agent(honest(a0))), Nonce((nb(pair(Agent(honest(a1)), pair(Agent(honest(a2)), Step(1)))) Abs_NB0)))))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(Nonce((nb(pair(Agent(honest(a1)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), pair(Nonce((nb(pair(Agent(honest(a2)), pair(Agent(honest(a3)), Step(0)))) Abs_NB1)), Agent(honest(a4)))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), pair(Nonce((nb(pair(Agent(honest(a1)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB1)), Agent(honest(a2)))))))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(Nonce((na(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_NA0)), pair(Nonce((nb(pair(Agent(honest(a2)), pair(Agent(honest(a3)), Step(0)))) Abs_NB0)), Agent(honest(a4)))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_NA0)), pair(Nonce((nb(pair(Agent(honest(a1)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB0)), Agent(honest(a2)))))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = Iknows(pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1))))))
| (m = Iknows(pair(Agent(honest(a0)), pk(Agent(honest(a1))))))
| (m = Iknows(pair(Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1))))))
| (m = Iknows(pair(Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Nonce((nb(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), Agent(honest(a2))))))
| (m = Iknows(pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), pair(Nonce((nb(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB1)), Agent(honest(a2))))))
| (m = Request(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeNA), Nonce((na(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(3), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(honest(a5)), Nonce((na(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_NA0)), crypt(pk(Agent(honest(a8))), pair(Nonce((na(pair(Agent(honest(a9)), Agent(honest(a10)))) Abs_NA1)), Agent(honest(a11)))), pair(Agent(honest(a12)), Agent(honest(a13))), pk(Agent(honest(a14))), crypt(inv(pk(Agent(honest(a15)))), pair(Agent(honest(a16)), pk(Agent(honest(a17))))), Nonce((nb(pair(Agent(honest(a18)), pair(Agent(honest(a19)), Step(1)))) Abs_NB0)), crypt(pk(Agent(honest(a20))), pair(Nonce((na(pair(Agent(honest(a21)), Agent(honest(a22)))) Abs_NA2)), pair(Nonce((nb(pair(Agent(honest(a23)), pair(Agent(honest(a24)), Step(1)))) Abs_NB1)), Agent(honest(a25))))), crypt(pk(Agent(honest(a26))), Nonce((nb(pair(Agent(honest(a27)), pair(Agent(honest(a28)), Step(1)))) Abs_NB2))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNA), Nonce((na(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(3), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(dishonest(i0)), Nonce((na(pair(Agent(honest(a5)), Agent(dishonest(i1)))) Abs_NA0)), crypt(pk(Agent(honest(a6))), pair(Nonce((na(pair(Agent(honest(a7)), Agent(dishonest(i2)))) Abs_NA1)), Agent(dishonest(i3)))), pair(Agent(honest(a8)), Agent(dishonest(i4))), pk(Agent(dishonest(i5))), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i6)), pk(Agent(dishonest(i7))))), Nonce((nb(pair(Agent(honest(a10)), pair(Agent(dishonest(i8)), Step(0)))) Abs_NB0)), crypt(pk(Agent(dishonest(i9))), pair(Nonce((na(pair(Agent(honest(a11)), Agent(dishonest(i10)))) Abs_NA2)), pair(Nonce((nb(pair(Agent(honest(a12)), pair(Agent(dishonest(i11)), Step(0)))) Abs_NB1)), Agent(honest(a13))))), crypt(pk(Agent(honest(a14))), Nonce((nb(pair(Agent(honest(a15)), pair(Agent(dishonest(i12)), Step(0)))) Abs_NB2))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNA), Nonce((nb(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(3), pk(Agent(honest(a1))), Agent(honest(a2)), inv(pk(Agent(honest(a3)))), pk(Agent(honest(a4))), Agent(dishonest(i0)), Nonce((nb(pair(Agent(honest(a5)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a6))), pair(Nonce((nb(pair(Agent(honest(a7)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB1)), Agent(dishonest(i3)))), pair(Agent(honest(a8)), Agent(dishonest(i4))), pk(Agent(dishonest(i5))), crypt(inv(pk(Agent(honest(a9)))), pair(Agent(dishonest(i6)), pk(Agent(dishonest(i7))))), Nonce((nb(pair(Agent(honest(a10)), pair(Agent(dishonest(i8)), Step(0)))) Abs_NB2)), crypt(pk(Agent(dishonest(i9))), pair(Nonce((nb(pair(Agent(honest(a11)), pair(Agent(dishonest(i10)), Step(0)))) Abs_NB3)), pair(Nonce((nb(pair(Agent(honest(a12)), pair(Agent(dishonest(i11)), Step(0)))) Abs_NB4)), Agent(honest(a13))))), crypt(pk(Agent(honest(a14))), Nonce((nb(pair(Agent(honest(a15)), pair(Agent(dishonest(i12)), Step(0)))) Abs_NB5))), SID(sid0)] ))
| (m = Iknows(pair(Agent(honest(a0)), Agent(honest(a1)))))
| (m = Iknows(pair(Agent(honest(a0)), Agent(dishonest(i0)))))
| (m = Iknows(pair(Agent(dishonest(i0)), pk(Agent(dishonest(i1))))))
| (m = Iknows(pair(Agent(honest(a0)), pk(Agent(honest(a1))))))
| (m = Iknows(pair(Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1))))))
| (m = Iknows(pair(Nonce((na(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Nonce((nb(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), Agent(honest(a2))))))
| (m = Iknows(pair(Nonce((nb(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), pair(Nonce((nb(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB1)), Agent(honest(a2))))))
)}"
section {* Checking Fixed-point (NSL) *}
lemma fp_attack_free: "~ (Attack m : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_0: "Iknows(Nonce((ni Abs_NI))) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_1: "Iknows(Agent(dishonest(i))) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_2: "State(rA, [Agent(honest(a)), Step(0), Agent(dishonest(i)), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), SID(sid)] ) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_3: "State(rA, [Agent(honest(a)), Step(0), Agent(honest(a)), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), SID(sid)] ) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_4: "Iknows(Step(0)) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_5: "Iknows(pk(Agent(honest(a)))) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_6: "Iknows(Agent(honest(a))) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_7: "Iknows(inv(pk(Agent(dishonest(i))))) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_8: "Iknows(pk(Agent(dishonest(i)))) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_9: "Iknows(SID(sid)) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_10: "Iknows(Agent(honest(a))) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_11: "State(rB, [Agent(honest(a)), Step(0), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(honest(a)))), pk(Agent(honest(a))), SID(sid)] ) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_12: "State(rs, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), SID(sid)] ) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_0: "[|
Iknows(crypt(K, M)) : NSL_fp;
Iknows(inv(K)) : NSL_fp|]
==>
(Iknows(M) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_1: "[|
Iknows(crypt(inv(K), M)) : NSL_fp;
Iknows(K) : NSL_fp|]
==>
(Iknows(M) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_2: "[|
Iknows(scrypt(K, M)) : NSL_fp;
Iknows(K) : NSL_fp|]
==>
(Iknows(M) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_3: "[|
Iknows(pair(M1, M2)) : NSL_fp|]
==>
(Iknows(M1) : NSL_fp) &
(Iknows(M2) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_4: "[|
Secret(M, Agent(honest(a))) : NSL_fp;
Iknows(M) : NSL_fp|]
==>
(Attack(pair(secrecy, M)) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_5: "[|
Request(A, B, Purpose(purposeNA), M, SID(sid)) : NSL_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NA .
M = Nonce((na(pair(B, A)) Abs_NA)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_6: "[|
Request(A, B, Purpose(purposeNB), M, SID(sid)) : NSL_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Arg1 Abs_NB .
M = Nonce((nb(pair(B, pair(A, Arg1))) Abs_NB)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_7: "[|
State(rA, [Agent(A), Step(0), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), SID(sid)] ) : NSL_fp|]
==>
(State(rA, [Agent(A), Step(1), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), SID(sid)] ) : NSL_fp) &
(Iknows(pair(Agent(A), Agent(B))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_8: "[|
State(rs, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), SID(sid)] ) : NSL_fp;
Iknows(Agent(A)) : NSL_fp;
Iknows(Agent(B)) : NSL_fp|]
==>
(State(rs, [Agent(honest(a)), Step(1), inv(pk(Agent(honest(a)))), Agent(B), Agent(A), pair(Agent(A), Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_9: "[|
State(rA, [Agent(A), Step(1), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), SID(sid)] ) : NSL_fp;
Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B))))) : NSL_fp|]
==>
(Secret(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(B)) : NSL_fp) &
(Witness(Agent(A), Agent(B), Purpose(purposeNA), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA))) : NSL_fp) &
(State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A)))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_10: "[|
State(rA, [Agent(A), Step(1), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), SID(sid)] ) : NSL_fp;
Iknows(inv(pk(Agent(honest(a))))) : NSL_fp;
Iknows(Agent(B)) : NSL_fp;
Iknows(pk(Agent(B))) : NSL_fp|]
==>
(Secret(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(B)) : NSL_fp) &
(Witness(Agent(A), Agent(B), Purpose(purposeNA), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA))) : NSL_fp) &
(State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A)))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_11: "[|
State(rA, [Agent(A), Step(1), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), SID(sid)] ) : NSL_fp;
Iknows(inv(pk(Agent(honest(a))))) : NSL_fp;
Iknows(Agent(B)) : NSL_fp|]
==>
(Secret(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(B)) : NSL_fp) &
(Witness(Agent(A), Agent(B), Purpose(purposeNA), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA))) : NSL_fp) &
(State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A)))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_12: "[|
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), SID(sid)] ) : NSL_fp;
Iknows(crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A)))) : NSL_fp|]
==>
(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : NSL_fp) &
(Iknows(pair(Agent(B), Agent(A))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_13: "[|
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), SID(sid)] ) : NSL_fp;
Iknows(pk(Agent(B))) : NSL_fp;
Iknows(Nonce(NA)) : NSL_fp;
Iknows(Agent(A)) : NSL_fp|]
==>
(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : NSL_fp) &
(Iknows(pair(Agent(B), Agent(A))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_14: "[|
State(rB, [Agent(B), Step(0), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), SID(sid)] ) : NSL_fp;
Iknows(Agent(B)) : NSL_fp;
Iknows(Nonce(NA)) : NSL_fp;
Iknows(Agent(A)) : NSL_fp|]
==>
(State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : NSL_fp) &
(Iknows(pair(Agent(B), Agent(A))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_15: "[|
State(rs, [Agent(honest(a)), Step(1), inv(pk(Agent(honest(a)))), Agent(B), Agent(A), pair(Agent(A), Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), SID(sid)] ) : NSL_fp;
Iknows(Agent(B)) : NSL_fp;
Iknows(Agent(A)) : NSL_fp|]
==>
(State(rs, [Agent(honest(a)), Step(2), inv(pk(Agent(honest(a)))), Agent(B), Agent(A), pair(Agent(A), Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), pair(Agent(B), Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_16: "[|
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : NSL_fp;
Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A))))) : NSL_fp|]
==>
(Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_17: "[|
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : NSL_fp;
Iknows(inv(pk(Agent(honest(a))))) : NSL_fp;
Iknows(Agent(A)) : NSL_fp;
Iknows(pk(Agent(A))) : NSL_fp|]
==>
(Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_18: "[|
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : NSL_fp;
Iknows(inv(pk(Agent(honest(a))))) : NSL_fp;
Iknows(Agent(A)) : NSL_fp|]
==>
(Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_19: "[|
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : NSL_fp;
Iknows(crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A))))) : NSL_fp;
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
(Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_20: "[|
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : NSL_fp;
Iknows(inv(pk(Agent(honest(a))))) : NSL_fp;
Iknows(Agent(A)) : NSL_fp;
Iknows(pk(Agent(A))) : NSL_fp;
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
(Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_21: "[|
State(rB, [Agent(B), Step(1), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), SID(sid)] ) : NSL_fp;
Iknows(inv(pk(Agent(honest(a))))) : NSL_fp;
Iknows(Agent(A)) : NSL_fp;
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((na(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
(Secret(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((nb(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_22: "[|
State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : NSL_fp;
Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B))))) : NSL_fp|]
==>
(Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)) : NSL_fp) &
(State(rA, [Agent(A), Step(3), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(B)), Nonce(NB))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_23: "[|
State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : NSL_fp;
Iknows(pk(Agent(A))) : NSL_fp;
Iknows(Nonce(NA)) : NSL_fp;
Iknows(Nonce(NB)) : NSL_fp;
Iknows(Agent(B)) : NSL_fp|]
==>
(Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)) : NSL_fp) &
(State(rA, [Agent(A), Step(3), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(B)), Nonce(NB))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_24: "[|
State(rA, [Agent(A), Step(2), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : NSL_fp;
Iknows(Agent(A)) : NSL_fp;
Iknows(Nonce(NA)) : NSL_fp;
Iknows(Nonce(NB)) : NSL_fp;
Iknows(Agent(B)) : NSL_fp|]
==>
(Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)) : NSL_fp) &
(State(rA, [Agent(A), Step(3), Agent(B), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(A))), pk(Agent(A)), pair(Agent(A), Agent(B)), pk(Agent(B)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(B), pk(Agent(B)))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(B)), Nonce(NB))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_25: "[|
State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : NSL_fp;
Iknows(crypt(pk(Agent(B)), Nonce(NB))) : NSL_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)) : NSL_fp) &
(State(rB, [Agent(B), Step(3), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_26: "[|
State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : NSL_fp;
Iknows(pk(Agent(B))) : NSL_fp;
Iknows(Nonce(NB)) : NSL_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)) : NSL_fp) &
(State(rB, [Agent(B), Step(3), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_27: "[|
State(rB, [Agent(B), Step(2), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : NSL_fp;
Iknows(Agent(B)) : NSL_fp;
Iknows(Nonce(NB)) : NSL_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)) : NSL_fp) &
(State(rB, [Agent(B), Step(3), pk(Agent(honest(a))), Agent(honest(a)), inv(pk(Agent(B))), pk(Agent(B)), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), pair(Agent(B), Agent(A)), pk(Agent(A)), crypt(inv(pk(Agent(honest(a)))), pair(Agent(A), pk(Agent(A)))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
section {* Security Proof(s) (NSL) *}
lemma over_approx: "t : NSL ==> (set t) <= NSL_fp"
apply(rule NSL.induct, simp_all)
apply(propagate_fp, cut_tac init_0, (assumption | simp)+)
apply(propagate_fp, cut_tac init_1, (assumption | simp)+)
apply(propagate_fp, cut_tac init_2, (assumption | simp)+)
apply(propagate_fp, cut_tac init_3, (assumption | simp)+)
apply(propagate_fp, cut_tac init_4, (assumption | simp)+)
apply(propagate_fp, cut_tac init_5, (assumption | simp)+)
apply(propagate_fp, cut_tac init_6, (assumption | simp)+)
apply(propagate_fp, cut_tac init_7, (assumption | simp)+)
apply(propagate_fp, cut_tac init_8, (assumption | simp)+)
apply(propagate_fp, cut_tac init_9, (assumption | simp)+)
apply(propagate_fp, cut_tac init_10, (assumption | simp)+)
apply(propagate_fp, cut_tac init_11, (assumption | simp)+)
apply(propagate_fp, cut_tac init_12, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_0, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_1, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_2, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_3, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_4, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_5, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_6, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_7, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_8, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_9, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_10, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_11, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_12, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_13, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_14, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_15, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_16, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_17, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_18, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_19, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_20, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_21, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_22, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_23, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_24, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_25, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_26, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_27, (assumption | simp)+)
done
end (* theory *)

592
examples/nsl.thy Normal file
View File

@ -0,0 +1,592 @@
header {* Analysing NSL *}
(* ***********************************
This file is automatically generated from the AnB file "AnB/nsl.AnB".
Backend: Open Source Fixedpoint Model Checker version 2009c
************************************ *)
theory
"nsl"
imports
ofmc
begin
section {* Protocol Model (NSL) *}
datatype Role = rA | rB
datatype Purpose = purposeNA | purposeNB
datatype Agent = honest nat
| dishonest nat
datatype Nonce = "ni" "nat"
| "absNA" "Msg" "nat"
| "absNB" "Msg" "nat"
| "NI"
| "NA"
| "NB"
and Msg = Nonce "Nonce"
| Agent "Agent"
| Purpose "Purpose"
| pair "Msg*Msg"
| scrypt "Msg*Msg"
| crypt "Msg*Msg"
| inv "Msg"
| SID "nat"
| Step "nat"
| authentication
| secrecy
(* SymKeys *)
| SymKey "Msg"
(* Functions *)
| "pk" "Msg"
datatype Fact = Iknows Msg
| State "Role * (Msg list)"
| Secret "Msg * Msg"
| Attack "Msg"
| Witness "Msg * Msg * Msg * Msg"
| Request "Msg * Msg * Msg * Msg * Msg"
section {* Inductive Protocol Definition (NSL) *}
inductive_set
NSL::"Fact list set"
where
init_0: "[ Iknows(Nonce((ni Abs_NI)))] : NSL"
| init_1: "[ Iknows(Agent(dishonest(i)))] : NSL"
| init_2: "[ State(rA, [Agent(honest(a)), Step(0), Agent(dishonest(i)), inv(pk(Agent(honest(a)))), SID(sid)] )] : NSL"
| init_3: "[ State(rA, [Agent(honest(a)), Step(0), Agent(honest(a)), inv(pk(Agent(honest(a)))), SID(sid)] )] : NSL"
| init_4: "[ Iknows(Step(0))] : NSL"
| init_5: "[ Iknows(inv(pk(Agent(dishonest(i)))))] : NSL"
| init_6: "[ Iknows(SID(sid))] : NSL"
| init_7: "[ Iknows(Agent(honest(a)))] : NSL"
| init_8: "[ State(rB, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), SID(sid)] )] : NSL"
| rule_0: "[| t :NSL;
Iknows(crypt(K, M)) : (set t);
Iknows(inv(K)) : (set t)|]
==>
((Iknows(M))
#t) : NSL"
| rule_1: "[| t :NSL;
Iknows(crypt(inv(K), M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : NSL"
| rule_2: "[| t :NSL;
Iknows(scrypt(K, M)) : (set t);
Iknows(K) : (set t)|]
==>
((Iknows(M))
#t) : NSL"
| rule_3: "[| t :NSL;
Iknows(pair(M1, M2)) : (set t)|]
==>
((Iknows(M1))
#(Iknows(M2))
#t) : NSL"
| rule_4: "[| t :NSL;
Secret(M, Agent(honest(a))) : (set t);
Iknows(M) : (set t)|]
==>
((Attack(pair(secrecy, M)))
#t) : NSL"
| rule_5: "[| t :NSL;
Request(A, B, Purpose(purposeNA), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NA .
M = Nonce((absNA(pair(B, A)) Abs_NA)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : NSL"
| rule_6: "[| t :NSL;
Request(A, B, Purpose(purposeNB), M, SID(sid)) : (set t);
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Arg1 Abs_NB .
M = Nonce((absNB(pair(B, pair(A, Arg1))) Abs_NB)))|]
==>
((Attack(pair(authentication, pair(A, pair(B, M)))))
#t) : NSL"
| rule_7: "[| t :NSL;
State(rA, [Agent(A), Step(0), Agent(B), inv(pk(Agent(A))), SID(sid)] ) : (set t)|]
==>
((Secret(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(B)))
#(Witness(Agent(A), Agent(B), Purpose(purposeNA), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA))))
#(State(rA, [Agent(A), Step(1), Agent(B), inv(pk(Agent(A))), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A)))))
#t) : NSL"
| rule_8: "[| t :NSL;
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : (set t);
Iknows(crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A)))) : (set t)|]
==>
((Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))))
#(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_9: "[| t :NSL;
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : (set t);
Iknows(pk(Agent(B))) : (set t);
Iknows(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA))) : (set t);
Iknows(Agent(A)) : (set t)|]
==>
((Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))))
#(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_10: "[| t :NSL;
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA))) : (set t);
Iknows(Agent(A)) : (set t)|]
==>
((Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))))
#(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_11: "[| t :NSL;
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : (set t);
Iknows(crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A)))) : (set t);
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
((Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))))
#(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_12: "[| t :NSL;
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : (set t);
Iknows(pk(Agent(B))) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Agent(A)) : (set t);
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
((Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))))
#(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_13: "[| t :NSL;
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Agent(A)) : (set t);
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
((Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)))
#(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))))
#(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ))
#(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))))
#t) : NSL"
| rule_14: "[| t :NSL;
State(rA, [Agent(A), Step(1), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : (set t);
Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B))))) : (set t)|]
==>
((Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)))
#(State(rA, [Agent(A), Step(2), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), Nonce(NB))))
#t) : NSL"
| rule_15: "[| t :NSL;
State(rA, [Agent(A), Step(1), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : (set t);
Iknows(pk(Agent(A))) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Nonce(NB)) : (set t);
Iknows(Agent(B)) : (set t)|]
==>
((Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)))
#(State(rA, [Agent(A), Step(2), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), Nonce(NB))))
#t) : NSL"
| rule_16: "[| t :NSL;
State(rA, [Agent(A), Step(1), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : (set t);
Iknows(Agent(A)) : (set t);
Iknows(Nonce(NA)) : (set t);
Iknows(Nonce(NB)) : (set t);
Iknows(Agent(B)) : (set t)|]
==>
((Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)))
#(State(rA, [Agent(A), Step(2), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#(Iknows(crypt(pk(Agent(B)), Nonce(NB))))
#t) : NSL"
| rule_17: "[| t :NSL;
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : (set t);
Iknows(crypt(pk(Agent(B)), Nonce(NB))) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)))
#(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#t) : NSL"
| rule_18: "[| t :NSL;
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : (set t);
Iknows(pk(Agent(B))) : (set t);
Iknows(Nonce(NB)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)))
#(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#t) : NSL"
| rule_19: "[| t :NSL;
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : (set t);
Iknows(Agent(B)) : (set t);
Iknows(Nonce(NB)) : (set t)|]
==>
((Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)))
#(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ))
#t) : NSL"
section {* Fixed-point Definition (NSL) *}
constdefs NSL_fp::"Fact set""NSL_fp == {m. ( ? Abs_NA3 Abs_NA4 Abs_NA5 i9 Abs_NI1 Abs_NI2 a11 a12 a13 a14 a15 a16 a17 a18 a19 Abs_NA1 Abs_NA2 a3 a4 i2 i3 a5 i4 Abs_NB2 i5 a6 i6 Abs_NB3 a7 i7 Abs_NB4 a8 a9 a10 i8 Abs_NB5 sid0 Abs_NI0 Abs_NA0 a0 i0 Abs_NB0 a1 i1 Abs_NB1 a2 .
(m = Iknows(Nonce((ni Abs_NI0))))
| (m = Iknows(Agent(dishonest(i0))))
| (m = State(rA, [Agent(honest(a0)), Step(0), Agent(dishonest(i0)), inv(pk(Agent(honest(a1)))), SID(sid0)] ))
| (m = State(rA, [Agent(honest(a0)), Step(0), Agent(honest(a1)), inv(pk(Agent(honest(a2)))), SID(sid0)] ))
| (m = Iknows(Step(0)))
| (m = Iknows(inv(pk(Agent(dishonest(i0))))))
| (m = Iknows(SID(sid0)))
| (m = Iknows(Agent(honest(a0))))
| (m = State(rB, [Agent(honest(a0)), Step(0), inv(pk(Agent(honest(a1)))), SID(sid0)] ))
| (m = Secret(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), Agent(dishonest(i1))))
| (m = Witness(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNA), Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA0))))
| (m = State(rA, [Agent(honest(a0)), Step(1), Agent(dishonest(i0)), inv(pk(Agent(honest(a1)))), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_NA0)), crypt(pk(Agent(dishonest(i2))), pair(Nonce((absNA(pair(Agent(honest(a3)), Agent(dishonest(i3)))) Abs_NA1)), Agent(honest(a4)))), SID(sid0)] ))
| (m = Secret(Nonce((absNA(pair(Agent(honest(a0)), Agent(honest(a1)))) Abs_NA0)), Agent(honest(a2))))
| (m = Witness(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeNA), Nonce((absNA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0))))
| (m = State(rA, [Agent(honest(a0)), Step(1), Agent(honest(a1)), inv(pk(Agent(honest(a2)))), Nonce((absNA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_NA0)), crypt(pk(Agent(honest(a5))), pair(Nonce((absNA(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_NA1)), Agent(honest(a8)))), SID(sid0)] ))
| (m = Secret(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(dishonest(i1))))
| (m = Witness(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNB), Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0))))
| (m = State(rB, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), Agent(dishonest(i0)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a2))), pair(Nonce((ni Abs_NI1)), Agent(dishonest(i1)))), Nonce((absNB(pair(Agent(honest(a3)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB0)), crypt(pk(Agent(dishonest(i3))), pair(Nonce((ni Abs_NI2)), pair(Nonce((absNB(pair(Agent(honest(a4)), pair(Agent(dishonest(i4)), Step(0)))) Abs_NB1)), Agent(honest(a5))))), SID(sid0)] ))
| (m = Secret(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(honest(a1)), Step(0)))) Abs_NB0)), Agent(honest(a2))))
| (m = Witness(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeNB), Nonce((absNB(pair(Agent(honest(a2)), pair(Agent(honest(a3)), Step(0)))) Abs_NB0))))
| (m = State(rB, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), Agent(honest(a2)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a3))), pair(Nonce((ni Abs_NI1)), Agent(honest(a4)))), Nonce((absNB(pair(Agent(honest(a5)), pair(Agent(honest(a6)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a7))), pair(Nonce((ni Abs_NI2)), pair(Nonce((absNB(pair(Agent(honest(a8)), pair(Agent(honest(a9)), Step(0)))) Abs_NB1)), Agent(honest(a10))))), SID(sid0)] ))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(Nonce((ni Abs_NI0)), pair(Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(honest(a2)), Step(0)))) Abs_NB0)), Agent(honest(a3)))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(Nonce((ni Abs_NI0)), pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), Agent(honest(a1)))))))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_NA0)), Agent(honest(a3))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_NA0)), Agent(honest(a1))))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1))))))
| (m = Secret(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(honest(a1)), Step(1)))) Abs_NB0)), Agent(honest(a2))))
| (m = Witness(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeNB), Nonce((absNB(pair(Agent(honest(a2)), pair(Agent(honest(a3)), Step(1)))) Abs_NB0))))
| (m = State(rB, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), Agent(honest(a2)), Nonce((absNA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_NA0)), crypt(pk(Agent(honest(a5))), pair(Nonce((absNA(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_NA1)), Agent(honest(a8)))), Nonce((absNB(pair(Agent(honest(a9)), pair(Agent(honest(a10)), Step(1)))) Abs_NB0)), crypt(pk(Agent(honest(a11))), pair(Nonce((absNA(pair(Agent(honest(a12)), Agent(honest(a13)))) Abs_NA2)), pair(Nonce((absNB(pair(Agent(honest(a14)), pair(Agent(honest(a15)), Step(1)))) Abs_NB1)), Agent(honest(a16))))), SID(sid0)] ))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(honest(a2)))) Abs_NA0)), pair(Nonce((absNB(pair(Agent(honest(a3)), pair(Agent(honest(a4)), Step(1)))) Abs_NB0)), Agent(honest(a5)))))))
| (m = Iknows(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0))))
| (m = Iknows(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1))))))
| (m = State(rB, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), Agent(dishonest(i0)), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_NA0)), crypt(pk(Agent(honest(a3))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_NA1)), Agent(dishonest(i3)))), Nonce((absNB(pair(Agent(honest(a5)), pair(Agent(dishonest(i4)), Step(0)))) Abs_NB0)), crypt(pk(Agent(dishonest(i5))), pair(Nonce((absNA(pair(Agent(honest(a6)), Agent(dishonest(i6)))) Abs_NA2)), pair(Nonce((absNB(pair(Agent(honest(a7)), pair(Agent(dishonest(i7)), Step(0)))) Abs_NB1)), Agent(honest(a8))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), Agent(honest(a2)), Nonce((absNA(pair(Agent(honest(a3)), Agent(dishonest(i0)))) Abs_NA0)), crypt(pk(Agent(honest(a4))), pair(Nonce((absNA(pair(Agent(honest(a5)), Agent(dishonest(i1)))) Abs_NA1)), Agent(honest(a6)))), Nonce((absNB(pair(Agent(honest(a7)), pair(Agent(honest(a8)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a9))), pair(Nonce((absNA(pair(Agent(honest(a10)), Agent(dishonest(i2)))) Abs_NA2)), pair(Nonce((absNB(pair(Agent(honest(a11)), pair(Agent(honest(a12)), Step(0)))) Abs_NB1)), Agent(honest(a13))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), Agent(dishonest(i0)), Nonce((absNB(pair(Agent(honest(a2)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a3))), pair(Nonce((absNB(pair(Agent(honest(a4)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB1)), Agent(dishonest(i3)))), Nonce((absNB(pair(Agent(honest(a5)), pair(Agent(dishonest(i4)), Step(0)))) Abs_NB2)), crypt(pk(Agent(dishonest(i5))), pair(Nonce((absNB(pair(Agent(honest(a6)), pair(Agent(dishonest(i6)), Step(0)))) Abs_NB3)), pair(Nonce((absNB(pair(Agent(honest(a7)), pair(Agent(dishonest(i7)), Step(0)))) Abs_NB4)), Agent(honest(a8))))), SID(sid0)] ))
| (m = State(rB, [Agent(honest(a0)), Step(1), inv(pk(Agent(honest(a1)))), Agent(honest(a2)), Nonce((absNB(pair(Agent(honest(a3)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a4))), pair(Nonce((absNB(pair(Agent(honest(a5)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB1)), Agent(honest(a6)))), Nonce((absNB(pair(Agent(honest(a7)), pair(Agent(honest(a8)), Step(0)))) Abs_NB2)), crypt(pk(Agent(honest(a9))), pair(Nonce((absNB(pair(Agent(honest(a10)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB3)), pair(Nonce((absNB(pair(Agent(honest(a11)), pair(Agent(honest(a12)), Step(0)))) Abs_NB4)), Agent(honest(a13))))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeNB), Nonce((absNB(pair(Agent(honest(a2)), pair(Agent(honest(a3)), Step(1)))) Abs_NB0)), SID(sid0)))
| (m = State(rA, [Agent(honest(a0)), Step(2), Agent(honest(a1)), inv(pk(Agent(honest(a2)))), Nonce((absNA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_NA0)), crypt(pk(Agent(honest(a5))), pair(Nonce((absNA(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_NA1)), Agent(honest(a8)))), Nonce((absNB(pair(Agent(honest(a9)), pair(Agent(honest(a10)), Step(1)))) Abs_NB0)), crypt(pk(Agent(honest(a11))), pair(Nonce((absNA(pair(Agent(honest(a12)), Agent(honest(a13)))) Abs_NA2)), pair(Nonce((absNB(pair(Agent(honest(a14)), pair(Agent(honest(a15)), Step(1)))) Abs_NB1)), Agent(honest(a16))))), crypt(pk(Agent(honest(a17))), Nonce((absNB(pair(Agent(honest(a18)), pair(Agent(honest(a19)), Step(1)))) Abs_NB2))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNB), Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA0)), SID(sid0)))
| (m = State(rA, [Agent(honest(a0)), Step(2), Agent(dishonest(i0)), inv(pk(Agent(honest(a1)))), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_NA0)), crypt(pk(Agent(dishonest(i2))), pair(Nonce((absNA(pair(Agent(honest(a3)), Agent(dishonest(i3)))) Abs_NA1)), Agent(honest(a4)))), Nonce((absNA(pair(Agent(honest(a5)), Agent(dishonest(i4)))) Abs_NA2)), crypt(pk(Agent(honest(a6))), pair(Nonce((absNA(pair(Agent(honest(a7)), Agent(dishonest(i5)))) Abs_NA3)), pair(Nonce((absNA(pair(Agent(honest(a8)), Agent(dishonest(i6)))) Abs_NA4)), Agent(dishonest(i7))))), crypt(pk(Agent(dishonest(i8))), Nonce((absNA(pair(Agent(honest(a9)), Agent(dishonest(i9)))) Abs_NA5))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNB), Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), SID(sid0)))
| (m = State(rA, [Agent(honest(a0)), Step(2), Agent(dishonest(i0)), inv(pk(Agent(honest(a1)))), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_NA0)), crypt(pk(Agent(dishonest(i2))), pair(Nonce((absNA(pair(Agent(honest(a3)), Agent(dishonest(i3)))) Abs_NA1)), Agent(honest(a4)))), Nonce((absNB(pair(Agent(honest(a5)), pair(Agent(dishonest(i4)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a6))), pair(Nonce((absNA(pair(Agent(honest(a7)), Agent(dishonest(i5)))) Abs_NA2)), pair(Nonce((absNB(pair(Agent(honest(a8)), pair(Agent(dishonest(i6)), Step(0)))) Abs_NB1)), Agent(dishonest(i7))))), crypt(pk(Agent(dishonest(i8))), Nonce((absNB(pair(Agent(honest(a9)), pair(Agent(dishonest(i9)), Step(0)))) Abs_NB2))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNB), Nonce((ni Abs_NI0)), SID(sid0)))
| (m = State(rA, [Agent(honest(a0)), Step(2), Agent(dishonest(i0)), inv(pk(Agent(honest(a1)))), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_NA0)), crypt(pk(Agent(dishonest(i2))), pair(Nonce((absNA(pair(Agent(honest(a3)), Agent(dishonest(i3)))) Abs_NA1)), Agent(honest(a4)))), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a5))), pair(Nonce((absNA(pair(Agent(honest(a6)), Agent(dishonest(i4)))) Abs_NA2)), pair(Nonce((ni Abs_NI1)), Agent(dishonest(i5))))), crypt(pk(Agent(dishonest(i6))), Nonce((ni Abs_NI2))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNA), Nonce((ni Abs_NI0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), Agent(dishonest(i0)), Nonce((ni Abs_NI0)), crypt(pk(Agent(honest(a2))), pair(Nonce((ni Abs_NI1)), Agent(dishonest(i1)))), Nonce((absNB(pair(Agent(honest(a3)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB0)), crypt(pk(Agent(dishonest(i3))), pair(Nonce((ni Abs_NI2)), pair(Nonce((absNB(pair(Agent(honest(a4)), pair(Agent(dishonest(i4)), Step(0)))) Abs_NB1)), Agent(honest(a5))))), crypt(pk(Agent(honest(a6))), Nonce((absNB(pair(Agent(honest(a7)), pair(Agent(dishonest(i5)), Step(0)))) Abs_NB2))), SID(sid0)] ))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), Nonce((ni Abs_NI0)))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_NA0)))))
| (m = Iknows(crypt(pk(Agent(honest(a0))), Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(honest(a2)), Step(1)))) Abs_NB0)))))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), pair(Nonce((absNB(pair(Agent(honest(a2)), pair(Agent(honest(a3)), Step(0)))) Abs_NB1)), Agent(honest(a4)))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), pair(Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB1)), Agent(honest(a2)))))))
| (m = Iknows(crypt(pk(Agent(honest(a0))), pair(Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i0)))) Abs_NA0)), pair(Nonce((absNB(pair(Agent(honest(a2)), pair(Agent(honest(a3)), Step(0)))) Abs_NB0)), Agent(honest(a4)))))))
| (m = Iknows(crypt(pk(Agent(dishonest(i0))), pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i1)))) Abs_NA0)), pair(Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB0)), Agent(honest(a2)))))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1))))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), Agent(honest(a2))))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), pair(Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB1)), Agent(honest(a2))))))
| (m = Request(Agent(honest(a0)), Agent(honest(a1)), Purpose(purposeNA), Nonce((absNA(pair(Agent(honest(a2)), Agent(honest(a3)))) Abs_NA0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), Agent(honest(a2)), Nonce((absNA(pair(Agent(honest(a3)), Agent(honest(a4)))) Abs_NA0)), crypt(pk(Agent(honest(a5))), pair(Nonce((absNA(pair(Agent(honest(a6)), Agent(honest(a7)))) Abs_NA1)), Agent(honest(a8)))), Nonce((absNB(pair(Agent(honest(a9)), pair(Agent(honest(a10)), Step(1)))) Abs_NB0)), crypt(pk(Agent(honest(a11))), pair(Nonce((absNA(pair(Agent(honest(a12)), Agent(honest(a13)))) Abs_NA2)), pair(Nonce((absNB(pair(Agent(honest(a14)), pair(Agent(honest(a15)), Step(1)))) Abs_NB1)), Agent(honest(a16))))), crypt(pk(Agent(honest(a17))), Nonce((absNB(pair(Agent(honest(a18)), pair(Agent(honest(a19)), Step(1)))) Abs_NB2))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNA), Nonce((absNA(pair(Agent(honest(a1)), Agent(dishonest(i1)))) Abs_NA0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), Agent(dishonest(i0)), Nonce((absNA(pair(Agent(honest(a2)), Agent(dishonest(i1)))) Abs_NA0)), crypt(pk(Agent(honest(a3))), pair(Nonce((absNA(pair(Agent(honest(a4)), Agent(dishonest(i2)))) Abs_NA1)), Agent(dishonest(i3)))), Nonce((absNB(pair(Agent(honest(a5)), pair(Agent(dishonest(i4)), Step(0)))) Abs_NB0)), crypt(pk(Agent(dishonest(i5))), pair(Nonce((absNA(pair(Agent(honest(a6)), Agent(dishonest(i6)))) Abs_NA2)), pair(Nonce((absNB(pair(Agent(honest(a7)), pair(Agent(dishonest(i7)), Step(0)))) Abs_NB1)), Agent(honest(a8))))), crypt(pk(Agent(honest(a9))), Nonce((absNB(pair(Agent(honest(a10)), pair(Agent(dishonest(i8)), Step(0)))) Abs_NB2))), SID(sid0)] ))
| (m = Request(Agent(honest(a0)), Agent(dishonest(i0)), Purpose(purposeNA), Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), SID(sid0)))
| (m = State(rB, [Agent(honest(a0)), Step(2), inv(pk(Agent(honest(a1)))), Agent(dishonest(i0)), Nonce((absNB(pair(Agent(honest(a2)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), crypt(pk(Agent(honest(a3))), pair(Nonce((absNB(pair(Agent(honest(a4)), pair(Agent(dishonest(i2)), Step(0)))) Abs_NB1)), Agent(dishonest(i3)))), Nonce((absNB(pair(Agent(honest(a5)), pair(Agent(dishonest(i4)), Step(0)))) Abs_NB2)), crypt(pk(Agent(dishonest(i5))), pair(Nonce((absNB(pair(Agent(honest(a6)), pair(Agent(dishonest(i6)), Step(0)))) Abs_NB3)), pair(Nonce((absNB(pair(Agent(honest(a7)), pair(Agent(dishonest(i7)), Step(0)))) Abs_NB4)), Agent(honest(a8))))), crypt(pk(Agent(honest(a9))), Nonce((absNB(pair(Agent(honest(a10)), pair(Agent(dishonest(i8)), Step(0)))) Abs_NB5))), SID(sid0)] ))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1)))))
| (m = Iknows(pair(Nonce((ni Abs_NI0)), pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), Agent(honest(a1))))))
| (m = Iknows(pair(Nonce((absNA(pair(Agent(honest(a0)), Agent(dishonest(i0)))) Abs_NA0)), pair(Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB0)), Agent(honest(a2))))))
| (m = Iknows(pair(Nonce((absNB(pair(Agent(honest(a0)), pair(Agent(dishonest(i0)), Step(0)))) Abs_NB0)), pair(Nonce((absNB(pair(Agent(honest(a1)), pair(Agent(dishonest(i1)), Step(0)))) Abs_NB1)), Agent(honest(a2))))))
)}"
section {* Checking Fixed-point (NSL) *}
lemma fp_attack_free: "~ (Attack m : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_0: "Iknows(Nonce((ni Abs_NI))) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_1: "Iknows(Agent(dishonest(i))) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_2: "State(rA, [Agent(honest(a)), Step(0), Agent(dishonest(i)), inv(pk(Agent(honest(a)))), SID(sid)] ) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_3: "State(rA, [Agent(honest(a)), Step(0), Agent(honest(a)), inv(pk(Agent(honest(a)))), SID(sid)] ) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_4: "Iknows(Step(0)) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_5: "Iknows(inv(pk(Agent(dishonest(i))))) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_6: "Iknows(SID(sid)) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_7: "Iknows(Agent(honest(a))) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma init_8: "State(rB, [Agent(honest(a)), Step(0), inv(pk(Agent(honest(a)))), SID(sid)] ) : NSL_fp"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_0: "[|
Iknows(crypt(K, M)) : NSL_fp;
Iknows(inv(K)) : NSL_fp|]
==>
(Iknows(M) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_1: "[|
Iknows(crypt(inv(K), M)) : NSL_fp;
Iknows(K) : NSL_fp|]
==>
(Iknows(M) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_2: "[|
Iknows(scrypt(K, M)) : NSL_fp;
Iknows(K) : NSL_fp|]
==>
(Iknows(M) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_3: "[|
Iknows(pair(M1, M2)) : NSL_fp|]
==>
(Iknows(M1) : NSL_fp) &
(Iknows(M2) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_4: "[|
Secret(M, Agent(honest(a))) : NSL_fp;
Iknows(M) : NSL_fp|]
==>
(Attack(pair(secrecy, M)) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_5: "[|
Request(A, B, Purpose(purposeNA), M, SID(sid)) : NSL_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Abs_NA .
M = Nonce((absNA(pair(B, A)) Abs_NA)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_6: "[|
Request(A, B, Purpose(purposeNB), M, SID(sid)) : NSL_fp;
~ ( ? i .
B = Agent(dishonest(i)));
~ ( ? B A Arg1 Abs_NB .
M = Nonce((absNB(pair(B, pair(A, Arg1))) Abs_NB)))|]
==>
(Attack(pair(authentication, pair(A, pair(B, M)))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_7: "[|
State(rA, [Agent(A), Step(0), Agent(B), inv(pk(Agent(A))), SID(sid)] ) : NSL_fp|]
==>
(Secret(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(B)) : NSL_fp) &
(Witness(Agent(A), Agent(B), Purpose(purposeNA), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA))) : NSL_fp) &
(State(rA, [Agent(A), Step(1), Agent(B), inv(pk(Agent(A))), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A)))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_8: "[|
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : NSL_fp;
Iknows(crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A)))) : NSL_fp|]
==>
(Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_9: "[|
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : NSL_fp;
Iknows(pk(Agent(B))) : NSL_fp;
Iknows(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA))) : NSL_fp;
Iknows(Agent(A)) : NSL_fp|]
==>
(Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_10: "[|
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : NSL_fp;
Iknows(Agent(B)) : NSL_fp;
Iknows(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA))) : NSL_fp;
Iknows(Agent(A)) : NSL_fp|]
==>
(Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), crypt(pk(Agent(B)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(1)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_11: "[|
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : NSL_fp;
Iknows(crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A)))) : NSL_fp;
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
(Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_12: "[|
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : NSL_fp;
Iknows(pk(Agent(B))) : NSL_fp;
Iknows(Nonce(NA)) : NSL_fp;
Iknows(Agent(A)) : NSL_fp;
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
(Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_13: "[|
State(rB, [Agent(B), Step(0), inv(pk(Agent(B))), SID(sid)] ) : NSL_fp;
Iknows(Agent(B)) : NSL_fp;
Iknows(Nonce(NA)) : NSL_fp;
Iknows(Agent(A)) : NSL_fp;
~ ( ? A B Abs_NA .
Nonce(NA) = Nonce((absNA(pair(Agent(A), Agent(B))) Abs_NA)))|]
==>
(Secret(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(A)) : NSL_fp) &
(Witness(Agent(B), Agent(A), Purpose(purposeNB), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB))) : NSL_fp) &
(State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B)))), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce((absNB(pair(Agent(B), pair(Agent(A), Step(0)))) Abs_NB)), Agent(B))))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_14: "[|
State(rA, [Agent(A), Step(1), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : NSL_fp;
Iknows(crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B))))) : NSL_fp|]
==>
(Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)) : NSL_fp) &
(State(rA, [Agent(A), Step(2), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(B)), Nonce(NB))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_15: "[|
State(rA, [Agent(A), Step(1), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : NSL_fp;
Iknows(pk(Agent(A))) : NSL_fp;
Iknows(Nonce(NA)) : NSL_fp;
Iknows(Nonce(NB)) : NSL_fp;
Iknows(Agent(B)) : NSL_fp|]
==>
(Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)) : NSL_fp) &
(State(rA, [Agent(A), Step(2), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(B)), Nonce(NB))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_16: "[|
State(rA, [Agent(A), Step(1), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), SID(sid)] ) : NSL_fp;
Iknows(Agent(A)) : NSL_fp;
Iknows(Nonce(NA)) : NSL_fp;
Iknows(Nonce(NB)) : NSL_fp;
Iknows(Agent(B)) : NSL_fp|]
==>
(Request(Agent(A), Agent(B), Purpose(purposeNB), Nonce(NB), SID(sid)) : NSL_fp) &
(State(rA, [Agent(A), Step(2), Agent(B), inv(pk(Agent(A))), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp) &
(Iknows(crypt(pk(Agent(B)), Nonce(NB))) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_17: "[|
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : NSL_fp;
Iknows(crypt(pk(Agent(B)), Nonce(NB))) : NSL_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)) : NSL_fp) &
(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_18: "[|
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : NSL_fp;
Iknows(pk(Agent(B))) : NSL_fp;
Iknows(Nonce(NB)) : NSL_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)) : NSL_fp) &
(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
lemma rule_19: "[|
State(rB, [Agent(B), Step(1), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), SID(sid)] ) : NSL_fp;
Iknows(Agent(B)) : NSL_fp;
Iknows(Nonce(NB)) : NSL_fp|]
==>
(Request(Agent(B), Agent(A), Purpose(purposeNA), Nonce(NA), SID(sid)) : NSL_fp) &
(State(rB, [Agent(B), Step(2), inv(pk(Agent(B))), Agent(A), Nonce(NA), crypt(pk(Agent(B)), pair(Nonce(NA), Agent(A))), Nonce(NB), crypt(pk(Agent(A)), pair(Nonce(NA), pair(Nonce(NB), Agent(B)))), crypt(pk(Agent(B)), Nonce(NB)), SID(sid)] ) : NSL_fp)"
by(simp only: NSL_fp_def, simp only: set2pred, simp, auto?)+
section {* Security Proof(s) (NSL) *}
lemma over_approx: "t : NSL ==> (set t) <= NSL_fp"
apply(rule NSL.induct, simp_all)
apply(propagate_fp, cut_tac init_0, (assumption | simp)+)
apply(propagate_fp, cut_tac init_1, (assumption | simp)+)
apply(propagate_fp, cut_tac init_2, (assumption | simp)+)
apply(propagate_fp, cut_tac init_3, (assumption | simp)+)
apply(propagate_fp, cut_tac init_4, (assumption | simp)+)
apply(propagate_fp, cut_tac init_5, (assumption | simp)+)
apply(propagate_fp, cut_tac init_6, (assumption | simp)+)
apply(propagate_fp, cut_tac init_7, (assumption | simp)+)
apply(propagate_fp, cut_tac init_8, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_0, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_1, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_2, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_3, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_4, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_5, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_6, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_7, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_8, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_9, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_10, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_11, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_12, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_13, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_14, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_15, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_16, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_17, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_18, (assumption | simp)+)
apply(propagate_fp, cut_tac rule_19, (assumption | simp)+)
done
end (* theory *)

95
src/IsaMakefile Normal file
View File

@ -0,0 +1,95 @@
#############################################################################
# Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
#
# IsaMakefile --- main build setup for Isabelle-OFMC
# This file is part of Isabelle-OFMC.
#
# Copyright (c) 2009 Achim D. Brucker, Germany
#
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# * Neither the name of the copyright holders nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
##############################################################################
# $Id: IsaMakefile 935 2009-11-02 00:02:50Z brucker $
# determine current source version:
nullstring:=
space := $(nullstring) #
#
REVISION := $(shell svnversion .)
VER_MAIJOR=0
VER_MINOR=0
VER_MICRO=0
VER_TAG=$(space)(dev build: $(REVISION))
CONFIG_SED_SCRIPT='s/<COLLECTIONTYPE>/$(COLLECTIONTYPE)/;\
s/<UNIVERSE>/$(UNIVERSE)/;\
s/<VER_MAIJOR>/$(VER_MAIJOR)/;s/<VER_MINOR>/$(VER_MINOR)/;\
s/<VER_MICRO>/$(VER_MICRO)/;s/<VER_TAG>/${VER_TAG}/;\
s/<XMI_SUPPORT>/$(XMI_SUPPORT)/;\
s/<REVISION>/$(REVISION)/'
## global settings
# make internal configuration
.PHONY: config.sml
ECHO=echo
RM=rm
MV=mv
SED=sed
MLTON=mlton
## targets
HEAP=ofmc
SRC = $(ISABELLE_HOME)/src
OUT = $(ISABELLE_OUTPUT)
LOG = $(OUT)/log
USEDIR = $(ISATOOL) usedir -b -g true -v true -i true -d pdf -D generated
USEDIR = $(ISATOOL) usedir -b
$(LOG)/$(HEAP).gz: config.sml ROOT.ML *.thy *.ML ../bin/anb2thy
@(test -e generated && find generated -name .svn -type d -print0 | xargs -0 /bin/rm -fr || true)
@$(RM) -rf $(ISABELLE_BROWSER_INFO)/HOL/HOL/$(HEAP)/document
@($(USEDIR) HOL $(HEAP) \
|| \
($(ECHO) -e "\033[1;31;40m";\
$(ECHO) -e "\a *************************************************" ;\
$(ECHO) -e "\a ****************** BUILD FAILED ***************" ;\
$(ECHO) -e "\a *************************************************" ;\
$(ECHO) -e "\033[1;37;40m\033[0;37;0m")\
|| true)
config.sml:
@$(RM) -rf config.sml
@$(SED) -e $(CONFIG_SED_SCRIPT) config.sml.in > config.sml
../bin/anb2thy: encoder/*.sml
$(MLTON) encoder/anb2thy.cm
$(MV) encoder/anb2thy ../bin

75
src/ROOT.ML Normal file
View File

@ -0,0 +1,75 @@
(*****************************************************************************
* Isabelle/OFMC --- connecting OFMC and Isabelle/HOL
*
* ROOT.ML --- main file for Isabelle-OFMC.
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: ROOT.ML 935 2009-11-02 00:02:50Z brucker $ *)
use "config.sml";
OS.FileSys.chDir "encoder";
use "root.sml";
OS.FileSys.chDir "..";
use "config.sml";
val isabelle_version = Distribution.version
val ofmc_version = Int.toString(ofmc_ver_major)^"."^Int.toString(ofmc_ver_minor)^"."
^Int.toString(ofmc_ver_micro)^ofmc_ver_tag
val version = "Isabelle/ofmc "^ofmc_version^", based on "^isabelle_version;
fun infostr _ = (
("\n")^
(" Isabelle/ofmc "^ofmc_version^" \n")^
(" connecting OFMC and Isabelle/HOL \n")^
(" Copyright (c) 2009 Achim D. Brucker \n")^
(" \n")^
(" Configuration: \n")^
(" - ofmc binary: "^(ofmc_connector.ofmc_home()^ofmc_connector.ofmc)^"\n" )^
(" - Isabelle: "^(isabelle_version)^"\n" )^
(" - ML-system: "^(ml_system)^"\n" ));
fun info () = writeln (infostr());
use_thy "ofmc";
val welcome = Toplevel.imperative (info);
val welcomeP =
OuterSyntax.improper_command "welcome" "print welcome message" OuterKeyword.diag
(Scan.succeed (Toplevel.no_timing o welcome));

82
src/config.sml Normal file
View File

@ -0,0 +1,82 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* config.sml.in --- main configuration file for Isabelle-OFMC
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: config.sml.in 349 2009-01-16 19:17:39Z brucker $ *)
structure config =
struct
val ofmc_id = "$Id: config.sml.in 349 2009-01-16 19:17:39Z brucker $"
end;
(** Major version number.
*
* Modify when incompatible changes are made to published interfaces.
*)
val ofmc_ver_major = 0
(* Minor version number.
*
* Modify when new functionality is added or new interfaces are
* defined, but all changes are backward compatible.
*)
val ofmc_ver_minor = 0
(** Patch number.
*
* Modify for every released patch.
*)
val ofmc_ver_micro= 0
(** Version tag: a string describing the version.
*
* This tag remains " (dev build)" in the repository so that we can
* always see from "version()" that the software has been built
* from the repository rather than a "blessed" distribution.
*
* When rolling a tarball, we automatically replace this text with ""
* for final releases; in prereleases, it becomes " (Alpha)",
* " (Beta 1)", etc., as appropriate.
*
*)
val ofmc_ver_tag = " (dev build: 929:933M)"

82
src/config.sml.in Normal file
View File

@ -0,0 +1,82 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* config.sml.in --- main configuration file for Isabelle-OFMC
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: config.sml.in 349 2009-01-16 19:17:39Z brucker $ *)
structure config =
struct
val ofmc_id = "$Id: config.sml.in 349 2009-01-16 19:17:39Z brucker $"
end;
(** Major version number.
*
* Modify when incompatible changes are made to published interfaces.
*)
val ofmc_ver_major = <VER_MAIJOR>
(* Minor version number.
*
* Modify when new functionality is added or new interfaces are
* defined, but all changes are backward compatible.
*)
val ofmc_ver_minor = <VER_MINOR>
(** Patch number.
*
* Modify for every released patch.
*)
val ofmc_ver_micro= <VER_MICRO>
(** Version tag: a string describing the version.
*
* This tag remains " (dev build)" in the repository so that we can
* always see from "version()" that the software has been built
* from the repository rather than a "blessed" distribution.
*
* When rolling a tarball, we automatically replace this text with ""
* for final releases; in prereleases, it becomes " (Alpha)",
* " (Beta 1)", etc., as appropriate.
*
*)
val ofmc_ver_tag = "<VER_TAG>"

68
src/encoder/anb2thy.cm Normal file
View File

@ -0,0 +1,68 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* encoder.cm ---
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: anb2thy.cm 870 2009-10-30 11:05:03Z brucker $ *)
Group is
#if(defined(SMLNJ_VERSION) && (SMLNJ_MINOR_VERSION < 60))
$/basis.cm
$/ml-yacc-lib.cm
#endif
#if(defined(SMLNJ_VERSION) && (SMLNJ_MINOR_VERSION >= 60))
$smlnj/basis/basis.cm
$smlnj/ml-yacc/ml-yacc-lib.cm
#endif
ofmcfp.sml
#if(defined(SMLNJ_VERSION))
ofmc-fp.grm
ofmc-fp.lex
#else
"ml-yacc-lib/base.sig"
"ml-yacc-lib/join.sml"
"ml-yacc-lib/lrtable.sml"
"ml-yacc-lib/stream.sml"
"ml-yacc-lib/parser2.sml"
ofmc-fp.grm.sig
ofmc-fp.lex.sml
ofmc-fp.grm.sml
#endif
ofmc_connector.sml
ofmc_abstraction.sml
ofmc_thygen.sml

View File

@ -0,0 +1,323 @@
(******************************************************************************
* STANDARD ML OF NEW JERSEY COPYRIGHT NOTICE, LICENSE AND DISCLAIMER.
*
* Copyright (c) 1989-2002 by Lucent Technologies
*
* Permission to use, copy, modify, and distribute this software and its
* documentation for any purpose and without fee is hereby granted,
* provided that the above copyright notice appear in all copies and that
* both the copyright notice and this permission notice and warranty
* disclaimer appear in supporting documentation, and that the name of
* Lucent Technologies, Bell Labs or any Lucent entity not be used in
* advertising or publicity pertaining to distribution of the software
* without specific, written prior permission.
*
* Lucent disclaims all warranties with regard to this software,
* including all implied warranties of merchantability and fitness. In no
* event shall Lucent be liable for any special, indirect or
* consequential damages or any damages whatsoever resulting from loss of
* use, data or profits, whether in an action of contract, negligence or
* other tortious action, arising out of or in connection with the use
* or performance of this software.
******************************************************************************)
(* $Id: base.sig 6662 2007-07-04 06:41:30Z brucker $ *)
(* ML-Yacc Parser Generator (c) 1989 Andrew W. Appel, David R. Tarditi *)
(* base.sig: Base signature file for SML-Yacc. This file contains signatures
that must be loaded before any of the files produced by ML-Yacc are loaded
*)
(* STREAM: signature for a lazy stream.*)
signature STREAM =
sig type 'xa stream
val streamify : (unit -> '_a) -> '_a stream
val cons : '_a * '_a stream -> '_a stream
val get : '_a stream -> '_a * '_a stream
end
(* LR_TABLE: signature for an LR Table.
The list of actions and gotos passed to mkLrTable must be ordered by state
number. The values for state 0 are the first in the list, the values for
state 1 are next, etc.
*)
signature LR_TABLE =
sig
datatype ('a,'b) pairlist = EMPTY | PAIR of 'a * 'b * ('a,'b) pairlist
datatype state = STATE of int
datatype term = T of int
datatype nonterm = NT of int
datatype action = SHIFT of state
| REDUCE of int
| ACCEPT
| ERROR
type table
val numStates : table -> int
val numRules : table -> int
val describeActions : table -> state ->
(term,action) pairlist * action
val describeGoto : table -> state -> (nonterm,state) pairlist
val action : table -> state * term -> action
val goto : table -> state * nonterm -> state
val initialState : table -> state
exception Goto of state * nonterm
val mkLrTable : {actions : ((term,action) pairlist * action) array,
gotos : (nonterm,state) pairlist array,
numStates : int, numRules : int,
initialState : state} -> table
end
(* TOKEN: signature revealing the internal structure of a token. This signature
TOKEN distinct from the signature {parser name}_TOKENS produced by ML-Yacc.
The {parser name}_TOKENS structures contain some types and functions to
construct tokens from values and positions.
The representation of token was very carefully chosen here to allow the
polymorphic parser to work without knowing the types of semantic values
or line numbers.
This has had an impact on the TOKENS structure produced by SML-Yacc, which
is a structure parameter to lexer functors. We would like to have some
type 'a token which functions to construct tokens would create. A
constructor function for a integer token might be
INT: int * 'a * 'a -> 'a token.
This is not possible because we need to have tokens with the representation
given below for the polymorphic parser.
Thus our constructur functions for tokens have the form:
INT: int * 'a * 'a -> (svalue,'a) token
This in turn has had an impact on the signature that lexers for SML-Yacc
must match and the types that a user must declare in the user declarations
section of lexers.
*)
signature TOKEN =
sig
structure LrTable : LR_TABLE
datatype ('a,'b) token = TOKEN of LrTable.term * ('a * 'b * 'b)
val sameToken : ('a,'b) token * ('a,'b) token -> bool
end
(* LR_PARSER: signature for a polymorphic LR parser *)
signature LR_PARSER =
sig
structure Stream: STREAM
structure LrTable : LR_TABLE
structure Token : TOKEN
sharing LrTable = Token.LrTable
exception ParseError
val parse : {table : LrTable.table,
lexer : ('_b,'_c) Token.token Stream.stream,
arg: 'arg,
saction : int *
'_c *
(LrTable.state * ('_b * '_c * '_c)) list *
'arg ->
LrTable.nonterm *
('_b * '_c * '_c) *
((LrTable.state *('_b * '_c * '_c)) list),
void : '_b,
ec : { is_keyword : LrTable.term -> bool,
noShift : LrTable.term -> bool,
preferred_change : (LrTable.term list * LrTable.term list) list,
errtermvalue : LrTable.term -> '_b,
showTerminal : LrTable.term -> string,
terms: LrTable.term list,
error : string * '_c * '_c -> unit
},
lookahead : int (* max amount of lookahead used in *)
(* error correction *)
} -> '_b *
(('_b,'_c) Token.token Stream.stream)
end
(* LEXER: a signature that most lexers produced for use with SML-Yacc's
output will match. The user is responsible for declaring type token,
type pos, and type svalue in the UserDeclarations section of a lexer.
Note that type token is abstract in the lexer. This allows SML-Yacc to
create a TOKENS signature for use with lexers produced by ML-Lex that
treats the type token abstractly. Lexers that are functors parametrized by
a Tokens structure matching a TOKENS signature cannot examine the structure
of tokens.
*)
signature LEXER =
sig
structure UserDeclarations :
sig
type ('a,'b) token
type pos
type svalue
end
val makeLexer : (int -> string) -> unit ->
(UserDeclarations.svalue,UserDeclarations.pos) UserDeclarations.token
end
(* ARG_LEXER: the %arg option of ML-Lex allows users to produce lexers which
also take an argument before yielding a function from unit to a token
*)
signature ARG_LEXER =
sig
structure UserDeclarations :
sig
type ('a,'b) token
type pos
type svalue
type arg
end
val makeLexer : (int -> string) -> UserDeclarations.arg -> unit ->
(UserDeclarations.svalue,UserDeclarations.pos) UserDeclarations.token
end
(* PARSER_DATA: the signature of ParserData structures in {parser name}LrValsFun
produced by SML-Yacc. All such structures match this signature.
The {parser name}LrValsFun produces a structure which contains all the values
except for the lexer needed to call the polymorphic parser mentioned
before.
*)
signature PARSER_DATA =
sig
(* the type of line numbers *)
type pos
(* the type of semantic values *)
type svalue
(* the type of the user-supplied argument to the parser *)
type arg
(* the intended type of the result of the parser. This value is
produced by applying extract from the structure Actions to the
final semantic value resultiing from a parse.
*)
type result
structure LrTable : LR_TABLE
structure Token : TOKEN
sharing Token.LrTable = LrTable
(* structure Actions contains the functions which mantain the
semantic values stack in the parser. Void is used to provide
a default value for the semantic stack.
*)
structure Actions :
sig
val actions : int * pos *
(LrTable.state * (svalue * pos * pos)) list * arg->
LrTable.nonterm * (svalue * pos * pos) *
((LrTable.state *(svalue * pos * pos)) list)
val void : svalue
val extract : svalue -> result
end
(* structure EC contains information used to improve error
recovery in an error-correcting parser *)
structure EC :
sig
val is_keyword : LrTable.term -> bool
val noShift : LrTable.term -> bool
val preferred_change : (LrTable.term list * LrTable.term list) list
val errtermvalue : LrTable.term -> svalue
val showTerminal : LrTable.term -> string
val terms: LrTable.term list
end
(* table is the LR table for the parser *)
val table : LrTable.table
end
(* signature PARSER is the signature that most user parsers created by
SML-Yacc will match.
*)
signature PARSER =
sig
structure Token : TOKEN
structure Stream : STREAM
exception ParseError
(* type pos is the type of line numbers *)
type pos
(* type result is the type of the result from the parser *)
type result
(* the type of the user-supplied argument to the parser *)
type arg
(* type svalue is the type of semantic values for the semantic value
stack
*)
type svalue
(* val makeLexer is used to create a stream of tokens for the parser *)
val makeLexer : (int -> string) ->
(svalue,pos) Token.token Stream.stream
(* val parse takes a stream of tokens and a function to print
errors and returns a value of type result and a stream containing
the unused tokens
*)
val parse : int * ((svalue,pos) Token.token Stream.stream) *
(string * pos * pos -> unit) * arg ->
result * (svalue,pos) Token.token Stream.stream
val sameToken : (svalue,pos) Token.token * (svalue,pos) Token.token ->
bool
end
(* signature ARG_PARSER is the signature that will be matched by parsers whose
lexer takes an additional argument.
*)
signature ARG_PARSER =
sig
structure Token : TOKEN
structure Stream : STREAM
exception ParseError
type arg
type lexarg
type pos
type result
type svalue
val makeLexer : (int -> string) -> lexarg ->
(svalue,pos) Token.token Stream.stream
val parse : int * ((svalue,pos) Token.token Stream.stream) *
(string * pos * pos -> unit) * arg ->
result * (svalue,pos) Token.token Stream.stream
val sameToken : (svalue,pos) Token.token * (svalue,pos) Token.token ->
bool
end

View File

@ -0,0 +1,118 @@
(******************************************************************************
* STANDARD ML OF NEW JERSEY COPYRIGHT NOTICE, LICENSE AND DISCLAIMER.
*
* Copyright (c) 1989-2002 by Lucent Technologies
*
* Permission to use, copy, modify, and distribute this software and its
* documentation for any purpose and without fee is hereby granted,
* provided that the above copyright notice appear in all copies and that
* both the copyright notice and this permission notice and warranty
* disclaimer appear in supporting documentation, and that the name of
* Lucent Technologies, Bell Labs or any Lucent entity not be used in
* advertising or publicity pertaining to distribution of the software
* without specific, written prior permission.
*
* Lucent disclaims all warranties with regard to this software,
* including all implied warranties of merchantability and fitness. In no
* event shall Lucent be liable for any special, indirect or
* consequential damages or any damages whatsoever resulting from loss of
* use, data or profits, whether in an action of contract, negligence or
* other tortious action, arising out of or in connection with the use
* or performance of this software.
******************************************************************************)
(* $Id: join.sml 6662 2007-07-04 06:41:30Z brucker $ *)
(* ML-Yacc Parser Generator (c) 1989 Andrew W. Appel, David R. Tarditi *)
(* functor Join creates a user parser by putting together a Lexer structure,
an LrValues structure, and a polymorphic parser structure. Note that
the Lexer and LrValues structure must share the type pos (i.e. the type
of line numbers), the type svalues for semantic values, and the type
of tokens.
*)
functor Join(structure Lex : LEXER
structure ParserData: PARSER_DATA
structure LrParser : LR_PARSER
sharing ParserData.LrTable = LrParser.LrTable
sharing ParserData.Token = LrParser.Token
sharing type Lex.UserDeclarations.svalue = ParserData.svalue
sharing type Lex.UserDeclarations.pos = ParserData.pos
sharing type Lex.UserDeclarations.token = ParserData.Token.token)
: PARSER =
struct
structure Token = ParserData.Token
structure Stream = LrParser.Stream
exception ParseError = LrParser.ParseError
type arg = ParserData.arg
type pos = ParserData.pos
type result = ParserData.result
type svalue = ParserData.svalue
val makeLexer = LrParser.Stream.streamify o Lex.makeLexer
val parse = fn (lookahead,lexer,error,arg) =>
(fn (a,b) => (ParserData.Actions.extract a,b))
(LrParser.parse {table = ParserData.table,
lexer=lexer,
lookahead=lookahead,
saction = ParserData.Actions.actions,
arg=arg,
void= ParserData.Actions.void,
ec = {is_keyword = ParserData.EC.is_keyword,
noShift = ParserData.EC.noShift,
preferred_change = ParserData.EC.preferred_change,
errtermvalue = ParserData.EC.errtermvalue,
error=error,
showTerminal = ParserData.EC.showTerminal,
terms = ParserData.EC.terms}}
)
val sameToken = Token.sameToken
end
(* functor JoinWithArg creates a variant of the parser structure produced
above. In this case, the makeLexer take an additional argument before
yielding a value of type unit -> (svalue,pos) token
*)
functor JoinWithArg(structure Lex : ARG_LEXER
structure ParserData: PARSER_DATA
structure LrParser : LR_PARSER
sharing ParserData.LrTable = LrParser.LrTable
sharing ParserData.Token = LrParser.Token
sharing type Lex.UserDeclarations.svalue = ParserData.svalue
sharing type Lex.UserDeclarations.pos = ParserData.pos
sharing type Lex.UserDeclarations.token = ParserData.Token.token)
: ARG_PARSER =
struct
structure Token = ParserData.Token
structure Stream = LrParser.Stream
exception ParseError = LrParser.ParseError
type arg = ParserData.arg
type lexarg = Lex.UserDeclarations.arg
type pos = ParserData.pos
type result = ParserData.result
type svalue = ParserData.svalue
val makeLexer = fn s => fn arg =>
LrParser.Stream.streamify (Lex.makeLexer s arg)
val parse = fn (lookahead,lexer,error,arg) =>
(fn (a,b) => (ParserData.Actions.extract a,b))
(LrParser.parse {table = ParserData.table,
lexer=lexer,
lookahead=lookahead,
saction = ParserData.Actions.actions,
arg=arg,
void= ParserData.Actions.void,
ec = {is_keyword = ParserData.EC.is_keyword,
noShift = ParserData.EC.noShift,
preferred_change = ParserData.EC.preferred_change,
errtermvalue = ParserData.EC.errtermvalue,
error=error,
showTerminal = ParserData.EC.showTerminal,
terms = ParserData.EC.terms}}
)
val sameToken = Token.sameToken
end;

View File

@ -0,0 +1,83 @@
(******************************************************************************
* STANDARD ML OF NEW JERSEY COPYRIGHT NOTICE, LICENSE AND DISCLAIMER.
*
* Copyright (c) 1989-2002 by Lucent Technologies
*
* Permission to use, copy, modify, and distribute this software and its
* documentation for any purpose and without fee is hereby granted,
* provided that the above copyright notice appear in all copies and that
* both the copyright notice and this permission notice and warranty
* disclaimer appear in supporting documentation, and that the name of
* Lucent Technologies, Bell Labs or any Lucent entity not be used in
* advertising or publicity pertaining to distribution of the software
* without specific, written prior permission.
*
* Lucent disclaims all warranties with regard to this software,
* including all implied warranties of merchantability and fitness. In no
* event shall Lucent be liable for any special, indirect or
* consequential damages or any damages whatsoever resulting from loss of
* use, data or profits, whether in an action of contract, negligence or
* other tortious action, arising out of or in connection with the use
* or performance of this software.
******************************************************************************)
(* $Id: lrtable.sml 6662 2007-07-04 06:41:30Z brucker $ *)
(* ML-Yacc Parser Generator (c) 1989 Andrew W. Appel, David R. Tarditi *)
structure LrTable : LR_TABLE =
struct
open Array List
infix 9 sub
datatype ('a,'b) pairlist = EMPTY
| PAIR of 'a * 'b * ('a,'b) pairlist
datatype term = T of int
datatype nonterm = NT of int
datatype state = STATE of int
datatype action = SHIFT of state
| REDUCE of int (* rulenum from grammar *)
| ACCEPT
| ERROR
exception Goto of state * nonterm
type table = {states: int, rules : int,initialState: state,
action: ((term,action) pairlist * action) array,
goto : (nonterm,state) pairlist array}
val numStates = fn ({states,...} : table) => states
val numRules = fn ({rules,...} : table) => rules
val describeActions =
fn ({action,...} : table) =>
fn (STATE s) => action sub s
val describeGoto =
fn ({goto,...} : table) =>
fn (STATE s) => goto sub s
fun findTerm (T term,row,default) =
let fun find (PAIR (T key,data,r)) =
if key < term then find r
else if key=term then data
else default
| find EMPTY = default
in find row
end
fun findNonterm (NT nt,row) =
let fun find (PAIR (NT key,data,r)) =
if key < nt then find r
else if key=nt then SOME data
else NONE
| find EMPTY = NONE
in find row
end
val action = fn ({action,...} : table) =>
fn (STATE state,term) =>
let val (row,default) = action sub state
in findTerm(term,row,default)
end
val goto = fn ({goto,...} : table) =>
fn (a as (STATE state,nonterm)) =>
case findNonterm(nonterm,goto sub state)
of SOME state => state
| NONE => raise (Goto a)
val initialState = fn ({initialState,...} : table) => initialState
val mkLrTable = fn {actions,gotos,initialState,numStates,numRules} =>
({action=actions,goto=gotos,
states=numStates,
rules=numRules,
initialState=initialState} : table)
end;

View File

@ -0,0 +1,566 @@
(******************************************************************************
* STANDARD ML OF NEW JERSEY COPYRIGHT NOTICE, LICENSE AND DISCLAIMER.
*
* Copyright (c) 1989-2002 by Lucent Technologies
*
* Permission to use, copy, modify, and distribute this software and its
* documentation for any purpose and without fee is hereby granted,
* provided that the above copyright notice appear in all copies and that
* both the copyright notice and this permission notice and warranty
* disclaimer appear in supporting documentation, and that the name of
* Lucent Technologies, Bell Labs or any Lucent entity not be used in
* advertising or publicity pertaining to distribution of the software
* without specific, written prior permission.
*
* Lucent disclaims all warranties with regard to this software,
* including all implied warranties of merchantability and fitness. In no
* event shall Lucent be liable for any special, indirect or
* consequential damages or any damages whatsoever resulting from loss of
* use, data or profits, whether in an action of contract, negligence or
* other tortious action, arising out of or in connection with the use
* or performance of this software.
******************************************************************************)
(* $Id: parser2.sml 6662 2007-07-04 06:41:30Z brucker $ *)
(* ML-Yacc Parser Generator (c) 1989 Andrew W. Appel, David R. Tarditi *)
(* parser.sml: This is a parser driver for LR tables with an error-recovery
routine added to it. The routine used is described in detail in this
article:
'A Practical Method for LR and LL Syntactic Error Diagnosis and
Recovery', by M. Burke and G. Fisher, ACM Transactions on
Programming Langauges and Systems, Vol. 9, No. 2, April 1987,
pp. 164-197.
This program is an implementation is the partial, deferred method discussed
in the article. The algorithm and data structures used in the program
are described below.
This program assumes that all semantic actions are delayed. A semantic
action should produce a function from unit -> value instead of producing the
normal value. The parser returns the semantic value on the top of the
stack when accept is encountered. The user can deconstruct this value
and apply the unit -> value function in it to get the answer.
It also assumes that the lexer is a lazy stream.
Data Structures:
----------------
* The parser:
The state stack has the type
(state * (semantic value * line # * line #)) list
The parser keeps a queue of (state stack * lexer pair). A lexer pair
consists of a terminal * value pair and a lexer. This allows the
parser to reconstruct the states for terminals to the left of a
syntax error, and attempt to make error corrections there.
The queue consists of a pair of lists (x,y). New additions to
the queue are cons'ed onto y. The first element of x is the top
of the queue. If x is nil, then y is reversed and used
in place of x.
Algorithm:
----------
* The steady-state parser:
This parser keeps the length of the queue of state stacks at
a steady state by always removing an element from the front when
another element is placed on the end.
It has these arguments:
stack: current stack
queue: value of the queue
lexPair ((terminal,value),lex stream)
When SHIFT is encountered, the state to shift to and the value are
are pushed onto the state stack. The state stack and lexPair are
placed on the queue. The front element of the queue is removed.
When REDUCTION is encountered, the rule is applied to the current
stack to yield a triple (nonterm,value,new stack). A new
stack is formed by adding (goto(top state of stack,nonterm),value)
to the stack.
When ACCEPT is encountered, the top value from the stack and the
lexer are returned.
When an ERROR is encountered, fixError is called. FixError
takes the arguments to the parser, fixes the error if possible and
returns a new set of arguments.
* The distance-parser:
This parser includes an additional argument distance. It pushes
elements on the queue until it has parsed distance tokens, or an
ACCEPT or ERROR occurs. It returns a stack, lexer, the number of
tokens left unparsed, a queue, and an action option.
*)
signature FIFO =
sig type 'a queue
val empty : 'a queue
exception Empty
val get : 'a queue -> 'a * 'a queue
val put : 'a * 'a queue -> 'a queue
end
(* drt (12/15/89) -- the functor should be used in development work, but
it wastes space in the release version.
functor ParserGen(structure LrTable : LR_TABLE
structure Stream : STREAM) : LR_PARSER =
*)
structure LrParser :> LR_PARSER =
struct
structure LrTable = LrTable
structure Stream = Stream
fun eqT (LrTable.T i, LrTable.T i') = i = i'
structure Token : TOKEN =
struct
structure LrTable = LrTable
datatype ('a,'b) token = TOKEN of LrTable.term * ('a * 'b * 'b)
val sameToken = fn (TOKEN(t,_),TOKEN(t',_)) => eqT (t,t')
end
open LrTable
open Token
val DEBUG1 = false
val DEBUG2 = false
exception ParseError
exception ParseImpossible of int
structure Fifo :> FIFO =
struct
type 'a queue = ('a list * 'a list)
val empty = (nil,nil)
exception Empty
fun get(a::x, y) = (a, (x,y))
| get(nil, nil) = raise Empty
| get(nil, y) = get(rev y, nil)
fun put(a,(x,y)) = (x,a::y)
end
type ('a,'b) elem = (state * ('a * 'b * 'b))
type ('a,'b) stack = ('a,'b) elem list
type ('a,'b) lexv = ('a,'b) token
type ('a,'b) lexpair = ('a,'b) lexv * (('a,'b) lexv Stream.stream)
type ('a,'b) distanceParse =
('a,'b) lexpair *
('a,'b) stack *
(('a,'b) stack * ('a,'b) lexpair) Fifo.queue *
int ->
('a,'b) lexpair *
('a,'b) stack *
(('a,'b) stack * ('a,'b) lexpair) Fifo.queue *
int *
action option
type ('a,'b) ecRecord =
{is_keyword : term -> bool,
preferred_change : (term list * term list) list,
error : string * 'b * 'b -> unit,
errtermvalue : term -> 'a,
terms : term list,
showTerminal : term -> string,
noShift : term -> bool}
local
val print = fn s => TextIO.output(TextIO.stdOut,s)
val println = fn s => (print s; print "\n")
val showState = fn (STATE s) => "STATE " ^ (Int.toString s)
in
fun printStack(stack: ('a,'b) stack, n: int) =
case stack
of (state,_) :: rest =>
(print("\t" ^ Int.toString n ^ ": ");
println(showState state);
printStack(rest, n+1))
| nil => ()
fun prAction showTerminal
(stack as (state,_) :: _, next as (TOKEN (term,_),_), action) =
(println "Parse: state stack:";
printStack(stack, 0);
print(" state="
^ showState state
^ " next="
^ showTerminal term
^ " action="
);
case action
of SHIFT state => println ("SHIFT " ^ (showState state))
| REDUCE i => println ("REDUCE " ^ (Int.toString i))
| ERROR => println "ERROR"
| ACCEPT => println "ACCEPT")
| prAction _ (_,_,action) = ()
end
(* ssParse: parser which maintains the queue of (state * lexvalues) in a
steady-state. It takes a table, showTerminal function, saction
function, and fixError function. It parses until an ACCEPT is
encountered, or an exception is raised. When an error is encountered,
fixError is called with the arguments of parseStep (lexv,stack,and
queue). It returns the lexv, and a new stack and queue adjusted so
that the lexv can be parsed *)
val ssParse =
fn (table,showTerminal,saction,fixError,arg) =>
let val prAction = prAction showTerminal
val action = LrTable.action table
val goto = LrTable.goto table
fun parseStep(args as
(lexPair as (TOKEN (terminal, value as (_,leftPos,_)),
lexer
),
stack as (state,_) :: _,
queue)) =
let val nextAction = action (state,terminal)
val _ = if DEBUG1 then prAction(stack,lexPair,nextAction)
else ()
in case nextAction
of SHIFT s =>
let val newStack = (s,value) :: stack
val newLexPair = Stream.get lexer
val (_,newQueue) =Fifo.get(Fifo.put((newStack,newLexPair),
queue))
in parseStep(newLexPair,(s,value)::stack,newQueue)
end
| REDUCE i =>
(case saction(i,leftPos,stack,arg)
of (nonterm,value,stack as (state,_) :: _) =>
parseStep(lexPair,(goto(state,nonterm),value)::stack,
queue)
| _ => raise (ParseImpossible 197))
| ERROR => parseStep(fixError args)
| ACCEPT =>
(case stack
of (_,(topvalue,_,_)) :: _ =>
let val (token,restLexer) = lexPair
in (topvalue,Stream.cons(token,restLexer))
end
| _ => raise (ParseImpossible 202))
end
| parseStep _ = raise (ParseImpossible 204)
in parseStep
end
(* distanceParse: parse until n tokens are shifted, or accept or
error are encountered. Takes a table, showTerminal function, and
semantic action function. Returns a parser which takes a lexPair
(lex result * lexer), a state stack, a queue, and a distance
(must be > 0) to parse. The parser returns a new lex-value, a stack
with the nth token shifted on top, a queue, a distance, and action
option. *)
val distanceParse =
fn (table,showTerminal,saction,arg) =>
let val prAction = prAction showTerminal
val action = LrTable.action table
val goto = LrTable.goto table
fun parseStep(lexPair,stack,queue,0) = (lexPair,stack,queue,0,NONE)
| parseStep(lexPair as (TOKEN (terminal, value as (_,leftPos,_)),
lexer
),
stack as (state,_) :: _,
queue,distance) =
let val nextAction = action(state,terminal)
val _ = if DEBUG1 then prAction(stack,lexPair,nextAction)
else ()
in case nextAction
of SHIFT s =>
let val newStack = (s,value) :: stack
val newLexPair = Stream.get lexer
in parseStep(newLexPair,(s,value)::stack,
Fifo.put((newStack,newLexPair),queue),distance-1)
end
| REDUCE i =>
(case saction(i,leftPos,stack,arg)
of (nonterm,value,stack as (state,_) :: _) =>
parseStep(lexPair,(goto(state,nonterm),value)::stack,
queue,distance)
| _ => raise (ParseImpossible 240))
| ERROR => (lexPair,stack,queue,distance,SOME nextAction)
| ACCEPT => (lexPair,stack,queue,distance,SOME nextAction)
end
| parseStep _ = raise (ParseImpossible 242)
in parseStep : ('_a,'_b) distanceParse
end
(* mkFixError: function to create fixError function which adjusts parser state
so that parse may continue in the presence of an error *)
fun mkFixError({is_keyword,terms,errtermvalue,
preferred_change,noShift,
showTerminal,error,...} : ('_a,'_b) ecRecord,
distanceParse : ('_a,'_b) distanceParse,
minAdvance,maxAdvance)
(lexv as (TOKEN (term,value as (_,leftPos,_)),_),stack,queue) =
let val _ = if DEBUG2 then
error("syntax error found at " ^ (showTerminal term),
leftPos,leftPos)
else ()
fun tokAt(t,p) = TOKEN(t,(errtermvalue t,p,p))
val minDelta = 3
(* pull all the state * lexv elements from the queue *)
val stateList =
let fun f q = let val (elem,newQueue) = Fifo.get q
in elem :: (f newQueue)
end handle Fifo.Empty => nil
in f queue
end
(* now number elements of stateList, giving distance from
error token *)
val (_, numStateList) =
List.foldr (fn (a,(num,r)) => (num+1,(a,num)::r)) (0, []) stateList
(* Represent the set of potential changes as a linked list.
Values of datatype Change hold information about a potential change.
oper = oper to be applied
pos = the # of the element in stateList that would be altered.
distance = the number of tokens beyond the error token which the
change allows us to parse.
new = new terminal * value pair at that point
orig = original terminal * value pair at the point being changed.
*)
datatype ('a,'b) change = CHANGE of
{pos : int, distance : int, leftPos: 'b, rightPos: 'b,
new : ('a,'b) lexv list, orig : ('a,'b) lexv list}
val showTerms = concat o map (fn TOKEN(t,_) => " " ^ showTerminal t)
val printChange = fn c =>
let val CHANGE {distance,new,orig,pos,...} = c
in (print ("{distance= " ^ (Int.toString distance));
print (",orig ="); print(showTerms orig);
print (",new ="); print(showTerms new);
print (",pos= " ^ (Int.toString pos));
print "}\n")
end
val printChangeList = app printChange
(* parse: given a lexPair, a stack, and the distance from the error
token, return the distance past the error token that we are able to parse.*)
fun parse (lexPair,stack,queuePos : int) =
case distanceParse(lexPair,stack,Fifo.empty,queuePos+maxAdvance+1)
of (_,_,_,distance,SOME ACCEPT) =>
if maxAdvance-distance-1 >= 0
then maxAdvance
else maxAdvance-distance-1
| (_,_,_,distance,_) => maxAdvance - distance - 1
(* catList: concatenate results of scanning list *)
fun catList l f = List.foldr (fn(a,r)=> f a @ r) [] l
fun keywordsDelta new = if List.exists (fn(TOKEN(t,_))=>is_keyword t) new
then minDelta else 0
fun tryChange{lex,stack,pos,leftPos,rightPos,orig,new} =
let val lex' = List.foldr (fn (t',p)=>(t',Stream.cons p)) lex new
val distance = parse(lex',stack,pos+length new-length orig)
in if distance >= minAdvance + keywordsDelta new
then [CHANGE{pos=pos,leftPos=leftPos,rightPos=rightPos,
distance=distance,orig=orig,new=new}]
else []
end
(* tryDelete: Try to delete n terminals.
Return single-element [success] or nil.
Do not delete unshiftable terminals. *)
fun tryDelete n ((stack,lexPair as (TOKEN(term,(_,l,r)),_)),qPos) =
let fun del(0,accum,left,right,lexPair) =
tryChange{lex=lexPair,stack=stack,
pos=qPos,leftPos=left,rightPos=right,
orig=rev accum, new=[]}
| del(n,accum,left,right,(tok as TOKEN(term,(_,_,r)),lexer)) =
if noShift term then []
else del(n-1,tok::accum,left,r,Stream.get lexer)
in del(n,[],l,r,lexPair)
end
(* tryInsert: try to insert tokens before the current terminal;
return a list of the successes *)
fun tryInsert((stack,lexPair as (TOKEN(_,(_,l,_)),_)),queuePos) =
catList terms (fn t =>
tryChange{lex=lexPair,stack=stack,
pos=queuePos,orig=[],new=[tokAt(t,l)],
leftPos=l,rightPos=l})
(* trySubst: try to substitute tokens for the current terminal;
return a list of the successes *)
fun trySubst ((stack,lexPair as (orig as TOKEN (term,(_,l,r)),lexer)),
queuePos) =
if noShift term then []
else
catList terms (fn t =>
tryChange{lex=Stream.get lexer,stack=stack,
pos=queuePos,
leftPos=l,rightPos=r,orig=[orig],
new=[tokAt(t,r)]})
(* do_delete(toks,lexPair) tries to delete tokens "toks" from "lexPair".
If it succeeds, returns SOME(toks',l,r,lp), where
toks' is the actual tokens (with positions and values) deleted,
(l,r) are the (leftmost,rightmost) position of toks',
lp is what remains of the stream after deletion
*)
fun do_delete(nil,lp as (TOKEN(_,(_,l,_)),_)) = SOME(nil,l,l,lp)
| do_delete([t],(tok as TOKEN(t',(_,l,r)),lp')) =
if eqT (t, t')
then SOME([tok],l,r,Stream.get lp')
else NONE
| do_delete(t::rest,(tok as TOKEN(t',(_,l,r)),lp')) =
if eqT (t,t')
then case do_delete(rest,Stream.get lp')
of SOME(deleted,l',r',lp'') =>
SOME(tok::deleted,l,r',lp'')
| NONE => NONE
else NONE
fun tryPreferred((stack,lexPair),queuePos) =
catList preferred_change (fn (delete,insert) =>
if List.exists noShift delete then [] (* should give warning at
parser-generation time *)
else case do_delete(delete,lexPair)
of SOME(deleted,l,r,lp) =>
tryChange{lex=lp,stack=stack,pos=queuePos,
leftPos=l,rightPos=r,orig=deleted,
new=map (fn t=>(tokAt(t,r))) insert}
| NONE => [])
val changes = catList numStateList tryPreferred @
catList numStateList tryInsert @
catList numStateList trySubst @
catList numStateList (tryDelete 1) @
catList numStateList (tryDelete 2) @
catList numStateList (tryDelete 3)
val findMaxDist = fn l =>
foldr (fn (CHANGE {distance,...},high) => Int.max(distance,high)) 0 l
(* maxDist: max distance past error taken that we could parse *)
val maxDist = findMaxDist changes
(* remove changes which did not parse maxDist tokens past the error token *)
val changes = catList changes
(fn(c as CHANGE{distance,...}) =>
if distance=maxDist then [c] else [])
in case changes
of (l as change :: _) =>
let fun print_msg (CHANGE {new,orig,leftPos,rightPos,...}) =
let val s =
case (orig,new)
of (_::_,[]) => "deleting " ^ (showTerms orig)
| ([],_::_) => "inserting " ^ (showTerms new)
| _ => "replacing " ^ (showTerms orig) ^
" with " ^ (showTerms new)
in error ("syntax error: " ^ s,leftPos,rightPos)
end
val _ =
(if length l > 1 andalso DEBUG2 then
(print "multiple fixes possible; could fix it by:\n";
app print_msg l;
print "chosen correction:\n")
else ();
print_msg change)
(* findNth: find nth queue entry from the error
entry. Returns the Nth queue entry and the portion of
the queue from the beginning to the nth-1 entry. The
error entry is at the end of the queue.
Examples:
queue = a b c d e
findNth 0 = (e,a b c d)
findNth 1 = (d,a b c)
*)
val findNth = fn n =>
let fun f (h::t,0) = (h,rev t)
| f (h::t,n) = f(t,n-1)
| f (nil,_) = let exception FindNth
in raise FindNth
end
in f (rev stateList,n)
end
val CHANGE {pos,orig,new,...} = change
val (last,queueFront) = findNth pos
val (stack,lexPair) = last
val lp1 = foldl(fn (_,(_,r)) => Stream.get r) lexPair orig
val lp2 = foldr(fn(t,r)=>(t,Stream.cons r)) lp1 new
val restQueue =
Fifo.put((stack,lp2),
foldl Fifo.put Fifo.empty queueFront)
val (lexPair,stack,queue,_,_) =
distanceParse(lp2,stack,restQueue,pos)
in (lexPair,stack,queue)
end
| nil => (error("syntax error found at " ^ (showTerminal term),
leftPos,leftPos); raise ParseError)
end
val parse = fn {arg,table,lexer,saction,void,lookahead,
ec=ec as {showTerminal,...} : ('_a,'_b) ecRecord} =>
let val distance = 15 (* defer distance tokens *)
val minAdvance = 1 (* must parse at least 1 token past error *)
val maxAdvance = Int.max(lookahead,0)(* max distance for parse check *)
val lexPair = Stream.get lexer
val (TOKEN (_,(_,leftPos,_)),_) = lexPair
val startStack = [(initialState table,(void,leftPos,leftPos))]
val startQueue = Fifo.put((startStack,lexPair),Fifo.empty)
val distanceParse = distanceParse(table,showTerminal,saction,arg)
val fixError = mkFixError(ec,distanceParse,minAdvance,maxAdvance)
val ssParse = ssParse(table,showTerminal,saction,fixError,arg)
fun loop (lexPair,stack,queue,_,SOME ACCEPT) =
ssParse(lexPair,stack,queue)
| loop (lexPair,stack,queue,0,_) = ssParse(lexPair,stack,queue)
| loop (lexPair,stack,queue,distance,SOME ERROR) =
let val (lexPair,stack,queue) = fixError(lexPair,stack,queue)
in loop (distanceParse(lexPair,stack,queue,distance))
end
| loop _ = let exception ParseInternal
in raise ParseInternal
end
in loop (distanceParse(lexPair,startStack,startQueue,distance))
end
end;

View File

@ -0,0 +1,29 @@
(******************************************************************************
* STANDARD ML OF NEW JERSEY COPYRIGHT NOTICE, LICENSE AND DISCLAIMER.
*
* Copyright (c) 1989-2002 by Lucent Technologies
*
* Permission to use, copy, modify, and distribute this software and its
* documentation for any purpose and without fee is hereby granted,
* provided that the above copyright notice appear in all copies and that
* both the copyright notice and this permission notice and warranty
* disclaimer appear in supporting documentation, and that the name of
* Lucent Technologies, Bell Labs or any Lucent entity not be used in
* advertising or publicity pertaining to distribution of the software
* without specific, written prior permission.
*
* Lucent disclaims all warranties with regard to this software,
* including all implied warranties of merchantability and fitness. In no
* event shall Lucent be liable for any special, indirect or
* consequential damages or any damages whatsoever resulting from loss of
* use, data or profits, whether in an action of contract, negligence or
* other tortious action, arising out of or in connection with the use
* or performance of this software.
******************************************************************************)
(* $Id: root.sml 6662 2007-07-04 06:41:30Z brucker $ *)
use "base.sig";
use "join.sml";
use "lrtable.sml";
use "stream.sml";
use "parser2.sml";

View File

@ -0,0 +1,43 @@
(******************************************************************************
* STANDARD ML OF NEW JERSEY COPYRIGHT NOTICE, LICENSE AND DISCLAIMER.
*
* Copyright (c) 1989-2002 by Lucent Technologies
*
* Permission to use, copy, modify, and distribute this software and its
* documentation for any purpose and without fee is hereby granted,
* provided that the above copyright notice appear in all copies and that
* both the copyright notice and this permission notice and warranty
* disclaimer appear in supporting documentation, and that the name of
* Lucent Technologies, Bell Labs or any Lucent entity not be used in
* advertising or publicity pertaining to distribution of the software
* without specific, written prior permission.
*
* Lucent disclaims all warranties with regard to this software,
* including all implied warranties of merchantability and fitness. In no
* event shall Lucent be liable for any special, indirect or
* consequential damages or any damages whatsoever resulting from loss of
* use, data or profits, whether in an action of contract, negligence or
* other tortious action, arising out of or in connection with the use
* or performance of this software.
******************************************************************************)
(* $Id: stream.sml 6662 2007-07-04 06:41:30Z brucker $ *)
(* ML-Yacc Parser Generator (c) 1989 Andrew W. Appel, David R. Tarditi *)
(* Stream: a structure implementing a lazy stream. The signature STREAM
is found in base.sig *)
structure Stream :> STREAM =
struct
datatype 'a str = EVAL of 'a * 'a str ref | UNEVAL of (unit->'a)
type 'a stream = 'a str ref
fun get(ref(EVAL t)) = t
| get(s as ref(UNEVAL f)) =
let val t = (f(), ref(UNEVAL f)) in s := EVAL t; t end
fun streamify f = ref(UNEVAL f)
fun cons(a,s) = ref(EVAL(a,s))
end;

208
src/encoder/ofmc-fp.grm Normal file
View File

@ -0,0 +1,208 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* ofmc-fp.grm ---
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: ofmc-fp.grm 901 2009-11-01 17:12:18Z brucker $ *)
open OfmcFp
fun rmOuterOp (Operator(_,[msg])) = msg
| rmOuterOp s = s
%%
%eop EOF
%left TMETAIMPLIES
%name OfmcFpParser
%term EOF
| SIMPLE_NAME of string
| TABSTRACTION of string
| TATTACK of string
| TARROW of string
| TMINUS of string
| TCAT of string
| TCBRACKET of string
| TCOLON of string
| TWHITESPACE of string
| TEQ of string
| TNEQ of string
| TBAR of string
| TCOMMA of string
| TCPAREN of string
| TCRYPT of string
| TQUOTE of string
| TEXP of string
| TFACT of string
| TFIXEDPOINT of string
| TFPState of string
| TIKNOWS of string
| TINITIAL of string
| TINV of string
| TKNOWLEDGE of string
| TMETAIMPLIES of string
| TOBRACKET of string
| TOPAREN of string
| TPROTOCOL of string
| TBACKEND of string
| TREQUEST of string
| TRULES of string
| TSCRYPT of string
| TSECRET of string
| TSECSTATE of string
| TSECTION of string
| TSEMICOLON of string
| TSTATE of string
| TSTEP of string
| TTYPES of string
| TWITNESS of string
| TXOR of string
%nonterm START of ofmc_fp
| ofmc_fp of ofmc_fp
| simple_name of string
| role of string
| factname of string
| msglist of Msg list
| msg of Msg
| knowledge of (string * Fact) list
| facts of Fact list
| fact of Fact
| nfacts of Fact list
| nfact of Fact
| rules of Rule list
| abstractions of (Msg * Msg) list
| typname of string
| typnames of string list
| simple_names of string
| typ of string * (string list)
| typlist of (string * (string list)) list
| types of (string * (string list)) list
%pos (int * int * int)
%noshift EOF
%%
START: ofmc_fp (ofmc_fp)
ofmc_fp: TPROTOCOL TCOLON simple_name (update_protocol simple_name empty_ofmc_fp)
| TPROTOCOL TCOLON simple_name ofmc_fp (update_protocol simple_name ofmc_fp)
| TBACKEND TCOLON simple_names (update_backend simple_names empty_ofmc_fp)
| TBACKEND TCOLON simple_names ofmc_fp (update_backend simple_names ofmc_fp)
| TTYPES TCOLON types (update_types ((types_of empty_ofmc_fp)@types) empty_ofmc_fp)
| TTYPES TCOLON types ofmc_fp (update_types ((types_of ofmc_fp)@types) ofmc_fp)
| TSECTION TINITIAL TSECSTATE TCOLON knowledge (update_knowledge knowledge empty_ofmc_fp)
| TSECTION TINITIAL TSECSTATE TCOLON knowledge ofmc_fp (update_knowledge knowledge ofmc_fp)
| TSECTION TRULES TCOLON rules (update_rules rules empty_ofmc_fp)
| TSECTION TRULES TCOLON rules ofmc_fp (update_rules rules ofmc_fp)
| TSECTION TFIXEDPOINT TCOLON knowledge (update_fixedpoint knowledge empty_ofmc_fp)
| TSECTION TFIXEDPOINT TCOLON knowledge ofmc_fp (update_fixedpoint knowledge ofmc_fp)
| TSECTION TABSTRACTION TCOLON abstractions (update_abstractions ((abstractions_of empty_ofmc_fp )@abstractions) empty_ofmc_fp)
| TSECTION TABSTRACTION TCOLON (update_abstractions ((abstractions_of empty_ofmc_fp )@[]) empty_ofmc_fp)
| TSECTION TABSTRACTION TCOLON abstractions ofmc_fp (update_abstractions ((abstractions_of ofmc_fp)@abstractions) ofmc_fp)
rules: TSTEP TCOLON facts TMETAIMPLIES facts ([(NONE, facts1, facts2)])
| TSTEP TCOLON facts TMETAIMPLIES facts rules ((NONE, facts1, facts2)::rules)
| TSTEP TCOLON facts TBAR nfacts TMETAIMPLIES facts ([(NONE, facts1@nfacts, facts)])
| TSTEP TCOLON facts TBAR nfacts TMETAIMPLIES facts rules ((NONE, facts1@nfacts, facts)::rules)
| TSTEP simple_name TCOLON facts TMETAIMPLIES facts ([(SOME simple_name, facts1, facts2)])
| TSTEP simple_name TCOLON facts TMETAIMPLIES facts rules ((SOME simple_name, facts1, facts2)::rules)
| TSTEP simple_name TCOLON facts TBAR nfacts TMETAIMPLIES facts ([(SOME simple_name, facts1@nfacts, facts2)])
| TSTEP simple_name TCOLON facts TBAR nfacts TMETAIMPLIES facts rules ((SOME simple_name, facts1@nfacts, facts2)::rules)
knowledge: factname TCOLON fact TSEMICOLON ([(factname, fact)])
| factname TCOLON fact TSEMICOLON knowledge ((factname, fact)::(knowledge))
facts: fact ([fact])
| fact TSEMICOLON facts (fact::facts)
fact: TSTATE TOPAREN role TCOMMA TOBRACKET msglist TCBRACKET TCPAREN (State(role, msglist))
| TIKNOWS TOPAREN msg TCPAREN (Iknows(msg))
| TATTACK TOPAREN msg TCPAREN (Attack(msg))
| TSECRET TOPAREN msglist TCPAREN (Secret(msglist))
| TWITNESS TOPAREN msglist TCPAREN (Witness(msglist))
| TREQUEST TOPAREN msglist TCPAREN (Request(msglist))
nfacts: nfact ([nfact])
| nfact TSEMICOLON nfacts (nfact::nfacts)
nfact: msg TNEQ msg (NotEqual(msg1,msg2))
msglist: msg ([msg])
| msg TCOMMA msglist (msg::msglist)
msg: SIMPLE_NAME (Atom SIMPLE_NAME)
| SIMPLE_NAME TOPAREN msglist TCPAREN (Operator(SIMPLE_NAME,msglist))
| SIMPLE_NAME msg (Operator(SIMPLE_NAME,[msg]))
| TOPAREN msg TCPAREN (msg)
role: SIMPLE_NAME (SIMPLE_NAME)
factname: SIMPLE_NAME (SIMPLE_NAME)
simple_name:SIMPLE_NAME (SIMPLE_NAME)
abstractions: msg TARROW msg ([(rmOuterOp msg2,msg1)])
| msg TARROW msg TSEMICOLON abstractions ((rmOuterOp msg2,msg1)::abstractions)
types: TOBRACKET typlist TCBRACKET (typlist)
typlist: typ ([typ])
| typ TCOMMA typlist (typ::typlist)
typ: TOPAREN SIMPLE_NAME TCOMMA TOBRACKET typnames TCBRACKET TCPAREN ((SIMPLE_NAME,typnames))
| TOPAREN SIMPLE_NAME SIMPLE_NAME SIMPLE_NAME TCOMMA TOBRACKET typnames TCBRACKET TCPAREN ((SIMPLE_NAME,typnames))
| TOPAREN SIMPLE_NAME TCOMMA TOBRACKET TCBRACKET TCPAREN ((SIMPLE_NAME,[]))
| TOPAREN SIMPLE_NAME SIMPLE_NAME SIMPLE_NAME TCOMMA TOBRACKET TCBRACKET TCPAREN ((SIMPLE_NAME,[]))
typnames: typname ([typname])
| typname TCOMMA typnames (typname::typnames)
simple_names: simple_name (simple_name)
| simple_name simple_names (simple_name^" "^simple_names)
| simple_name TMINUS simple_names (simple_name^" "^simple_names)
typname: TQUOTE SIMPLE_NAME TQUOTE (SIMPLE_NAME)

View File

@ -0,0 +1,54 @@
signature OfmcFpParser_TOKENS =
sig
type ('a,'b) token
type svalue
val TXOR: (string) * 'a * 'a -> (svalue,'a) token
val TWITNESS: (string) * 'a * 'a -> (svalue,'a) token
val TTYPES: (string) * 'a * 'a -> (svalue,'a) token
val TSTEP: (string) * 'a * 'a -> (svalue,'a) token
val TSTATE: (string) * 'a * 'a -> (svalue,'a) token
val TSEMICOLON: (string) * 'a * 'a -> (svalue,'a) token
val TSECTION: (string) * 'a * 'a -> (svalue,'a) token
val TSECSTATE: (string) * 'a * 'a -> (svalue,'a) token
val TSECRET: (string) * 'a * 'a -> (svalue,'a) token
val TSCRYPT: (string) * 'a * 'a -> (svalue,'a) token
val TRULES: (string) * 'a * 'a -> (svalue,'a) token
val TREQUEST: (string) * 'a * 'a -> (svalue,'a) token
val TBACKEND: (string) * 'a * 'a -> (svalue,'a) token
val TPROTOCOL: (string) * 'a * 'a -> (svalue,'a) token
val TOPAREN: (string) * 'a * 'a -> (svalue,'a) token
val TOBRACKET: (string) * 'a * 'a -> (svalue,'a) token
val TMETAIMPLIES: (string) * 'a * 'a -> (svalue,'a) token
val TKNOWLEDGE: (string) * 'a * 'a -> (svalue,'a) token
val TINV: (string) * 'a * 'a -> (svalue,'a) token
val TINITIAL: (string) * 'a * 'a -> (svalue,'a) token
val TIKNOWS: (string) * 'a * 'a -> (svalue,'a) token
val TFPState: (string) * 'a * 'a -> (svalue,'a) token
val TFIXEDPOINT: (string) * 'a * 'a -> (svalue,'a) token
val TFACT: (string) * 'a * 'a -> (svalue,'a) token
val TEXP: (string) * 'a * 'a -> (svalue,'a) token
val TQUOTE: (string) * 'a * 'a -> (svalue,'a) token
val TCRYPT: (string) * 'a * 'a -> (svalue,'a) token
val TCPAREN: (string) * 'a * 'a -> (svalue,'a) token
val TCOMMA: (string) * 'a * 'a -> (svalue,'a) token
val TBAR: (string) * 'a * 'a -> (svalue,'a) token
val TNEQ: (string) * 'a * 'a -> (svalue,'a) token
val TEQ: (string) * 'a * 'a -> (svalue,'a) token
val TWHITESPACE: (string) * 'a * 'a -> (svalue,'a) token
val TCOLON: (string) * 'a * 'a -> (svalue,'a) token
val TCBRACKET: (string) * 'a * 'a -> (svalue,'a) token
val TCAT: (string) * 'a * 'a -> (svalue,'a) token
val TMINUS: (string) * 'a * 'a -> (svalue,'a) token
val TARROW: (string) * 'a * 'a -> (svalue,'a) token
val TATTACK: (string) * 'a * 'a -> (svalue,'a) token
val TABSTRACTION: (string) * 'a * 'a -> (svalue,'a) token
val SIMPLE_NAME: (string) * 'a * 'a -> (svalue,'a) token
val EOF: 'a * 'a -> (svalue,'a) token
end
signature OfmcFpParser_LRVALS=
sig
structure Tokens : OfmcFpParser_TOKENS
structure ParserData:PARSER_DATA
sharing type ParserData.Token.token = Tokens.token
sharing type ParserData.svalue = Tokens.svalue
end

1434
src/encoder/ofmc-fp.grm.sml Normal file

File diff suppressed because it is too large Load Diff

131
src/encoder/ofmc-fp.lex Normal file
View File

@ -0,0 +1,131 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* ofmc-fp.lex ---
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: ofmc-fp.lex 869 2009-10-30 10:36:14Z brucker $ *)
structure Tokens = Tokens
type pos = int * int * int
type svalue = Tokens.svalue
type ('a,'b) token = ('a,'b) Tokens.token
type lexresult= (svalue,pos) token
val pos = ref (0,0,0)
fun eof () = Tokens.EOF((!pos,!pos))
fun error (e,p : (int * int * int),_) = TextIO.output (TextIO.stdOut,
String.concat[
"line ", (Int.toString ((#1 p)+1)), "/",
(Int.toString (#2 p - #3 p)),": ", e, "\n"
])
fun inputPos yypos = ((#1 (!pos), yypos - (#3(!pos)), (#3 (!pos))),
(#1 (!pos), yypos - (#3(!pos)), (#3 (!pos))))
fun inputPos_half yypos = (#1 (!pos), yypos - (#3(!pos)), (#3 (!pos)))
%%
%header (functor OfmcFpParserLexFun(structure Tokens: OfmcFpParser_TOKENS));
alpha=[A-Za-z_];
digit=[0-9];
ws = [\ \t];
%%
\n => (pos := ((#1 (!pos)) + 1, yypos - (#3(!pos)),yypos ); lex());
"(%)[^\n]*\n" => (pos := ((#1 (!pos)) + 1, yypos - (#3(!pos)),yypos ); lex());
"/*""/"*([^*/]|[^*]"/"|"*"[^/])*"*"*"*/" => (lex());
"(*""("*([^*/]|[^*]"("|"*"[^/])*"*"*"*)" => (lex());
{ws}+ => (pos := (#1 (!pos), yypos - (#3(!pos)), (#3 (!pos))); lex());
"-" => (Tokens.TMINUS(yytext,inputPos_half yypos,inputPos_half yypos));
"->" => (Tokens.TARROW(yytext,inputPos_half yypos,inputPos_half yypos));
":" => (Tokens.TCOLON(yytext,inputPos_half yypos,inputPos_half yypos));
"=" => (Tokens.TEQ(yytext,inputPos_half yypos,inputPos_half yypos));
"/=" => (Tokens.TNEQ(yytext,inputPos_half yypos,inputPos_half yypos));
"|" => (Tokens.TBAR(yytext,inputPos_half yypos,inputPos_half yypos));
"\"" => (Tokens.TQUOTE(yytext,inputPos_half yypos,inputPos_half yypos));
"," => (Tokens.TCOMMA(yytext,inputPos_half yypos,inputPos_half yypos));
";" => (Tokens.TSEMICOLON(yytext,inputPos_half yypos,inputPos_half yypos));
"(" => (Tokens.TOPAREN(yytext,inputPos_half yypos,inputPos_half yypos));
")" => (Tokens.TCPAREN(yytext,inputPos_half yypos,inputPos_half yypos));
"[" => (Tokens.TOBRACKET(yytext,inputPos_half yypos,inputPos_half yypos));
"]" => (Tokens.TCBRACKET(yytext,inputPos_half yypos,inputPos_half yypos));
"=>" => (Tokens.TMETAIMPLIES(yytext,inputPos_half yypos,inputPos_half yypos));
"section" => (Tokens.TSECTION(yytext,inputPos_half yypos,inputPos_half yypos));
"rules" => (Tokens.TRULES(yytext,inputPos_half yypos,inputPos_half yypos));
"initial" => (Tokens.TINITIAL(yytext,inputPos_half yypos,inputPos_half yypos));
"state" => (Tokens.TSECSTATE(yytext,inputPos_half yypos,inputPos_half yypos));
"fixedpoint" => (Tokens.TFIXEDPOINT(yytext,inputPos_half yypos,inputPos_half yypos));
"abstraction" => (Tokens.TABSTRACTION(yytext,inputPos_half yypos,inputPos_half yypos));
"Protocol" => (Tokens.TPROTOCOL(yytext,inputPos_half yypos,inputPos_half yypos));
"Backend" => (Tokens.TBACKEND(yytext,inputPos_half yypos,inputPos_half yypos));
"Types" => (Tokens.TTYPES(yytext,inputPos_half yypos,inputPos_half yypos));
"Knowledge" => (Tokens.TKNOWLEDGE(yytext,inputPos_half yypos,inputPos_half yypos));
"Fixed-point" => (Tokens.TFIXEDPOINT(yytext,inputPos_half yypos,inputPos_half yypos));
"Abstraction" => (Tokens.TABSTRACTION(yytext,inputPos_half yypos,inputPos_half yypos));
"State" => (Tokens.TSTATE(yytext,inputPos_half yypos,inputPos_half yypos));
"FPState" => (Tokens.TFPState(yytext,inputPos_half yypos,inputPos_half yypos));
"iknows" => (Tokens.TIKNOWS(yytext,inputPos_half yypos,inputPos_half yypos));
"attack" => (Tokens.TATTACK(yytext,inputPos_half yypos,inputPos_half yypos));
"witness" => (Tokens.TWITNESS(yytext,inputPos_half yypos,inputPos_half yypos));
"request" => (Tokens.TREQUEST(yytext,inputPos_half yypos,inputPos_half yypos));
"wrequest" => (Tokens.TREQUEST(yytext,inputPos_half yypos,inputPos_half yypos));
"secret" => (Tokens.TSECRET(yytext,inputPos_half yypos,inputPos_half yypos));
"Fact" => (Tokens.TFACT(yytext,inputPos_half yypos,inputPos_half yypos));
"Crypt" => (Tokens.TCRYPT(yytext,inputPos_half yypos,inputPos_half yypos));
"step" => (Tokens.TSTEP(yytext,inputPos_half yypos,inputPos_half yypos));
"Scrypt" => (Tokens.TSCRYPT(yytext,inputPos_half yypos,inputPos_half yypos));
"Cat" => (Tokens.TCAT(yytext,inputPos_half yypos,inputPos_half yypos));
"Inv" => (Tokens.TINV(yytext,inputPos_half yypos,inputPos_half yypos));
"Exp" => (Tokens.TEXP(yytext,inputPos_half yypos,inputPos_half yypos));
"Xor" => (Tokens.TXOR(yytext,inputPos_half yypos,inputPos_half yypos));
(_|{alpha}|{digit})+ => (Tokens.SIMPLE_NAME(yytext,inputPos_half yypos,inputPos_half yypos));
. => (error ("ignoring bad character "^yytext,
((#1 (!pos), yypos - (#3(!pos)), (#3 (!pos)))),
((#1 (!pos), yypos - (#3(!pos)), (#3 (!pos)))));
lex());

2223
src/encoder/ofmc-fp.lex.sml Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,137 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* ofmc_abstraction.sml ---
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: ofmc_abstraction.sml 929 2009-11-01 22:37:06Z brucker $ *)
structure ofmc_abstraction =
struct
open ofmc_connector
open OfmcFp
datatype CMsg = CVariable of string * string
| COperator of string * string * CMsg list
| Abstraction of CMsg * CMsg
datatype CFact = CState of string * CMsg list
| CIknows of CMsg
| CAttack of CMsg
| CWitness of CMsg list
| CRequest of CMsg list
| CSecret of CMsg list
| CFact of string * CMsg
| CNotEqual of CMsg * CMsg
exception error of string
fun mk_unique [] = []
| mk_unique (x::xs) = if (List.exists (fn e => e = x) xs) then (mk_unique xs) else (x::(mk_unique xs))
fun type_abstraction ofmcfp t =
let
val abs = abstractions_of ofmcfp
val types = sel_types_of t ofmcfp
fun decl_of (Atom a, Atom a') = "\""^a^"\" \"nat\""
| decl_of (Operator (opname,_), Atom a) = "\""^opname^"\" \"Msg\" \"nat\""
fun is_t (_,Atom a) = if (List.exists (fn n => (n=a)) types) then true else false
| is_t (_,_) = false
fun name_of (Atom n, _ ) = n
| name_of (Operator (n,_), _) = n
fun is_not_abs s = if (List.exists (fn a => ((name_of a) =s)) abs) then false else true
val abs_t = List.filter is_t abs
fun is_not_t n = if (List.exists (fn a => (name_of a = n)) abs_t)
then false else true
val abs_nott = List.filter is_not_t types
in
case t of
"Function" => mk_unique (map (fn x => "\""^x^"\" \"Msg\"") (List.filter is_not_abs types))
| "Number" => mk_unique ((map decl_of abs_t)@(map (fn a => "\""^(a)^"\"" ) abs_nott))
| _ => mk_unique ((map decl_of abs_t))
end
fun check_abstraction ofmcfp s =
let
fun name_of (Operator(n,_)) = if (String.isPrefix "__" n)
then String.substring(n,2,(String.size n)-2)
else n
| name_of (Atom (n)) = if (String.isPrefix "__" n)
then String.substring(n,2,(String.size n)-2)
else n
val abstractions = List.filter (fn (a,b) => (name_of a) = s) (abstractions_of ofmcfp)
in
case abstractions of
[] => NONE
| ((a,b)::xs) => SOME ("Abs_"^(name_of b))
end
fun deabstractMsg abstractions (Atom s) = (case check_abstraction abstractions s of
NONE => CVariable(s,"")
| SOME a => Abstraction(COperator(s,"",[]),CVariable(a,"")))
| deabstractMsg abstractions (Operator(s,ms)) = (case check_abstraction abstractions s of
NONE => COperator(s,"", map (deabstractMsg abstractions) ms)
| SOME a => Abstraction(COperator(s,"", map (deabstractMsg abstractions) ms),
CVariable(a,"")))
fun deabstractFact abstractions (State (n,ms)) = (CState (n, map (deabstractMsg abstractions) ms))
| deabstractFact abstractions (Iknows m) = (CIknows (deabstractMsg abstractions m))
| deabstractFact abstractions (Attack m) = (CAttack (deabstractMsg abstractions m))
| deabstractFact abstractions (Witness ms) = (CWitness (map (deabstractMsg abstractions) ms))
| deabstractFact abstractions (Request ms) = (CRequest (map (deabstractMsg abstractions) ms))
| deabstractFact abstractions (Secret ms) = (CSecret (map (deabstractMsg abstractions) ms))
| deabstractFact abstractions (Fact (n,m)) = (CFact (n, deabstractMsg abstractions m))
| deabstractFact abstractions (NotEqual (n,m)) = (CNotEqual (deabstractMsg abstractions n, deabstractMsg abstractions m))
| deabstractFact _ _ = raise (error "unknown abstract in deabstractFAct")
end

View File

@ -0,0 +1,138 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* ofmc_connector.sml ---
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: ofmc_connector.sml 903 2009-11-01 19:05:11Z brucker $ *)
signature OFMC_CONNECTOR =
sig
val ofmc_home: unit -> string
val ofmc: string
val wauth: bool ref
(* val generate_fp : string -> theory -> theory *)
val parseOfmcFpOutput: string -> OfmcFp.ofmc_fp
val parseOfmcFpFile: string -> OfmcFp.ofmc_fp
val parseAnBFile: string -> OfmcFp.ofmc_fp
end
structure ofmc_connector :> OFMC_CONNECTOR =
struct
structure OfmcFpParserLrVals =
OfmcFpParserLrValsFun(structure Token = LrParser.Token)
structure OfmcFpParserLex =
OfmcFpParserLexFun(structure Tokens = OfmcFpParserLrVals.Tokens)
structure OfmcFpParserParser = Join(structure LrParser = LrParser
structure ParserData = OfmcFpParserLrVals.ParserData
structure Lex = OfmcFpParserLex)
val ofmc = "ofmc"
val wauth = ref false
fun ofmc_home () = case OS.Process.getEnv "OFMC_HOME" of
SOME p => p^"/bin"
| NONE => ""
fun invoke lexstream =
let fun print_error (s,i:(int * int * int),_) =
TextIO.output(TextIO.stdOut,
"Error, line .... " ^ (Int.toString (#1 i)) ^"."
^(Int.toString (#2 i ))^ ", " ^ s ^ "\n")
in
OfmcFpParserParser.parse(0,lexstream,print_error,())
end
fun parseOfmcFpFile ofmc_output_file =
let
val infile = TextIO.openIn ofmc_output_file
val lexer = OfmcFpParserParser.makeLexer (fn _ => case ((TextIO.inputLine) infile) of
SOME s => s
| NONE => "")
val dummyEOF = OfmcFpParserLrVals.Tokens.EOF((0,0,0),(0,0,0))
fun loop lexer =
let
val _ = (OfmcFpParserLex.UserDeclarations.pos := (0,0,0);())
val (res,lexer) = invoke lexer
val (nextToken,lexer) = OfmcFpParserParser.Stream.get lexer
in
if OfmcFpParserParser.sameToken(nextToken,dummyEOF)
then ((),res)
else loop lexer
end
in
(#2(loop lexer))
end
fun parseOfmcFpOutput ofmc_output=
let
val line = ref ofmc_output
fun readString _ = let val f = !line val _ = (line := "") in f end
val lexer = OfmcFpParserParser.makeLexer (readString)
val dummyEOF = OfmcFpParserLrVals.Tokens.EOF((0,0,0),(0,0,0))
fun loop lexer =
let
val _ = (OfmcFpParserLex.UserDeclarations.pos := (0,0,0);())
val (res,lexer) = invoke lexer
val (nextToken,lexer) = OfmcFpParserParser.Stream.get lexer
in
if OfmcFpParserParser.sameToken(nextToken,dummyEOF)
then ((),res)
else loop lexer
end
in
(#2(loop lexer))
end
fun parseAnBFile filename =
let
val cmd = if !wauth
then (ofmc_home())^ofmc^" "^filename^" -wauth -ot Isa"
else (ofmc_home())^ofmc^" "^filename^" -ot Isa"
val tmpFile = OS.FileSys.tmpName ()
val ofmcStatus = OS.Process.system(cmd^" > "^tmpFile)
val ofmcOutput = parseOfmcFpFile tmpFile
handle e => (OS.FileSys.remove tmpFile; raise e)
val _ = OS.FileSys.remove tmpFile
in
OfmcFp.update_source filename ofmcOutput
end
end

View File

@ -0,0 +1,70 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* ofmc_encoder.sml ---
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: ofmc_encoder.sml 450 2009-02-02 08:59:41Z brucker $ *)
signature OFMC_ENCODER =
sig
val encode_ofmc : OfmcFp.ofmc_fp -> theory -> theory
val ofmcFpTerm_to_term: OfmcFp.ofmc_fp -> term
end
structure ofmc_encoder =
struct
open ofmc_connector
open OfmcFp
open ofmc_abstraction
fun encode_ofmc abstractions thy =
let
val _ = warning "Defining Protocol"
val _ = warning "Defining Fixpoint"
in
thy
end
fun ofmcFpTerm_to_term (CVariable (n,t)) = Free(n,dummyT)
| ofmcFpTerm_to_term (COperator(n,t,ms)) = (Const(n,dummyT)$(foldr1 (op $) (map ofmcFpTerm_to_term ms)))
end

489
src/encoder/ofmc_thygen.sml Normal file
View File

@ -0,0 +1,489 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* ofmc_thygen.sml ---
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: ofmc_thygen.sml 937 2009-11-02 05:21:07Z brucker $ *)
signature OFMC_ENCODER =
sig
val ofmc_thygen: OfmcFp.ofmc_fp -> unit
val ofmc_thygenAnB: string -> unit
val main: string * string list -> unit
end
structure ofmc_thygen =
struct
val varcnt = ref ~1
val noproof = ref false
val version = "0.1"
fun varcount () = ((varcnt := !varcnt + 1); Int.toString(!varcnt))
fun reset_varcount () = ((varcnt := ~1);())
open ofmc_abstraction
fun gen_header ofmcfp =
let
val protocol = protocol_of ofmcfp
fun filename f = let
val filename = (hd o List.rev o (String.tokens (fn c => ( c = #"/") orelse (c = #"\\")))) f
in
if (String.isSubstring ".AnB" filename)
then String.substring(filename,0,(String.size filename) -4)
else filename
end
in
"header {* Analysing "^(protocol)^" *}\n"
^"(* *********************************** \n"
^" This file is automatically generated from the AnB file \""
^(source_of ofmcfp)^"\".\n"
^" Backend: "^(backend_of ofmcfp)^"\n"
^"************************************ *)\n\n"
^"theory"^"\n"
^" \""
^(if source_of ofmcfp = ""
then protocol
else filename (source_of ofmcfp) )
^"\"\n"
^" imports"^"\n"
^" ofmc"^"\n"
^"begin"^"\n\n"
end
fun gen_datatype ofmcfp =
let
fun mk_unique [] = []
| mk_unique (x::xs) = if (List.exists (fn e => e = x) xs) then (mk_unique xs) else (x::(mk_unique xs))
val types = types_of ofmcfp
val agents = sel_types_of "Agent" ofmcfp
val purposes = sel_types_of "Purpose" ofmcfp
val numbers = sel_types_of "Number" ofmcfp
val functions = sel_types_of "Function" ofmcfp
val symkeys = sel_types_of "SymmetricKey" ofmcfp
fun types2string conv [] = "\n"
| types2string conv [x] = (conv x)
| types2string conv (x::xs) = (conv x)^" | "^(types2string conv xs)
val purposes = mk_unique (purposes@(map (fn x => "purpose"^x) numbers))
in
"datatype Role = "^(types2string (fn r => "r"^r) agents)^"\n\n"
^(if purposes = []
then "datatype Purpose = purpose\n"
else "datatype Purpose = "^(types2string (fn x => x) purposes)^"\n")
^"datatype Agent = honest nat\n"
^" | dishonest nat\n\n"
^"datatype Nonce = "^(types2string (fn x => x^"\n") (type_abstraction ofmcfp "Number"))
^" and Msg = Nonce \"Nonce\" \n"
^" | Agent \"Agent\" \n"
^" | Purpose \"Purpose\"\n"
^" | pair \"Msg*Msg\" \n"
^" | scrypt \"Msg*Msg\" \n"
^" | crypt \"Msg*Msg\" \n"
^" | inv \"Msg\" \n"
^" | SID \"nat\" \n"
^" | Step \"nat\" \n"
^" | authentication \n"
^" | secrecy \n"
^"(* SymKeys *)\n"
^" | SymKey \"Msg\"\n"
^(if (type_abstraction ofmcfp "SymmetricKey") = [] then ""
else (" | "^(types2string (fn x => x) (type_abstraction ofmcfp "SymmetricKey"))^"\n"))
^"(* Functions *)\n"
^(if (type_abstraction ofmcfp "Function") = [] then ""
else " | "^(types2string (fn x => x) (type_abstraction ofmcfp "Function"))^"\n")
(* else " | "^(types2string (fn x => x^" \"Msg\"") functions)^"\n") *)
^"\n"
^" datatype Fact = Iknows Msg\n"
^" | State \"Role * (Msg list)\"\n"
^" | Secret \"Msg * Msg\"\n"
^" | Attack \"Msg\"\n"
^" | Witness \"Msg * Msg * Msg * Msg\"\n"
^" | Request \"Msg * Msg * Msg * Msg * Msg\"\n\n\n"
end
fun is_literal ofmcfp (CVariable(n,t)) = let
val types = types_of ofmcfp
val wo_agents = (List.filter (fn (a,b) => a <> "Agent") types)
val constants = List.concat (map (fn t => #2 t) wo_agents)
in
if Int.fromString n = NONE
then if ((List.exists (fn n' => n = n') constants )
orelse n="ni")
then true
else false
else true
end
fun collect_msgvars ofmcfp (CVariable(n,t)) = if is_literal ofmcfp (CVariable(n,t))
then []
else [CVariable(n,t)]
| collect_msgvars ofmcfp (COperator(n,t,ms)) = List.concat (map (collect_msgvars ofmcfp) ms)
| collect_msgvars ofmcfp (Abstraction(m,a)) = (collect_msgvars ofmcfp m)@(collect_msgvars ofmcfp a)
fun collect_vars ofmcfp (CState (s,ms)) = List.concat (map (collect_msgvars ofmcfp) ms)
| collect_vars ofmcfp (CIknows m) = collect_msgvars ofmcfp m
| collect_vars ofmcfp (CAttack m) = collect_msgvars ofmcfp m
| collect_vars ofmcfp (CWitness ms) = List.concat (map (collect_msgvars ofmcfp) ms)
| collect_vars ofmcfp (CRequest ms) = List.concat (map (collect_msgvars ofmcfp) ms)
| collect_vars ofmcfp (CSecret ms) = List.concat (map (collect_msgvars ofmcfp) ms)
| collect_vars ofmcfp (CFact (s,m)) = collect_msgvars ofmcfp m
fun string_of_cmsg (CVariable (s,t)) = s
| string_of_cmsg (COperator (s,t,[])) = s
| string_of_cmsg (COperator (s,t,ms)) = s^"("^(string_of_cmsg_list ms)^")"
| string_of_cmsg (Abstraction (m,n)) = "("^(string_of_cmsg m)^" "^(string_of_cmsg n)^")"
and string_of_cmsg_list [] = ""
| string_of_cmsg_list [m] = string_of_cmsg m
| string_of_cmsg_list (m::ms) = (string_of_cmsg m)^", "^(string_of_cmsg_list ms)
fun gen_exists [] = ""
| gen_exists xs = "? "^(String.concat (map (fn f => string_of_cmsg f^" ") xs))^". \n "
fun string_of_cfact ofmcfp (CState (s,ms)) = "State("^s^", ["^(string_of_cmsg_list ms)^"] )"
| string_of_cfact ofmcfp (CIknows m) = "Iknows("^(string_of_cmsg m)^")"
| string_of_cfact ofmcfp (CAttack m) = "Attack("^(string_of_cmsg m)^")"
| string_of_cfact ofmcfp (CWitness ms) = "Witness("^(string_of_cmsg_list ms)^")"
| string_of_cfact ofmcfp (CRequest ms) = "Request("^(string_of_cmsg_list ms)^")"
| string_of_cfact ofmdfp (CSecret ms) = "Secret("^(string_of_cmsg_list ms)^")"
| string_of_cfact ofmdfp (CFact (s,m)) = "Fact("^s^", "^(string_of_cmsg m)^")"
| string_of_cfact ofmcfp (CNotEqual (n,m)) = "~ ( "^(gen_exists (collect_msgvars ofmcfp m))
^(string_of_cmsg n)^" = "^(string_of_cmsg m)^")"
fun gen_inductive ofmcfp =
let
val protocol = protocol_of ofmcfp
fun gen_knowledge ((k:(string * Fact))::ks) =
let
val protocol = protocol_of ofmcfp
fun string_of_initrule (k:(string * Fact)) = ((#1 k)^": \"[ "
^(string_of_cfact ofmcfp (deabstractFact ofmcfp (#2 k)))
^"] : "^protocol^"\"\n")
in
" "^(string_of_initrule k)
^(String.concat (map (fn k => " | "^(string_of_initrule k)) ks))
end
fun gen_rules rules =
let
val protocol = protocol_of ofmcfp
fun string_of_rule (r:Rule) =
let
val name = case (#1 r) of NONE => "" | SOME s => (s^": ")
fun to_string (CNotEqual (n,m)) = ";\n "^(string_of_cfact ofmcfp (CNotEqual (n,m)))
| to_string f = ";\n "^(string_of_cfact ofmcfp f)^" : (set t)"
in
name^" \"[| t :"^protocol
^(String.concat (map (fn k => to_string (deabstractFact ofmcfp k)) ((#2 r)) ) )
^ "|] \n ==> \n("
^(String.concat (map (fn k => "("^(string_of_cfact ofmcfp (deabstractFact ofmcfp k))^")\n #") ((#3 r))))
^ "t) : "^protocol^"\"\n"
end
in
(String.concat (map (fn k => " | "^(string_of_rule k)) rules))
end
in
"inductive_set\n"
^" "^protocol^"::\"Fact list set\"\n"
^"where\n"
^(gen_knowledge (knowledge_of ofmcfp))
^(gen_rules (rules_of ofmcfp))
end
fun gen_fp ofmcfp =
let
val protocol = protocol_of ofmcfp
val protocolFp = protocol^"_fp"
val inner_quantification = false
fun mk_msgvars_unique (CVariable(n,t)) = if is_literal ofmcfp (CVariable(n,t))
then (CVariable(n,t))
else (CVariable(n^(varcount()),t))
| mk_msgvars_unique (COperator(n,t,ms)) = (COperator(n,t, map mk_msgvars_unique ms))
| mk_msgvars_unique (Abstraction(m,a)) = (Abstraction(mk_msgvars_unique m,
mk_msgvars_unique a))
fun mk_msgvars_unique' v (CVariable(n,t)) = if is_literal ofmcfp (CVariable(n,t))
then (CVariable(n,t))
else
if (v=(CVariable(n,t)))
then (CVariable(n^(varcount()),t))
else (CVariable(n,t))
| mk_msgvars_unique' v (COperator(n,t,ms)) = (COperator(n,t, map (mk_msgvars_unique' v) ms))
| mk_msgvars_unique' v (Abstraction(m,a)) = (Abstraction(mk_msgvars_unique' v m,
mk_msgvars_unique' v a))
fun mk_vars_unique (CState (s,ms)) = (CState (s, map mk_msgvars_unique ms))
| mk_vars_unique (CIknows m) = (CIknows (mk_msgvars_unique m) )
| mk_vars_unique (CAttack m) = (CAttack (mk_msgvars_unique m))
| mk_vars_unique (CWitness ms) = (CWitness (map mk_msgvars_unique ms))
| mk_vars_unique (CRequest ms) = (CRequest (map mk_msgvars_unique ms))
| mk_vars_unique (CSecret ms) = (CSecret (map mk_msgvars_unique ms))
| mk_vars_unique (CFact (s,m)) = (CFact (s,mk_msgvars_unique m))
fun mk_vars_unique' v (CState (s,ms)) = (CState (s, map (mk_msgvars_unique' v) ms))
| mk_vars_unique' v (CIknows m) = (CIknows (mk_msgvars_unique' v m) )
| mk_vars_unique' v (CAttack m) = (CAttack (mk_msgvars_unique' v m))
| mk_vars_unique' v (CWitness ms) = (CWitness (map (mk_msgvars_unique' v) ms))
| mk_vars_unique' v (CRequest ms) = (CRequest (map (mk_msgvars_unique' v) ms))
| mk_vars_unique' v (CSecret ms) = (CSecret (map (mk_msgvars_unique' v) ms))
| mk_vars_unique' v (CFact (s,m)) = (CFact (s,mk_msgvars_unique' v m))
val facts = (((knowledge_of ofmcfp)@(fixedpoint_of ofmcfp)))
fun string_of_fp_fact ofmcfp (n,f) =
let
val _ = reset_varcount()
val cf = mk_vars_unique (deabstractFact ofmcfp f)
in
(gen_exists (collect_vars ofmcfp cf))
^ "m = "
^(string_of_cfact ofmcfp cf)
end
fun string_of_fp_fact' ofmcfp (n,f) = "m = "^(string_of_cfact ofmcfp f)
fun mk_outer_exists facts =
let
fun toSet [] = []
| toSet (x::xs) = if List.exists (fn e => x = e) xs
then toSet xs
else x::(toSet xs)
fun vars_of facts = toSet (List.concat(map (fn (n,f) => collect_vars ofmcfp f) facts))
val vars = vars_of facts
fun mk_v_unique [] (n,f) = (n,f)
| mk_v_unique (v::vs) (n,f) = let
val _ = reset_varcount()
in
mk_v_unique vs (n,mk_vars_unique' v f)
end
val ufacts = map (mk_v_unique vars) facts
val uvars = vars_of ufacts
in
(uvars, ufacts)
end
val cfacts = map (fn (n,f) => (n,deabstractFact ofmcfp f)) facts
val outer_ex = mk_outer_exists cfacts
in
if inner_quantification
then
( "constdefs"
^" "^protocolFp^"::\"Fact set\""
^"\""^protocolFp^" == {m. (\n"
^" ("^(string_of_fp_fact ofmcfp (hd facts)^")\n")
^(String.concat (map (fn f => " | ("^(string_of_fp_fact ofmcfp f)^")\n") (tl facts) ))
^")}\"\n")
else
( "constdefs"
^" "^protocolFp^"::\"Fact set\""
^"\""^protocolFp^" == {m. ( ? "^(String.concat (map (fn f => string_of_cmsg f^" ") (#1 outer_ex )))^".\n"
^" ("^(string_of_fp_fact' ofmcfp (hd (#2 outer_ex ))^")\n")
^(String.concat (map (fn f => " | ("^(string_of_fp_fact' ofmcfp f)^")\n") (tl (#2 outer_ex )) ))
^")}\"\n")
end
fun gen_no_attack ofmcfp =
let
val protocol = (protocol_of ofmcfp)
in
"lemma fp_attack_free: \"~ (Attack m : "^protocol^"_fp)\"\n"
^" by(simp only: "^protocol^"_fp_def, simp only: set2pred, simp, auto?)+\n\n"
end
fun gen_over_approx_auto ofmcfp =
let
val protocol = protocol_of ofmcfp
in
"lemma over_approx: \"t : "^protocol^" ==> (set t) <= "^protocol^"_fp\"\n"
^" apply(rule "^protocol^".induct, simp_all, safe)\n"
^" apply(propagate_fp, simp add: "^protocol^"_fp_def, simp only: set2pred, simp, auto?)+\n"
^"done\n\n"
end
fun gen_over_approx ofmcfp =
let
val protocol = protocol_of ofmcfp
val rulenames = (map (#1) (knowledge_of ofmcfp))@(map (Option.valOf o #1) (rules_of ofmcfp))
fun gen_cuts rn = " apply(propagate_fp, cut_tac "^rn^", (assumption | simp)+)\n"
in
"lemma over_approx: \"t : "^protocol^" ==> (set t) <= "^protocol^"_fp\"\n"
^" apply(rule "^protocol^".induct, simp_all)\n"
^(String.concat (map gen_cuts rulenames))
^"done\n\n"
end
fun checkfp ofmcfp =
let
val protocol = protocol_of ofmcfp
fun check_knowledge (k:(string * Fact)) =
let
val protocol = protocol_of ofmcfp
fun string_of_initrule (k:(string * Fact)) = ((#1 k)^": \""
^(string_of_cfact ofmcfp (deabstractFact ofmcfp (#2 k)))
^" : "^protocol^"_fp\"\n")
in
"lemma "^(string_of_initrule k)
^"by(simp only: "^protocol^"_fp_def, simp only: set2pred, simp, auto?)+\n\n"
end
(*
fun string_of_rule (r:Rule) =
let
val name = case (#1 r) of NONE => "" | SOME s => (s^": ")
fun to_string (CNotEqual (n,m)) = ";\n "^(string_of_cfact (CNotEqual (n,m)))
| to_string f = ";\n "^(string_of_cfact f)^" : (set t)"
in
name^" \"[| t :"^protocol
^(String.concat (map (fn k => to_string (deabstractFact ofmcfp k)) ((#2 r)) ) )
^ "|] \n ==> \n("
^(String.concat (map (fn k => "("^(string_of_cfact (deabstractFact ofmcfp k))^")\n #") ((#3 r))))
^ "t) : "^protocol^"\"\n"
end
*)
fun check_rules (r:Rule) =
let
val protocol = protocol_of ofmcfp
val name = case (#1 r) of NONE => ":" | SOME s => (s^": ")
fun to_string (CNotEqual (n,m)) = (string_of_cfact ofmcfp (CNotEqual (n,m)))
| to_string f = (string_of_cfact ofmcfp f)^" : "^protocol^"_fp"
in
"lemma "^name^" \"[| "
^(String.concat (map (fn k => "\n "^(to_string (deabstractFact ofmcfp k))) ([hd (#2 r)]) ) )
^(String.concat (map (fn k => ";\n "^(to_string (deabstractFact ofmcfp k))) (tl (#2 r)) ) )
^ "|] \n ==> "
^(String.concat (map (fn k => "\n ("^(to_string (deabstractFact ofmcfp k))^")") ([hd (#3 r)])))
^(String.concat (map (fn k => " &\n ("^(to_string (deabstractFact ofmcfp k))^")") (tl (#3 r))))
^ "\"\n"
^"by(simp only: "^protocol^"_fp_def, simp only: set2pred, simp, auto?)+\n\n"
end
in
(String.concat (map check_knowledge (knowledge_of ofmcfp)))
^(String.concat (map check_rules (rules_of ofmcfp)))
end
fun ofmc_thygen ofmcfp =
let
val protocol = protocol_of ofmcfp
val _ = print (gen_header ofmcfp)
val _ = print ("\n\nsection {* Protocol Model ("^protocol^") *}\n")
val _ = print (gen_datatype ofmcfp)
val _ = print ("\n\nsection {* Inductive Protocol Definition ("^protocol^") *}\n")
val _ = print (gen_inductive ofmcfp)
val _ = print ("\n\nsection {* Fixed-point Definition ("^protocol^") *}\n")
val _ = print (gen_fp ofmcfp)
val _ = if !noproof then ()
else (print ("\n\nsection {* Checking Fixed-point ("^protocol^") *}\n");
print (gen_no_attack ofmcfp);
print (checkfp ofmcfp);
print ("\n\nsection {* Security Proof(s) ("^protocol^") *}\n");
print (gen_over_approx ofmcfp))
(* val _ = print ("(* Alternatively, the following script provides an non-modular\n")
val _ = print (" way for proving the over-approximation direclty:\n\n")
val _ = print (gen_over_approx_auto ofmcfp)
val _ = print ("*)\n")
*)
val _ = print ("\n\nend (* theory *)\n")
in () end
val ofmc_thygenAnB = ofmc_thygen o ofmc_connector.parseAnBFile
fun print_usage name = let
val _ = print("\n")
val _ = print("usage: "^name^" [args] <anb-specification>\n")
val _ = print(name^", version "^version^"\n")
val _ = print("\n")
val _ = print(" --wauth\n")
val _ = print(" --noproofs\n")
val _ = print("\n")
in
()
end
fun main (name:string,args:(string list)) =
let
val prgName = (hd o rev) (String.fields (fn s => s = #"/" orelse s = #"\\") name)
in
(
case (prgName,args) of
(n, []) => print_usage name
| (n, "--noproof"::ar) => (noproof := true ; main(name, ar))
| (n, "--wauth"::ar) => (ofmc_connector.wauth := true ; main(name, ar))
| (n, [file]) => if String.isPrefix "-" file
then print_usage name
else ofmc_thygenAnB file
| (_,_) => print_usage name
)
end
end
val _ = ofmc_thygen.main(CommandLine.name(), CommandLine.arguments())

117
src/encoder/ofmcfp.sml Normal file
View File

@ -0,0 +1,117 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* ofmcfp.sml ---
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: ofmcfp.sml 890 2009-10-31 21:34:17Z brucker $ *)
structure OfmcFp = struct
(*
datatype Operator = Crypt | Scrypt | Cat | Inv
*)
datatype Msg = Atom of string
| Operator of string * Msg list
type MsgPat = (Msg * Msg)
type ProtocolState = MsgPat list
datatype Fact = State of string * Msg list
| FPState of string * Msg
| Iknows of Msg
| Attack of Msg
| Witness of Msg list
| Request of Msg list
| Secret of Msg list
| Fact of string * Msg
| NotEqual of (Msg * Msg)
type Rule = (string option * Fact list * Fact list)
type ofmc_fp = {
Protocol: string,
Backend: string,
Types: (string * (string list)) list,
Rules: Rule list,
Knowledge: (string * Fact) list,
FixedPoint: (string * Fact) list,
Abstractions : (Msg * Msg) list,
Source : string
}
val empty_ofmc_fp = {Backend="", Protocol="", Types = [("Number",["NI"])], Rules = [], Knowledge=[], FixedPoint=[],
Abstractions=[(Atom "ni",Atom "NI")], Source=""}:ofmc_fp
(* Abstractions=[(Atom "purpose",Atom "PURPOSE"),(Atom "ni",Atom "NI")], Source=""}:ofmc_fp *)
fun update_protocol protocol ({Backend=backend, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source, ...}:ofmc_fp)
= ({Protocol=protocol, Backend=backend, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source}:ofmc_fp)
fun update_backend backend ({Protocol=protocol, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source, ...}:ofmc_fp)
= ({Protocol=protocol, Backend=backend, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source}:ofmc_fp)
fun update_types types ({Backend=backend, Protocol=protocol, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source, ...}:ofmc_fp)
= ({Protocol=protocol, Backend=backend, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source}:ofmc_fp)
fun update_rules rules ({Backend=backend, Protocol=protocol, Types=types, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source, ...}:ofmc_fp)
= ({Protocol=protocol, Backend=backend, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source}:ofmc_fp)
fun update_knowledge knowledge ({Backend=backend, Protocol=protocol, Types=types, Rules=rules, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source, ...}:ofmc_fp)
= ({Protocol=protocol, Backend=backend, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source}:ofmc_fp)
fun update_fixedpoint fixedpoint ({Backend=backend, Protocol=protocol, Types=types, Rules=rules, Knowledge = knowledge, Abstractions=abstractions,Source=source, ...}:ofmc_fp)
= ({Protocol=protocol, Backend=backend, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source}:ofmc_fp)
fun update_abstractions abstractions ({Backend=backend, Protocol=protocol, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint,Source=source, ...}:ofmc_fp)
= ({Protocol=protocol, Backend=backend, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source}:ofmc_fp)
fun update_source source ({Backend=backend, Protocol=protocol, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint,Abstractions=abstractions, ...}:ofmc_fp)
= ({Protocol=protocol, Backend=backend, Types=types, Rules=rules, Knowledge = knowledge, FixedPoint=fixedpoint, Abstractions=abstractions,Source=source}:ofmc_fp)
fun mk_unique [] = []
| mk_unique (x::xs) = if (List.exists (fn e => e = x) xs) then (mk_unique xs) else (x::(mk_unique xs))
fun backend_of (ofmcfp:ofmc_fp) = case #Backend ofmcfp of "" => "unknown" | s => s
fun protocol_of (ofmcfp:ofmc_fp) = case #Protocol ofmcfp of "" => "protocol" | s => s
fun knowledge_of (ofmcfp:ofmc_fp) = #Knowledge ofmcfp
fun rules_of (ofmcfp:ofmc_fp) = #Rules ofmcfp
fun types_of (ofmcfp:ofmc_fp) = #Types ofmcfp
fun sel_types_of t (ofmcfp:ofmc_fp) = mk_unique (List.concat (map #2 (List.filter (fn (a,b) => a = t) (#Types ofmcfp))))
fun fixedpoint_of (ofmcfp:ofmc_fp) = #FixedPoint ofmcfp
fun abstractions_of (ofmcfp:ofmc_fp) = #Abstractions ofmcfp
fun source_of (ofmcfp:ofmc_fp) = #Source ofmcfp
end

57
src/encoder/root.sml Normal file
View File

@ -0,0 +1,57 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* root.sml ---
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: root.sml 450 2009-02-02 08:59:41Z brucker $ *)
val ord = Char.ord;
val chr = Char.chr;
val print = TextIO.print ;
OS.FileSys.chDir "ml-yacc-lib";
use "root.sml";
OS.FileSys.chDir "..";
use "ofmcfp.sml";
use "ofmc-fp.grm.sig";
use "ofmc-fp.lex.sml";
use "ofmc-fp.grm.sml";
use "ofmc_connector.sml";
use "ofmc_abstraction.sml";
use "ofmc_encoder.sml";

148
src/ofmc.thy Normal file
View File

@ -0,0 +1,148 @@
(*****************************************************************************
* Isabelle-OFMC --- Connecting OFMC and Isabelle/HOL
*
* config.sml.in --- main configuration file for Isabelle-OFMC
* This file is part of Isabelle-OFMC.
*
* Copyright (c) 2009 Achim D. Brucker, Germany
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************)
(* $Id: ofmc.thy 935 2009-11-02 00:02:50Z brucker $ *)
theory
ofmc
imports
Main
(* uses
"kernel_ext/isabelle2009_kernel_patch.ML"
(* "kernel_ext/ProofObligationMgr2008.sml" *)
*)
begin
section {* Auxiliary Lemmata *}
lemma set2pred: " x \<in> {m . P(m)} \<equiv> P(x)"
by(auto)
section {* Proof Obligation Manager Configuration *}
section {* Isabelle/ofmc Specific Tactics *}
(*
setup {*
Method.add_method ("propagate_fp_cterm",
let
fun propagate_fp_tac ctxt facts =
let
val thy = ProofContext.theory_of ctxt
fun m_tac thm =
let
fun collect_facts (((Const ("op :",_))$(t)$(Const("List.set",_)$_))) = [t]
| collect_facts (t1$t2) = ((collect_facts t1)@(collect_facts t2))
| collect_facts (Abs (_,_,t)) = collect_facts t
| collect_facts _ = []
val cand = collect_facts (hd(prems_of(thm)))
fun subst v t = let
val _ = warning ("substituting "^(Syntax.string_of_term ctxt t))
in
(Thm.cterm_of thy (Var((v,0),type_of t)),
Thm.cterm_of thy t)
end
val _ = warning ("Candidates found:")
val _ = map (fn p => warning (" "^(Syntax.string_of_term ctxt p)
)) cand
fun foo [f] = (forw_terminst_tac [] [subst "c" f] (instantiate' [SOME (ctyp_of thy (type_of f))] [] (PureThy.get_thm thy "subsetD")) 1)
THEN (simp_tac HOL_ss 1)
| foo (f::facts) = foo [f] THEN (foo facts)
| foo [] = all_tac
in
(foo cand) thm
end
in
m_tac
end
in
Method.ctxt_args (fn ctxt => Method.METHOD (fn facts => propagate_fp_tac ctxt facts))
end,
"propagate fixed-point")
*})
*)
setup {*
Method.add_method("propagate_fp",
let
fun propagate_fp_tac_str ctxt facts =
let
val thy = ProofContext.theory_of ctxt
fun m_tac thm =
let
fun replace_bounded b (t1$t2) = (replace_bounded b t1)$(replace_bounded b t2)
| replace_bounded b (Bound c) = Free(List.nth (b,(List.length b) - c -1))
| replace_bounded _ t = t
fun collect_facts b (((Const ("op :",_))$(t)$(Const("List.set",_)$_))) = [replace_bounded b t]
| collect_facts b (t1$t2) = ((collect_facts b t1)@(collect_facts b t2))
| collect_facts b (Abs (n,ty,t)) = collect_facts (b@[(n,ty)]) t
| collect_facts _ _ = []
fun to_string f = (PrintMode.setmp [] Display.string_of_cterm (cterm_of thy f))
val cand = case prems_of(thm) of
[] => []
| (p::ps) => collect_facts [] p
(* val _ = warning "Candiates are"
val _ = map (fn s => warning (Syntax.string_of_term ctxt s)) cand *)
(* fun foo [f] = (forw_inst_tac ctxt [("c", to_string f )] (PureThy.get_thm thy "subsetD") 1) *)
fun foo [f] = (forw_inst_tac ctxt [(("c",0), to_string f )] (PureThy.get_thm thy "subsetD") 1)
THEN (simp_tac HOL_ss 1)
| foo (f::facts) = foo [f] THEN (foo facts)
| foo [] = all_tac
in
(foo cand) thm
end
in
m_tac
end
in
Method.ctxt_args (fn ctxt => Method.METHOD (fn facts => propagate_fp_tac_str ctxt facts))
end
,"propagate fixed-point")
*}
end