diff --git a/examples/esorics23-bluetooth/README.md b/examples/esorics23-bluetooth/README.md
new file mode 100644
index 000000000..925894bb7
--- /dev/null
+++ b/examples/esorics23-bluetooth/README.md
@@ -0,0 +1,451 @@
+## Tamarin models of Bluetooth
+
+This project contains Tamarin models of the different Bluetooth technologies: BR/EDR, BLE and BM.
+
+The models represent the different key agreements of each Bluetooth technologies.
+
+All variants of key agreements are represented.
+
+For the analysis, the interaction of each key agreement with each other is studied.
+In the models, different known cryptographic problems affecting Bluetooth have been represented.
+Some proposed patches have also been modeled to test for their efficiency.
+
+This way, the analysis of Tamarin of those models gives an up-to-date view of the security of Bluetooth key agreements.
+
+## Configuration of the models
+
+In addition of running all key agreement interactions, it is possible to study Bluetooth key agreements in some configuration.
+
+A configuration is defined as a set of cryptographic problems that are represented and a set of patches that are applied.
+
+In BR/EDR, the following configuration macros are defined:
+
+- NoLowEntropyLegacy: Disables the ability for an attacker to brute-force the PIN used in Legacy PIN Pairing
+- NoLowEntropySecure: Disables the ability for an attacker to brute-force the passkey used in Secure Passkey Entry
+- InitECDHUnpatched: Represents the fact that the Initiator does not verify the validity of the Responder's public key
+- RespECDHUnpatched: Represents the fact that the Responder does not verify the validity of the Initiator's public key
+
+
+In BLE, the following configuration macros are defined:
+
+- NoLowEntropyLegacy: Disables the ability for an attacker to brute-force the passkey used in Legacy Passkey Entry
+- NoLowEntropySecure: Disables the ability for an attacker to brute-force the passkey used in Secure Passkey Entry
+- NoMalleableC1: Disables the malleability of the $c1$ commitment function in BLE Legacy Pairing
+- InitECDHUnpatched: Represents the fact that the Initiator does not verify the validity of the Responder's public key
+- RespECDHUnpatched: Represents the fact that the Responder does not verify the validity of the Initiator's public key
+- LowEntropyKeysize: Enables the ability for an attacker to brute-force a key which size had been downgraded
+
+
+In BM, the following configuration macros are defined:
+
+- NoLowEntropyAuthValue: Disables the ability for an attacker to brute-force AuthValue used in the Provisioning protocol
+- NoMalleableCMAC: Disables the malleability of the $CMAC$ commitment function Provisioning
+- ProvECDHUnpatched: Represents the fact that the Provisioner does not verify the validity of the Device's public key
+- DevECDHUnpatched: Represents the fact that the Device does not verify the validity of the Provisioner's public key
+- PatchProvisioning1: Represents a proposed patch of Provisioning: the Provisioner should not accept a reflected confirmation value
+- PatchProvisioning2: Represents a proposed patch of Provisioning: the Device computes the commitment value using an inversion of parameters.
+
+## Tamarin outputs warnings
+
+For some models, Tamarin will output well-formedness warnings.
+This is because the models heavily rely on macros, hence when generating a submodel about half of the file is not copied.
+
+However, restrictions are usually copied, and some may rely on action facts that are never generated by this submodel.
+This only means this restriction is not used by the model, but does not alter the validity of the results.
+
+## Command lines
+
+The command lines to run all model in a default configuration are given.
+Running them from the CLI will not save the output file and parse the results.
+The default configuration considers that :
+
+- all imperfections exist
+- but devices have patched ECDH implementations (this is mandated in the specification)
+- 7-bytes keys cannot be brute-forced
+
+### Number of properties analysed
+
+In BR/EDR, there are 11 modeled kind of key agreements.
+This makes 121 possible interactions because the interaction of each key agreement with each one is studied.
+For each interaction, there are 6 properties studied (5 security properties and 1 functional property).
+Therefore, running all the commands will prove 726 lemmas (including 605 security properties).
+
+In BLE, there are 13 modeled kind of key agreements.
+This makes 169 possible interactions because the interaction of each key agreement with each one is studied.
+For each interaction, there are 6 properties studied (5 security properties and 1 functional property).
+Therefore, running all the commands will prove 1014 lemmas (including 845 security properties).
+
+In Mesh, there are 8 modeled kind of key agreements.
+This makes 64 possible interactions because the interaction of each key agreement with each one is studied.
+For each interaction, there are 10 properties studied (9 security properties and 1 functional property).
+Therefore, running all the commands will prove 640 lemmas (including 576 security properties).
+
+### BR/EDR
+
+```
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespLeg -DRespLegPINi -DLegPINiLegPINi -DInputInput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespLeg -DRespLegPINo -DLegPINiLegPINo -DInputOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespLeg -DRespLegPINio -DLegPINiLegPINio -DInputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespLeg -DRespLegPINi -DLegPINoLegPINi -DOutputInput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespLeg -DRespLegPINo -DLegPINoLegPINo -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespLeg -DRespLegPINio -DLegPINoLegPINio -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespLeg -DRespLegPINi -DLegPINioLegPINi -DInoutInput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespLeg -DRespLegPINo -DLegPINioLegPINo -DInoutOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespLeg -DRespLegPINio -DLegPINioLegPINio -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecJW -DSecJWSecJW --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEi -DSecJWSecPEi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEo -DSecJWSecPEo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEio -DSecJWSecPEio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecNC -DSecJWSecNC --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBi -DSecJWSecOOBi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBo -DSecJWSecOOBo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBio -DSecJWSecOOBio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecJW -DSecPEiSecJW -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecPE -DRespSecPEi -DSecPEiSecPEi -DInputInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecPE -DRespSecPEo -DSecPEiSecPEo -DInputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecPE -DRespSecPEio -DSecPEiSecPEio -DInputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecNC -DSecPEiSecNC -DInputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEiSecOOBi -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEiSecOOBo -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEiSecOOBio -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecJW -DSecPEoSecJW -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEi -DSecPEoSecPEi -DOutputInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEo -DSecPEoSecPEo -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEio -DSecPEoSecPEio -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecNC -DSecPEoSecNC -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEoSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEoSecOOBo -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEoSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecJW -DSecPEioSecJW -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEi -DSecPEioSecPEi -DInoutInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEo -DSecPEioSecPEo -DInoutOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEio -DSecPEioSecPEio -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecNC -DSecPEioSecNC -DInoutOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEioSecOOBi -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEioSecOOBo -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEioSecOOBio -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecJW -DSecNCSecJW -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEi -DSecNCSecPEi -DOutputInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEo -DSecNCSecPEo -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEio -DSecNCSecPEio -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecNC -DSecNCSecNC -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB -DRespSecOOBi -DSecNCSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB -DRespSecOOBo -DSecNCSecOOBo -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB -DRespSecOOBio -DSecNCSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecJW -DSecOOBiSecJW --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBiSecPEi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBiSecPEo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBiSecPEio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecNC -DSecOOBiSecNC --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBiSecOOBi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBiSecOOBo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBiSecOOBio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecJW -DSecOOBoSecJW --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBoSecPEi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBoSecPEo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBoSecPEio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecNC -DSecOOBoSecNC --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBoSecOOBi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBoSecOOBo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBoSecOOBio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecJW -DSecOOBioSecJW --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBioSecPEi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBioSecPEo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBioSecPEio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecNC -DSecOOBioSecNC --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBioSecOOBi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBioSecOOBo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBioSecOOBio --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecJW -DLegPINiSecJW -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecPE -DRespSecPEi -DLegPINiSecPEi -DInputInput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecPE -DRespSecPEo -DLegPINiSecPEo -DInputOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecPE -DRespSecPEio -DLegPINiSecPEio -DInputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecNC -DLegPINiSecNC -DInputOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPINiSecOOBi -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPINiSecOOBo -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecOOB -DRespSecOOBio -DLegPINiSecOOBio -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecJW -DLegPINoSecJW -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecPE -DRespSecPEi -DLegPINoSecPEi -DOutputInput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecPE -DRespSecPEo -DLegPINoSecPEo -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecPE -DRespSecPEio -DLegPINoSecPEio -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecNC -DLegPINoSecNC -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPINoSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPINoSecOOBo -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecOOB -DRespSecOOBio -DLegPINoSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecJW -DLegPINioSecJW -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecPE -DRespSecPEi -DLegPINioSecPEi -DInoutInput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecPE -DRespSecPEo -DLegPINioSecPEo -DInoutOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecPE -DRespSecPEio -DLegPINioSecPEio -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecNC -DLegPINioSecNC -DInoutOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPINioSecOOBi -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPINioSecOOBo -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecOOB -DRespSecOOBio -DLegPINioSecOOBio -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPINi -DSecJWLegPINi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPINo -DSecJWLegPINo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPINio -DSecJWLegPINio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPINi -DSecPEiLegPINi -DInputInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPINo -DSecPEiLegPINo -DInputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPINio -DSecPEiLegPINio -DInputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPINi -DSecPEoLegPINi -DOutputInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPINo -DSecPEoLegPINo -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPINio -DSecPEoLegPINio -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPINi -DSecPEioLegPINi -DInoutInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPINo -DSecPEioLegPINo -DInoutOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPINio -DSecPEioLegPINio -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPINi -DSecNCLegPINi -DOutputInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPINo -DSecNCLegPINo -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPINio -DSecNCLegPINio -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegPINi -DSecOOBiLegPINi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegPINo -DSecOOBiLegPINo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegPINio -DSecOOBiLegPINio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPINi -DSecOOBoLegPINi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPINo -DSecOOBoLegPINo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPINio -DSecOOBoLegPINio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPINi -DSecOOBioLegPINi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPINo -DSecOOBioLegPINo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPINio -DSecOOBioLegPINio --prove
+```
+
+### BLE
+
+```
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespLeg -DRespLegJW -DLegJWLegJW --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespLeg -DRespLegPE -DRespLegPEi -DLegJWLegPEi --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespLeg -DRespLegPE -DRespLegPEo -DLegJWLegPEo --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespLeg -DRespLegPE -DRespLegPEio -DLegJWLegPEio --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespLeg -DRespLegOOB -DLegJWLegOOB --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespLeg -DRespLegJW -DLegPEiLegJW -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespLeg -DRespLegPE -DRespLegPEi -DLegPEiLegPEi -DInputInput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespLeg -DRespLegPE -DRespLegPEo -DLegPEiLegPEo -DInputOutput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespLeg -DRespLegPE -DRespLegPEio -DLegPEiLegPEio -DInputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespLeg -DRespLegOOB -DLegPEiLegOOB -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespLeg -DRespLegJW -DLegPEoLegJW -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespLeg -DRespLegPE -DRespLegPEi -DLegPEoLegPEi -DOutputInput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespLeg -DRespLegPE -DRespLegPEo -DLegPEoLegPEo -DOutputOutput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespLeg -DRespLegPE -DRespLegPEio -DLegPEoLegPEio -DOutputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespLeg -DRespLegOOB -DLegPEoLegOOB -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespLeg -DRespLegJW -DLegPEioLegJW -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespLeg -DRespLegPE -DRespLegPEi -DLegPEioLegPEi -DInoutInput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespLeg -DRespLegPE -DRespLegPEo -DLegPEioLegPEo -DInoutOutput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespLeg -DRespLegPE -DRespLegPEio -DLegPEioLegPEio -DInoutInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespLeg -DRespLegOOB -DLegPEioLegOOB -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespLeg -DRespLegJW -DLegOOBLegJW --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespLeg -DRespLegPE -DRespLegPEi -DLegOOBLegPEi --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespLeg -DRespLegPE -DRespLegPEo -DLegOOBLegPEo --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespLeg -DRespLegPE -DRespLegPEio -DLegOOBLegPEio --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespLeg -DRespLegOOB -DLegOOBLegOOB --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecJW -DSecJWSecJW --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEi -DSecJWSecPEi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEo -DSecJWSecPEo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEio -DSecJWSecPEio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecNC -DSecJWSecNC --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBi -DSecJWSecOOBi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBo -DSecJWSecOOBo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBio -DSecJWSecOOBio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecJW -DSecPEiSecJW -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecPE -DRespSecPEi -DSecPEiSecPEi -DInputInput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecPE -DRespSecPEo -DSecPEiSecPEo -DInputOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecPE -DRespSecPEio -DSecPEiSecPEio -DInputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecNC -DSecPEiSecNC -DInputOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEiSecOOBi -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEiSecOOBo -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEiSecOOBio -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecJW -DSecPEoSecJW -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEi -DSecPEoSecPEi -DOutputInput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEo -DSecPEoSecPEo -DOutputOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEio -DSecPEoSecPEio -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecNC -DSecPEoSecNC -DOutputOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEoSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEoSecOOBo -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEoSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecJW -DSecPEioSecJW -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEi -DSecPEioSecPEi -DInoutInput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEo -DSecPEioSecPEo -DInoutOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEio -DSecPEioSecPEio -DInoutInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecNC -DSecPEioSecNC -DInoutOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEioSecOOBi -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEioSecOOBo -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEioSecOOBio -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecJW -DSecNCSecJW -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEi -DSecNCSecPEi -DOutputInput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEo -DSecNCSecPEo -DOutputOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEio -DSecNCSecPEio -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecNC -DSecNCSecNC -DOutputOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB -DRespSecOOBi -DSecNCSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB -DRespSecOOBo -DSecNCSecOOBo -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB -DRespSecOOBio -DSecNCSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecJW -DSecOOBiSecJW --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBiSecPEi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBiSecPEo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBiSecPEio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecNC -DSecOOBiSecNC --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBiSecOOBi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBiSecOOBo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBiSecOOBio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecJW -DSecOOBoSecJW --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBoSecPEi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBoSecPEo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBoSecPEio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecNC -DSecOOBoSecNC --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBoSecOOBi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBoSecOOBo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBoSecOOBio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecJW -DSecOOBioSecJW --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBioSecPEi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBioSecPEo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBioSecPEio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecNC -DSecOOBioSecNC --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBioSecOOBi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBioSecOOBo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBioSecOOBio --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecJW -DLegJWSecJW --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecPE -DRespSecPEi -DLegJWSecPEi --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecPE -DRespSecPEo -DLegJWSecPEo --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecPE -DRespSecPEio -DLegJWSecPEio --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecNC -DLegJWSecNC --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecOOB -DRespSecOOBi -DLegJWSecOOBi --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecOOB -DRespSecOOBo -DLegJWSecOOBo --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecOOB -DRespSecOOBio -DLegJWSecOOBio --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecJW -DLegPEiSecJW -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecPE -DRespSecPEi -DLegPEiSecPEi -DInputInput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecPE -DRespSecPEo -DLegPEiSecPEo -DInputOutput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecPE -DRespSecPEio -DLegPEiSecPEio -DInputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecNC -DLegPEiSecNC -DInputOutput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPEiSecOOBi -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPEiSecOOBo -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecOOB -DRespSecOOBio -DLegPEiSecOOBio -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecJW -DLegPEoSecJW -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecPE -DRespSecPEi -DLegPEoSecPEi -DOutputInput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecPE -DRespSecPEo -DLegPEoSecPEo -DOutputOutput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecPE -DRespSecPEio -DLegPEoSecPEio -DOutputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecNC -DLegPEoSecNC -DOutputOutput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPEoSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPEoSecOOBo -DOutputInput -DOutputOutput -DOutputInout
--prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecOOB -DRespSecOOBio -DLegPEoSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecJW -DLegPEioSecJW -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecPE -DRespSecPEi -DLegPEioSecPEi -DInoutInput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecPE -DRespSecPEo -DLegPEioSecPEo -DInoutOutput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecPE -DRespSecPEio -DLegPEioSecPEio -DInoutInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecNC -DLegPEioSecNC -DInoutOutput --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPEioSecOOBi -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPEioSecOOBo -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecOOB -DRespSecOOBio -DLegPEioSecOOBio -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecJW -DLegOOBSecJW --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecPE -DRespSecPEi -DLegOOBSecPEi --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecPE -DRespSecPEo -DLegOOBSecPEo --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecPE -DRespSecPEio -DLegOOBSecPEio --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecNC -DLegOOBSecNC --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecOOB -DRespSecOOBi -DLegOOBSecOOBi --prove
+tamarin-prover ble.spthy -DInitLeg
-DInitLegOOB -DRespSec -DRespSecOOB -DRespSecOOBo -DLegOOBSecOOBo --prove
+tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecOOB -DRespSecOOBio -DLegOOBSecOOBio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegJW -DSecJWLegJW --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPE -DRespLegPEi -DSecJWLegPEi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPE -DRespLegPEo -DSecJWLegPEo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPE -DRespLegPEio -DSecJWLegPEio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegOOB -DSecJWLegOOB --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegJW -DSecPEiLegJW -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPE -DRespLegPEi -DSecPEiLegPEi -DInputInput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPE -DRespLegPEo -DSecPEiLegPEo -DInputOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPE -DRespLegPEio -DSecPEiLegPEio -DInputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegOOB -DSecPEiLegOOB -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegJW -DSecPEoLegJW -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPE -DRespLegPEi -DSecPEoLegPEi -DOutputInput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPE -DRespLegPEo -DSecPEoLegPEo -DOutputOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPE -DRespLegPEio -DSecPEoLegPEio -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg
-DRespLegOOB -DSecPEoLegOOB -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegJW -DSecPEioLegJW -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPE -DRespLegPEi -DSecPEioLegPEi -DInoutInput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPE -DRespLegPEo -DSecPEioLegPEo -DInoutOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPE -DRespLegPEio -DSecPEioLegPEio -DInoutInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegOOB -DSecPEioLegOOB -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegJW -DSecNCLegJW -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPE -DRespLegPEi -DSecNCLegPEi -DOutputInput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPE -DRespLegPEo -DSecNCLegPEo -DOutputOutput --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPE -DRespLegPEio -DSecNCLegPEio -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegOOB -DSecNCLegOOB -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegJW -DSecOOBiLegJW --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegPE -DRespLegPEi -DSecOOBiLegPEi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegPE -DRespLegPEo -DSecOOBiLegPEo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegPE -DRespLegPEio -DSecOOBiLegPEio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegOOB -DSecOOBiLegOOB --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegJW -DSecOOBoLegJW --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPE -DRespLegPEi -DSecOOBoLegPEi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPE -DRespLegPEo -DSecOOBoLegPEo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPE -DRespLegPEio -DSecOOBoLegPEio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegOOB -DSecOOBoLegOOB --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegJW -DSecOOBioLegJW --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPE -DRespLegPEi -DSecOOBioLegPEi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPE -DRespLegPEo -DSecOOBioLegPEo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPE -DRespLegPEio -DSecOOBioLegPEio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegOOB -DSecOOBioLegOOB --prove
+```
+
+### Mesh
+
+```
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBnoEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBnoEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBnoEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBnoEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBiEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH
-DDevECDH -DEiOOBiEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBiEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBiEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBoEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBoEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBoEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBoEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBsEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBsEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBsEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBsEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBnoEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBnoEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBnoEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBnoEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEo
-DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBiEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBiEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBiEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBiEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBoEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBoEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBoEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBoEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBsEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBsEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBsEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBsEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBnoEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBnoEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBnoEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEo
-DProvEoOOBno -DProvOOBno -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBnoEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBiEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBiEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBiEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBiEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBoEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBoEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBoEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBoEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBsEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBsEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBsEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBsEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBnoEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBnoEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBnoEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBnoEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBiEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBiEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBiEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBiEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBoEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBoEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBoEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBoEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBsEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBsEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBsEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBsEoOOBs --prove
+```
+
diff --git a/examples/esorics23-bluetooth/models/ble.spthy b/examples/esorics23-bluetooth/models/ble.spthy
new file mode 100644
index 000000000..a34ba7555
--- /dev/null
+++ b/examples/esorics23-bluetooth/models/ble.spthy
@@ -0,0 +1,14828 @@
+theory BluetoothLowEnergyPairing
+begin
+
+builtins: diffie-hellman, symmetric-encryption
+
+functions:
+ aes_cmac/2, // Interface is aes_cmac(key, data)
+ f4/4,
+ g2/4,
+ f5_mackey/6,
+ f5_ltk/6,
+ f6/7,
+ c1/8, // Function used in Legacy Pairing
+ s1/3, // Function used in Legacy Pairing
+ split1/1,
+ split2/1,
+ recover/2,
+ low_entropy/1,
+ reduce_key/2,
+ e/3,
+ extract_e/1
+
+equations:
+ f4(u,v,x,z) = aes_cmac(x,), // f4 according to the spec (Vol 3 Part H, 2.2.6)
+ g2(u,v,x,y) = aes_cmac(x,), // g2 according to the spec (Vol 3 Part H, 2.2.9, p.994
+ //f5_mackey(w,n1,n2,kid,a1,a2) = aes_cmac(aes_cmac(w, 'salt'), <'0',n1, n2, kid, a1, a2>), // f5 according to the spec (Vol 3 Part H, 2.2.7) <- Tamarin doesn't like constants in equations
+ //f5_ltk(w, n1, n2, kid, a1, a2) = aes_cmac(aes_cmac(w, 'salt'), <'1',n1, n2, kid, a1, a2>), // f5 according to the spec (Vol 3 Part H, 2.2.7) <- Tamarin doesn't like constats in equations
+ f6(w, n1, n2, r, iocap, a1, a2) = aes_cmac(w, ), // f6 according to the spec (Vol 3 Part H 2.2.8)
+ recover(split1(x), split2(x)) = x, // Allow the attacker to reconstruct the passkey from two halves
+ extract_e(e(t,s,n)) = n // Representation of a public key, allows the extraction of the public component
+
+#ifdef NoMalleableC1
+#else
+functions:
+ get_nonce/8
+
+equations:
+ c1(x, get_nonce(cf, x, b, c, d, e, f, g), b, c, d, e, f, g) = cf, // A representation of Rosa's attack on Legacy Pairing malleable commitment
+ get_nonce(c1(x, n, b, c, d, e, f, g), x, b, c, d, e, f, g) = n // A representation of Rosa's attack on Legacy Pairing malleable commitment
+#endif
+
+rule CreateDevice:
+ []
+ --[]->
+ [!Device(<$id,$cap,'strong'>), // Represents a device
+ Out(<$id,$cap,'strong'>)] // The device announces itself (sort of)
+ // 'strong": by default, devices want to have a strong key, i.e. 16 bytes
+
+/*
+This represents the messages leading to Pairing (it is very simplified).
+Here, the Initiator receives the responder's address and capabilities,
+the Responder receives the Initiator's address and capabilities.
+*/
+rule InitPreparePairing:
+ [
+ !Device(<$idI, $capI, $keysizeI>),
+ In(<$idR, $capR, $keysizeR>)
+ ]
+ --[
+ InitPreparePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]->
+ [
+ InitPreparePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+
+rule RespPreparePairing:
+ [
+ !Device(<$idR, $capR, $keysizeR>),
+ In(<$idI, $capI, $keysizeI>)
+ ]
+ --[
+ RespPreparePairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]->
+ [
+ RespPreparePairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+
+/*
+* Select the Pairing method. Here, it is one of :
+* - Legacy JustWorks (LegJW)
+* - Legacy Passkey Entry (LegPE)
+* - Legacy Out of Band (LegOOB)
+* - Secure JustWorks (SecJW)
+* - Secure Passkey Entry (SecPE)
+* - Secure NumericComparison (SecNC)
+* - Secure Out of Band (SecOOB)
+*
+* The model restricts the choice to one Pairing method per role (Initiator or Responder)
+* through the restrictions InitOnlyOncePairing / RespOnlyOncePairing
+* Therefore, only one session can be ran.
While not ideal, this prevents a state explosion :
+* Even with a much simpler model (one Pairing method), Tamarin runs out of RAM when studying
+* an unbounded number of sessions
+*
+* Possibility: Change the model to create a bounded number of sessions
+*/
+
+#ifdef InitLegJW
+rule InitPrepareLegJW:
+ [
+ InitPreparePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoLegJW()
+ ]->
+ [
+ InitDoLegJW($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef RespLegJW
+rule RespPrepareLegJW:
+ [
+ RespPreparePairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoLegJW()
+ ]->
+ [
+ RespDoLegJW($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+
+#ifdef InitLegPE
+rule InitPrepareLegPE:
+ [
+ InitPreparePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoLegPE()
+ ]->
+ [
+ InitChooseLegPEMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef RespLegPE
+rule RespPrepareLegPE:
+ [
+ RespPreparePairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoLegPE()
+ ]->
+ [
+ RespChooseLegPEMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef InitLegOOB
+rule InitPrepareLegOOB:
+ [
+ InitPreparePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoLegOOB()
+ ]->
+ [
+ InitDoLegOOB($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef RespLegOOB
+rule RespPrepareLegOOB:
+ [
+ RespPreparePairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoLegOOB()
+ ]->
+ [
+ RespDoLegOOB($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef InitSecJW
+rule InitPrepareSecJW:
+ [
+ InitPreparePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoSecJW()
+ ]->
+ [
+ InitDoSecJW($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ InitDoECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef RespSecJW
+rule RespPrepareSecJW:
+ [
+ RespPreparePairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoSecJW()
+ ]->
+ [
+ RespDoSecJW($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ RespDoECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef InitSecPE
+rule InitPrepareSecPE:
+ [
+ InitPreparePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoSecPE()
+ ]->
+ [
+ InitDoSecPE($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ InitChooseSecPEMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef RespSecPE
+rule RespPrepareSecPE:
+ [
+ RespPreparePairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoSecPE()
+ ]->
+ [
+ RespDoSecPE($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ RespChooseSecPEMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef InitSecNC
+rule InitPrepareSecNC:
+ [
+ InitPreparePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoSecNC()
+ ]->
+ [
+ InitDoSecNC($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ InitDoECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef RespSecNC
+rule RespPrepareSecNC:
+ [
+ RespPreparePairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoSecNC()
+ ]->
+ [
+ RespDoSecNC($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ RespDoECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef InitSecOOB
+rule InitPrepareSecOOB:
+ [
+ InitPreparePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoSecOOB()
+ ]->
+ [
+ InitDoSecOOB($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+
InitChooseOOBMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef RespSecOOB
+rule RespPrepareSecOOB:
+ [
+ RespPreparePairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoSecOOB()
+ ]->
+ [
+ RespDoSecOOB($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ RespChooseOOBMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+/*
+ * This dispatches the Initiator and Responder to the chosen variant
+ * of the PE Pairing method.
+ * The possibility are:
+ * - PEi : Passkey Entry, can take inputs from the user
+ * - PEo : Passkey Entry, device outputs to the user
+ * - PEio : Passkey Entry, device can take inputs or outputs to the user
+*/
+
+#ifdef InitLegPEi
+rule InitDoLegPEi:
+ [
+ InitChooseLegPEMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitLegPEOnlyOnce(),
+ InitWillDoLegPEi()
+ ]->
+ [
+ InitWaitUserInput(),
+ InitTriggerUserInteraction(),
+ InitReadyPE($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef InitLegPEo
+rule InitDoLegPEo:
+ [
+ InitChooseLegPEMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ Fr(~passkey)
+ ]
+ --[
+ InitLegPEOnlyOnce(),
+ InitWillDoLegPEo()
+ ]->
+ [
+ InitWaitUserConfirm(~passkey),
+ InitTriggerUserInteraction(),
+ InitReadyPE($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef InitLegPEio
+rule InitDoLegPEio:
+ [
+ InitChooseLegPEMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ Fr(~passkey)
+ ]
+ --[
+ InitLegPEOnlyOnce(),
+ InitWillDoLegPEio()
+ ]->
+ [
+ InitWaitUserInout(~passkey),
+ InitTriggerUserInteraction(),
+ InitReadyPE($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef RespLegPEi
+rule RespDoLegPEi:
+ [
+ RespChooseLegPEMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespLegPEOnlyOnce(),
+ RespWillDoLegPEi()
+ ]->
+ [
+ RespWaitUserInput(),
+ RespTriggerUserInteraction(),
+ RespReadyPE($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef RespLegPEo
+rule RespDoLegPEo:
+ [
+ RespChooseLegPEMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ Fr(~passkey)
+ ]
+ --[
+ RespLegPEOnlyOnce(),
+ RespWillDoLegPEo()
+ ]->
+ [
+ RespWaitUserConfirm(~passkey),
+ RespTriggerUserInteraction(),
+ RespReadyPE($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef RespLegPEio
+rule RespDoLegPEio:
+ [
+ RespChooseLegPEMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ Fr(~passkey)
+ ]
+ --[
+ RespLegPEOnlyOnce(),
+ RespWillDoLegPEio()
+ ]->
+ [
+ RespWaitUserInout(~passkey),
+ RespTriggerUserInteraction(),
+ RespReadyPE($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef InitSecPEi
+rule InitChooseSecPEi:
+ [
+ InitChooseSecPEMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitSecPEOnlyOnce(),
+ InitWillDoSecPEi()
+ ]->
+ [
+ InitWaitUserInput(),
+ InitDoSecPEi($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ InitDoECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef InitSecPEo
+rule InitChooseSecPEo:
+ [
+ InitChooseSecPEMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ Fr(~passkey)
+ ]
+ --[
+ InitSecPEOnlyOnce(),
+ InitWillDoSecPEo()
+ ]->
+ [
+ InitWaitUserConfirm(~passkey),
+ InitDoSecPEo($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ InitDoECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef InitSecPEio
+rule InitChooseSecPEio:
+ [
+ InitChooseSecPEMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ Fr(~passkey)
+ ]
+ --[
+ InitSecPEOnlyOnce(),
+ InitWillDoSecPEio()
+ ]->
+ [
+ InitWaitUserInout(~passkey),
+ InitDoSecPEio($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ InitDoECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef RespSecPEi
+rule RespChooseSecPEi:
+ [
+ RespChooseSecPEMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespSecPEOnlyOnce(),
+ RespWillDoSecPEi()
+ ]->
+ [
+ RespWaitUserInput(),
+ RespDoSecPEi($idR, $capR,
$keysizeR, $idI, $capI, $keysizeI),
+ RespDoECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef RespSecPEo
+rule RespChooseSecPEo:
+ [
+ RespChooseSecPEMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ Fr(~passkey)
+ ]
+ --[
+ RespSecPEOnlyOnce(),
+ RespWillDoSecPEo()
+ ]->
+ [
+ RespWaitUserConfirm(~passkey),
+ RespDoSecPEo($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ RespDoECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef RespSecPEio
+rule RespChooseSecPEio:
+ [
+ RespChooseSecPEMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ Fr(~passkey)
+ ]
+ --[
+ RespSecPEOnlyOnce(),
+ RespWillDoSecPEio()
+ ]->
+ [
+ RespWaitUserInout(~passkey),
+ RespDoSecPEio($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ RespDoECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+/*
+ * This dispatches the Initiator and Responder to the chosen variant
+ * of the Secure OOB Pairing method.
+ * The possibility are:
+ * - OOBi : OOB, device expects input OOB data
+ * - OOBo : OOB, device outputs OOB data
+ * - OOBio : OOB, device expects and outputs OOB data
+*/
+#ifdef InitSecOOBi
+rule InitChooseSecOOBi:
+ [
+ InitChooseOOBMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitSecOOBOnlyOnce(),
+ InitWillDoSecOOBi()
+ ]->
+ [
+ InitDoSecOOBi($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ InitDoECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef InitSecOOBo
+rule InitChooseSecOOBo:
+ [
+ InitChooseOOBMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitSecOOBOnlyOnce(),
+ InitWillDoSecOOBo()
+ ]->
+ [
+ InitDoSecOOBo($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ InitDoECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef InitSecOOBio
+rule InitChooseSecOOBio:
+ [
+ InitChooseOOBMode($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitSecOOBOnlyOnce(),
+ InitWillDoSecOOBio()
+ ]->
+ [
+ InitDoSecOOBio($idI, $capI,
$keysizeI, $idR, $capR, $keysizeR),
+ InitDoECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+#endif
+
+#ifdef RespSecOOBi
+rule RespChooseSecOOBi:
+ [
+ RespChooseOOBMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespSecOOBOnlyOnce(),
+ RespWillDoSecOOBi()
+ ]->
+ [
+ RespDoSecOOBi($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ RespDoECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef RespSecOOBo
+rule RespChooseSecOOBo:
+ [
+ RespChooseOOBMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespSecOOBOnlyOnce(),
+ RespWillDoSecOOBo()
+ ]->
+ [
+ RespDoSecOOBo($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ RespDoECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+#ifdef RespSecOOBio
+rule RespChooseSecOOBio:
+ [
+ RespChooseOOBMode($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespSecOOBOnlyOnce(),
+ RespWillDoSecOOBio()
+ ]->
+ [
+ RespDoSecOOBio($idR, $capR, $keysizeR, $idI, $capI, $keysizeI),
+ RespDoECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+#endif
+
+/* Legacy Pairing
+*/
+#ifdef InitLegJW
+rule InitStartLegJW:
+ [
+ InitDoLegJW($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ InitStartLegJW($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]->
+ [
+ InitDoLegPairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, 'zero') // In JW, the value 'TK' is a null bitstring
+ ]
+#endif
+
+#ifdef RespLegJW
+rule RespStartLegJW:
+ [
+ RespDoLegJW($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ RespStartLegJW($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]->
+ [
+ RespDoLegPairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, 'zero') // In JW, the value 'TK' is a null bitstring
+ ]
+#endif
+
+#ifdef InitLegPE
+rule InitStartLegPE:
+ [
+ InitReadyPE($idI, $capI, $keysizeI, $idR, $capR, $keysizeR),
+ InitUserProceed(passkey)
+ ]
+ --[
+ InitStartLegPE($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, passkey),
+ LowEntropy(passkey)
+
]-> + [ + InitDoLegPairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, low_entropy(passkey)), // In PE, the value 'TK' is the passkey + LowEntropy(passkey) + ] +#endif + +#ifdef RespLegPE +rule RespStartLegPE: + [ + RespReadyPE($idR, $capR, $keysizeR, $idI, $capI, $keysizeI), + RespUserProceed(passkey) + ] + --[ + RespStartLegPE($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, passkey), + LowEntropy(passkey) + ]-> + [ + RespDoLegPairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, low_entropy(passkey)), // In PE, the value 'TK' is the passkey + LowEntropy(passkey) + ] +#endif + +#ifdef InitLegOOB +rule InitStartLegOOB: + [ + InitDoLegOOB($idI, $capI, $keysizeI, $idR, $capR, $keysizeR), + Fr(~oob) + ] + --[ + InitStartLegOOB($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, ~oob), + LegOOBChannel(~oob) + ]-> + [ + InitDoLegPairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, ~oob), // In OOB, the value 'TK' is the OOB data + LegOOBChannel(~oob) + ] +#endif + +#ifdef RespLegOOB +rule RespStartLegOOB: + [ + RespDoLegOOB($idR, $capR, $keysizeR, $idI, $capI, $keysizeI), + LegOOBChannel(~oob) // Assume the Initiator sent the OOB data to the responder somehow + ] + --[ + RespStartLegOOB($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, ~oob) + ]-> + [ + RespDoLegPairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, ~oob) // In OOB, the value 'TK' is the OOB data + ] +#endif + + +/* Start of Legacy Pairing protocol */ + +#ifdef InitLeg +rule InitPairingConfirm: + let Ci = c1(TK, ~ni, $capI, $capR, $idI, $idR, $keysizeI, $keysizeR) in + [ + InitDoLegPairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK), + Fr(~ni) + ] + --[ + InitSentConfirm($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, Ci) + ]-> + [ + InitSentConfirm($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, Ci), + Out(Ci) + ] + +rule InitPairingRandom: + [ + InitSentConfirm($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, Ci), + In(Cr) + ] + --[ + InitSentRandom($idI, $capI, 
$keysizeI, $idR, $capR, $keysizeR, TK, ~ni, Ci, Cr) + ]-> + [ + InitSentRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, Ci, Cr), + Out(~ni) + ] + +rule InitEndPairing: + let computed_Cr = c1(TK, nr, $capI, $capR, $idI, $idR, $keysizeI, $keysizeR) in + [ + InitSentRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, Ci, computed_Cr), // Verify equality of Cr, computed_Cr + In(nr) + ] + --[ + InitDonePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, nr, Ci, computed_Cr) + ]-> + [ + InitDonePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, nr, Ci, computed_Cr) + ] + +rule InitLegChooseKeysize: + [ + InitDonePairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, nr, Ci, Cr) + ] + --[ + ]-> + [ + InitChooseKeysize($keysizeI, $keysizeR), + InitExpectKeysize($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, nr, Ci, Cr) + ] + +rule InitDeriveSTK: + let stk = reduce_key(s1(TK, ~ni, nr), chosenKeysize) in + [ + InitExpectKeysize($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, nr, Ci, Cr), + InitSelectKeysize(chosenKeysize) + ] + --[ + InitiatorFinishedLegPairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, nr, stk) + ]-> + [ + InitiatorFinishedLegPairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, TK, ~ni, nr, stk), + ReduceKeysize(chosenKeysize, stk), + Out(senc('init', stk)) + ] +#endif + + +#ifdef RespLeg +rule RespPairingConfirm: + let Cr = c1(TK, ~nr, $capI, $capR, $idI, $idR, $keysizeI, $keysizeR) in + [ + RespDoLegPairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, TK), + Fr(~nr), + In(Ci) + ] + --[ + RespSentConfirm($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, TK, ~nr, Cr, Ci) + ]-> + [ + RespSentConfirm($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, TK, ~nr, Cr, Ci), + Out(Cr) + ] + +rule RespPairingRandom: + let computed_Ci = c1(TK, ni, $capI, $capR, $idI, $idR, $keysizeI, $keysizeR) in + [ + RespSentConfirm($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, TK, 
~nr, Cr, computed_Ci), // verify the matching between Ci and computed_Ci + In(ni) + ] + --[ + RespSentRandom($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, TK, ~nr, ni, Cr, computed_Ci) + ]-> + [ + RespSentRandom($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, TK, ~nr, ni, Cr, computed_Ci), + Out(~nr) + ] + +rule RespLegChooseKeysize: + [ + RespSentRandom($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, TK, ~nr, ni, Cr, Ci) + ] + --> + [ + RespChooseKeysize($keysizeR, $keysizeI), + RespExpectKeysize($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, TK, ~ni, nr, Ci, Cr) + ] + +rule RespDeriveSTK: + let stk = reduce_key(s1(TK, ni, ~nr), chosenKeysize) in + [ + RespExpectKeysize($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, TK, ~ni, nr, Ci, Cr), + RespSelectKeysize(chosenKeysize) + ] + --[ + ResponderFinishedLegPairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, TK, ~nr, ni, stk) + ]-> + [ + ResponderFinishedLegPairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, TK, ~nr, ni, stk), + ReduceKeysize(chosenKeysize, stk), + Out(senc('resp', stk)) + ] +#endif + +/* +* Public key exchange, common for all Secure Pairing protocols +* The Initiator sends its public key, and receives the one from +* the Responder: +* I -> R: pkI = is * G +* R -> I: pkR = rs * G +* dh = is * rs * G = rs * pkI = is * pkR +*/ + +#ifdef InitSec +rule InitSendPublicKey: + let pkI = in + [ + InitDoECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR), + Fr(~is) + ] + --[ + InitBeginECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, ~is, pkI) + ]-> + [ + InitBeginECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, ~is, pkI), + Out(pkI) + ] + +rule InitRecvPublicKey: + [ + InitBeginECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, ~is, pkI), + In(pkR) + ] + --[ + InitComputeECDH( $idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, ~is) + ]-> + [ + InitComputeECDH( $idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, ~is) + ] + +rule InitDeriveNormalDHKey: + let + pkRx = e('C', 
DH_neutral, n) + dhkey = e('C', r, n^~is) // In Bluetooth, only X is taken + in + [ + InitComputeECDH( $idI, $capI, $keysizeI, $idR, $capR, $keysizeR, , , ~is), + In(r) + ] + --[ + ValidPt(pkRx,pkRy), Raised('C', DH_neutral, r, ~is), + InitEndECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkIx, pkRx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ]-> + [ + InitEndECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkIx, pkRx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ] +#endif + +#ifdef InitECDHUnpatched +rule InitDeriveInvalidDHKey: + let + pkRx = e(otx,osx,orx) + pkRy = e(oty,osy,ory) + dhkey = e(tx, rx, nx^~is) // In Bluetooth, only X is taken + in + [ + InitComputeECDH( $idI, $capI, $keysizeI, $idR, $capR, $keysizeR, , , ~is), + In() + ] + --[ + InvalidPt(pkRx,pkRy), Raised(, , , ~is), + InitEndECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkIx, pkRx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ]-> + [ + InitEndECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkIx, pkRx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ] +#endif + +#ifdef RespSec +rule RespSendPublicKey: + let + pkR = + in + [ + RespDoECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI), + Fr(~rs), + In(pkI) + ] + --[ + RespComputeECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, ~rs) + ]-> + [ + RespComputeECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, ~rs), + Out(pkR) + ] + +rule RespDeriveNormalDHKey: + let + pkIx = e('C', DH_neutral, n) + dhkey = e('C', r, n^~rs) // In Bluetooth, only X is taken + in + [ + RespComputeECDH( $idR, $capR, $keysizeR, $idI, $capI, $keysizeI, , , ~rs), + In(r) + ] + --[ + ValidPt(pkIx,pkIy), Raised('C', DH_neutral, r, ~rs), + RespEndECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkRx, pkIx, dhkey) // Once DHKey is computed, only 
x-coordinate is used in the rest of the protocol + ]-> + [ + RespEndECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkRx, pkIx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ] +#endif + +#ifdef RespECDHUnpatched +rule RespDeriveInvalidDHKey: + let + pkIx = e(otx,osx,orx) + pkIy = e(oty,osy,ory) + dhkey = e(tx, rx, nx^~rs) // In Bluetooth, only X is taken + in + [ + RespComputeECDH( $idR, $capR, $keysizeR, $idI, $capI, $keysizeI, , , ~rs), + In() + ] + --[ + InvalidPt(pkIx,pkIy), Raised(, , , ~rs), + RespEndECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkRx, pkIx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ]-> + [ + RespEndECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkRx, pkIx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ] +#endif + +/* +* For the Secure Passkey Entry which requires it, we start the user interaction here. +* That is, we trigger the role to have the Passkey Entry user interaction +*/ + +#ifdef InitSecPE +rule InitTriggerSecPE: + [ + InitEndECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh), // The Initiator has ended the ECDH exchange + InitDoSecPE($idI, $capI, $keysizeI, $idR, $capR, $keysizeR) // The Initiator is doing a PE protocol + ] + --[]-> + [ + InitTriggerUserInteraction(), + InitReadySecPE($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh) + ] +#endif + +#ifdef RespSecPE +rule RespTriggerSecPE: + [ + RespEndECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh), // The Initiator has ended the ECDH exchange + RespDoSecPE($idR, $capR, $keysizeR, $idI, $capI, $keysizeI) // The Initiator is doing a PE protocol + ] + --[]-> + [ + RespTriggerUserInteraction(), + RespReadySecPE($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh) + ] +#endif + +/* +* This implements the Secure JustWorks method +* Devices using this method do not require a user 
interaction. +* The protocol is the following : +* R -> I: f4(pkR, pkI, nr, '0') +* I -> R: ni +* R -> I: nr +*/ + +#ifdef RespSecJW +rule RespSecJWSendConfirm: + let Cr = f4(pkR, pkI, ~nr, '0') in + [ + RespEndECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh), + Fr(~nr) + ] + --[ + RespSecJWSendConfirm($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, Cr) + ]-> + [ + RespSecJWSendConfirm($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, Cr), + Out(Cr) + ] + +rule RespSecJWSendRandom: + [ + RespSecJWSendConfirm($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, Cr), + In(ni) + ] + --[ + RespSecJWSendRandom($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni), + RespSecJWDone($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni), + RespEndedStep2($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, '0', '0') + ]-> + [ + RespSecJWSendRandom($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni), + RespEndedStep2($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, '0', '0'), // Responder ended step2, ra and rb = 0 in JW mode + Out(~nr) + ] +#endif + +#ifdef InitSecJW +rule InitSecJWSendRandom: + [ + InitEndECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh), + Fr(~ni), + In(Cr) + ] + --[ + InitSecJWSendRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, Cr) + ]-> + [ + InitSecJWSendRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, Cr), + Out(~ni) + ] + + +rule InitSecJWRecvRandom: + let computed_Cr = f4(pkR, pkI, nr, '0') in + [ + InitSecJWSendRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, computed_Cr), + In(nr) + ] + --[ + InitSecJWRecvRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr), + InitSecJWDone($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr), + InitEndedStep2($idI, $capI, 
$keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, '0', '0') + ]-> + [ + InitSecJWRecvRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr), + InitEndedStep2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, '0', '0') // Responder ended step2, ra and rb = 0 in JW mode + ] +#endif + +/* +* Implement the Secure Passkey Entry method +* The protocol is based on commitment rounds, using the passkey. +* The passkey is always 20 bits long (by the specification) +* notation b0(passkey) represents the first bit of the passkey, b1(passkey) is the second bit, ... +* Round 0: +* I -> R: f4(pkI, pkR, ni0, b0(passkey) +* R -> I: f4(pkR, pkI, nr0, b0(passkey) +* I -> R: ni0 +* R -> I: nr0 +* Round 1: +* I -> R: f4(pkI, pkR, ni1, b1(passkey) +* R -> I: f4(pkR, pkI, nr1, b1(passkey) +* I -> R: ni1 +* R -> I: nr1 +* ... +* +* Nonces are drawn at random for each round. +* In this model, we use a reduced version of the Passkey Entry protocol, which consists +* of only two rounds. 
+* The passkey is split in two using functions split1/1 and split2/1
+*/
+
+#ifdef InitSecPE
+rule InitSecPESendConfirm1:
+ let Ci = f4(pkI, pkR, ~ni, split1(passkey)) in
+ [
+ InitReadySecPE($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh), // Initiator is ready to perform PE protocol
+ InitUserProceed(passkey), // The passkey is provided to the Initiator
+ Fr(~ni)
+ ]
+ --[]->
+ [
+ InitSecPESendConfirm1($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, passkey, ~ni, Ci),
+ LowEntropyf4(pkI, pkR, ~ni, split1(passkey)),
+ Out(Ci)
+ ]
+
+rule InitSecPESendRandom1:
+ [
+ InitSecPESendConfirm1($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, passkey, ~ni, Ci),
+ In(Cr)
+ ]
+ --[]->
+ [
+ InitSecPESendRandom1($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, passkey, ~ni, Ci, Cr),
+ Out(~ni)
+ ]
+
+rule InitSecPERecvRandom1:
+ let computed_Cr = f4(pkR, pkI, nr, split1(passkey)) in
+ [
+ InitSecPESendRandom1($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, passkey, ~ni, Ci, computed_Cr),
+ In(nr)
+ ]
+ --[
+ ]->
+ [
+ InitSecPEEndPart1($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, passkey)
+ ]
+
+rule InitSecPESendConfirm2:
+ let Ci = f4(pkI, pkR, ~ni, split2(passkey)) in
+ [
+ InitSecPEEndPart1($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, passkey),
+ Fr(~ni)
+ ]
+ --[]->
+ [
+ InitSecPESendConfirm2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, passkey, ~ni, Ci),
+ LowEntropyf4(pkI, pkR, ~ni, split2(passkey)),
+ Out(Ci)
+ ]
+
+rule InitSecPESendRandom2:
+ [
+ InitSecPESendConfirm2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, passkey, ~ni, Ci),
+ In(Cr)
+ ]
+ --[]->
+ [
+ InitSecPESendRandom2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, passkey, ~ni, Ci, Cr),
+ Out(~ni)
+ ]
+
+rule InitSecPERecvRandom2:
+ let computed_Cr = f4(pkR, pkI, nr, split2(passkey)) in
+ [
+ InitSecPESendRandom2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, passkey, ~ni, Ci, computed_Cr),
+ In(nr)
+ ]
+ --[
+ InitSecPEDone($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, passkey),
+ InitEndedStep2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, passkey, passkey)
+ ]->
+ [
+ InitEndedStep2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, passkey, passkey)
+ ]
+#endif
+
+#ifdef RespSecPE
+rule RespSecPESendConfirm1:
+ let Cr = f4(pkR, pkI, ~nr, split1(passkey)) in
+ [
+ RespReadySecPE($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh), // Initiator is ready to perform PE protocol
+ RespUserProceed(passkey), // The passkey is provided to the Initiator
+ Fr(~nr),
+ In(Ci)
+ ]
+ --[]->
+ [
+ RespSecPESendConfirm1($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, passkey, ~nr, Cr, Ci),
+ LowEntropyf4(pkR, pkI, ~nr, split1(passkey)),
+ Out(Cr)
+ ]
+
+rule RespSecPESendRandom1:
+ let computed_Ci = f4(pkI, pkR, ni, split1(passkey)) in
+ [
+ RespSecPESendConfirm1($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, passkey, ~nr, Cr, computed_Ci),
+ In(ni)
+ ]
+ --[
+ ]->
+ [
+ RespSecPEEndPart1($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, passkey),
+ Out(~nr)
+ ]
+
+rule RespSecPESendConfirm2:
+ let Cr = f4(pkR, pkI, ~nr, split2(passkey)) in
+ [
+ RespSecPEEndPart1($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, passkey), // Initiator is ready to perform PE protocol
+ Fr(~nr),
+ In(Ci)
+ ]
+ --[]->
+ [
+ RespSecPESendConfirm2($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, passkey, ~nr, Cr, Ci),
+ LowEntropyf4(pkR, pkI, ~nr, split2(passkey)),
+ Out(Cr)
+ ]
+
+rule RespSecPESendRandom2:
+ let computed_Ci = f4(pkI, pkR, ni, split2(passkey)) in
+ [
+ RespSecPESendConfirm2($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, passkey, ~nr, Cr, computed_Ci),
+ In(ni)
+ ]
+ --[
+ RespSecPEDone($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, passkey),
+ RespEndedStep2($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, passkey, passkey)
+ ]->
+ [
+ RespEndedStep2($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, passkey, passkey),
+ Out(~nr)
+ ]
+#endif
+
+#ifdef NoLowEntropySecure // If flag NoLowEntropySecure is used, this rule won't be written
+#else
+rule Oracle_f4:
+ let verif_val = f4(pk1, pk2, n, s) in
+ [
+ LowEntropyf4(pk1, pk2, n, s),
+ In(pk1),
+ In(pk2),
+ In(n),
+ In(verif_val)
+ ]
+ --[
+ AttackerRecoveredPasskey(s)
+ ]->
+ [
+ Out(s)
+ ]
+#endif
+
+#ifdef NoLowEntropyLegacy // If flag NoLowEntropyLegacy, this rule won't be written
+#else
+rule Oracle_passkey:
+ let C = c1(low_entropy(passkey), N, capI, capR, idI, idR, keysizeI, keysizeR) in
+ [
+ LowEntropy(passkey),
+ In(C),
+ In(N),
+ In(capI),
+ In(capR),
+ In(idI),
+ In(idR),
+ In(keysizeI),
+ In(keysizeR)
+ ]
+ --[
+ AttackerRecoveredPasskey(passkey)
+ ]->
+ [
+ Out(passkey)
+ ]
+#endif
+
+#ifdef LowEntropyKeysize// If flag LowEntropyKeysize, this rule will be written
+rule Oracle_key:
+ [
+ ReduceKeysize('weak', key)
+ ]
+ --[
+ AttackerRecoveredKey(key)
+ ]->
+ [
+ Out(key)
+ ]
+#endif
+
+/*
+* Numeric Comparison method
+* This protocol is similar to the Secure JustWorks protocol, but the user is
+* then presented a code to verify that the Pairing was done correctly
+* R -> I: f4(pkR, pkI, nr, '0')
+* I -> R: ni
+* R -> I: nr
+*/
+
+
+#ifdef RespSecNC
+rule RespSecNCSendConfirm:
+ let Cr = f4(pkR, pkI, ~nr, '0') in
+ [
+ RespEndECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh),
+ Fr(~nr)
+ ]
+ --[
+ RespSecNCSendConfirm($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, Cr)
+ ]->
+ [
+ RespSecNCSendConfirm($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, Cr),
+ Out(Cr)
+ ]
+
+rule RespSecNCSendRandom:
+ let code = g2(pkI, pkR, ni, ~nr) in
+ [
+ RespSecNCSendConfirm($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, Cr),
+ In(ni)
+ ]
+ --[
+ RespSecNCSendRandom($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni)
+ ]->
+ [
+ RespNCWaitConfirm($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni),
+ RespWaitUserConfirm(code),
+ RespTriggerUserInteraction(),
+ Out(~nr)
+ ]
+
+rule RespSecNCDone:
+ [
+ RespNCWaitConfirm($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni),
+ RespUserProceed(code)
+ ]
+ --[
+ RespSecNCDone($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni),
+ RespEndedStep2($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, '0', '0')
+ ]->
+ [
+ RespEndedStep2($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, '0', '0') // Initiator ended step2, ra and rb = 0 in JW mode
+ ]
+#endif
+
+
+#ifdef InitSecNC
+rule InitSecNCSendRandom:
+ [
+ InitEndECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh),
+ Fr(~ni),
+ In(Cr)
+ ]
+ --[
+ InitSecNCSendRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, Cr)
+ ]->
+ [
+ InitSecNCSendRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, Cr),
+ Out(~ni)
+ ]
+
+rule InitSecNCRecvRandom:
+ let
+ computed_Cr = f4(pkR, pkI, nr, '0')
+ code = g2(pkI, pkR, ~ni, nr)
+ in
+ [
+ InitSecNCSendRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, computed_Cr),
+ In(nr)
+ ]
+ --[
+ InitSecNCRecvRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr)
+ ]->
+ [
+ InitNCWaitConfirm($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr),
+ InitWaitUserConfirm(code),
+ InitTriggerUserInteraction()
+ ]
+
+rule InitSecNCDone:
+ [
+ InitNCWaitConfirm($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr),
+ InitUserProceed(code)
+ ]
+ --[
+ InitSecNCDone($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr),
+ InitEndedStep2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, '0', '0')
+ ]->
+ [
+ InitEndedStep2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, '0', '0') // Initiator ended step2, ra and rb = 0 in JW mode
+ ]
+#endif
+
+/*
+* Out of Band Pairing method.
+* The exact exchange will depend on the choice done for the OOB method.
+* If OOBi is used, the device expects an input message
+* If OOBo is used, the device sends a message
+* If OOBio is used, the device sends a message and expects an input message
+*
+* Once the OOB exchange is done, both device exchange a nonce, starting from the Initiator:
+* I -> R: ni
+* R -> I: nr
+*/
+
+#ifdef InitSecOOBi
+rule InitDoSecOOBi:
+ [
+ InitEndECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh),
+ InitDoSecOOBi($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ ]->
+ [
+ InitWaitOOBInput(),
+ InitReadySecOOB($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh)
+ ]
+#endif
+
+#ifdef InitSecOOBo
+rule InitDoSecOOBo:
+ [
+ InitEndECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh),
+ InitDoSecOOBo($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ ]->
+ [
+ InitWaitOOBOutput(),
+ InitReadySecOOB($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh)
+ ]
+#endif
+
+#ifdef InitSecOOBio
+rule InitDoSecOOBio:
+ [
+ InitEndECDH($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh),
+ InitDoSecOOBio($idI, $capI, $keysizeI, $idR, $capR, $keysizeR)
+ ]
+ --[
+ ]->
+ [
+ InitWaitOOBInout(),
+ InitReadySecOOB($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh)
+ ]
+#endif
+
+#ifdef RespSecOOBi
+rule RespDoSecOOBi:
+ [
+ RespEndECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh),
+ RespDoSecOOBi($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ ]->
+ [
+ RespWaitOOBInput(),
+ RespReadySecOOB($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh)
+ ]
+#endif
+
+#ifdef RespSecOOBo
+rule RespDoSecOOBo:
+ [
+ RespEndECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh),
+ RespDoSecOOBo($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ ]->
+ [
+ RespWaitOOBOutput(),
+ RespReadySecOOB($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh)
+ ]
+#endif
+
+#ifdef RespSecOOBio
+rule RespDoSecOOBio:
+ [
+ RespEndECDH($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh),
+ RespDoSecOOBio($idR, $capR, $keysizeR, $idI, $capI, $keysizeI)
+ ]
+ --[
+ ]->
+ [
+ RespWaitOOBInout(),
+ RespReadySecOOB($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh)
+ ]
+#endif
+
+#ifdef InitSecOOB
+rule InitSecOOBOut:
+ let Ci = f4(pkI, pkI, ~ri, '0') in
+ [
+ InitReadySecOOB($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh),
+ InitWaitOOBOutput(),
+ Fr(~ri)
+ ]
+ --[
+ InitSentOOB($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ri, Ci)
+ ]->
+ [
+ InitDoneSecOOBexchange($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ri, '0'),
+ InitOOBchannel(<$idI, ~ri, Ci>)
+ ]
+
+rule InitSecOOBin:
+ let computed_Cr = f4(pkR, pkR, ~rr, '0') in
+ [
+ InitReadySecOOB($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh),
+ InitWaitOOBInput(),
+ RespOOBchannel(<$idR, ~rr, computed_Cr>)
+ ]
+ --[
+ ]->
+ [
+ InitDoneSecOOBexchange($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, '0', ~rr)
+ ]
+
+rule InitSecOOBinout_out:
+ let Ci = f4(pkI, pkI, ~ri, '0') in
+ [
+ InitReadySecOOB($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh),
+ InitWaitOOBInout(),
+ Fr(~ri)
+ ]
+ --[
+ ]->
+ [
+ InitDoneSecOOBinout_out($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ri),
+ InitOOBchannel(<$idI, ~ri, Ci>)
+ ]
+
+rule InitSecOOBinout_in:
+ let computed_Cr = f4(pkR, pkR, ~rr, '0') in
+ [
+ InitDoneSecOOBinout_out($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ri),
+ RespOOBchannel(<$idR, ~rr, computed_Cr>)
+ ]
+ --[
+ ]->
+ [
+ InitDoneSecOOBexchange($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ri, ~rr)
+ ]
+
+rule InitSecOOBSendRandom:
+ [
+ InitDoneSecOOBexchange($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ri, rr),
+ Fr(~ni)
+ ]
+ --[]->
+ [
+ InitSecOOBSendRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ri, rr, ~ni),
+ Out(~ni)
+ ]
+
+rule InitSecOOBRecvRandom:
+ [
+ InitSecOOBSendRandom($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ri, rr, ~ni),
+ In(nr)
+ ]
+ --[
+ InitSecOOBDone($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, ri, rr),
+ InitEndedStep2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, ri, rr)
+ ]->
+ [
+ InitEndedStep2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, ri, rr)
+ ]
+#endif
+
+#ifdef RespSecOOB
+rule RespSecOOBOut:
+ let Cr = f4(pkR, pkR, ~rr, '0') in
+ [
+ RespReadySecOOB($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh),
+ RespWaitOOBOutput(),
+ Fr(~rr)
+ ]
+ --[
+ RespSentSecOOB($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~rr, Cr)
+ ]->
+ [
+ RespDoneSecOOBexchange($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~rr, '0'),
+ RespOOBchannel(<$idR, ~rr, Cr>)
+ ]
+
+rule RespSecOOBin:
+ let computed_Ci = f4(pkI, pkI, ~ri, '0') in
+ [
+ RespReadySecOOB($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh),
+ RespWaitOOBInput(),
+ InitOOBchannel(<$idI, ~ri, computed_Ci>)
+ ]
+ --[
+ ]->
+ [
+ RespDoneSecOOBexchange($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, '0', ~ri)
+ ]
+
+rule RespSecOOBinout_out:
+ let Cr = f4(pkR, pkR, ~rr, '0') in
+ [
+ RespReadySecOOB($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh),
+ RespWaitOOBInout(),
+ Fr(~rr)
+ ]
+ --[
+ ]->
+ [
+ RespDoneSecOOBinout_out($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~rr),
+ RespOOBchannel(<$idR, ~rr, Cr>)
+ ]
+
+rule RespSecOOBinout_in:
+ let computed_Ci = f4(pkI, pkI, ~ri, '0') in
+ [
+ RespDoneSecOOBinout_out($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~rr),
+ InitOOBchannel(<$idI, ~ri, computed_Ci>)
+ ]
+ --[
+ ]->
+ [
+ RespDoneSecOOBexchange($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~rr, ~ri)
+ ]
+
+rule RespSecOOBSendRandom:
+ [
+ RespDoneSecOOBexchange($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, rr, ri),
+ Fr(~nr),
+ In(ni)
+ ]
+ --[
+ RespSecOOBDone($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, rr, ri),
+ RespEndedStep2($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, rr, ri)
+ ]->
+ [
+ RespSecOOBSendRandom($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, rr, ri, ~nr, ni),
+ Out(~nr),
+ RespEndedStep2($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, rr, ri)
+ ]
+#endif
+
+/*
+* DHKeyCheck, this is a key confirmation step
+*/
+
+#ifdef InitSec
+rule InitDHKeyCheck:
+ let
+ //mackey = f5_mackey(dh, ~ni, nr, 'btle', $idI, $idR)
+ ei = f6(dh, ~ni, nr, rr, $capI, $idI, $idR) // Compute DHKeyCheck confirmation value
+ in
+ [
+ InitEndedStep2($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, ri, rr) // Initiator needs to be done with step2
+ ]
+ --[ InitDHKeyCheck($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, ri, rr, ei) ]-> // Intermediate fact
+ [
+ InitSendDHKeyCheck($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, ri, rr, ei), // Initiator has sent its dhkey check
+ Out(ei) // Send the DHKey Check on the channel
+ ]
+
+rule InitDoneDHKeyCheck:
+ let
+ //mackey = f5_mackey(dh, ~ni, nr, 'btle', $idI, $idR)
+ computed_er = f6(dh, nr, ~ni, ri, $capR, $idR, $idI)
+ in
+ [
+ InitSendDHKeyCheck($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, ri, rr, ei),
+ In(computed_er)
+ ]
+ --[
+ InitDoneDHKeyCheck($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr, ri, rr, ei, computed_er)
+ ]->
+ [
+ InitEndedDHKeyCheck($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr)
+ ]
+#endif
+
+#ifdef RespSec
+rule RespDHKeyCheck:
+ let
+ //mackey = f5_mackey(dh, ni, ~nr, 'btle', $idI, $idR)
+ er = f6(dh, ~nr, ni, ri, $capR, $idR, $idI)
+ computed_ei = f6(dh, ni, ~nr, rr, $capI, $idI, $idR)
+ in
+ [
+ RespEndedStep2($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, rr, ri),
+ In(computed_ei)
+ ]
+ --[
+ RespDoneDHKeyCheck($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni, rr, ri, er, computed_ei)
+ ]->
+ [
+ RespEndedDHKeyCheck($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni),
+ Out(er)
+ ]
+#endif
+
+
+/*
+Technically, ni should be the nonce sent by the central and nr should be the nonce sent by the peripheral
+idI should be the address of the central and idR the address of the peripheral.
+
+Here, we assume Initiator == Central and Responder == Peripheral but that may not be always true
+
+Also, the session key derivation and authentication is not performed here.
+*/
+
+#ifdef InitSec
+rule InitSecChooseKeysize:
+ [
+ InitEndedDHKeyCheck($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr)
+ ]
+ -->
+ [
+ InitChooseKeysize($keysizeI, $keysizeR),
+ InitSecExpectKeysize($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr)
+ ]
+
+rule InitSecSendmsg:
+ let ltk = reduce_key(f5_ltk(dh, ~ni, nr, 'btle', $idI, $idR), chosenKeysize) in
+ [
+ InitSecExpectKeysize($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ~ni, nr),
+ InitSelectKeysize(chosenKeysize)
+ ]
+ --[
+ InitiatorFinishedSecPairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ltk),
+ InitiatorSecSentMessage(ltk, 'init')
+ ]->
+ [
+ InitiatorFinishedSecPairing($idI, $capI, $keysizeI, $idR, $capR, $keysizeR, pkI, pkR, dh, ltk),
+ ReduceKeysize(chosenKeysize, ltk),
+ Out(senc('init',ltk))
+ ]
+#endif
+
+#ifdef RespSec
+rule RespSecChooseKeysize:
+ [
+ RespEndedDHKeyCheck($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni)
+ ]
+ -->
+ [
+ RespChooseKeysize($keysizeR, $keysizeI),
+ RespSecExpectKeysize($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni)
+ ]
+
+
+rule RespSecSendmsg:
+ let ltk = reduce_key(f5_ltk(dh, ni, ~nr, 'btle', $idI, $idR), chosenKeysize) in
+ [
+ RespSecExpectKeysize($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ~nr, ni),
+ RespSelectKeysize(chosenKeysize),
+ In(senc('init', ltk))
+ ]
+ --[
+ ResponderFinishedSecPairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ltk),
+ ResponderSentMessage(ltk, 'resp')
+ ]->
+ [
+ ResponderFinishedSecPairing($idR, $capR, $keysizeR, $idI, $capI, $keysizeI, pkR, pkI, dh, ltk),
+ ReduceKeysize(chosenKeysize, ltk),
+ Out(senc('resp',ltk))
+ ]
+#endif
+
+/* User interactions */
+/* This is used to represent user interactions in Bluetooth
+Devices can have an output, input or input/output capability.
+There are four facts that are used to represent interactions:
+- InitUserWaitInput(): Initiator waits passkey input from user
+- RespUserWaitInput(): Responder waits passkey input from user
+- InitUserWaitConfirm(passkey): Initiator waits continuation of the protocol, it chooses passkey
+- RespUserWaitConfirm(passkey): Responder waits continuation of the protocol, it chooses passkey
+- InitUserWaitInout(passkey): Initiator waits continuation of the protocol
+- RespUserWaitInout(passkey): Responder waits the continuation of the protocol
+
+We note that not both devices choose the passkey, in practice only one does.
+However, the choice depends on the capabilities of the other device.
+This is why when two devices have triggered UserWaitInout(passkey), only one passkey is propagated in the following
+rules, to model the choice that was done at the beginning of the protocol.
+ +The possible combinations are: +InitUserWaitInput - RespUserWaitInput -> Valid interaction in PE, user selects a passkey and inputs it in both +InitUserWaitInput - RespUserWaitConfirm -> Valid interaction in PE, user copies the responder's passkey into initiator +InitUserWaitConfirm - RespUserWaitInput -> Valid interaction in PE, user copies the initiator's passkey into responder +InitUserWaitConfirm - RespUserWaitConfirm -> Valid interaction in NC, user verifies that both code match + -> May also occur in PEo/PEio - PEo/PEio, in which case it is valid +*/ + +#ifdef InputInput +rule UserInputInitInputResp: + [Fr(~passkey), + InitTriggerUserInteraction(),InitWaitUserInput(), + RespTriggerUserInteraction(),RespWaitUserInput()] + --[]-> + [InitUserProceed(~passkey),RespUserProceed(~passkey)] +#endif + +#ifdef InputOutput +rule UserInputInitConfirmResp: + [InitTriggerUserInteraction(),InitWaitUserInput(), + RespTriggerUserInteraction(),RespWaitUserConfirm(passkey)] + --[]-> + [InitUserProceed(passkey),RespUserProceed(passkey)] +#endif + +#ifdef InputInout +rule UserInputInitInoutResp: + [InitTriggerUserInteraction(),InitWaitUserInput(), + RespTriggerUserInteraction(),RespWaitUserInout(passkey)] + --[]-> + [InitUserProceed(passkey),RespUserProceed(passkey)] +#endif + +#ifdef OutputInput +rule UserConfirmInitInputResp: + [InitTriggerUserInteraction(),InitWaitUserConfirm(passkey), + RespTriggerUserInteraction(),RespWaitUserInput()] + --[]-> + [InitUserProceed(passkey),RespUserProceed(passkey)] +#endif + +#ifdef OutputInout +rule UserConfirmInitInoutResp: + [InitTriggerUserInteraction(),InitWaitUserConfirm(passkeyi), + RespTriggerUserInteraction(),RespWaitUserInout(passkeyr)] + --[]-> + [InitUserProceed(passkeyi),RespUserProceed(passkeyi)] +#endif + +#ifdef InoutInput +rule UserInoutInitInputResp: + [InitTriggerUserInteraction(),InitWaitUserInout(passkey), + RespTriggerUserInteraction(),RespWaitUserInput()] + --[]-> + [InitUserProceed(passkey),RespUserProceed(passkey)] 
+#endif + +#ifdef InoutOutput +rule UserInoutInitConfirmResp: + [InitTriggerUserInteraction(),InitWaitUserInout(passkeyi), + RespTriggerUserInteraction(),RespWaitUserConfirm(passkeyr)] + --[]-> + [InitUserProceed(passkeyr),RespUserProceed(passkeyr)] +#endif + +#ifdef InoutInout +rule UserInoutInitInoutResp: + [InitTriggerUserInteraction(),InitWaitUserInout(passkeyi), + RespTriggerUserInteraction(),RespWaitUserInout(passkeyr)] + --[]-> + [InitUserProceed(passkeyi),RespUserProceed(passkeyi)] +#endif + +#ifdef OutputOutput +// This represents Numeric Comparison protocol +rule UserConfirmInitConfirmResp: + [InitTriggerUserInteraction(),InitWaitUserConfirm(vi), + RespTriggerUserInteraction(),RespWaitUserConfirm(vi)] + --[]-> + [InitUserProceed(vi),RespUserProceed(vi)] +#endif + +/* Keysize selection, used for all protocols. The lower keysize is chosen. +Although the keysize is a byte with values 7-16 in BLE specifications, +in this model we use weak/strong keysize. Hence, there are 4 possible combinations. */ + +rule RespSelectKeysizeSS: + [RespChooseKeysize('strong', 'strong')] --> [RespSelectKeysize('strong')] + +rule RespSelectKeysizeSW: + [RespChooseKeysize('strong', 'weak')] --> [RespSelectKeysize('weak')] + +rule RespSelectKeysizeWS: + [RespChooseKeysize('weak', 'strong')] --> [RespSelectKeysize('weak')] + +rule RespSelectKeysizeWW: + [RespChooseKeysize('weak', 'weak')] --> [RespSelectKeysize('weak')] + +rule InitSelectKeysizeSS: + [InitChooseKeysize('strong', 'strong')] --> [InitSelectKeysize('strong')] + +rule InitSelectKeysizeSW: + [InitChooseKeysize('strong', 'weak')] --> [InitSelectKeysize('weak')] + +rule InitSelectKeysizeWS: + [InitChooseKeysize('weak', 'strong')] --> [InitSelectKeysize('weak')] + +rule InitSelectKeysizeWW: + [InitChooseKeysize('weak', 'weak')] --> [InitSelectKeysize('weak')] + + + +/* Those two restrictions limit to one honest initiator and one +honest responder. 
This helps having a finished analysis */ +restriction InitOnlyOncePairing: +"All #i #j. InitOnlyOncePairing() @i & InitOnlyOncePairing() @j ==> #i = #j" + +restriction RespOnlyOncePairing: +"All #i #j. RespOnlyOncePairing() @i & RespOnlyOncePairing() @j ==> #i = #j" + +#ifdef InitLegPE +restriction InitLegPEOnlyOnce: +"All #i #j . InitLegPEOnlyOnce() @i & InitLegPEOnlyOnce() @j ==> #i = #j" +#endif + +#ifdef RespLegPE +restriction RespLegPEOnlyOnce: +"All #i #j . RespLegPEOnlyOnce() @i & RespLegPEOnlyOnce() @j ==> #i = #j" +#endif + +#ifdef InitSecPE +restriction InitSecPEOnlyOnce: +"All #i #j. InitSecPEOnlyOnce() @i & InitSecPEOnlyOnce() @j ==> #i = #j" +#endif + +#ifdef RespSecPE +restriction RespSecPEOnlyOnce: +"All #i #j. RespSecPEOnlyOnce() @i & RespSecPEOnlyOnce() @j ==> #i = #j" +#endif + +#ifdef InitSecOOB +restriction InitSecOOBOnlyOnce: +"All #i #j. InitSecOOBOnlyOnce() @i & InitSecOOBOnlyOnce() @j ==> #i = #j" +#endif + +#ifdef RespSecOOB +restriction RespSecOOBOnlyOnce: +"All #i #j. RespSecOOBOnlyOnce() @i & RespSecOOBOnlyOnce() @j ==> #i = #j" +#endif + +// For ECDH model +restriction DHConsistency: + "All t s r1 r2 y #i #j . + Raised(t,s,r1,y) @ i & Raised(t,s,r2,y) @j + ==> r1 = r2" + +restriction DHIdentity: + "All t r y #i . + Raised(t,DH_neutral,r,y) @ i ==> r = DH_neutral" + +restriction ValidPt: + "∀ x y #i. + (ValidPt(x,y) @ #i) ⇒ (x = y)" + +restriction InvalidPt: + "∀ x #i. + (InvalidPt(x,x) @ #i) ⇒ F" + +/*************************************/ +/* Lemmas about LegJW-LegJW exchange */ +/*************************************/ + +#ifdef LegJWLegJW +lemma legJW_legJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . 
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legJW_legJW_auth_init: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legJW_legJW_auth_resp: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legJW_legJW_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legJW_legJW_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legJW_legJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/*****************************************/ +/* End lemmas about LegJW-LegJW exchange */ +/*****************************************/ + +/**************************************/ +/* Lemmas about LegJW-LegPEi exchange */ +/**************************************/ + +#ifdef LegJWLegPEi +lemma legJW_legPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legJW_legPEi_auth_init: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legJW_legPEi_auth_resp: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legJW_legPEi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legJW_legPEi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . 
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legJW_legPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . + K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about LegJW-LegPEi exchange */ +/******************************************/ + +/**************************************/ +/* Lemmas about LegJW-LegPEo exchange */ +/**************************************/ + +#ifdef LegJWLegPEo +lemma legJW_legPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legJW_legPEo_auth_init: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legJW_legPEo_auth_resp: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . 
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legJW_legPEo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legJW_legPEo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legJW_legPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . + K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about LegJW-LegPEo exchange */ +/******************************************/ + +/***************************************/ +/* Lemmas about LegJW-LegPEio exchange */ +/***************************************/ + +#ifdef LegJWLegPEio +lemma legJW_legPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legJW_legPEio_auth_init: +" + All #i1 #i2 . 
+ InitWillDoLegJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legJW_legPEio_auth_resp: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legJW_legPEio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legJW_legPEio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legJW_legPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about LegJW-LegPEio exchange */ +/*******************************************/ + +/**************************************/ +/* Lemmas about LegJW-LegOOB exchange */ +/**************************************/ + +#ifdef LegJWLegOOB +lemma legJW_legOOB_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legJW_legOOB_auth_init: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legJW_legOOB_auth_resp: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legJW_legOOB_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legJW_legOOB_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . 
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legJW_legOOB_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . + K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about LegJW-LegOOB exchange */ +/******************************************/ + +/**************************************/ +/* Lemmas about LegPEi-LegJW exchange */ +/**************************************/ + +#ifdef LegPEiLegJW +lemma legPEi_legJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legPEi_legJW_auth_init: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legPEi_legJW_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . 
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legPEi_legJW_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legPEi_legJW_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legPEi_legJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . + K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about LegPEi-LegJW exchange */ +/******************************************/ + +/***************************************/ +/* Lemmas about LegPEi-LegPEi exchange */ +/***************************************/ + +#ifdef LegPEiLegPEi +lemma legPEi_legPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legPEi_legPEi_auth_init: +" + All #i1 #i2 . 
+ InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legPEi_legPEi_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legPEi_legPEi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legPEi_legPEi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legPEi_legPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about LegPEi-LegPEi exchange */ +/*******************************************/ + +/***************************************/ +/* Lemmas about LegPEi-LegPEo exchange */ +/***************************************/ + +#ifdef LegPEiLegPEo +lemma legPEi_legPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legPEi_legPEo_auth_init: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legPEi_legPEo_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legPEi_legPEo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legPEi_legPEo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . 
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legPEi_legPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . + K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about LegPEi-LegPEo exchange */ +/*******************************************/ + +/****************************************/ +/* Lemmas about LegPEi-LegPEio exchange */ +/****************************************/ + +#ifdef LegPEiLegPEio +lemma legPEi_legPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legPEi_legPEio_auth_init: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legPEi_legPEio_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . 
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legPEi_legPEio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legPEi_legPEio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legPEi_legPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . + K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegPEi-LegPEio exchange */ +/********************************************/ + +/***************************************/ +/* Lemmas about LegPEi-LegOOB exchange */ +/***************************************/ + +#ifdef LegPEiLegOOB +lemma legPEi_legOOB_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legPEi_legOOB_auth_init: +" + All #i1 #i2 . 
+ InitWillDoLegPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legPEi_legOOB_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legPEi_legOOB_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legPEi_legOOB_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legPEi_legOOB_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about LegPEi-LegOOB exchange */ +/*******************************************/ + +/**************************************/ +/* Lemmas about LegPEo-LegJW exchange */ +/**************************************/ + +#ifdef LegPEoLegJW +lemma legPEo_legJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legPEo_legJW_auth_init: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legPEo_legJW_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legPEo_legJW_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legPEo_legJW_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . 
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEo_legJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about LegPEo-LegJW exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about LegPEo-LegPEi exchange */
+/***************************************/
+
+#ifdef LegPEoLegPEi
+lemma legPEo_legPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legPEo_legPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legPEo_legPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legPEo_legPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEo_legPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEo_legPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegPEo-LegPEi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about LegPEo-LegPEo exchange */
+/***************************************/
+
+#ifdef LegPEoLegPEo
+lemma legPEo_legPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legPEo_legPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legPEo_legPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legPEo_legPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEo_legPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEo_legPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegPEo-LegPEo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about LegPEo-LegPEio exchange */
+/****************************************/
+
+#ifdef LegPEoLegPEio
+lemma legPEo_legPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legPEo_legPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legPEo_legPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legPEo_legPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEo_legPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEo_legPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about LegPEo-LegPEio exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about LegPEo-LegOOB exchange */
+/***************************************/
+
+#ifdef LegPEoLegOOB
+lemma legPEo_legOOB_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legPEo_legOOB_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legPEo_legOOB_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legPEo_legOOB_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEo_legOOB_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEo_legOOB_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegPEo-LegOOB exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about LegPEio-LegJW exchange */
+/***************************************/
+
+#ifdef LegPEioLegJW
+lemma legPEio_legJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legPEio_legJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legPEio_legJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legPEio_legJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEio_legJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEio_legJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegPEio-LegJW exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about LegPEio-LegPEi exchange */
+/****************************************/
+
+#ifdef LegPEioLegPEi
+lemma legPEio_legPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legPEio_legPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legPEio_legPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legPEio_legPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEio_legPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEio_legPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about LegPEio-LegPEi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about LegPEio-LegPEo exchange */
+/****************************************/
+
+#ifdef LegPEioLegPEo
+lemma legPEio_legPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legPEio_legPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legPEio_legPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legPEio_legPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEio_legPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEio_legPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about LegPEio-LegPEo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about LegPEio-LegPEio exchange */
+/*****************************************/
+
+#ifdef LegPEioLegPEio
+lemma legPEio_legPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legPEio_legPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legPEio_legPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legPEio_legPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEio_legPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEio_legPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about LegPEio-LegPEio exchange */
+/*********************************************/
+
+/****************************************/
+/* Lemmas about LegPEio-LegOOB exchange */
+/****************************************/
+
+#ifdef LegPEioLegOOB
+lemma legPEio_legOOB_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legPEio_legOOB_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legPEio_legOOB_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legPEio_legOOB_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEio_legOOB_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legPEio_legOOB_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about LegPEio-LegOOB exchange */
+/********************************************/
+
+/**************************************/
+/* Lemmas about LegOOB-LegJW exchange */
+/**************************************/
+
+#ifdef LegOOBLegJW
+lemma legOOB_legJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legOOB_legJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legOOB_legJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legOOB_legJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legOOB_legJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legOOB_legJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about LegOOB-LegJW exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about LegOOB-LegPEi exchange */
+/***************************************/
+
+#ifdef LegOOBLegPEi
+lemma legOOB_legPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legOOB_legPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legOOB_legPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legOOB_legPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legOOB_legPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legOOB_legPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegOOB-LegPEi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about LegOOB-LegPEo exchange */
+/***************************************/
+
+#ifdef LegOOBLegPEo
+lemma legOOB_legPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legOOB_legPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legOOB_legPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2
+ )
+ )
+"
+
+lemma legOOB_legPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legOOB_legPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ not (Ex #k2 . K(stk) @k2 )
+ )
+"
+
+lemma legOOB_legPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk1) @k1 & K(stk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegOOB-LegPEo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about LegOOB-LegPEio exchange */
+/****************************************/
+
+#ifdef LegOOBLegPEio
+lemma legOOB_legPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2
+ )
+"
+
+lemma legOOB_legPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2
+ )
+ )
+"
+
+lemma legOOB_legPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR tk ni nr stk #k1 .
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==>
+ (Ex ci cr #k2 .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legOOB_legPEio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legOOB_legPEio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legOOB_legPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . + K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegOOB-LegPEio exchange */ +/********************************************/ + +/***************************************/ +/* Lemmas about LegOOB-LegOOB exchange */ +/***************************************/ + +#ifdef LegOOBLegOOB +lemma legOOB_legOOB_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 + ) +" + +lemma legOOB_legOOB_auth_init: +" + All #i1 #i2 . 
+ InitWillDoLegOOB()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + (Ex ci cr #k2 . + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k2 + ) + ) +" + +lemma legOOB_legOOB_auth_resp: +" + All #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + (Ex ci cr #k2 . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k2 + ) + ) +" + +lemma legOOB_legOOB_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legOOB_legOOB_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI idR capI capR ksI ksR tk ni nr stk #k1 . + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @k1 ==> + not (Ex #k2 . K(stk) @k2 ) + ) +" + +lemma legOOB_legOOB_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 tk1 ni1 nr1 stk1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk2 ni2 nr2 stk2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk1, ni1, nr1, stk1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk2, nr2, ni2, stk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(stk1) @k1 & K(stk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about LegOOB-LegOOB exchange */ +/*******************************************/ + +/*************************************/ +/* Lemmas about SecJW-SecJW exchange */ +/*************************************/ + +#ifdef SecJWSecJW +lemma secJW_secJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secJW_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secJW_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secJW_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secJW_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . 
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*****************************************/ +/* End lemmas about SecJW-SecJW exchange */ +/*****************************************/ + +/**************************************/ +/* Lemmas about SecJW-SecPEi exchange */ +/**************************************/ + +#ifdef SecJWSecPEi +lemma secJW_secPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secPEi_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secPEi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . 
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secPEi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secPEi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about SecJW-SecPEi exchange */ +/******************************************/ + +/**************************************/ +/* Lemmas about SecJW-SecPEo exchange */ +/**************************************/ + +#ifdef SecJWSecPEo +lemma secJW_secPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secPEo_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secPEo_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secPEo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secPEo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about SecJW-SecPEo exchange */ +/******************************************/ + +/***************************************/ +/* Lemmas about SecJW-SecPEio exchange */ +/***************************************/ + +#ifdef SecJWSecPEio +lemma secJW_secPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secPEio_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secPEio_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secPEio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secPEio_weaksecret_resp: +" + All #i1 #i2 . 
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecJW-SecPEio exchange */ +/*******************************************/ + +/*************************************/ +/* Lemmas about SecJW-SecNC exchange */ +/*************************************/ + +#ifdef SecJWSecNC +lemma secJW_secNC_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secNC_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secNC_auth_resp: +" + All #i1 #i2 . 
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secNC_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secNC_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secNC_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*****************************************/ +/* End lemmas about SecJW-SecNC exchange */ +/*****************************************/ + +/***************************************/ +/* Lemmas about SecJW-SecOOBi exchange */ +/***************************************/ + +#ifdef SecJWSecOOBi +lemma secJW_secOOBi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secOOBi_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secOOBi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secOOBi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secOOBi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secOOBi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecJW-SecOOBi exchange */ +/*******************************************/ + +/***************************************/ +/* Lemmas about SecJW-SecOOBo exchange */ +/***************************************/ + +#ifdef SecJWSecOOBo +lemma secJW_secOOBo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secOOBo_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secOOBo_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secOOBo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . 
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secOOBo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secOOBo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecJW-SecOOBo exchange */ +/*******************************************/ + +/****************************************/ +/* Lemmas about SecJW-SecOOBio exchange */ +/****************************************/ + +#ifdef SecJWSecOOBio +lemma secJW_secOOBio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secOOBio_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . 
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secOOBio_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secOOBio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secOOBio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secOOBio_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about SecJW-SecOOBio exchange */ +/********************************************/ + +/**************************************/ +/* Lemmas about SecPEi-SecJW exchange */ +/**************************************/ + +#ifdef SecPEiSecJW +lemma secPEi_secJW_functional: exists-trace +" + Ex #i1 #i2 . 
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secPEi_secJW_auth_init: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secPEi_secJW_auth_resp: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secPEi_secJW_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secPEi_secJW_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secPEi_secJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about SecPEi-SecJW exchange */ +/******************************************/ + +/***************************************/ +/* Lemmas about SecPEi-SecPEi exchange */ +/***************************************/ + +#ifdef SecPEiSecPEi +lemma secPEi_secPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secPEi_secPEi_auth_init: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secPEi_secPEi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secPEi_secPEi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . 
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secPEi_secPEi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secPEi_secPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecPEi-SecPEi exchange */ +/*******************************************/ + +/***************************************/ +/* Lemmas about SecPEi-SecPEo exchange */ +/***************************************/ + +#ifdef SecPEiSecPEo +lemma secPEi_secPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secPEi_secPEo_auth_init: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . 
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secPEi_secPEo_auth_resp: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secPEi_secPEo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secPEi_secPEo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secPEi_secPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecPEi-SecPEo exchange */ +/*******************************************/ + +/****************************************/ +/* Lemmas about SecPEi-SecPEio exchange */ +/****************************************/ + +#ifdef SecPEiSecPEio +lemma secPEi_secPEio_functional: exists-trace +" + Ex #i1 #i2 . 
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecPEi-SecPEio exchange */
+/******************************************/
+
+/************************************/
+/* Lemmas about SecPEi-SecNC exchange */
+/************************************/
+
+#ifdef SecPEiSecNC
+lemma secPEi_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secNC_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secNC_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secNC_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secNC_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/****************************************/
+/* End lemmas about SecPEi-SecNC exchange */
+/****************************************/
+
+/**************************************/
+/* Lemmas about SecPEi-SecOOBi exchange */
+/**************************************/
+
+#ifdef SecPEiSecOOBi
+lemma secPEi_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secOOBi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecPEi-SecOOBi exchange */
+/******************************************/
+
+/**************************************/
+/* Lemmas about SecPEi-SecOOBo exchange */
+/**************************************/
+
+#ifdef SecPEiSecOOBo
+lemma secPEi_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecPEi-SecOOBo exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about SecPEi-SecOOBio exchange */
+/***************************************/
+
+#ifdef SecPEiSecOOBio
+lemma secPEi_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEi-SecOOBio exchange */
+/*******************************************/
+
+/************************************/
+/* Lemmas about SecPEo-SecJW exchange */
+/************************************/
+
+#ifdef SecPEoSecJW
+lemma secPEo_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/****************************************/
+/* End lemmas about SecPEo-SecJW exchange */
+/****************************************/
+
+/*************************************/
+/* Lemmas about SecPEo-SecPEi exchange */
+/*************************************/
+
+#ifdef SecPEoSecPEi
+lemma secPEo_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*****************************************/
+/* End lemmas about SecPEo-SecPEi exchange */
+/*****************************************/
+
+/*************************************/
+/* Lemmas about SecPEo-SecPEo exchange */
+/*************************************/
+
+#ifdef SecPEoSecPEo
+lemma secPEo_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*****************************************/
+/* End lemmas about SecPEo-SecPEo exchange */
+/*****************************************/
+
+/**************************************/
+/* Lemmas about SecPEo-SecPEio exchange */
+/**************************************/
+
+#ifdef SecPEoSecPEio
+lemma secPEo_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecPEo-SecPEio exchange */
+/******************************************/
+
+/************************************/
+/* Lemmas about SecPEo-SecNC exchange */
+/************************************/
+
+#ifdef SecPEoSecNC
+lemma secPEo_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secNC_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secNC_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secNC_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secNC_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/****************************************/
+/* End lemmas about SecPEo-SecNC exchange */
+/****************************************/
+
+/**************************************/
+/* Lemmas about SecPEo-SecOOBi exchange */
+/**************************************/
+
+#ifdef SecPEoSecOOBi
+lemma secPEo_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secOOBi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecPEo-SecOOBi exchange */
+/******************************************/
+
+/**************************************/
+/* Lemmas about SecPEo-SecOOBo exchange */
+/**************************************/
+
+#ifdef SecPEoSecOOBo
+lemma secPEo_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecPEo-SecOOBo exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about SecPEo-SecOOBio exchange */
+/***************************************/
+
+#ifdef SecPEoSecOOBio
+lemma secPEo_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEo-SecOOBio exchange */
+/*********************************************/
+
+/***************************************/
+/* Lemmas about SecPEio-SecJW exchange */
+/***************************************/
+
+#ifdef SecPEioSecJW
+lemma secPEio_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEio-SecJW exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecPEio-SecPEi exchange */
+/****************************************/
+
+#ifdef SecPEioSecPEi
+lemma secPEio_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEio-SecPEi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecPEio-SecPEo exchange */
+/****************************************/
+
+#ifdef SecPEioSecPEo
+lemma secPEio_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEio-SecPEo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecPEio-SecPEio exchange */
+/*****************************************/
+
+#ifdef SecPEioSecPEio
+lemma secPEio_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEio-SecPEio exchange */
+/*********************************************/
+
+/***************************************/
+/* Lemmas about SecPEio-SecNC exchange */
+/***************************************/
+
+#ifdef SecPEioSecNC
+lemma secPEio_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secNC_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secNC_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secNC_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secNC_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEio-SecNC exchange */
+/*******************************************/
+
+/*****************************************/
+/* Lemmas about SecPEio-SecOOBi exchange */
+/*****************************************/
+
+#ifdef SecPEioSecOOBi
+lemma secPEio_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secOOBi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEio-SecOOBi exchange */
+/*********************************************/
+
+/*****************************************/
+/* Lemmas about SecPEio-SecOOBo exchange */
+/*****************************************/
+
+#ifdef SecPEioSecOOBo
+lemma secPEio_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEio-SecOOBo exchange */
+/*********************************************/
+
+/******************************************/
+/* Lemmas about SecPEio-SecOOBio exchange */
+/******************************************/
+
+#ifdef SecPEioSecOOBio
+lemma secPEio_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecPEio-SecOOBio exchange */
+/**********************************************/
+
+/*************************************/
+/* Lemmas about SecNC-SecJW exchange */
+/*************************************/
+
+#ifdef SecNCSecJW
+lemma secNC_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secNC_secJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secNC_secJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secNC_secJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*****************************************/
+/* End lemmas about SecNC-SecJW exchange */
+/*****************************************/
+
+/**************************************/
+/* Lemmas about SecNC-SecPEi exchange */
+/**************************************/
+
+#ifdef SecNCSecPEi
+lemma secNC_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secNC_secPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secNC_secPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secNC_secPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecNC-SecPEi exchange */
+/******************************************/
+
+/**************************************/
+/* Lemmas about SecNC-SecPEo exchange */
+/**************************************/
+
+#ifdef SecNCSecPEo
+lemma secNC_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secNC_secPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secNC_secPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secNC_secPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecNC-SecPEo exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about SecNC-SecPEio exchange */
+/***************************************/
+
+#ifdef SecNCSecPEio
+lemma secNC_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secNC_secPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secNC_secPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secNC_secPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecNC-SecPEio exchange */
+/*******************************************/
+
+/*************************************/
+/* Lemmas about SecNC-SecNC exchange */
+/*************************************/
+
+#ifdef SecNCSecNC
+lemma secNC_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secNC_secNC_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secNC_secNC_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secNC_secNC_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secNC_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*****************************************/
+/* End lemmas about SecNC-SecNC exchange */
+/*****************************************/
+
+/***************************************/
+/* Lemmas about SecNC-SecOOBi exchange */
+/***************************************/
+
+#ifdef SecNCSecOOBi
+lemma secNC_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secNC_secOOBi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secNC_secOOBi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secNC_secOOBi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secOOBi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecNC-SecOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about SecNC-SecOOBo exchange */
+/***************************************/
+
+#ifdef SecNCSecOOBo
+lemma secNC_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secNC_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secNC_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secNC_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecNC-SecOOBo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecNC-SecOOBio exchange */
+/****************************************/
+
+#ifdef SecNCSecOOBio
+lemma secNC_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secNC_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secNC_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secNC_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecNC-SecOOBio exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about SecOOBi-SecJW exchange */
+/***************************************/
+
+#ifdef SecOOBiSecJW
+lemma secOOBi_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBi_secJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBi_secJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBi_secJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecOOBi-SecJW exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecOOBi-SecPEi exchange */
+/****************************************/
+
+#ifdef SecOOBiSecPEi
+lemma secOOBi_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBi_secPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBi_secPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBi_secPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBi-SecPEi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecOOBi-SecPEo exchange */
+/****************************************/
+
+#ifdef SecOOBiSecPEo
+lemma secOOBi_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBi_secPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBi_secPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBi_secPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBi-SecPEo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBi-SecPEio exchange */
+/*****************************************/
+
+#ifdef SecOOBiSecPEio
+lemma secOOBi_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBi_secPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBi_secPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBi_secPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBi-SecPEio exchange */
+/*********************************************/
+
+/***************************************/
+/* Lemmas about SecOOBi-SecNC exchange */
+/***************************************/
+
+#ifdef SecOOBiSecNC
+lemma secOOBi_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBi_secNC_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBi_secNC_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBi_secNC_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secNC_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecOOBi-SecNC exchange */
+/*******************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBi-SecOOBi exchange */
+/*****************************************/
+
+#ifdef SecOOBiSecOOBi
+lemma secOOBi_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBi_secOOBi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBi_secOOBi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBi_secOOBi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secOOBi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBi-SecOOBi exchange */
+/*********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBi-SecOOBo exchange */
+/*****************************************/
+
+#ifdef SecOOBiSecOOBo
+lemma secOOBi_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBi_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBi_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBi_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBi-SecOOBo exchange */
+/*********************************************/
+
+/******************************************/
+/* Lemmas about SecOOBi-SecOOBio exchange */
+/******************************************/
+
+#ifdef SecOOBiSecOOBio
+lemma secOOBi_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBi_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBi_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBi_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBi_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecOOBi-SecOOBio exchange */
+/**********************************************/
+
+/***************************************/
+/* Lemmas about SecOOBo-SecJW exchange */
+/***************************************/
+
+#ifdef SecOOBoSecJW
+lemma secOOBo_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBo_secJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBo_secJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBo_secJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecOOBo-SecJW exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecOOBo-SecPEi exchange */
+/****************************************/
+
+#ifdef SecOOBoSecPEi
+lemma secOOBo_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBo_secPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBo_secPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBo_secPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBo-SecPEi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecOOBo-SecPEo exchange */
+/****************************************/
+
+#ifdef SecOOBoSecPEo
+lemma secOOBo_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBo_secPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBo_secPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBo_secPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBo-SecPEo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBo-SecPEio exchange */
+/*****************************************/
+
+#ifdef SecOOBoSecPEio
+lemma secOOBo_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBo_secPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBo_secPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBo_secPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBo-SecPEio exchange */
+/*********************************************/
+
+/***************************************/
+/* Lemmas about SecOOBo-SecNC exchange */
+/***************************************/
+
+#ifdef SecOOBoSecNC
+lemma secOOBo_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBo_secNC_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBo_secNC_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBo_secNC_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secNC_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecOOBo-SecNC exchange */
+/*******************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBo-SecOOBi exchange */
+/*****************************************/
+
+#ifdef SecOOBoSecOOBi
+lemma secOOBo_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBo_secOOBi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBo_secOOBi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBo_secOOBi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secOOBi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBo-SecOOBi exchange */
+/*********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBo-SecOOBo exchange */
+/*****************************************/
+
+#ifdef SecOOBoSecOOBo
+lemma secOOBo_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBo_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBo_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBo_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBo-SecOOBo exchange */
+/*********************************************/
+
+/******************************************/
+/* Lemmas about SecOOBo-SecOOBio exchange */
+/******************************************/
+
+#ifdef SecOOBoSecOOBio
+lemma secOOBo_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBo_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBo_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBo_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBo_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecOOBo-SecOOBio exchange */
+/**********************************************/
+
+/****************************************/
+/* Lemmas about SecOOBio-SecJW exchange */
+/****************************************/
+
+#ifdef SecOOBioSecJW
+lemma secOOBio_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBio-SecJW exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBio-SecPEi exchange */
+/*****************************************/
+
+#ifdef SecOOBioSecPEi
+lemma secOOBio_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBio-SecPEi exchange */
+/*********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBio-SecPEo exchange */
+/*****************************************/
+
+#ifdef SecOOBioSecPEo
+lemma secOOBio_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBio-SecPEo exchange */
+/*********************************************/
+
+/******************************************/
+/* Lemmas about SecOOBio-SecPEio exchange */
+/******************************************/
+
+#ifdef SecOOBioSecPEio
+lemma secOOBio_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecOOBio-SecPEio exchange */
+/**********************************************/
+
+/****************************************/
+/* Lemmas about SecOOBio-SecNC exchange */
+/****************************************/
+
+#ifdef SecOOBioSecNC
+lemma secOOBio_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secNC_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secNC_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secNC_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secNC_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBio-SecNC exchange */
+/********************************************/
+
+/******************************************/
+/* Lemmas about SecOOBio-SecOOBi exchange */
+/******************************************/
+
+#ifdef SecOOBioSecOOBi
+lemma secOOBio_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secOOBi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecOOBio-SecOOBi exchange */
+/**********************************************/
+
+/******************************************/
+/* Lemmas about SecOOBio-SecOOBo exchange */
+/******************************************/
+
+#ifdef SecOOBioSecOOBo
+lemma secOOBio_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecOOBio-SecOOBo exchange */
+/**********************************************/
+
+/*******************************************/
+/* Lemmas about SecOOBio-SecOOBio exchange */
+/*******************************************/
+
+#ifdef SecOOBioSecOOBio
+lemma secOOBio_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksI2, idI2, capI2, ksR2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR ksI ksR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 ksI2 ksR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/***********************************************/
+/* End lemmas about SecOOBio-SecOOBio exchange */
+/***********************************************/
+
+/*************************************/
+/* Lemmas about LegJW-SecJW exchange */
+/*************************************/
+
+#ifdef LegJWSecJW
+lemma legJW_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legJW_secJW_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legJW_secJW_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legJW_secJW_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legJW_secJW_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legJW_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*****************************************/
+/* End lemmas about LegJW-SecJW exchange */
+/*****************************************/
+
+/**************************************/
+/* Lemmas about LegJW-SecPEi exchange */
+/**************************************/
+
+#ifdef LegJWSecPEi
+lemma legJW_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legJW_secPEi_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legJW_secPEi_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legJW_secPEi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legJW_secPEi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legJW_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about LegJW-SecPEi exchange */
+/******************************************/
+
+/**************************************/
+/* Lemmas about LegJW-SecPEo exchange */
+/**************************************/
+
+#ifdef LegJWSecPEo
+lemma legJW_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legJW_secPEo_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legJW_secPEo_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legJW_secPEo_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legJW_secPEo_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legJW_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about LegJW-SecPEo exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about LegJW-SecPEio exchange */
+/***************************************/
+
+#ifdef LegJWSecPEio
+lemma legJW_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legJW_secPEio_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legJW_secPEio_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legJW_secPEio_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legJW_secPEio_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legJW_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegJW-SecPEio exchange */
+/*******************************************/
+
+/*************************************/
+/* Lemmas about LegJW-SecNC exchange */
+/*************************************/
+
+#ifdef LegJWSecNC
+lemma legJW_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legJW_secNC_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legJW_secNC_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legJW_secNC_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legJW_secNC_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legJW_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*****************************************/
+/* End lemmas about LegJW-SecNC exchange */
+/*****************************************/
+
+/***************************************/
+/* Lemmas about LegJW-SecOOBi exchange */
+/***************************************/
+
+#ifdef LegJWSecOOBi
+lemma legJW_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legJW_secOOBi_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legJW_secOOBi_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legJW_secOOBi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legJW_secOOBi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legJW_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegJW-SecOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about LegJW-SecOOBo exchange */
+/***************************************/
+
+#ifdef LegJWSecOOBo
+lemma legJW_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legJW_secOOBo_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legJW_secOOBo_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legJW_secOOBo_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legJW_secOOBo_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legJW_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegJW-SecOOBo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about LegJW-SecOOBio exchange */
+/****************************************/
+
+#ifdef LegJWSecOOBio
+lemma legJW_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legJW_secOOBio_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legJW_secOOBio_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legJW_secOOBio_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legJW_secOOBio_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legJW_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about LegJW-SecOOBio exchange */
+/********************************************/
+
+/**************************************/
+/* Lemmas about LegPEi-SecJW exchange */
+/**************************************/
+
+#ifdef LegPEiSecJW
+lemma legPEi_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPEi_secJW_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPEi_secJW_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legPEi_secJW_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legPEi_secJW_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPEi_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about LegPEi-SecJW exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about LegPEi-SecPEi exchange */
+/***************************************/
+
+#ifdef LegPEiSecPEi
+lemma legPEi_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPEi_secPEi_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPEi_secPEi_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legPEi_secPEi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legPEi_secPEi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPEi_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegPEi-SecPEi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about LegPEi-SecPEo exchange */
+/***************************************/
+
+#ifdef LegPEiSecPEo
+lemma legPEi_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPEi_secPEo_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPEi_secPEo_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEi_secPEo_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEi_secPEo_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEi_secPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about LegPEi-SecPEo exchange */ +/*******************************************/ + +/****************************************/ +/* Lemmas about LegPEi-SecPEio exchange */ +/****************************************/ + +#ifdef LegPEiSecPEio +lemma legPEi_secPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . 
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEi_secPEio_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEi_secPEio_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEi_secPEio_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEi_secPEio_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEi_secPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegPEi-SecPEio exchange */ +/********************************************/ + +/**************************************/ +/* Lemmas about LegPEi-SecNC exchange */ +/**************************************/ + +#ifdef LegPEiSecNC +lemma legPEi_secNC_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEi_secNC_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEi_secNC_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEi_secNC_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEi_secNC_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. 
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEi_secNC_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about LegPEi-SecNC exchange */ +/******************************************/ + +/****************************************/ +/* Lemmas about LegPEi-SecOOBi exchange */ +/****************************************/ + +#ifdef LegPEiSecOOBi +lemma legPEi_secOOBi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEi_secOOBi_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEi_secOOBi_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . 
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEi_secOOBi_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEi_secOOBi_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEi_secOOBi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegPEi-SecOOBi exchange */ +/********************************************/ + +/****************************************/ +/* Lemmas about LegPEi-SecOOBo exchange */ +/****************************************/ + +#ifdef LegPEiSecOOBo +lemma legPEi_secOOBo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . 
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEi_secOOBo_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEi_secOOBo_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEi_secOOBo_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEi_secOOBo_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEi_secOOBo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegPEi-SecOOBo exchange */ +/********************************************/ + +/*****************************************/ +/* Lemmas about LegPEi-SecOOBio exchange */ +/*****************************************/ + +#ifdef LegPEiSecOOBio +lemma legPEi_secOOBio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEi_secOOBio_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEi_secOOBio_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEi_secOOBio_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEi_secOOBio_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. 
+ InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEi_secOOBio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about LegPEi-SecOOBio exchange */ +/*********************************************/ + +/**************************************/ +/* Lemmas about LegPEo-SecJW exchange */ +/**************************************/ + +#ifdef LegPEoSecJW +lemma legPEo_secJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEo_secJW_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEo_secJW_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . 
+ InitWillDoLegPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEo_secJW_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEo_secJW_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEo_secJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about LegPEo-SecJW exchange */ +/******************************************/ + +/***************************************/ +/* Lemmas about LegPEo-SecPEi exchange */ +/***************************************/ + +#ifdef LegPEoSecPEi +lemma legPEo_secPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . 
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEo_secPEi_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEo_secPEi_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEo_secPEi_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEo_secPEi_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEo_secPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about LegPEo-SecPEi exchange */ +/*******************************************/ + +/***************************************/ +/* Lemmas about LegPEo-SecPEo exchange */ +/***************************************/ + +#ifdef LegPEoSecPEo +lemma legPEo_secPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEo_secPEo_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEo_secPEo_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEo_secPEo_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEo_secPEo_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. 
+ InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEo_secPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about LegPEo-SecPEo exchange */ +/*******************************************/ + +/****************************************/ +/* Lemmas about LegPEo-SecPEio exchange */ +/****************************************/ + +#ifdef LegPEoSecPEio +lemma legPEo_secPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEo_secPEio_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEo_secPEio_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . 
+ InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEo_secPEio_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEo_secPEio_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEo_secPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegPEo-SecPEio exchange */ +/********************************************/ + +/**************************************/ +/* Lemmas about LegPEo-SecNC exchange */ +/**************************************/ + +#ifdef LegPEoSecNC +lemma legPEo_secNC_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . 
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEo_secNC_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEo_secNC_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEo_secNC_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEo_secNC_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEo_secNC_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about LegPEo-SecNC exchange */ +/******************************************/ + +/****************************************/ +/* Lemmas about LegPEo-SecOOBi exchange */ +/****************************************/ + +#ifdef LegPEoSecOOBi +lemma legPEo_secOOBi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEo_secOOBi_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEo_secOOBi_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEo_secOOBi_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEo_secOOBi_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. 
+ InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEo_secOOBi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegPEo-SecOOBi exchange */ +/********************************************/ + +/****************************************/ +/* Lemmas about LegPEo-SecOOBo exchange */ +/****************************************/ + +#ifdef LegPEoSecOOBo +lemma legPEo_secOOBo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEo_secOOBo_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEo_secOOBo_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . 
+ InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEo_secOOBo_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEo_secOOBo_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEo_secOOBo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegPEo-SecOOBo exchange */ +/********************************************/ + +/*****************************************/ +/* Lemmas about LegPEo-SecOOBio exchange */ +/*****************************************/ + +#ifdef LegPEoSecOOBio +lemma legPEo_secOOBio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . 
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPEo_secOOBio_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPEo_secOOBio_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legPEo_secOOBio_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legPEo_secOOBio_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPEo_secOOBio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about LegPEo-SecOOBio exchange */
+/*********************************************/
+
+/***************************************/
+/* Lemmas about LegPEio-SecJW exchange */
+/***************************************/
+
+#ifdef LegPEioSecJW
+lemma legPEio_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPEio_secJW_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPEio_secJW_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legPEio_secJW_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legPEio_secJW_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPEio_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegPEio-SecJW exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about LegPEio-SecPEi exchange */
+/****************************************/
+
+#ifdef LegPEioSecPEi
+lemma legPEio_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPEio_secPEi_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPEio_secPEi_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legPEio_secPEi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legPEio_secPEi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPEio_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about LegPEio-SecPEi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about LegPEio-SecPEo exchange */
+/****************************************/
+
+#ifdef LegPEioSecPEo
+lemma legPEio_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPEio_secPEo_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPEio_secPEo_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legPEio_secPEo_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legPEio_secPEo_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPEio_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about LegPEio-SecPEo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about LegPEio-SecPEio exchange */
+/*****************************************/
+
+#ifdef LegPEioSecPEio
+lemma legPEio_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPEio_secPEio_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPEio_secPEio_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legPEio_secPEio_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legPEio_secPEio_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPEio_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about LegPEio-SecPEio exchange */
+/*********************************************/
+
+/***************************************/
+/* Lemmas about LegPEio-SecNC exchange */
+/***************************************/
+
+#ifdef LegPEioSecNC
+lemma legPEio_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPEio_secNC_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPEio_secNC_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legPEio_secNC_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legPEio_secNC_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPEio_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegPEio-SecNC exchange */
+/*******************************************/
+
+/*****************************************/
+/* Lemmas about LegPEio-SecOOBi exchange */
+/*****************************************/
+
+#ifdef LegPEioSecOOBi
+lemma legPEio_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPEio_secOOBi_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPEio_secOOBi_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legPEio_secOOBi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legPEio_secOOBi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPEio_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about LegPEio-SecOOBi exchange */
+/*********************************************/
+
+/*****************************************/
+/* Lemmas about LegPEio-SecOOBo exchange */
+/*****************************************/
+
+#ifdef LegPEioSecOOBo
+lemma legPEio_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPEio_secOOBo_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPEio_secOOBo_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legPEio_secOOBo_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legPEio_secOOBo_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPEio_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about LegPEio-SecOOBo exchange */
+/*********************************************/
+
+/******************************************/
+/* Lemmas about LegPEio-SecOOBio exchange */
+/******************************************/
+
+#ifdef LegPEioSecOOBio
+lemma legPEio_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPEio_secOOBio_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPEio_secOOBio_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legPEio_secOOBio_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legPEio_secOOBio_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPEio_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about LegPEio-SecOOBio exchange */
+/**********************************************/
+
+/**************************************/
+/* Lemmas about LegOOB-SecJW exchange */
+/**************************************/
+
+#ifdef LegOOBSecJW
+lemma legOOB_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legOOB_secJW_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legOOB_secJW_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legOOB_secJW_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legOOB_secJW_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legOOB_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about LegOOB-SecJW exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about LegOOB-SecPEi exchange */
+/***************************************/
+
+#ifdef LegOOBSecPEi
+lemma legOOB_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legOOB_secPEi_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legOOB_secPEi_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legOOB_secPEi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legOOB_secPEi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legOOB_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegOOB-SecPEi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about LegOOB-SecPEo exchange */
+/***************************************/
+
+#ifdef LegOOBSecPEo
+lemma legOOB_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legOOB_secPEo_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legOOB_secPEo_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legOOB_secPEo_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legOOB_secPEo_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legOOB_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegOOB-SecPEo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about LegOOB-SecPEio exchange */
+/****************************************/
+
+#ifdef LegOOBSecPEio
+lemma legOOB_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legOOB_secPEio_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legOOB_secPEio_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legOOB_secPEio_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legOOB_secPEio_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legOOB_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about LegOOB-SecPEio exchange */
+/********************************************/
+
+/**************************************/
+/* Lemmas about LegOOB-SecNC exchange */
+/**************************************/
+
+#ifdef LegOOBSecNC
+lemma legOOB_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legOOB_secNC_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legOOB_secNC_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni ci cr #k .
+ InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k
+ )
+"
+
+lemma legOOB_secNC_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==>
+ not (Ex #k . K(stk) @k )
+"
+
+lemma legOOB_secNC_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legOOB_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(stk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about LegOOB-SecNC exchange */
+/******************************************/
+
+/****************************************/
+/* Lemmas about LegOOB-SecOOBi exchange */
+/****************************************/
+
+#ifdef LegOOBSecOOBi
+lemma legOOB_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legOOB_secOOBi_auth_init:
+"
+ All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legOOB_secOOBi_auth_resp:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legOOB_secOOBi_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legOOB_secOOBi_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legOOB_secOOBi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegOOB-SecOOBi exchange */ +/********************************************/ + +/****************************************/ +/* Lemmas about LegOOB-SecOOBo exchange */ +/****************************************/ + +#ifdef LegOOBSecOOBo +lemma legOOB_secOOBo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . 
+ InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legOOB_secOOBo_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legOOB_secOOBo_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legOOB_secOOBo_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legOOB_secOOBo_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legOOB_secOOBo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegOOB-SecOOBo exchange */ +/********************************************/ + +/*****************************************/ +/* Lemmas about LegOOB-SecOOBio exchange */ +/*****************************************/ + +#ifdef LegOOBSecOOBio +lemma legOOB_secOOBio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legOOB_secOOBio_auth_init: +" + All idI idR capI capR ksI ksR tk nli nlr stk #i1 #i2 #j . + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, nli, nlr, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, ksR, idI, capI, ksI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legOOB_secOOBio_auth_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni ci cr #k . + InitSentRandom(idI, capI, ksI, idR, capR, ksR, tk, ni, ci, cr) @k + ) +" + +lemma legOOB_secOOBio_weaksecret_init: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, ksI, idR, capR, ksR, tk, ni, nr, stk) @j ==> + not (Ex #k . K(stk) @k ) +" + +lemma legOOB_secOOBio_weaksecret_resp: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j. 
+ InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, ksR, idI, capI, ksI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legOOB_secOOBio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegOOB()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, tk, ni, nr, stk) @j1 & + ResponderFinishedSecPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(stk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about LegOOB-SecOOBio exchange */ +/*********************************************/ + +/*************************************/ +/* Lemmas about SecJW-LegJW exchange */ +/*************************************/ + +#ifdef SecJWLegJW +lemma secJW_legJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoLegJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 + ) +" + +lemma secJW_legJW_auth_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegJW()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni nr ci cr #k. + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k + ) +" + +lemma secJW_legJW_auth_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoSecJW()[+] @i1 & RespWillDoLegJW()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei #k . 
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k + ) +" + +lemma secJW_legJW_weaksecret_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegJW()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + not (Ex #k. K(ltk) @k ) +" + +lemma secJW_legJW_weaksecret_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegJW()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + not (Ex #k. K(stk) @k ) +" + +lemma secJW_legJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==> + not (Ex #k1 #k2 . + K(ltk) @k1 & K(stk) @k2 + ) + ) +" + +#endif + +/*****************************************/ +/* End lemmas about SecJW-LegJW exchange */ +/*****************************************/ + +/**************************************/ +/* Lemmas about SecJW-LegPEi exchange */ +/**************************************/ + +#ifdef SecJWLegPEi +lemma secJW_legPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 + ) +" + +lemma secJW_legPEi_auth_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . 
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni nr ci cr #k. + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k + ) +" + +lemma secJW_legPEi_auth_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei #k . + InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k + ) +" + +lemma secJW_legPEi_weaksecret_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + not (Ex #k. K(ltk) @k ) +" + +lemma secJW_legPEi_weaksecret_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + not (Ex #k. K(stk) @k ) +" + +lemma secJW_legPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(ltk) @k1 & K(stk) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about SecJW-LegPEi exchange */ +/******************************************/ + +/**************************************/ +/* Lemmas about SecJW-LegPEo exchange */ +/**************************************/ + +#ifdef SecJWLegPEo +lemma secJW_legPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 + ) +" + +lemma secJW_legPEo_auth_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni nr ci cr #k. + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k + ) +" + +lemma secJW_legPEo_auth_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei #k . + InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k + ) +" + +lemma secJW_legPEo_weaksecret_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + not (Ex #k. K(ltk) @k ) +" + +lemma secJW_legPEo_weaksecret_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j . 
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + not (Ex #k. K(stk) @k ) +" + +lemma secJW_legPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==> + not (Ex #k1 #k2 . + K(ltk) @k1 & K(stk) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about SecJW-LegPEo exchange */ +/******************************************/ + +/***************************************/ +/* Lemmas about SecJW-LegPEio exchange */ +/***************************************/ + +#ifdef SecJWLegPEio +lemma secJW_legPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 + ) +" + +lemma secJW_legPEio_auth_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni nr ci cr #k. + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k + ) +" + +lemma secJW_legPEio_auth_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei #k . 
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k + ) +" + +lemma secJW_legPEio_weaksecret_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + not (Ex #k. K(ltk) @k ) +" + +lemma secJW_legPEio_weaksecret_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + not (Ex #k. K(stk) @k ) +" + +lemma secJW_legPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==> + not (Ex #k1 #k2 . + K(ltk) @k1 & K(stk) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecJW-LegPEio exchange */ +/*******************************************/ + +/**************************************/ +/* Lemmas about SecJW-LegOOB exchange */ +/**************************************/ + +#ifdef SecJWLegOOB +lemma secJW_legOOB_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 + ) +" + +lemma secJW_legOOB_auth_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . 
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni nr ci cr #k. + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k + ) +" + +lemma secJW_legOOB_auth_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoSecJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei #k . + InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k + ) +" + +lemma secJW_legOOB_weaksecret_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + not (Ex #k. K(ltk) @k ) +" + +lemma secJW_legOOB_weaksecret_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j . + InitWillDoSecJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + not (Ex #k. K(stk) @k ) +" + +lemma secJW_legOOB_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(ltk) @k1 & K(stk) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about SecJW-LegOOB exchange */ +/******************************************/ + +/**************************************/ +/* Lemmas about SecPEi-LegJW exchange */ +/**************************************/ + +#ifdef SecPEiLegJW +lemma secPEi_legJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 + ) +" + +lemma secPEi_legJW_auth_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni nr ci cr #k. + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k + ) +" + +lemma secPEi_legJW_auth_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoSecPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei #k . + InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k + ) +" + +lemma secPEi_legJW_weaksecret_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + not (Ex #k. K(ltk) @k ) +" + +lemma secPEi_legJW_weaksecret_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j . 
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + not (Ex #k. K(stk) @k ) +" + +lemma secPEi_legJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==> + not (Ex #k1 #k2 . + K(ltk) @k1 & K(stk) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about SecPEi-LegJW exchange */ +/******************************************/ + +/***************************************/ +/* Lemmas about SecPEi-LegPEi exchange */ +/***************************************/ + +#ifdef SecPEiLegPEi +lemma secPEi_legPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 + ) +" + +lemma secPEi_legPEi_auth_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni nr ci cr #k. + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k + ) +" + +lemma secPEi_legPEi_auth_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei #k . 
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k + ) +" + +lemma secPEi_legPEi_weaksecret_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + not (Ex #k. K(ltk) @k ) +" + +lemma secPEi_legPEi_weaksecret_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + not (Ex #k. K(stk) @k ) +" + +lemma secPEi_legPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==> + not (Ex #k1 #k2 . + K(ltk) @k1 & K(stk) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecPEi-LegPEi exchange */ +/*******************************************/ + +/***************************************/ +/* Lemmas about SecPEi-LegPEo exchange */ +/***************************************/ + +#ifdef SecPEiLegPEo +lemma secPEi_legPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 + ) +" + +lemma secPEi_legPEo_auth_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . 
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni nr ci cr #k. + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k + ) +" + +lemma secPEi_legPEo_auth_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei #k . + InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k + ) +" + +lemma secPEi_legPEo_weaksecret_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + not (Ex #k. K(ltk) @k ) +" + +lemma secPEi_legPEo_weaksecret_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + not (Ex #k. K(stk) @k ) +" + +lemma secPEi_legPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(ltk) @k1 & K(stk) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecPEi-LegPEo exchange */ +/*******************************************/ + +/****************************************/ +/* Lemmas about SecPEi-LegPEio exchange */ +/****************************************/ + +#ifdef SecPEiLegPEio +lemma secPEi_legPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 + ) +" + +lemma secPEi_legPEio_auth_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni nr ci cr #k. + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k + ) +" + +lemma secPEi_legPEio_auth_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei #k . + InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k + ) +" + +lemma secPEi_legPEio_weaksecret_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + not (Ex #k. K(ltk) @k ) +" + +lemma secPEi_legPEio_weaksecret_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j . 
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + not (Ex #k. K(stk) @k ) +" + +lemma secPEi_legPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==> + not (Ex #k1 #k2 . + K(ltk) @k1 & K(stk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about SecPEi-LegPEio exchange */ +/********************************************/ + +/***************************************/ +/* Lemmas about SecPEi-LegOOB exchange */ +/***************************************/ + +#ifdef SecPEiLegOOB +lemma secPEi_legOOB_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 + ) +" + +lemma secPEi_legOOB_auth_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni nr ci cr #k. + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k + ) +" + +lemma secPEi_legOOB_auth_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. 
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei #k . + InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k + ) +" + +lemma secPEi_legOOB_weaksecret_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + not (Ex #k. K(ltk) @k ) +" + +lemma secPEi_legOOB_weaksecret_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + not (Ex #k. K(stk) @k ) +" + +lemma secPEi_legOOB_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecPEi()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==> + not (Ex #k1 #k2 . + K(ltk) @k1 & K(stk) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecPEi-LegOOB exchange */ +/*******************************************/ + +/**************************************/ +/* Lemmas about SecPEo-LegJW exchange */ +/**************************************/ + +#ifdef SecPEoLegJW +lemma secPEo_legJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 + ) +" + +lemma secPEo_legJW_auth_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + (Ex tk ni nr ci cr #k. + RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k + ) +" + +lemma secPEo_legJW_auth_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j. + InitWillDoSecPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei #k . + InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k + ) +" + +lemma secPEo_legJW_weaksecret_init: +" + All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoSecPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 & + InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==> + not (Ex #k. K(ltk) @k ) +" + +lemma secPEo_legJW_weaksecret_resp: +" + All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j . + InitWillDoSecPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 & + ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==> + not (Ex #k. K(stk) @k ) +" + +lemma secPEo_legJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecPEo()[+] @i1 & RespWillDoLegJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 & + ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecPEo-LegJW exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about SecPEo-LegPEi exchange */
+/***************************************/
+
+#ifdef SecPEoLegPEi
+lemma secPEo_legPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secPEo_legPEi_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secPEo_legPEi_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEo_legPEi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEo_legPEi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secPEo_legPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEo-LegPEi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about SecPEo-LegPEo exchange */
+/***************************************/
+
+#ifdef SecPEoLegPEo
+lemma secPEo_legPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secPEo_legPEo_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secPEo_legPEo_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEo_legPEo_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEo_legPEo_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secPEo_legPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEo-LegPEo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecPEo-LegPEio exchange */
+/****************************************/
+
+#ifdef SecPEoLegPEio
+lemma secPEo_legPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secPEo_legPEio_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secPEo_legPEio_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEo_legPEio_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEo_legPEio_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secPEo_legPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEo-LegPEio exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about SecPEo-LegOOB exchange */
+/***************************************/
+
+#ifdef SecPEoLegOOB
+lemma secPEo_legOOB_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secPEo_legOOB_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secPEo_legOOB_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEo_legOOB_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEo_legOOB_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secPEo_legOOB_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEo-LegOOB exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about SecPEio-LegJW exchange */
+/***************************************/
+
+#ifdef SecPEioLegJW
+lemma secPEio_legJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secPEio_legJW_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secPEio_legJW_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEio_legJW_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEio_legJW_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secPEio_legJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEio-LegJW exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecPEio-LegPEi exchange */
+/****************************************/
+
+#ifdef SecPEioLegPEi
+lemma secPEio_legPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secPEio_legPEi_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secPEio_legPEi_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEio_legPEi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEio_legPEi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secPEio_legPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEio-LegPEi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecPEio-LegPEo exchange */
+/****************************************/
+
+#ifdef SecPEioLegPEo
+lemma secPEio_legPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secPEio_legPEo_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secPEio_legPEo_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEio_legPEo_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEio_legPEo_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secPEio_legPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEio-LegPEo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecPEio-LegPEio exchange */
+/*****************************************/
+
+#ifdef SecPEioLegPEio
+lemma secPEio_legPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secPEio_legPEio_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secPEio_legPEio_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEio_legPEio_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEio_legPEio_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secPEio_legPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEio-LegPEio exchange */
+/*********************************************/
+
+/****************************************/
+/* Lemmas about SecPEio-LegOOB exchange */
+/****************************************/
+
+#ifdef SecPEioLegOOB
+lemma secPEio_legOOB_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secPEio_legOOB_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secPEio_legOOB_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEio_legOOB_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEio_legOOB_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secPEio_legOOB_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEio-LegOOB exchange */
+/********************************************/
+
+/*************************************/
+/* Lemmas about SecNC-LegJW exchange */
+/*************************************/
+
+#ifdef SecNCLegJW
+lemma secNC_legJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secNC_legJW_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secNC_legJW_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secNC_legJW_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secNC_legJW_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secNC_legJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*****************************************/
+/* End lemmas about SecNC-LegJW exchange */
+/*****************************************/
+
+/**************************************/
+/* Lemmas about SecNC-LegPEi exchange */
+/**************************************/
+
+#ifdef SecNCLegPEi
+lemma secNC_legPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secNC_legPEi_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secNC_legPEi_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secNC_legPEi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secNC_legPEi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secNC_legPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecNC-LegPEi exchange */
+/******************************************/
+
+/**************************************/
+/* Lemmas about SecNC-LegPEo exchange */
+/**************************************/
+
+#ifdef SecNCLegPEo
+lemma secNC_legPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secNC_legPEo_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secNC_legPEo_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secNC_legPEo_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secNC_legPEo_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secNC_legPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecNC-LegPEo exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about SecNC-LegPEio exchange */
+/***************************************/
+
+#ifdef SecNCLegPEio
+lemma secNC_legPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secNC_legPEio_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secNC_legPEio_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secNC_legPEio_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secNC_legPEio_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secNC_legPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecNC-LegPEio exchange */
+/*******************************************/
+
+/**************************************/
+/* Lemmas about SecNC-LegOOB exchange */
+/**************************************/
+
+#ifdef SecNCLegOOB
+lemma secNC_legOOB_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secNC_legOOB_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secNC_legOOB_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secNC_legOOB_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secNC_legOOB_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secNC_legOOB_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecNC-LegOOB exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about SecOOBi-LegJW exchange */
+/***************************************/
+
+#ifdef SecOOBiLegJW
+lemma secOOBi_legJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBi_legJW_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBi_legJW_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBi_legJW_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBi_legJW_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBi_legJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecOOBi-LegJW exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecOOBi-LegPEi exchange */
+/****************************************/
+
+#ifdef SecOOBiLegPEi
+lemma secOOBi_legPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBi_legPEi_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBi_legPEi_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBi_legPEi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBi_legPEi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBi_legPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBi-LegPEi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecOOBi-LegPEo exchange */
+/****************************************/
+
+#ifdef SecOOBiLegPEo
+lemma secOOBi_legPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBi_legPEo_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBi_legPEo_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBi_legPEo_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBi_legPEo_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBi_legPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBi-LegPEo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBi-LegPEio exchange */
+/*****************************************/
+
+#ifdef SecOOBiLegPEio
+lemma secOOBi_legPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBi_legPEio_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBi_legPEio_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBi_legPEio_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBi_legPEio_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBi_legPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBi-LegPEio exchange */
+/*********************************************/
+
+/****************************************/
+/* Lemmas about SecOOBi-LegOOB exchange */
+/****************************************/
+
+#ifdef SecOOBiLegOOB
+lemma secOOBi_legOOB_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBi_legOOB_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBi_legOOB_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBi_legOOB_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBi_legOOB_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBi_legOOB_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBi-LegOOB exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about SecOOBo-LegJW exchange */
+/***************************************/
+
+#ifdef SecOOBoLegJW
+lemma secOOBo_legJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBo_legJW_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBo_legJW_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBo_legJW_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBo_legJW_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBo_legJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecOOBo-LegJW exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecOOBo-LegPEi exchange */
+/****************************************/
+
+#ifdef SecOOBoLegPEi
+lemma secOOBo_legPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBo_legPEi_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBo_legPEi_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBo_legPEi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBo_legPEi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBo_legPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBo-LegPEi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecOOBo-LegPEo exchange */
+/****************************************/
+
+#ifdef SecOOBoLegPEo
+lemma secOOBo_legPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBo_legPEo_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBo_legPEo_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBo_legPEo_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBo_legPEo_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBo_legPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBo-LegPEo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBo-LegPEio exchange */
+/*****************************************/
+
+#ifdef SecOOBoLegPEio
+lemma secOOBo_legPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBo_legPEio_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBo_legPEio_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBo_legPEio_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBo_legPEio_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBo_legPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBo-LegPEio exchange */
+/*********************************************/
+
+/****************************************/
+/* Lemmas about SecOOBo-LegOOB exchange */
+/****************************************/
+
+#ifdef SecOOBoLegOOB
+lemma secOOBo_legOOB_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBo_legOOB_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBo_legOOB_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBo_legOOB_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBo_legOOB_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBo_legOOB_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBo-LegOOB exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecOOBio-LegJW exchange */
+/****************************************/
+
+#ifdef SecOOBioLegJW
+lemma secOOBio_legJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBio_legJW_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBio_legJW_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBio_legJW_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBio_legJW_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegJW()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBio_legJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBio-LegJW exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBio-LegPEi exchange */
+/*****************************************/
+
+#ifdef SecOOBioLegPEi
+lemma secOOBio_legPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBio_legPEi_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBio_legPEi_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBio_legPEi_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBio_legPEi_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBio_legPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBio-LegPEi exchange */
+/*********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBio-LegPEo exchange */
+/*****************************************/
+
+#ifdef SecOOBioLegPEo
+lemma secOOBio_legPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBio_legPEo_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBio_legPEo_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBio_legPEo_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBio_legPEo_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBio_legPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBio-LegPEo exchange */
+/*********************************************/
+
+/******************************************/
+/* Lemmas about SecOOBio-LegPEio exchange */
+/******************************************/
+
+#ifdef SecOOBioLegPEio
+lemma secOOBio_legPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBio_legPEio_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBio_legPEio_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBio_legPEio_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBio_legPEio_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBio_legPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecOOBio-LegPEio exchange */
+/**********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBio-LegOOB exchange */
+/*****************************************/
+
+#ifdef SecOOBioLegOOB
+lemma secOOBio_legOOB_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2
+ )
+"
+
+lemma secOOBio_legOOB_auth_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ (Ex tk ni nr ci cr #k.
+ RespSentRandom(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, cr, ci) @k
+ )
+"
+
+lemma secOOBio_legOOB_auth_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j.
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBio_legOOB_weaksecret_init:
+"
+ All idI idR capI capR ksI ksR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, ksI, idR, capR, ksR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBio_legOOB_weaksecret_resp:
+"
+ All idI idR capI capR ksI ksR tk ni nr stk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegOOB()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, ksR, idI, capI, ksI, tk, nr, ni, stk) @j ==>
+ not (Ex #k. K(stk) @k )
+"
+
+lemma secOOBio_legOOB_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegOOB()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 ksI1 ksR1 idI2 idR2 capI2 capR2 ksI2 ksR2 tk ni nr stk pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, ksI1, idR1, capR1, ksR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, ksR2, idI2, capI2, ksI2, tk, nr, ni, stk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(stk) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about SecOOBio-LegOOB exchange */ +/*********************************************/ + +/* +* Command-line to generate a Tamarin file with the entire model without all preprocessor macros: +* tamarin-prover ble.spthy -DSecNCSecNC -DLegPEiSecPEo -DSecPEiLegOOB -DSecOOBiLegPEi -DRespLegPE -DLegPEiSecNC -DInitLegPE -DSecJWLegOOB -DLegJWSecJW -DLegPEiLegPEi -DLegPEiLegPEo -DLegJWSecPEo -DRespSecPEo -DSecOOBioSecNC -DLegJWLegPEio -DSecJWSecPEi -DLegPEiLegJW -DRespSec -DSecOOBiSecPEio -DSecPEiSecPEi -DSecPEoLegPEio -DSecOOBioLegOOB -DLegJWLegJW -DLegPEioLegOOB -DLegJWSecNC -DSecNCSecJW -DLegOOBSecPEi -DSecOOBioSecOOBio -DLegPEoLegPEio -DLegPEoSecPEio -DSecNCSecOOBo -DSecPEioSecJW -DInitSecOOBo -DLegOOBSecJW -DLegPEiSecJW -DLegOOBSecOOBi -DSecOOBiLegJW -DSecPEioSecOOBio -DInitSecJW -DLegJWSecOOBio -DRespSecJW -DSecJWLegPEo -DInoutInput -DLegPEioLegJW -DSecPEiSecOOBo -DSecOOBiSecJW -DLegPEoLegJW -DSecOOBoSecPEio -DSecPEioSecPEi -DLegPEiSecOOBo -DInitSecPEio -DLegPEiSecOOBi -DInitSecOOBi -DSecPEoSecJW -DInitLeg -DSecPEiLegPEo -DSecOOBoSecPEi -DRespSecOOBi -DLegOOBLegJW -DSecPEoLegJW -DLegPEioSecOOBi -DInitSecOOBio -DSecPEioSecPEo -DLegPEiSecPEi -DSecOOBoLegPEio -DSecPEoSecPEi -DSecPEiSecPEo -DSecPEiSecOOBi -DRespSecOOBo -DInitLegOOB -DSecPEoSecPEo -DLegJWLegPEi -DSecJWSecJW -DSecPEiLegPEi -DSecOOBoLegOOB -DRespLegPEi -DSecOOBiLegPEio -DSecJWSecNC -DInitLegJW -DSecJWSecOOBio -DRespLegOOB -DSecNCSecOOBi -DRespLeg -DLegPEioLegPEo -DSecNCLegPEo -DLegPEoLegPEi -DSecPEioSecOOBo -DInitSecPEo -DLegPEioSecOOBo -DLegOOBSecPEo -DSecPEoLegPEi -DSecJWSecOOBi -DRespSecPEi -DSecOOBioSecPEio -DSecNCLegJW -DRespSecOOBio -DInitSec -DSecPEoSecOOBi -DSecPEioSecNC -DSecPEiSecOOBio -DInputInput -DSecOOBioSecOOBo -DLegPEioSecNC -DRespLegPEo -DSecNCSecPEio -DSecOOBioSecOOBi -DOutputOutput -DLegJWLegPEo -DLegOOBSecPEio -DSecOOBiSecOOBi -DSecPEioSecPEio -DSecOOBoSecOOBi -DInitLegPEo 
-DLegJWSecPEi -DSecPEiSecNC -DLegJWSecOOBi -DLegPEiSecOOBio -DSecPEoLegOOB -DRespSecPE -DSecOOBoSecPEo -DSecPEioLegPEo -DLegPEoSecJW -DInitSecNC -DLegPEoSecOOBio -DInputOutput -DLegOOBSecOOBio -DSecOOBoLegPEi -DInoutOutput -DSecOOBioSecPEi -DSecPEiLegJW -DSecOOBiLegPEo -DSecOOBioSecPEo -DLegOOBLegPEio -DLegOOBSecNC -DSecOOBoSecOOBio -DLegPEoSecPEi -DSecOOBioLegPEio -DSecOOBiSecPEo -DSecOOBoSecOOBo -DSecNCLegPEi -DSecJWSecOOBo -DSecPEoSecOOBo -DSecOOBioSecJW -DSecJWLegJW -DLegPEioSecPEi -DSecPEiSecPEio -DSecPEoSecOOBio -DLegOOBLegOOB -DSecOOBiSecOOBio -DInitSecPE -DRespSecNC -DSecOOBioLegPEi -DLegJWSecOOBo -DSecNCLegOOB -DLegPEoLegPEo -DInitSecOOB -DSecOOBoLegJW -DLegPEioSecPEio -DLegPEoSecOOBi -DLegOOBLegPEo -DLegPEioSecPEo -DSecOOBiLegOOB -DLegPEoLegOOB -DSecNCLegPEio -DSecPEiSecJW -DRespSecPEio -DSecNCSecPEi -DOutputInput -DLegPEoSecPEo -DLegPEioSecJW -DSecOOBoSecJW -DInitLegPEio -DOutputInout -DSecPEiLegPEio -DSecPEioLegJW -DSecOOBoLegPEo -DInoutInout -DLegPEoSecOOBo -DRespLegJW -DLegOOBSecOOBo -DSecOOBoSecNC -DLegPEioLegPEi -DLegJWLegOOB -DLegPEoSecNC -DSecPEoLegPEo -DLegPEioSecOOBio -DRespSecOOB -DInitLegPEi -DSecJWLegPEi -DLegPEiLegOOB -DSecNCSecOOBio -DRespLegPEio -DSecPEioLegPEio -DInputInout -DSecNCSecPEo -DSecOOBiSecNC -DSecOOBiSecPEi -DSecOOBioLegPEo -DSecJWSecPEio -DSecOOBioLegJW -DSecOOBiSecOOBo -DSecJWLegPEio -DSecPEioLegPEi -DLegOOBLegPEi -DLegJWSecPEio -DLegPEiSecPEio -DInitSecPEi -DSecJWSecPEo -DLegPEiLegPEio -DSecPEioLegOOB -DSecPEoSecPEio -DSecPEoSecNC -DLegPEioLegPEio -DSecPEioSecOOBi +*/ + +/* Command lines to prove individual cases: +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespLeg -DRespLegJW -DLegJWLegJW --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespLeg -DRespLegPE -DRespLegPEi -DLegJWLegPEi --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespLeg -DRespLegPE -DRespLegPEo -DLegJWLegPEo --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespLeg -DRespLegPE -DRespLegPEio -DLegJWLegPEio --prove 
+tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespLeg -DRespLegOOB -DLegJWLegOOB --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespLeg -DRespLegJW -DLegPEiLegJW -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespLeg -DRespLegPE -DRespLegPEi -DLegPEiLegPEi -DInputInput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespLeg -DRespLegPE -DRespLegPEo -DLegPEiLegPEo -DInputOutput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespLeg -DRespLegPE -DRespLegPEio -DLegPEiLegPEio -DInputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespLeg -DRespLegOOB -DLegPEiLegOOB -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespLeg -DRespLegJW -DLegPEoLegJW -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespLeg -DRespLegPE -DRespLegPEi -DLegPEoLegPEi -DOutputInput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespLeg -DRespLegPE -DRespLegPEo -DLegPEoLegPEo -DOutputOutput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespLeg -DRespLegPE -DRespLegPEio -DLegPEoLegPEio -DOutputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespLeg -DRespLegOOB -DLegPEoLegOOB -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespLeg -DRespLegJW -DLegPEioLegJW -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespLeg -DRespLegPE -DRespLegPEi -DLegPEioLegPEi -DInoutInput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespLeg -DRespLegPE -DRespLegPEo -DLegPEioLegPEo -DInoutOutput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespLeg -DRespLegPE -DRespLegPEio 
-DLegPEioLegPEio -DInoutInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespLeg -DRespLegOOB -DLegPEioLegOOB -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespLeg -DRespLegJW -DLegOOBLegJW --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespLeg -DRespLegPE -DRespLegPEi -DLegOOBLegPEi --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespLeg -DRespLegPE -DRespLegPEo -DLegOOBLegPEo --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespLeg -DRespLegPE -DRespLegPEio -DLegOOBLegPEio --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespLeg -DRespLegOOB -DLegOOBLegOOB --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecJW -DSecJWSecJW --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEi -DSecJWSecPEi --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEo -DSecJWSecPEo --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEio -DSecJWSecPEio --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecNC -DSecJWSecNC --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBi -DSecJWSecOOBi --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBo -DSecJWSecOOBo --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBio -DSecJWSecOOBio --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecJW -DSecPEiSecJW -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecPE -DRespSecPEi -DSecPEiSecPEi -DInputInput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecPE -DRespSecPEo -DSecPEiSecPEo -DInputOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi 
-DRespSec -DRespSecPE -DRespSecPEio -DSecPEiSecPEio -DInputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecNC -DSecPEiSecNC -DInputOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEiSecOOBi -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEiSecOOBo -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEiSecOOBio -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecJW -DSecPEoSecJW -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEi -DSecPEoSecPEi -DOutputInput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEo -DSecPEoSecPEo -DOutputOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEio -DSecPEoSecPEio -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecNC -DSecPEoSecNC -DOutputOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEoSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEoSecOOBo -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEoSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecJW -DSecPEioSecJW -DInoutInput -DInoutOutput -DInoutInout --prove 
+tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEi -DSecPEioSecPEi -DInoutInput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEo -DSecPEioSecPEo -DInoutOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEio -DSecPEioSecPEio -DInoutInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecNC -DSecPEioSecNC -DInoutOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEioSecOOBi -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEioSecOOBo -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEioSecOOBio -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecJW -DSecNCSecJW -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEi -DSecNCSecPEi -DOutputInput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEo -DSecNCSecPEo -DOutputOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEio -DSecNCSecPEio -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecNC -DSecNCSecNC -DOutputOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB -DRespSecOOBi -DSecNCSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB -DRespSecOOBo -DSecNCSecOOBo -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB 
-DRespSecOOBio -DSecNCSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecJW -DSecOOBiSecJW --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBiSecPEi --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBiSecPEo --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBiSecPEio --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecNC -DSecOOBiSecNC --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBiSecOOBi --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBiSecOOBo --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBiSecOOBio --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecJW -DSecOOBoSecJW --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBoSecPEi --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBoSecPEo --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBoSecPEio --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecNC -DSecOOBoSecNC --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBoSecOOBi --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBoSecOOBo --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBoSecOOBio 
--prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecJW -DSecOOBioSecJW --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBioSecPEi --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBioSecPEo --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBioSecPEio --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecNC -DSecOOBioSecNC --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBioSecOOBi --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBioSecOOBo --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBioSecOOBio --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecJW -DLegJWSecJW --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecPE -DRespSecPEi -DLegJWSecPEi --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecPE -DRespSecPEo -DLegJWSecPEo --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecPE -DRespSecPEio -DLegJWSecPEio --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecNC -DLegJWSecNC --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecOOB -DRespSecOOBi -DLegJWSecOOBi --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecOOB -DRespSecOOBo -DLegJWSecOOBo --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegJW -DRespSec -DRespSecOOB -DRespSecOOBio -DLegJWSecOOBio --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecJW -DLegPEiSecJW -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitLeg 
-DInitLegPE -DInitLegPEi -DRespSec -DRespSecPE -DRespSecPEi -DLegPEiSecPEi -DInputInput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecPE -DRespSecPEo -DLegPEiSecPEo -DInputOutput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecPE -DRespSecPEio -DLegPEiSecPEio -DInputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecNC -DLegPEiSecNC -DInputOutput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPEiSecOOBi -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPEiSecOOBo -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEi -DRespSec -DRespSecOOB -DRespSecOOBio -DLegPEiSecOOBio -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecJW -DLegPEoSecJW -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecPE -DRespSecPEi -DLegPEoSecPEi -DOutputInput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecPE -DRespSecPEo -DLegPEoSecPEo -DOutputOutput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecPE -DRespSecPEio -DLegPEoSecPEio -DOutputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecNC -DLegPEoSecNC -DOutputOutput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPEoSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPEoSecOOBo -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy 
-DInitLeg -DInitLegPE -DInitLegPEo -DRespSec -DRespSecOOB -DRespSecOOBio -DLegPEoSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecJW -DLegPEioSecJW -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecPE -DRespSecPEi -DLegPEioSecPEi -DInoutInput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecPE -DRespSecPEo -DLegPEioSecPEo -DInoutOutput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecPE -DRespSecPEio -DLegPEioSecPEio -DInoutInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecNC -DLegPEioSecNC -DInoutOutput --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPEioSecOOBi -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPEioSecOOBo -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegPE -DInitLegPEio -DRespSec -DRespSecOOB -DRespSecOOBio -DLegPEioSecOOBio -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecJW -DLegOOBSecJW --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecPE -DRespSecPEi -DLegOOBSecPEi --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecPE -DRespSecPEo -DLegOOBSecPEo --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecPE -DRespSecPEio -DLegOOBSecPEio --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecNC -DLegOOBSecNC --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecOOB -DRespSecOOBi -DLegOOBSecOOBi --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecOOB 
-DRespSecOOBo -DLegOOBSecOOBo --prove +tamarin-prover ble.spthy -DInitLeg -DInitLegOOB -DRespSec -DRespSecOOB -DRespSecOOBio -DLegOOBSecOOBio --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegJW -DSecJWLegJW --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPE -DRespLegPEi -DSecJWLegPEi --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPE -DRespLegPEo -DSecJWLegPEo --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPE -DRespLegPEio -DSecJWLegPEio --prove +tamarin-prover ble.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegOOB -DSecJWLegOOB --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegJW -DSecPEiLegJW -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPE -DRespLegPEi -DSecPEiLegPEi -DInputInput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPE -DRespLegPEo -DSecPEiLegPEo -DInputOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPE -DRespLegPEio -DSecPEiLegPEio -DInputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegOOB -DSecPEiLegOOB -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegJW -DSecPEoLegJW -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPE -DRespLegPEi -DSecPEoLegPEi -DOutputInput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPE -DRespLegPEo -DSecPEoLegPEo -DOutputOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPE -DRespLegPEio -DSecPEoLegPEio -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegOOB -DSecPEoLegOOB 
-DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegJW -DSecPEioLegJW -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPE -DRespLegPEi -DSecPEioLegPEi -DInoutInput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPE -DRespLegPEo -DSecPEioLegPEo -DInoutOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPE -DRespLegPEio -DSecPEioLegPEio -DInoutInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegOOB -DSecPEioLegOOB -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegJW -DSecNCLegJW -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPE -DRespLegPEi -DSecNCLegPEi -DOutputInput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPE -DRespLegPEo -DSecNCLegPEo -DOutputOutput --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPE -DRespLegPEio -DSecNCLegPEio -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegOOB -DSecNCLegOOB -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegJW -DSecOOBiLegJW --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegPE -DRespLegPEi -DSecOOBiLegPEi --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegPE -DRespLegPEo -DSecOOBiLegPEo --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegPE -DRespLegPEio -DSecOOBiLegPEio --prove +tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegOOB -DSecOOBiLegOOB --prove +tamarin-prover ble.spthy 
-DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegJW -DSecOOBoLegJW --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPE -DRespLegPEi -DSecOOBoLegPEi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPE -DRespLegPEo -DSecOOBoLegPEo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPE -DRespLegPEio -DSecOOBoLegPEio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegOOB -DSecOOBoLegOOB --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegJW -DSecOOBioLegJW --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPE -DRespLegPEi -DSecOOBioLegPEi --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPE -DRespLegPEo -DSecOOBioLegPEo --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPE -DRespLegPEio -DSecOOBioLegPEio --prove
+tamarin-prover ble.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegOOB -DSecOOBioLegOOB --prove
+
+
+JSON configuration file:
+{
+"LegJWLegJW": ["InitLeg","InitLegJW","RespLeg","RespLegJW","LegJWLegJW"],
+"LegJWLegPEi": ["InitLeg","InitLegJW","RespLeg","RespLegPE","RespLegPEi","LegJWLegPEi"],
+"LegJWLegPEo": ["InitLeg","InitLegJW","RespLeg","RespLegPE","RespLegPEo","LegJWLegPEo"],
+"LegJWLegPEio": ["InitLeg","InitLegJW","RespLeg","RespLegPE","RespLegPEio","LegJWLegPEio"],
+"LegJWLegOOB": ["InitLeg","InitLegJW","RespLeg","RespLegOOB","LegJWLegOOB"],
+"LegPEiLegJW": ["InitLeg","InitLegPE","InitLegPEi","RespLeg","RespLegJW","LegPEiLegJW","InputInput","InputOutput","InputInout"],
+"LegPEiLegPEi": ["InitLeg","InitLegPE","InitLegPEi","RespLeg","RespLegPE","RespLegPEi","LegPEiLegPEi","InputInput"],
+"LegPEiLegPEo": ["InitLeg","InitLegPE","InitLegPEi","RespLeg","RespLegPE","RespLegPEo","LegPEiLegPEo","InputOutput"],
+"LegPEiLegPEio": ["InitLeg","InitLegPE","InitLegPEi","RespLeg","RespLegPE","RespLegPEio","LegPEiLegPEio","InputInout"],
+"LegPEiLegOOB": ["InitLeg","InitLegPE","InitLegPEi","RespLeg","RespLegOOB","LegPEiLegOOB","InputInput","InputOutput","InputInout"],
+"LegPEoLegJW": ["InitLeg","InitLegPE","InitLegPEo","RespLeg","RespLegJW","LegPEoLegJW","OutputInput","OutputOutput","OutputInout"],
+"LegPEoLegPEi": ["InitLeg","InitLegPE","InitLegPEo","RespLeg","RespLegPE","RespLegPEi","LegPEoLegPEi","OutputInput"],
+"LegPEoLegPEo": ["InitLeg","InitLegPE","InitLegPEo","RespLeg","RespLegPE","RespLegPEo","LegPEoLegPEo","OutputOutput"],
+"LegPEoLegPEio": ["InitLeg","InitLegPE","InitLegPEo","RespLeg","RespLegPE","RespLegPEio","LegPEoLegPEio","OutputInout"],
+"LegPEoLegOOB": ["InitLeg","InitLegPE","InitLegPEo","RespLeg","RespLegOOB","LegPEoLegOOB","OutputInput","OutputOutput","OutputInout"],
+"LegPEioLegJW": ["InitLeg","InitLegPE","InitLegPEio","RespLeg","RespLegJW","LegPEioLegJW","InoutInput","InoutOutput","InoutInout"],
+"LegPEioLegPEi": ["InitLeg","InitLegPE","InitLegPEio","RespLeg","RespLegPE","RespLegPEi","LegPEioLegPEi","InoutInput"],
+"LegPEioLegPEo": ["InitLeg","InitLegPE","InitLegPEio","RespLeg","RespLegPE","RespLegPEo","LegPEioLegPEo","InoutOutput"],
+"LegPEioLegPEio": ["InitLeg","InitLegPE","InitLegPEio","RespLeg","RespLegPE","RespLegPEio","LegPEioLegPEio","InoutInout"],
+"LegPEioLegOOB": ["InitLeg","InitLegPE","InitLegPEio","RespLeg","RespLegOOB","LegPEioLegOOB","InoutInput","InoutOutput","InoutInout"],
+"LegOOBLegJW": ["InitLeg","InitLegOOB","RespLeg","RespLegJW","LegOOBLegJW"],
+"LegOOBLegPEi": ["InitLeg","InitLegOOB","RespLeg","RespLegPE","RespLegPEi","LegOOBLegPEi"],
+"LegOOBLegPEo": ["InitLeg","InitLegOOB","RespLeg","RespLegPE","RespLegPEo","LegOOBLegPEo"],
+"LegOOBLegPEio": ["InitLeg","InitLegOOB","RespLeg","RespLegPE","RespLegPEio","LegOOBLegPEio"],
+"LegOOBLegOOB": ["InitLeg","InitLegOOB","RespLeg","RespLegOOB","LegOOBLegOOB"],
+"SecJWSecJW": ["InitSec","InitSecJW","RespSec","RespSecJW","SecJWSecJW"],
+"SecJWSecPEi": ["InitSec","InitSecJW","RespSec","RespSecPE","RespSecPEi","SecJWSecPEi"],
+"SecJWSecPEo": ["InitSec","InitSecJW","RespSec","RespSecPE","RespSecPEo","SecJWSecPEo"],
+"SecJWSecPEio": ["InitSec","InitSecJW","RespSec","RespSecPE","RespSecPEio","SecJWSecPEio"],
+"SecJWSecNC": ["InitSec","InitSecJW","RespSec","RespSecNC","SecJWSecNC"],
+"SecJWSecOOBi": ["InitSec","InitSecJW","RespSec","RespSecOOB","RespSecOOBi","SecJWSecOOBi"],
+"SecJWSecOOBo": ["InitSec","InitSecJW","RespSec","RespSecOOB","RespSecOOBo","SecJWSecOOBo"],
+"SecJWSecOOBio": ["InitSec","InitSecJW","RespSec","RespSecOOB","RespSecOOBio","SecJWSecOOBio"],
+"SecPEiSecJW": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecJW","SecPEiSecJW","InputInput","InputOutput","InputInout"],
+"SecPEiSecPEi": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecPE","RespSecPEi","SecPEiSecPEi","InputInput"],
+"SecPEiSecPEo": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecPE","RespSecPEo","SecPEiSecPEo","InputOutput"],
+"SecPEiSecPEio": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecPE","RespSecPEio","SecPEiSecPEio","InputInout"],
+"SecPEiSecNC": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecNC","SecPEiSecNC","InputOutput"],
+"SecPEiSecOOBi": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecOOB","RespSecOOBi","SecPEiSecOOBi","InputInput","InputOutput","InputInout"],
+"SecPEiSecOOBo": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecOOB","RespSecOOBo","SecPEiSecOOBo","InputInput","InputOutput","InputInout"],
+"SecPEiSecOOBio": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecOOB","RespSecOOBio","SecPEiSecOOBio","InputInput","InputOutput","InputInout"],
+"SecPEoSecJW": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecJW","SecPEoSecJW","OutputInput","OutputOutput","OutputInout"],
+"SecPEoSecPEi": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecPE","RespSecPEi","SecPEoSecPEi","OutputInput"],
+"SecPEoSecPEo": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecPE","RespSecPEo","SecPEoSecPEo","OutputOutput"],
+"SecPEoSecPEio": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecPE","RespSecPEio","SecPEoSecPEio","OutputInout"],
+"SecPEoSecNC": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecNC","SecPEoSecNC","OutputOutput"],
+"SecPEoSecOOBi": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecOOB","RespSecOOBi","SecPEoSecOOBi","OutputInput","OutputOutput","OutputInout"],
+"SecPEoSecOOBo": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecOOB","RespSecOOBo","SecPEoSecOOBo","OutputInput","OutputOutput","OutputInout"],
+"SecPEoSecOOBio": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecOOB","RespSecOOBio","SecPEoSecOOBio","OutputInput","OutputOutput","OutputInout"],
+"SecPEioSecJW": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecJW","SecPEioSecJW","InoutInput","InoutOutput","InoutInout"],
+"SecPEioSecPEi": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecPE","RespSecPEi","SecPEioSecPEi","InoutInput"],
+"SecPEioSecPEo": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecPE","RespSecPEo","SecPEioSecPEo","InoutOutput"],
+"SecPEioSecPEio": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecPE","RespSecPEio","SecPEioSecPEio","InoutInout"],
+"SecPEioSecNC": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecNC","SecPEioSecNC","InoutOutput"],
+"SecPEioSecOOBi": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecOOB","RespSecOOBi","SecPEioSecOOBi","InoutInput","InoutOutput","InoutInout"],
+"SecPEioSecOOBo": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecOOB","RespSecOOBo","SecPEioSecOOBo","InoutInput","InoutOutput","InoutInout"],
+"SecPEioSecOOBio": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecOOB","RespSecOOBio","SecPEioSecOOBio","InoutInput","InoutOutput","InoutInout"],
+"SecNCSecJW": ["InitSec","InitSecNC","RespSec","RespSecJW","SecNCSecJW","OutputInput","OutputOutput","OutputInout"],
+"SecNCSecPEi": ["InitSec","InitSecNC","RespSec","RespSecPE","RespSecPEi","SecNCSecPEi","OutputInput"],
+"SecNCSecPEo": ["InitSec","InitSecNC","RespSec","RespSecPE","RespSecPEo","SecNCSecPEo","OutputOutput"],
+"SecNCSecPEio": ["InitSec","InitSecNC","RespSec","RespSecPE","RespSecPEio","SecNCSecPEio","OutputInout"],
+"SecNCSecNC": ["InitSec","InitSecNC","RespSec","RespSecNC","SecNCSecNC","OutputOutput"],
+"SecNCSecOOBi": ["InitSec","InitSecNC","RespSec","RespSecOOB","RespSecOOBi","SecNCSecOOBi","OutputInput","OutputOutput","OutputInout"],
+"SecNCSecOOBo": ["InitSec","InitSecNC","RespSec","RespSecOOB","RespSecOOBo","SecNCSecOOBo","OutputInput","OutputOutput","OutputInout"],
+"SecNCSecOOBio": ["InitSec","InitSecNC","RespSec","RespSecOOB","RespSecOOBio","SecNCSecOOBio","OutputInput","OutputOutput","OutputInout"],
+"SecOOBiSecJW": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecJW","SecOOBiSecJW"],
+"SecOOBiSecPEi": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecPE","RespSecPEi","SecOOBiSecPEi"],
+"SecOOBiSecPEo": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecPE","RespSecPEo","SecOOBiSecPEo"],
+"SecOOBiSecPEio": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecPE","RespSecPEio","SecOOBiSecPEio"],
+"SecOOBiSecNC": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecNC","SecOOBiSecNC"],
+"SecOOBiSecOOBi": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecOOB","RespSecOOBi","SecOOBiSecOOBi"],
+"SecOOBiSecOOBo": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecOOB","RespSecOOBo","SecOOBiSecOOBo"],
+"SecOOBiSecOOBio": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecOOB","RespSecOOBio","SecOOBiSecOOBio"],
+"SecOOBoSecJW": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecJW","SecOOBoSecJW"],
+"SecOOBoSecPEi": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecPE","RespSecPEi","SecOOBoSecPEi"],
+"SecOOBoSecPEo": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecPE","RespSecPEo","SecOOBoSecPEo"],
+"SecOOBoSecPEio": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecPE","RespSecPEio","SecOOBoSecPEio"],
+"SecOOBoSecNC": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecNC","SecOOBoSecNC"],
+"SecOOBoSecOOBi": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecOOB","RespSecOOBi","SecOOBoSecOOBi"],
+"SecOOBoSecOOBo": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecOOB","RespSecOOBo","SecOOBoSecOOBo"],
+"SecOOBoSecOOBio": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecOOB","RespSecOOBio","SecOOBoSecOOBio"],
+"SecOOBioSecJW": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecJW","SecOOBioSecJW"],
+"SecOOBioSecPEi": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecPE","RespSecPEi","SecOOBioSecPEi"],
+"SecOOBioSecPEo": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecPE","RespSecPEo","SecOOBioSecPEo"],
+"SecOOBioSecPEio": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecPE","RespSecPEio","SecOOBioSecPEio"],
+"SecOOBioSecNC": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecNC","SecOOBioSecNC"],
+"SecOOBioSecOOBi": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecOOB","RespSecOOBi","SecOOBioSecOOBi"],
+"SecOOBioSecOOBo": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecOOB","RespSecOOBo","SecOOBioSecOOBo"],
+"SecOOBioSecOOBio": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecOOB","RespSecOOBio","SecOOBioSecOOBio"],
+"LegJWSecJW": ["InitLeg","InitLegJW","RespSec","RespSecJW","LegJWSecJW"],
+"LegJWSecPEi": ["InitLeg","InitLegJW","RespSec","RespSecPE","RespSecPEi","LegJWSecPEi"],
+"LegJWSecPEo": ["InitLeg","InitLegJW","RespSec","RespSecPE","RespSecPEo","LegJWSecPEo"],
+"LegJWSecPEio": ["InitLeg","InitLegJW","RespSec","RespSecPE","RespSecPEio","LegJWSecPEio"],
+"LegJWSecNC": ["InitLeg","InitLegJW","RespSec","RespSecNC","LegJWSecNC"],
+"LegJWSecOOBi": ["InitLeg","InitLegJW","RespSec","RespSecOOB","RespSecOOBi","LegJWSecOOBi"],
+"LegJWSecOOBo": ["InitLeg","InitLegJW","RespSec","RespSecOOB","RespSecOOBo","LegJWSecOOBo"],
+"LegJWSecOOBio": ["InitLeg","InitLegJW","RespSec","RespSecOOB","RespSecOOBio","LegJWSecOOBio"],
+"LegPEiSecJW": ["InitLeg","InitLegPE","InitLegPEi","RespSec","RespSecJW","LegPEiSecJW","InputInput","InputOutput","InputInout"],
+"LegPEiSecPEi": ["InitLeg","InitLegPE","InitLegPEi","RespSec","RespSecPE","RespSecPEi","LegPEiSecPEi","InputInput"],
+"LegPEiSecPEo": ["InitLeg","InitLegPE","InitLegPEi","RespSec","RespSecPE","RespSecPEo","LegPEiSecPEo","InputOutput"],
+"LegPEiSecPEio": ["InitLeg","InitLegPE","InitLegPEi","RespSec","RespSecPE","RespSecPEio","LegPEiSecPEio","InputInout"],
+"LegPEiSecNC": ["InitLeg","InitLegPE","InitLegPEi","RespSec","RespSecNC","LegPEiSecNC","InputOutput"],
+"LegPEiSecOOBi": ["InitLeg","InitLegPE","InitLegPEi","RespSec","RespSecOOB","RespSecOOBi","LegPEiSecOOBi","InputInput","InputOutput","InputInout"],
+"LegPEiSecOOBo": ["InitLeg","InitLegPE","InitLegPEi","RespSec","RespSecOOB","RespSecOOBo","LegPEiSecOOBo","InputInput","InputOutput","InputInout"],
+"LegPEiSecOOBio": ["InitLeg","InitLegPE","InitLegPEi","RespSec","RespSecOOB","RespSecOOBio","LegPEiSecOOBio","InputInput","InputOutput","InputInout"],
+"LegPEoSecJW": ["InitLeg","InitLegPE","InitLegPEo","RespSec","RespSecJW","LegPEoSecJW","OutputInput","OutputOutput","OutputInout"],
+"LegPEoSecPEi": ["InitLeg","InitLegPE","InitLegPEo","RespSec","RespSecPE","RespSecPEi","LegPEoSecPEi","OutputInput"],
+"LegPEoSecPEo": ["InitLeg","InitLegPE","InitLegPEo","RespSec","RespSecPE","RespSecPEo","LegPEoSecPEo","OutputOutput"],
+"LegPEoSecPEio": ["InitLeg","InitLegPE","InitLegPEo","RespSec","RespSecPE","RespSecPEio","LegPEoSecPEio","OutputInout"],
+"LegPEoSecNC": ["InitLeg","InitLegPE","InitLegPEo","RespSec","RespSecNC","LegPEoSecNC","OutputOutput"],
+"LegPEoSecOOBi": ["InitLeg","InitLegPE","InitLegPEo","RespSec","RespSecOOB","RespSecOOBi","LegPEoSecOOBi","OutputInput","OutputOutput","OutputInout"],
+"LegPEoSecOOBo": ["InitLeg","InitLegPE","InitLegPEo","RespSec","RespSecOOB","RespSecOOBo","LegPEoSecOOBo","OutputInput","OutputOutput","OutputInout"],
+"LegPEoSecOOBio": ["InitLeg","InitLegPE","InitLegPEo","RespSec","RespSecOOB","RespSecOOBio","LegPEoSecOOBio","OutputInput","OutputOutput","OutputInout"],
+"LegPEioSecJW": ["InitLeg","InitLegPE","InitLegPEio","RespSec","RespSecJW","LegPEioSecJW","InoutInput","InoutOutput","InoutInout"],
+"LegPEioSecPEi": ["InitLeg","InitLegPE","InitLegPEio","RespSec","RespSecPE","RespSecPEi","LegPEioSecPEi","InoutInput"],
+"LegPEioSecPEo": ["InitLeg","InitLegPE","InitLegPEio","RespSec","RespSecPE","RespSecPEo","LegPEioSecPEo","InoutOutput"],
+"LegPEioSecPEio": ["InitLeg","InitLegPE","InitLegPEio","RespSec","RespSecPE","RespSecPEio","LegPEioSecPEio","InoutInout"],
+"LegPEioSecNC": ["InitLeg","InitLegPE","InitLegPEio","RespSec","RespSecNC","LegPEioSecNC","InoutOutput"],
+"LegPEioSecOOBi": ["InitLeg","InitLegPE","InitLegPEio","RespSec","RespSecOOB","RespSecOOBi","LegPEioSecOOBi","InoutInput","InoutOutput","InoutInout"],
+"LegPEioSecOOBo": ["InitLeg","InitLegPE","InitLegPEio","RespSec","RespSecOOB","RespSecOOBo","LegPEioSecOOBo","InoutInput","InoutOutput","InoutInout"],
+"LegPEioSecOOBio": ["InitLeg","InitLegPE","InitLegPEio","RespSec","RespSecOOB","RespSecOOBio","LegPEioSecOOBio","InoutInput","InoutOutput","InoutInout"],
+"LegOOBSecJW": ["InitLeg","InitLegOOB","RespSec","RespSecJW","LegOOBSecJW"],
+"LegOOBSecPEi": ["InitLeg","InitLegOOB","RespSec","RespSecPE","RespSecPEi","LegOOBSecPEi"],
+"LegOOBSecPEo": ["InitLeg","InitLegOOB","RespSec","RespSecPE","RespSecPEo","LegOOBSecPEo"],
+"LegOOBSecPEio": ["InitLeg","InitLegOOB","RespSec","RespSecPE","RespSecPEio","LegOOBSecPEio"],
+"LegOOBSecNC": ["InitLeg","InitLegOOB","RespSec","RespSecNC","LegOOBSecNC"],
+"LegOOBSecOOBi": ["InitLeg","InitLegOOB","RespSec","RespSecOOB","RespSecOOBi","LegOOBSecOOBi"],
+"LegOOBSecOOBo": ["InitLeg","InitLegOOB","RespSec","RespSecOOB","RespSecOOBo","LegOOBSecOOBo"],
+"LegOOBSecOOBio": ["InitLeg","InitLegOOB","RespSec","RespSecOOB","RespSecOOBio","LegOOBSecOOBio"],
+"SecJWLegJW": ["InitSec","InitSecJW","RespLeg","RespLegJW","SecJWLegJW"],
+"SecJWLegPEi": ["InitSec","InitSecJW","RespLeg","RespLegPE","RespLegPEi","SecJWLegPEi"],
+"SecJWLegPEo": ["InitSec","InitSecJW","RespLeg","RespLegPE","RespLegPEo","SecJWLegPEo"],
+"SecJWLegPEio": ["InitSec","InitSecJW","RespLeg","RespLegPE","RespLegPEio","SecJWLegPEio"],
+"SecJWLegOOB": ["InitSec","InitSecJW","RespLeg","RespLegOOB","SecJWLegOOB"],
+"SecPEiLegJW": ["InitSec","InitSecPE","InitSecPEi","RespLeg","RespLegJW","SecPEiLegJW","InputInput","InputOutput","InputInout"],
+"SecPEiLegPEi": ["InitSec","InitSecPE","InitSecPEi","RespLeg","RespLegPE","RespLegPEi","SecPEiLegPEi","InputInput"],
+"SecPEiLegPEo": ["InitSec","InitSecPE","InitSecPEi","RespLeg","RespLegPE","RespLegPEo","SecPEiLegPEo","InputOutput"],
+"SecPEiLegPEio": ["InitSec","InitSecPE","InitSecPEi","RespLeg","RespLegPE","RespLegPEio","SecPEiLegPEio","InputInout"],
+"SecPEiLegOOB": ["InitSec","InitSecPE","InitSecPEi","RespLeg","RespLegOOB","SecPEiLegOOB","InputInput","InputOutput","InputInout"],
+"SecPEoLegJW": ["InitSec","InitSecPE","InitSecPEo","RespLeg","RespLegJW","SecPEoLegJW","OutputInput","OutputOutput","OutputInout"],
+"SecPEoLegPEi": ["InitSec","InitSecPE","InitSecPEo","RespLeg","RespLegPE","RespLegPEi","SecPEoLegPEi","OutputInput"],
+"SecPEoLegPEo": ["InitSec","InitSecPE","InitSecPEo","RespLeg","RespLegPE","RespLegPEo","SecPEoLegPEo","OutputOutput"],
+"SecPEoLegPEio": ["InitSec","InitSecPE","InitSecPEo","RespLeg","RespLegPE","RespLegPEio","SecPEoLegPEio","OutputInout"],
+"SecPEoLegOOB": ["InitSec","InitSecPE","InitSecPEo","RespLeg","RespLegOOB","SecPEoLegOOB","OutputInput","OutputOutput","OutputInout"],
+"SecPEioLegJW": ["InitSec","InitSecPE","InitSecPEio","RespLeg","RespLegJW","SecPEioLegJW","InoutInput","InoutOutput","InoutInout"],
+"SecPEioLegPEi": ["InitSec","InitSecPE","InitSecPEio","RespLeg","RespLegPE","RespLegPEi","SecPEioLegPEi","InoutInput"],
+"SecPEioLegPEo": ["InitSec","InitSecPE","InitSecPEio","RespLeg","RespLegPE","RespLegPEo","SecPEioLegPEo","InoutOutput"],
+"SecPEioLegPEio": ["InitSec","InitSecPE","InitSecPEio","RespLeg","RespLegPE","RespLegPEio","SecPEioLegPEio","InoutInout"],
+"SecPEioLegOOB": ["InitSec","InitSecPE","InitSecPEio","RespLeg","RespLegOOB","SecPEioLegOOB","InoutInput","InoutOutput","InoutInout"],
+"SecNCLegJW": ["InitSec","InitSecNC","RespLeg","RespLegJW","SecNCLegJW","OutputInput","OutputOutput","OutputInout"],
+"SecNCLegPEi": ["InitSec","InitSecNC","RespLeg","RespLegPE","RespLegPEi","SecNCLegPEi","OutputInput"],
+"SecNCLegPEo": ["InitSec","InitSecNC","RespLeg","RespLegPE","RespLegPEo","SecNCLegPEo","OutputOutput"],
+"SecNCLegPEio": ["InitSec","InitSecNC","RespLeg","RespLegPE","RespLegPEio","SecNCLegPEio","OutputInout"],
+"SecNCLegOOB": ["InitSec","InitSecNC","RespLeg","RespLegOOB","SecNCLegOOB","OutputInput","OutputOutput","OutputInout"],
+"SecOOBiLegJW": ["InitSec","InitSecOOB","InitSecOOBi","RespLeg","RespLegJW","SecOOBiLegJW"],
+"SecOOBiLegPEi": ["InitSec","InitSecOOB","InitSecOOBi","RespLeg","RespLegPE","RespLegPEi","SecOOBiLegPEi"],
+"SecOOBiLegPEo": ["InitSec","InitSecOOB","InitSecOOBi","RespLeg","RespLegPE","RespLegPEo","SecOOBiLegPEo"],
+"SecOOBiLegPEio": ["InitSec","InitSecOOB","InitSecOOBi","RespLeg","RespLegPE","RespLegPEio","SecOOBiLegPEio"],
+"SecOOBiLegOOB": ["InitSec","InitSecOOB","InitSecOOBi","RespLeg","RespLegOOB","SecOOBiLegOOB"],
+"SecOOBoLegJW": ["InitSec","InitSecOOB","InitSecOOBo","RespLeg","RespLegJW","SecOOBoLegJW"],
+"SecOOBoLegPEi": ["InitSec","InitSecOOB","InitSecOOBo","RespLeg","RespLegPE","RespLegPEi","SecOOBoLegPEi"],
+"SecOOBoLegPEo": ["InitSec","InitSecOOB","InitSecOOBo","RespLeg","RespLegPE","RespLegPEo","SecOOBoLegPEo"],
+"SecOOBoLegPEio": ["InitSec","InitSecOOB","InitSecOOBo","RespLeg","RespLegPE","RespLegPEio","SecOOBoLegPEio"],
+"SecOOBoLegOOB": ["InitSec","InitSecOOB","InitSecOOBo","RespLeg","RespLegOOB","SecOOBoLegOOB"],
+"SecOOBioLegJW": ["InitSec","InitSecOOB","InitSecOOBio","RespLeg","RespLegJW","SecOOBioLegJW"],
+"SecOOBioLegPEi": ["InitSec","InitSecOOB","InitSecOOBio","RespLeg","RespLegPE","RespLegPEi","SecOOBioLegPEi"],
+"SecOOBioLegPEo": ["InitSec","InitSecOOB","InitSecOOBio","RespLeg","RespLegPE","RespLegPEo","SecOOBioLegPEo"],
+"SecOOBioLegPEio": ["InitSec","InitSecOOB","InitSecOOBio","RespLeg","RespLegPE","RespLegPEio","SecOOBioLegPEio"],
+"SecOOBioLegOOB": ["InitSec","InitSecOOB","InitSecOOBio","RespLeg","RespLegOOB","SecOOBioLegOOB"],
+}
+*/
+
+end
diff --git a/examples/esorics23-bluetooth/models/bredr.spthy b/examples/esorics23-bluetooth/models/bredr.spthy
new file mode 100644
index 000000000..2bee73297
--- /dev/null
+++ b/examples/esorics23-bluetooth/models/bredr.spthy
@@ -0,0 +1,11315 @@
+theory BluetoothClassicPairing
+begin
+
+builtins: diffie-hellman, symmetric-encryption, xor
+
+functions:
+ hmac_sha256/2, // Interface is hmac_sha256(key, data)
+ sha256/1, // sha256(data)
+ f1/4, // Commitment computation function
+ g/4, // Numeric code computation
+ f2/6, // Key derivation, get LK
+ f3/7, //Generation of dhkeycheck
+ e22/2, // Key generation, generation of Kinit
+ e21/2, // Key generation, generation of LK
+ e1_sres/3, // Authentication function in Legacy Pairing
+ e1_aco/3, // Authentication function in Legacy Pairing
+ e0/3, // Encryption, not precise
+ split1/1,
+ split2/1,
+ recover/2,
+ e/3,
+ extract_e/1
+equations:
+ f1(u,v,x,z) = hmac_sha256(x,), // f1 according to the spec (Vol 2 Part H, 7.7.1)
+ g(u,v,x,y) = sha256(), // g according to the spec (Vol 2 Part H, 7.7.2)
+ f2(w, n1, n2, kid, a1, a2) = hmac_sha256(w, ), // f2 according to the spec (Vol 2 Part H 7.7.3)
+ f3(w, n1, n2, r, iocap, a1, a2) = hmac_sha256(w, ), // f3 according to the spec (Vol 2 Part H 7.7.4)
+ recover(split1(x), split2(x)) = x, // Allow the attacker to reconstruct the passkey from two halves
+ extract_e(e(t,s,n)) = n
+
+rule CreateDevice:
+ []
+ --[]->
+ [!Device(<$id,$cap>), // Represents a device
+ Out(<$id,$cap>)] // The device announces itself (sort of)
+
+/*
+This represents the messages leading to Pairing (it is very simplified).
+Here, the Initiator receives the responder's address and capabilities,
+the Responder receives the Initiator's address and capabilities.
+*/
+rule InitPreparePairing:
+ [
+ !Device(<$idI, $capI>),
+ In(<$idR, $capR>)
+ ]
+ --[
+ InitPreparePairing($idI, $capI, $idR, $capR)
+ ]->
+ [
+ InitPreparePairing($idI, $capI, $idR, $capR)
+ ]
+
+rule RespPreparePairing:
+ [
+ !Device(<$idR, $capR>),
+ In(<$idI, $capI>)
+ ]
+ --[
+ RespPreparePairing($idR, $capR, $idI, $capI)
+ ]->
+ [
+ RespPreparePairing($idR, $capR, $idI, $capI)
+ ]
+
+/*
+* Select the Pairing method. Here, it is one of :
+* - Legacy PIN Pairing
+* - Secure JustWorks (SecJW)
+* - Secure Passkey Entry (SecPE)
+* - Secure NumericComparison (SecNC)
+* - Secure Out of Band (SecOOB)
+*
+* The model restricts the choice to one Pairing method per role (Initiator or Responder)
+* through the restrictions InitOnlyOncePairing / RespOnlyOncePairing
+* Therefore, only one session can be ran. While not ideal, this prevents a state explosion :
+* Even with a much simpler model (one Pairing method), Tamarin runs out of RAM when studying
+* an unbounded number of sessions
+*
+* Possibility: Change the model to create a bounded number of sessions
+*/
+
+/*
+The variables for BR/EDR PIN Pairing:
+The PIN can be either: fixed or variable
+The device can have input, output, inputoutput capabilities
+*/
+#ifdef InitLeg
+rule InitPrepareLegPIN:
+ [
+ InitPreparePairing($idI, $capI, $idR, $capR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoLegPIN()
+ ]->
+ [
+ InitDoLegPIN($idI, $capI, $idR, $capR),
+ InitChooseLegPINMode($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef RespLeg
+rule RespPrepareLegPIN:
+ [
+ RespPreparePairing($idI, $capI, $idR, $capR)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoLegPIN()
+ ]->
+ [
+ RespDoLegPIN($idI, $capI, $idR, $capR),
+ RespChooseLegPINMode($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef InitSecJW
+rule InitPrepareSecJW:
+ [
+ InitPreparePairing($idI, $capI, $idR, $capR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoSecJW()
+ ]->
+ [
+ InitDoSecJW($idI, $capI, $idR, $capR),
+ InitDoECDH($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef RespSecJW
+rule RespPrepareSecJW:
+ [
+ RespPreparePairing($idR, $capR, $idI, $capI)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoSecJW()
+ ]->
+ [
+ RespDoSecJW($idR, $capR, $idI, $capI),
+ RespDoECDH($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+#ifdef InitSecPE
+rule InitPrepareSecPE:
+ [
+ InitPreparePairing($idI, $capI, $idR, $capR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoSecPE()
+ ]->
+ [
+ InitDoSecPE($idI, $capI, $idR, $capR),
+ InitChooseSecPEMode($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef RespSecPE
+rule RespPrepareSecPE:
+ [
+ RespPreparePairing($idR, $capR, $idI, $capI)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoSecPE()
+ ]->
+ [
+ RespDoSecPE($idR, $capR, $idI, $capI),
+ RespChooseSecPEMode($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+#ifdef InitSecNC
+rule InitPrepareSecNC:
+ [
+ InitPreparePairing($idI, $capI, $idR, $capR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoSecNC()
+ ]->
+ [
+ InitDoSecNC($idI, $capI, $idR, $capR),
+ InitDoECDH($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef RespSecNC
+rule RespPrepareSecNC:
+ [
+ RespPreparePairing($idR, $capR, $idI, $capI)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoSecNC()
+ ]->
+ [
+ RespDoSecNC($idR, $capR, $idI, $capI),
+ RespDoECDH($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+#ifdef InitSecOOB
+rule InitPrepareSecOOB:
+ [
+ InitPreparePairing($idI, $capI, $idR, $capR)
+ ]
+ --[
+ InitOnlyOncePairing(),
+ InitWillDoSecOOB()
+ ]->
+ [
+ InitDoSecOOB($idI, $capI, $idR, $capR),
+ InitChooseOOBMode($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef RespSecOOB
+rule RespPrepareSecOOB:
+ [
+ RespPreparePairing($idR, $capR, $idI, $capI)
+ ]
+ --[
+ RespOnlyOncePairing(),
+ RespWillDoSecOOB()
+ ]->
+ [
+ RespDoSecOOB($idR, $capR, $idI, $capI),
+ RespChooseOOBMode($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+/*
+ * This dispatches the Initiator and Responder to the chosen variant
+ * of the PE Pairing method.
+ * The possibility are:
+ * - PEi : Passkey Entry, can take inputs from the user
+ * - PEo : Passkey Entry, device outputs to the user
+ * - PEio : Passkey Entry, device can take inputs or outputs to the user
+*/
+
+
+/* TODO: To delete, only for example
+#ifdef RespLegPEio
+rule RespDoLegPEio:
+ [
+ RespChooseLegPEMode($idR, $capR, $idI, $capI),
+ Fr(~passkey)
+ ]
+ --[
+ RespLegPEOnlyOnce(),
+ RespWillDoLegPEio()
+ ]->
+ [
+ RespWaitUserInout(~passkey),
+ RespTriggerUserInteraction(),
+ RespReadyPE($idR, $capR, $idI, $capI)
+ ]
+#endif
+*/
+
+#ifdef InitLegPINi
+rule InitDoLegPINi:
+ [
+ InitChooseLegPINMode($idI, $capI, $idR, $capR)
+ ]
+ --[
+ InitLegPINOnlyOnce(),
+ InitWillDoLegPINi()
+ ]->
+ [
+ InitWaitUserInput(),
+ InitTriggerUserInteraction(),
+ InitReadyPIN($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef InitLegPINo
+rule InitDoLegPINo:
+ [
+ InitChooseLegPINMode($idI, $capI, $idR, $capR),
+ Fr(~pin)
+ ]
+ --[
+ InitLegPINOnlyOnce(),
+ InitWillDoLegPINo()
+ ]->
+ [
+ InitWaitUserConfirm(~pin),
+ InitTriggerUserInteraction(),
+ InitReadyPIN($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef InitLegPINio
+rule InitDoLegPINio:
+ [
+ InitChooseLegPINMode($idI, $capI, $idR, $capR),
+ Fr(~pin)
+ ]
+ --[
+ InitLegPINOnlyOnce(),
+ InitWillDoLegPINio()
+ ]->
+ [
+ InitWaitUserInout(~pin),
+ InitTriggerUserInteraction(),
+ InitReadyPIN($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef RespLegPINi
+rule RespDoLegPINi:
+ [
+ RespChooseLegPINMode($idR, $capR, $idI, $capI)
+ ]
+ --[
+ RespLegPINOnlyOnce(),
+ RespWillDoLegPINi()
+ ]->
+ [
+ RespWaitUserInput(),
+ RespTriggerUserInteraction(),
+ RespReadyPIN($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+#ifdef RespLegPINo
+rule RespDoLegPINo:
+ [
+ RespChooseLegPINMode($idR, $capR, $idI, $capI),
+ Fr(~pin)
+ ]
+ --[
+ RespLegPINOnlyOnce(),
+ RespWillDoLegPINo()
+ ]->
+ [
+ RespWaitUserConfirm(~pin),
+ RespTriggerUserInteraction(),
+ RespReadyPIN($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+#ifdef RespLegPINio
+rule RespDoLegPINio:
+ [
+ RespChooseLegPINMode($idR, $capR, $idI, $capI),
+ Fr(~pin)
+ ]
+ --[
+ RespLegPINOnlyOnce(),
+ RespWillDoLegPINio()
+ ]->
+ [
+ RespWaitUserInout(~pin),
+ RespTriggerUserInteraction(),
+ RespReadyPIN($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+#ifdef InitSecPEi
+rule InitChooseSecPEi:
+ [
+ InitChooseSecPEMode($idI, $capI, $idR, $capR)
+ ]
+ --[
+ InitSecPEOnlyOnce(),
+ InitWillDoSecPEi()
+ ]->
+ [
+ InitWaitUserInput(),
+ InitDoSecPEi($idI, $capI, $idR, $capR),
+ InitDoECDH($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef InitSecPEo
+rule InitChooseSecPEo:
+ [
+ InitChooseSecPEMode($idI, $capI, $idR, $capR),
+ Fr(~passkey)
+ ]
+ --[
+ InitSecPEOnlyOnce(),
+ InitWillDoSecPEo()
+ ]->
+ [
+ InitWaitUserConfirm(~passkey),
+ InitDoSecPEo($idI, $capI, $idR, $capR),
+ InitDoECDH($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef InitSecPEio
+rule InitChooseSecPEio:
+ [
+ InitChooseSecPEMode($idI, $capI, $idR, $capR),
+ Fr(~passkey)
+ ]
+ --[
+ InitSecPEOnlyOnce(),
+ InitWillDoSecPEio()
+ ]->
+ [
+ InitWaitUserInout(~passkey),
+ InitDoSecPEio($idI, $capI, $idR, $capR),
+ InitDoECDH($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef RespSecPEi
+rule RespChooseSecPEi:
+ [
+ RespChooseSecPEMode($idR, $capR, $idI, $capI)
+ ]
+ --[
+ RespSecPEOnlyOnce(),
+ RespWillDoSecPEi()
+ ]->
+ [
+ RespWaitUserInput(),
+ RespDoSecPEi($idR, $capR, $idI, $capI),
+ RespDoECDH($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+#ifdef RespSecPEo
+rule RespChooseSecPEo:
+ [
+ RespChooseSecPEMode($idR, $capR, $idI, $capI),
+ Fr(~passkey)
+ ]
+ --[
+ RespSecPEOnlyOnce(),
+ RespWillDoSecPEo()
+ ]->
+ [
+ RespWaitUserConfirm(~passkey),
+ RespDoSecPEo($idR, $capR, $idI, $capI),
+ RespDoECDH($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+#ifdef RespSecPEio
+rule RespChooseSecPEio:
+ [
+ RespChooseSecPEMode($idR, $capR, $idI, $capI),
+ Fr(~passkey)
+ ]
+ --[
+ RespSecPEOnlyOnce(),
+ RespWillDoSecPEio()
+ ]->
+ [
+ RespWaitUserInout(~passkey),
+ RespDoSecPEio($idR, $capR, $idI, $capI),
+ RespDoECDH($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+/*
+ * This dispatches the Initiator and Responder to the chosen variant
+ * of the Secure OOB Pairing method.
+ * The possibility are:
+ * - OOBi : OOB, device expects input OOB data
+ * - OOBo : OOB, device outputs OOB data
+ * - OOBio : OOB, device expects and outputs OOB data
+*/
+#ifdef InitSecOOBi
+rule InitChooseSecOOBi:
+ [
+ InitChooseOOBMode($idI, $capI, $idR, $capR)
+ ]
+ --[
+ InitSecOOBOnlyOnce(),
+ InitWillDoSecOOBi()
+ ]->
+ [
+ InitDoSecOOBi($idI, $capI, $idR, $capR),
+ InitDoECDH($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef InitSecOOBo
+rule InitChooseSecOOBo:
+ [
+ InitChooseOOBMode($idI, $capI, $idR, $capR)
+ ]
+ --[
+ InitSecOOBOnlyOnce(),
+ InitWillDoSecOOBo()
+ ]->
+ [
+ InitDoSecOOBo($idI, $capI, $idR, $capR),
+ InitDoECDH($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef InitSecOOBio
+rule InitChooseSecOOBio:
+ [
+ InitChooseOOBMode($idI, $capI, $idR, $capR)
+ ]
+ --[
+ InitSecOOBOnlyOnce(),
+ InitWillDoSecOOBio()
+ ]->
+ [
+ InitDoSecOOBio($idI, $capI, $idR, $capR),
+ InitDoECDH($idI, $capI, $idR, $capR)
+ ]
+#endif
+
+#ifdef RespSecOOBi
+rule RespChooseSecOOBi:
+ [
+ RespChooseOOBMode($idR, $capR, $idI, $capI)
+ ]
+ --[
+ RespSecOOBOnlyOnce(),
+ RespWillDoSecOOBi()
+ ]->
+ [
+ RespDoSecOOBi($idR, $capR, $idI, $capI),
+ RespDoECDH($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+#ifdef RespSecOOBo
+rule RespChooseSecOOBo:
+ [
+ RespChooseOOBMode($idR, $capR, $idI, $capI)
+ ]
+ --[
+ RespSecOOBOnlyOnce(),
+ RespWillDoSecOOBo()
+ ]->
+ [
+ RespDoSecOOBo($idR, $capR, $idI, $capI),
+ RespDoECDH($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+#ifdef RespSecOOBio
+rule RespChooseSecOOBio:
+ [
+ RespChooseOOBMode($idR, $capR, $idI, $capI)
+ ]
+ --[
+ RespSecOOBOnlyOnce(),
+ RespWillDoSecOOBio()
+ ]->
+ [
+ RespDoSecOOBio($idR, $capR, $idI, $capI),
+ RespDoECDH($idR, $capR, $idI, $capI)
+ ]
+#endif
+
+// Legacy PIN Pairing
+#ifdef InitLeg
+rule InitLegSendInRand:
+ let Kinit = e22(pin, ~in_rand) in
+ [
+ InitReadyPIN($idI, $capI, $idR, $capR),
+ InitUserProceed(pin),
+ Fr(~in_rand)
+ ]
+ --[
+ InitStartLegPIN($idI, $capI, $idR, $capR, pin, Kinit),
+ LowEntropy(pin)
+ ]->
+ [
+ InitDoLegPairing($idI, $capI, $idR, $capR, Kinit),
+ LowEntropy(pin),
+ Out(~in_rand)
+ ]
+#endif
+
+#ifdef RespLeg
+rule RespLegSendInRand:
+ let Kinit = e22(pin, in_rand) in
+ [
+ RespReadyPIN($idR, $capR, $idI, $capI),
+ RespUserProceed(pin),
+ In(in_rand)
+ ]
+ --[
+ RespStartLegPIN($idR, $capR, $idI, $capI, pin, Kinit),
+ LowEntropy(pin)
+ ]->
+ [
+ RespDoLegPairing($idI, $capI, $idR, $capR, Kinit),
+ LowEntropy(pin)
+ ]
+#endif
+
+#ifdef InitLeg
+rule InitSendCompRand:
+ let masked_rand_i = Kinit XOR ~rand_i in
+ [
+ InitDoLegPairing($idI, $capI, $idR, $capR, Kinit),
+ Fr(~rand_i)
+ ]
+ --[
+ ]->
+ [
+ InitSendCompRand($idI, $capI, $idR, $capR, Kinit, ~rand_i),
+ Out(masked_rand_i)
+ ]
+#endif
+
+#ifdef RespLeg
+rule RespSendCompRand:
+ let
+ masked_rand_r = Kinit XOR ~rand_r
+ rand_i = Kinit XOR recvd_rand_i
+ in
+ [
+ RespDoLegPairing($idR, $capR, $idI, $capI, Kinit),
+ Fr(~rand_r),
+ In(recvd_rand_i)
+ ]
+ --[
+ ]->
+ [
+ RespSendCompRand($idR, $capR, $idI, $capI, Kinit, ~rand_r, rand_i),
+ Out(masked_rand_r)
+ ]
+#endif
+
+#ifdef InitLeg
+rule InitDeriveLK:
+ let
+ rand_r = Kinit XOR recv_rand_r
+ LK = e21(~rand_i, $idI) XOR e21(rand_r, $idR)
+ in
+ [
+ InitSendCompRand($idI, $capI, $idR, $capR, Kinit, ~rand_i),
+ In(recv_rand_r)
+ ]
+ --[
+ InitFinishedKeyDerivation($idI, $capI, $idR, $capR, LK)
+ ]->
+ [
+ InitFinishedKeyDerivation($idI, $capI, $idR, $capR, LK)
+ ]
+#endif
+
+#ifdef RespLeg
+rule RespDeriveLK:
+ let
+ LK = e21(rand_i, $idI) XOR e21(~rand_r, $idR)
+ in
+ [
+ RespSendCompRand($idR, $capR, $idI, $capI, Kinit, ~rand_r, rand_i)
+ ]
+ --[
+ RespFinishedKeyDerivation($idR, $capR, $idI, $capI, LK)
+ ]->
+ [
+ RespFinishedKeyDerivation($idR, $capR, $idI, $capI, LK)
+ ]
+#endif
+
+/*
+In the spec
+Vol 2 Part C, $4.2.2.4: When the new link key has been created mutual authentication shall be
+performed to confirm that the same link key has been created in both devices.
+*/
+
+#ifdef InitLeg
+rule InitBeginAuthVerifier1:
+ [
+ InitFinishedKeyDerivation($idI, $capI, $idR, $capR, LK),
+ Fr(~au_rand_1)
+ ]
+ --[
+ AuthOnlyOneBegin(),
+ InitBeginAuth($idI, $capI, $idR, $capR, LK, ~au_rand_1)
+ ]->
+ [
+ InitBeginAuth($idI, $capI, $idR, $capR, LK, ~au_rand_1),
+ Out(~au_rand_1)
+ ]
+#endif
+
+#ifdef RespLeg
+rule RespClaimantAuth1:
+ let
+ sres = e1_sres(LK, $idR, au_rand_1)
+ aco = e1_aco(LK, $idR, au_rand_1)
+ in
+ [
+ RespFinishedKeyDerivation($idR, $capR, $idI, $capI, LK),
+ In(au_rand_1)
+ ]
+ --[
+ RespClaimantAuth1($idR, $capR, $idI, $capI, LK, sres, aco)
+ ]->
+ [
+ RespClaimantAuth1($idR, $capR, $idI, $capI, LK, sres, aco),
+ OracleLK(au_rand_1, sres),
+ Out(sres)
+ ]
+#endif
+
+#ifdef InitLeg
+rule InitVerifierRecvAuth1:
+ let
+ sres = e1_sres(LK, $idR, ~au_rand_1)
+ aco = e1_aco(LK, $idR, ~au_rand_1)
+ in
+ [
+ InitBeginAuth($idI, $capI, $idR, $capR, LK, ~au_rand_1),
+ In(e1_sres(LK, $idR, ~au_rand_1))
+ ]
+ --[ ]->
+ [
+ InitVerifierAuth1($idI, $capI, $idR, $capR, LK, aco)
+ ]
+#endif
+
+#ifdef RespLeg
+rule RespVerifierSendAuth2:
+ [
+ RespClaimantAuth1($idR, $capR, $idI, $capI, LK, sres, aco),
+ Fr(~au_rand_2)
+ ]
+ --[
+ RespVerifierSendAuth2($idR, $capR, $idI, $capI, LK, ~au_rand_2)
+ ]->
+ [
+ RespVerifierSendAuth2($idR, $capR, $idI, $capI, LK, ~au_rand_2),
+ Out(~au_rand_2)
+ ]
+#endif
+
+#ifdef InitLeg
+rule InitClaimantAuth2:
+ let
+ sres = e1_sres(LK, $idI, au_rand_2)
+ aco = e1_aco(LK, $idI, au_rand_2)
+ in
+ [
+ InitVerifierAuth1($idI, $capI, $idR, $capR, LK, old_aco),
+ In(au_rand_2)
+ ]
+ --[
+ InitClaimantAuth2($idI, $capI, $idR, $capR, LK, aco)
+ ]->
+ [
+ InitClaimantAuth2($idI, $capI, $idR, $capR, LK, aco),
+ OracleLK(au_rand_2, sres),
+ Out(sres)
+ ]
+#endif
+
+#ifdef RespLeg
+rule RespVerifierRecvAuth2:
+ let aco = e1_aco(LK, $idI, ~au_rand_2) in
+ [
+ RespVerifierSendAuth2($idR, $capR, $idI, $capI, LK, ~au_rand_2),
+ In(e1_sres(LK, $idI, ~au_rand_2))
+ ]
+ --[
+ ResponderFinishedLegPairing($idR, $capR, $idI, $capI, LK, aco)
+ ]->
+ [
+ ResponderFinishedLegPairing($idR, $capR, $idI, $capI, LK, aco)
+ ]
+#endif
+
+#ifdef InitLeg
+rule InitLegFinishPairing:
+ [
+ InitClaimantAuth2($idI, $capI, $idR, $capR, LK, aco)
+ ]
+ --[
+ InitiatorFinishedLegPairing($idI, $capI, $idR, $capR, LK, aco)
+ ]->
+ [
+ InitiatorFinishedLegPairing($idI, $capI, $idR, $capR, LK, aco)
+ ]
+#endif
+
+#ifdef RespLeg
+rule RespBeginAuthVerifier1:
+ [
+ RespFinishedKeyDerivation($idR, $capR, $idI, $capI, LK),
+ Fr(~au_rand_1)
+ ]
+ --[
+ AuthOnlyOneBegin(),
+ RespBeginAuth($idR, $capR, $idI, $capI, LK, ~au_rand_1)
+ ]->
+ [
+ RespBeginAuth($idR, $capR, $idI, $capI, LK, ~au_rand_1),
+ Out(~au_rand_1)
+ ]
+#endif
+
+#ifdef InitLeg
+rule InitClaimantAuth1:
+ let
+ sres = e1_sres(LK, $idI, au_rand_1)
+ aco = e1_aco(LK, $idI, au_rand_1)
+ in
+ [
+ InitFinishedKeyDerivation($idI, $capI, $idR, $capR, LK),
+ In(au_rand_1)
+ ]
+ --[
+ InitClaimantAuth1($idI, $capI, $idR, $capR, LK, aco)
+ ]->
+ [
+ InitClaimantAuth1($idI, $capI, $idR, $capR, LK, aco),
+ OracleLK(au_rand_1, sres),
+ Out(sres)
+ ]
+#endif
+
+#ifdef RespLeg
+rule RespVerifierRecvAuth1:
+ let aco = e1_aco(LK, $idI, ~au_rand_1) in
+ [
+ RespBeginAuth($idR, $capR, $idI, $capI, LK, ~au_rand_1),
+ In(e1_sres(LK, $idI, ~au_rand_1))
+ ]
+ --[
+ RespVerifierRecvAuth1($idR, $capR, $idI, $capI, LK, aco)
+ ]->
+ [
+ RespVerifierRecvAuth1($idR, $capR, $idI, $capI, LK, aco)
+ ]
+#endif
+
+#ifdef InitLeg
+rule InitVerifierSendAuth2:
+ [
+ InitClaimantAuth1($idI, $capI, $idR, $capR, LK, old_aco),
+ Fr(~au_rand_2)
+ ]
+ --[
+ InitVerifierSendAuth2($idI, $capI, $idR, $capR, LK, ~au_rand_2)
+ ]->
+ [
+ InitVerifierSendAuth2($idI, $capI, $idR, $capR, LK, ~au_rand_2),
+ Out(~au_rand_2)
+ ]
+#endif
+
+#ifdef RespLeg
+rule RespClaimantAuth2:
+ let
+ sres = e1_sres(LK, $idR, au_rand_2)
+ aco = e1_aco(LK, $idR, au_rand_2)
+ in
+ [
+ RespVerifierRecvAuth1($idR, $capR, $idI, $capI, LK, old_aco),
+
In(au_rand_2) + ] + --[ + RespClaimantAuth2($idR, $capR, $idI, $capI, LK, aco) + ]-> + [ + RespClaimantAuth2($idR, $capR, $idI, $capI, LK, aco), + OracleLK(au_rand_2, sres), + Out(sres) + ] +#endif + +#ifdef InitLeg +rule InitVerifierRecvAuth2: + let + aco = e1_aco(LK, $idR, ~au_rand_2) + in + [ + InitVerifierSendAuth2($idI, $capI, $idR, $capR, LK, ~au_rand_2), + In(e1_sres(LK, $idR, ~au_rand_2)) + ] + --[ + InitiatorFinishedLegPairing($idI, $capI, $idR, $capR, LK, aco) + ]-> + [ + InitiatorFinishedLegPairing($idI, $capI, $idR, $capR, LK, aco) + ] +#endif + +#ifdef RespLeg +rule RespFinishedPairing: + [ + RespClaimantAuth2($idR, $capR, $idI, $capI, LK, aco) + ] + --[ + ResponderFinishedLegPairing($idR, $capR, $idI, $capI, LK, aco) + ]-> + [ + ResponderFinishedLegPairing($idR, $capR, $idI, $capI, LK, aco) + ] +#endif + +/* Easy encryption, decryption, to be able to make lemmas which will encompass both authentication paths */ + +#ifdef InitLeg +rule InitLegSendMsg: + [ + InitiatorFinishedLegPairing($idI, $capI, $idR, $capR, LK, aco) + ] + --[ + InitSendMsg($idI, $capI, $idR, $capR, LK, aco, 'init') + ]-> + [ + InitLegSentMsg($idI, $capI, $idR, $capR, LK, aco, 'init'), + Out(e0(LK, aco, 'init')) + ] +#endif + +#ifdef RespLeg +rule RespLegRecvMsg: + [ + ResponderFinishedLegPairing($idR, $capR, $idI, $capI, LK, aco), + In(e0(LK, aco, 'init')) + ] + --[ + RespRecvSendMsg($idR, $capR, $idI, $capI, LK, aco, 'resp') + ]-> + [ + RespLegSentMsg($idR, $capR, $idI, $capI, LK, aco, 'resp'), + Out(e0(LK, aco, 'resp')) + ] +#endif + +#ifdef InitLeg +rule InitLegRecvMsg: + [ + InitLegSentMsg($idI, $capI, $idR, $capR, LK, aco, m), + In(e0(LK, aco, 'resp')) + ] + --[ + InitRecvMsg($idI, $capI, $idR, $capR, LK, aco, 'resp') + ]-> + [ + InitLegRecvMsg($idI, $capI, $idR, $capR, LK, aco, 'resp') + ] +#endif + +/* +* Public key exchange, common for all Secure Pairing protocols +* The Initiator sends its public key, and receives the one from +* the Responder: +* I -> R: pkI = is * G +* R 
-> I: pkR = rs * G +* dh = is * rs * G = rs * pkI = is * pkR +*/ + +#ifdef InitSec +rule InitSendPublicKey: + let pkI = in + [ + InitDoECDH($idI, $capI, $idR, $capR), + Fr(~is) + ] + --[ + InitBeginECDH($idI, $capI, $idR, $capR, ~is, pkI) + ]-> + [ + InitBeginECDH($idI, $capI, $idR, $capR, ~is, pkI), + Out(pkI) + ] + +rule InitRecvPublicKey: + [ + InitBeginECDH($idI, $capI, $idR, $capR, ~is, pkI), + In(pkR) + ] + --[ + InitComputeECDH( $idI, $capI, $idR, $capR, pkI, pkR, ~is) + ]-> + [ + InitComputeECDH( $idI, $capI, $idR, $capR, pkI, pkR, ~is) + ] + +rule InitDeriveNormalDHKey: + let + pkRx = e('C', DH_neutral, n) + dhkey = e('C', r, n^~is) // In Bluetooth, only X is taken + in + [ + InitComputeECDH( $idI, $capI, $idR, $capR, , , ~is), + In(r) + ] + --[ + ValidPt(pkRx,pkRy), Raised('C', DH_neutral, r, ~is), + InitEndECDH($idI, $capI, $idR, $capR, pkIx, pkRx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ]-> + [ + InitEndECDH($idI, $capI, $idR, $capR, pkIx, pkRx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ] +#endif + +#ifdef InitECDHUnpatched +rule InitDeriveInvalidDHKey: + let + pkRx = e(otx,osx,orx) + pkRy = e(oty,osy,ory) + dhkey = e(tx, rx, nx^~is) // In Bluetooth, only X is taken + in + [ + InitComputeECDH( $idI, $capI, $idR, $capR, , , ~is), + In() + ] + --[ + InvalidPt(pkRx,pkRy), Raised(, , , ~is), + InitEndECDH($idI, $capI, $idR, $capR, pkIx, pkRx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ]-> + [ + InitEndECDH($idI, $capI, $idR, $capR, pkIx, pkRx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ] +#endif + +#ifdef RespSec +rule RespSendPublicKey: + let + pkR = + in + [ + RespDoECDH($idR, $capR, $idI, $capI), + Fr(~rs), + In(pkI) + ] + --[ + RespComputeECDH($idR, $capR, $idI, $capI, pkR, pkI, ~rs) + ]-> + [ + RespComputeECDH($idR, $capR, $idI, $capI, pkR, pkI, ~rs), + Out(pkR) + 
] + +rule RespDeriveNormalDHKey: + let + pkIx = e('C', DH_neutral, n) + dhkey = e('C', r, n^~rs) // In Bluetooth, only X is taken + in + [ + RespComputeECDH( $idR, $capR, $idI, $capI, , , ~rs), + In(r) + ] + --[ + ValidPt(pkIx,pkIy), Raised('C', DH_neutral, r, ~rs), + RespEndECDH($idR, $capR, $idI, $capI, pkRx, pkIx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ]-> + [ + RespEndECDH($idR, $capR, $idI, $capI, pkRx, pkIx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ] +#endif + +#ifdef RespECDHUnpatched +rule RespDeriveInvalidDHKey: + let + pkIx = e(otx,osx,orx) + pkIy = e(oty,osy,ory) + dhkey = e(tx, rx, nx^~rs) // In Bluetooth, only X is taken + in + [ + RespComputeECDH( $idR, $capR, $idI, $capI, , , ~rs), + In() + ] + --[ + InvalidPt(pkIx,pkIy), Raised(, , , ~rs), + RespEndECDH($idR, $capR, $idI, $capI, pkRx, pkIx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ]-> + [ + RespEndECDH($idR, $capR, $idI, $capI, pkRx, pkIx, dhkey) // Once DHKey is computed, only x-coordinate is used in the rest of the protocol + ] +#endif + +/* +* For the Secure Passkey Entry which requires it, we start the user interaction here. 
+* That is, we trigger the role to have the Passkey Entry user interaction +*/ + +#ifdef InitSecPE +rule InitTriggerSecPE: + [ + InitEndECDH($idI, $capI, $idR, $capR, pkI, pkR, dh), // The Initiator has ended the ECDH exchange + InitDoSecPE($idI, $capI, $idR, $capR) // The Initiator is doing a PE protocol + ] + --[]-> + [ + InitTriggerUserInteraction(), + InitReadySecPE($idI, $capI, $idR, $capR, pkI, pkR, dh) + ] +#endif + +#ifdef RespSecPE +rule RespTriggerSecPE: + [ + RespEndECDH($idR, $capR, $idI, $capI, pkR, pkI, dh), // The Initiator has ended the ECDH exchange + RespDoSecPE($idR, $capR, $idI, $capI) // The Initiator is doing a PE protocol + ] + --[]-> + [ + RespTriggerUserInteraction(), + RespReadySecPE($idR, $capR, $idI, $capI, pkR, pkI, dh) + ] +#endif + +/* +* This implements the Secure JustWorks method +* Devices using this method do not require a user interaction. +* The protocol is the following : +* R -> I: f1(pkR, pkI, nr, '0') +* I -> R: ni +* R -> I: nr +*/ + +#ifdef RespSecJW +rule RespSecJWSendConfirm: + let Cr = f1(pkR, pkI, ~nr, '0') in + [ + RespEndECDH($idR, $capR, $idI, $capI, pkR, pkI, dh), + Fr(~nr) + ] + --[ + RespSecJWSendConfirm($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, Cr) + ]-> + [ + RespSecJWSendConfirm($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, Cr), + Out(Cr) + ] + +rule RespSecJWSendRandom: + [ + RespSecJWSendConfirm($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, Cr), + In(ni) + ] + --[ + RespSecJWSendRandom($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni), + RespSecJWDone($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni), + RespEndedStep2($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, '0', '0') + ]-> + [ + RespSecJWSendRandom($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni), + RespEndedStep2($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, '0', '0'), // Responder ended step2, ra and rb = 0 in JW mode + Out(~nr) + ] +#endif + +#ifdef InitSecJW +rule InitSecJWSendRandom: + [ + InitEndECDH($idI, $capI, $idR, $capR, pkI, pkR, dh), 
+ Fr(~ni), + In(Cr) + ] + --[ + InitSecJWSendRandom($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, Cr) + ]-> + [ + InitSecJWSendRandom($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, Cr), + Out(~ni) + ] + + +rule InitSecJWRecvRandom: + let computed_Cr = f1(pkR, pkI, nr, '0') in + [ + InitSecJWSendRandom($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, computed_Cr), + In(nr) + ] + --[ + InitSecJWRecvRandom($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr), + InitSecJWDone($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr), + InitEndedStep2($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, '0', '0') + ]-> + [ + InitSecJWRecvRandom($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr), + InitEndedStep2($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, '0', '0') // Responder ended step2, ra and rb = 0 in JW mode + ] +#endif + +/* +* Implement the Secure Passkey Entry method +* The protocol is based on commitment rounds, using the passkey. +* The passkey is always 20 bits long (by the specification) +* notation b0(passkey) represents the first bit of the passkey, b1(passkey) is the second bit, ... +* Round 0: +* I -> R: f1(pkI, pkR, ni0, b0(passkey) +* R -> I: f1(pkR, pkI, nr0, b0(passkey) +* I -> R: ni0 +* R -> I: nr0 +* Round 1: +* I -> R: f1(pkI, pkR, ni1, b1(passkey) +* R -> I: f1(pkR, pkI, nr1, b1(passkey) +* I -> R: ni1 +* R -> I: nr1 +* ... +* +* Nonces are drawn at random for each round. +* In this model, we use a reduced version of the Passkey Entry protocol, which consists +* of only two rounds. 
+* The passkey is split in two using functions split1/1 and split2/1 +*/ + +#ifdef InitSecPE +rule InitSecPESendConfirm1: + let Ci = f1(pkI, pkR, ~ni, split1(passkey)) in + [ + InitReadySecPE($idI, $capI, $idR, $capR, pkI, pkR, dh), // Initiator is ready to perform PE protocol + InitUserProceed(passkey), // The passkey is provided to the Initiator + Fr(~ni) + ] + --[]-> + [ + InitSecPESendConfirm1($idI, $capI, $idR, $capR, pkI, pkR, dh, passkey, ~ni, Ci), + LowEntropyf1(pkI, pkR, ~ni, split1(passkey)), + Out(Ci) + ] + +rule InitSecPESendRandom1: + [ + InitSecPESendConfirm1($idI, $capI, $idR, $capR, pkI, pkR, dh, passkey, ~ni, Ci), + In(Cr) + ] + --[]-> + [ + InitSecPESendRandom1($idI, $capI, $idR, $capR, pkI, pkR, dh, passkey, ~ni, Ci, Cr), + Out(~ni) + ] + +rule InitSecPERecvRandom1: + let computed_Cr = f1(pkR, pkI, nr, split1(passkey)) in + [ + InitSecPESendRandom1($idI, $capI, $idR, $capR, pkI, pkR, dh, passkey, ~ni, Ci, computed_Cr), + In(nr) + ] + --[ + ]-> + [ + InitSecPEEndPart1($idI, $capI, $idR, $capR, pkI, pkR, dh, passkey) + ] + +rule InitSecPESendConfirm2: + let Ci = f1(pkI, pkR, ~ni, split2(passkey)) in + [ + InitSecPEEndPart1($idI, $capI, $idR, $capR, pkI, pkR, dh, passkey), + Fr(~ni) + ] + --[]-> + [ + InitSecPESendConfirm2($idI, $capI, $idR, $capR, pkI, pkR, dh, passkey, ~ni, Ci), + LowEntropyf1(pkI, pkR, ~ni, split2(passkey)), + Out(Ci) + ] + +rule InitSecPESendRandom2: + [ + InitSecPESendConfirm2($idI, $capI, $idR, $capR, pkI, pkR, dh, passkey, ~ni, Ci), + In(Cr) + ] + --[]-> + [ + InitSecPESendRandom2($idI, $capI, $idR, $capR, pkI, pkR, dh, passkey, ~ni, Ci, Cr), + Out(~ni) + ] + +rule InitSecPERecvRandom2: + let computed_Cr = f1(pkR, pkI, nr, split2(passkey)) in + [ + InitSecPESendRandom2($idI, $capI, $idR, $capR, pkI, pkR, dh, passkey, ~ni, Ci, computed_Cr), + In(nr) + ] + --[ + InitSecPEDone($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, passkey), + InitEndedStep2($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, passkey, passkey) + ]-> + [ + 
InitEndedStep2($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, passkey, passkey) + ] +#endif + +#ifdef RespSecPE +rule RespSecPESendConfirm1: + let Cr = f1(pkR, pkI, ~nr, split1(passkey)) in + [ + RespReadySecPE($idR, $capR, $idI, $capI, pkR, pkI, dh), // Initiator is ready to perform PE protocol + RespUserProceed(passkey), // The passkey is provided to the Initiator + Fr(~nr), + In(Ci) + ] + --[]-> + [ + RespSecPESendConfirm1($idR, $capR, $idI, $capI, pkR, pkI, dh, passkey, ~nr, Cr, Ci), + LowEntropyf1(pkR, pkI, ~nr, split1(passkey)), + Out(Cr) + ] + +rule RespSecPESendRandom1: + let computed_Ci = f1(pkI, pkR, ni, split1(passkey)) in + [ + RespSecPESendConfirm1($idR, $capR, $idI, $capI, pkR, pkI, dh, passkey, ~nr, Cr, computed_Ci), + In(ni) + ] + --[ + ]-> + [ + RespSecPEEndPart1($idR, $capR, $idI, $capI, pkR, pkI, dh, passkey), + Out(~nr) + ] + +rule RespSecPESendConfirm2: + let Cr = f1(pkR, pkI, ~nr, split2(passkey)) in + [ + RespSecPEEndPart1($idR, $capR, $idI, $capI, pkR, pkI, dh, passkey), // Initiator is ready to perform PE protocol + Fr(~nr), + In(Ci) + ] + --[]-> + [ + RespSecPESendConfirm2($idR, $capR, $idI, $capI, pkR, pkI, dh, passkey, ~nr, Cr, Ci), + LowEntropyf1(pkR, pkI, ~nr, split2(passkey)), + Out(Cr) + ] + +rule RespSecPESendRandom2: + let computed_Ci = f1(pkI, pkR, ni, split2(passkey)) in + [ + RespSecPESendConfirm2($idR, $capR, $idI, $capI, pkR, pkI, dh, passkey, ~nr, Cr, computed_Ci), + In(ni) + ] + --[ + RespSecPEDone($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, passkey), + RespEndedStep2($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, passkey, passkey) + ]-> + [ + RespEndedStep2($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, passkey, passkey), + Out(~nr) + ] +#endif + +#ifdef NoLowEntropySecure +#else +rule Oracle_f1: + let verif_val = f1(pk1, pk2, n, s) in + [ + LowEntropyf1(pk1, pk2, n, s), + In(pk1), + In(pk2), + In(n), + In(verif_val) + ] + --[ + AttackerRecoveredPasskey(s) + ]-> + [ + Out(s) + ] +#endif + +#ifdef 
NoLowEntropyLegacy +#else +rule Oracle_pin: + let + Kinit = e22(pin, in_rand) + rand_i = Kinit XOR masked_rand_i + rand_r = Kinit XOR masked_rand_r + LK = e21(rand_i, idI) XOR e21(rand_r, idR) + sres = e1_sres(LK, id_sres, au_rand) + in + [ + LowEntropy(pin), + OracleLK(au_rand, sres), + In(in_rand), + In(masked_rand_i), + In(masked_rand_r), + In(au_rand), + In(id_sres), + In(idI), + In(idR), + In(sres) + ] + --[ + AttackerRecoveredPIN(pin) + ]-> + [ + Out(pin) + ] +#endif + +/* +* Numeric Comparison method +* This protocol is similar to the Secure JustWorks protocol, but the user is +* then presented a code to verify that the Pairing was done correctly +* R -> I: f1(pkR, pkI, nr, '0') +* I -> R: ni +* R -> I: nr +*/ + + +#ifdef RespSecNC +rule RespSecNCSendConfirm: + let Cr = f1(pkR, pkI, ~nr, '0') in + [ + RespEndECDH($idR, $capR, $idI, $capI, pkR, pkI, dh), + Fr(~nr) + ] + --[ + RespSecNCSendConfirm($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, Cr) + ]-> + [ + RespSecNCSendConfirm($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, Cr), + Out(Cr) + ] + +rule RespSecNCSendRandom: + let code = g(pkI, pkR, ni, ~nr) in + [ + RespSecNCSendConfirm($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, Cr), + In(ni) + ] + --[ + RespSecNCSendRandom($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni) + ]-> + [ + RespNCWaitConfirm($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni), + RespWaitUserConfirm(code), + RespTriggerUserInteraction(), + Out(~nr) + ] + +rule RespSecNCDone: + [ + RespNCWaitConfirm($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni), + RespUserProceed(code) + ] + --[ + RespSecNCDone($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni), + RespEndedStep2($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, '0', '0') + ]-> + [ + RespEndedStep2($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, '0', '0') // Initiator ended step2, ra and rb = 0 in JW mode + ] +#endif + + +#ifdef InitSecNC +rule InitSecNCSendRandom: + [ + InitEndECDH($idI, $capI, $idR, $capR, pkI, pkR, dh), + Fr(~ni), + 
In(Cr) + ] + --[ + InitSecNCSendRandom($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, Cr) + ]-> + [ + InitSecNCSendRandom($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, Cr), + Out(~ni) + ] + +rule InitSecNCRecvRandom: + let + computed_Cr = f1(pkR, pkI, nr, '0') + code = g(pkI, pkR, ~ni, nr) + in + [ + InitSecNCSendRandom($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, computed_Cr), + In(nr) + ] + --[ + InitSecNCRecvRandom($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr) + ]-> + [ + InitNCWaitConfirm($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr), + InitWaitUserConfirm(code), + InitTriggerUserInteraction() + ] + +rule InitSecNCDone: + [ + InitNCWaitConfirm($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr), + InitUserProceed(code) + ] + --[ + InitSecNCDone($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr), + InitEndedStep2($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, '0', '0') + ]-> + [ + InitEndedStep2($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, '0', '0') // Initiator ended step2, ra and rb = 0 in JW mode + ] +#endif + +/* +* Out of Band Pairing method. +* The exact exchange will depend on the choice done for the OOB method. 
+* If OOBi is used, the device expects an input message +* If OOBo is used, the device sends a message +* If OOBio is used, the device sends a message and expects an input message +* +* Once the OOB exchange is done, both device exchange a nonce, starting from the Initiator: +* I -> R: ni +* R -> I: nr +*/ + +#ifdef InitSecOOBi +rule InitDoSecOOBi: + [ + InitEndECDH($idI, $capI, $idR, $capR, pkI, pkR, dh), + InitDoSecOOBi($idI, $capI, $idR, $capR) + ] + --[ + ]-> + [ + InitWaitOOBInput(), + InitReadySecOOB($idI, $capI, $idR, $capR, pkI, pkR, dh) + ] +#endif + +#ifdef InitSecOOBo +rule InitDoSecOOBo: + [ + InitEndECDH($idI, $capI, $idR, $capR, pkI, pkR, dh), + InitDoSecOOBo($idI, $capI, $idR, $capR) + ] + --[ + ]-> + [ + InitWaitOOBOutput(), + InitReadySecOOB($idI, $capI, $idR, $capR, pkI, pkR, dh) + ] +#endif + +#ifdef InitSecOOBio +rule InitDoSecOOBio: + [ + InitEndECDH($idI, $capI, $idR, $capR, pkI, pkR, dh), + InitDoSecOOBio($idI, $capI, $idR, $capR) + ] + --[ + ]-> + [ + InitWaitOOBInout(), + InitReadySecOOB($idI, $capI, $idR, $capR, pkI, pkR, dh) + ] +#endif + +#ifdef RespSecOOBi +rule RespDoSecOOBi: + [ + RespEndECDH($idR, $capR, $idI, $capI, pkR, pkI, dh), + RespDoSecOOBi($idR, $capR, $idI, $capI) + ] + --[ + ]-> + [ + RespWaitOOBInput(), + RespReadySecOOB($idR, $capR, $idI, $capI, pkR, pkI, dh) + ] +#endif + +#ifdef RespSecOOBo +rule RespDoSecOOBo: + [ + RespEndECDH($idR, $capR, $idI, $capI, pkR, pkI, dh), + RespDoSecOOBo($idR, $capR, $idI, $capI) + ] + --[ + ]-> + [ + RespWaitOOBOutput(), + RespReadySecOOB($idR, $capR, $idI, $capI, pkR, pkI, dh) + ] +#endif + +#ifdef RespSecOOBio +rule RespDoSecOOBio: + [ + RespEndECDH($idR, $capR, $idI, $capI, pkR, pkI, dh), + RespDoSecOOBio($idR, $capR, $idI, $capI) + ] + --[ + ]-> + [ + RespWaitOOBInout(), + RespReadySecOOB($idR, $capR, $idI, $capI, pkR, pkI, dh) + ] +#endif + +#ifdef InitSecOOB +rule InitSecOOBOut: + let Ci = f1(pkI, pkI, ~ri, '0') in + [ + InitReadySecOOB($idI, $capI, $idR, $capR, pkI, pkR, dh), + 
InitWaitOOBOutput(), + Fr(~ri) + ] + --[ + InitSentOOB($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ri, Ci) + ]-> + [ + InitDoneSecOOBexchange($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ri, '0'), + InitOOBchannel(<$idI, ~ri, Ci>) + ] + +rule InitSecOOBin: + let computed_Cr = f1(pkR, pkR, ~rr, '0') in + [ + InitReadySecOOB($idI, $capI, $idR, $capR, pkI, pkR, dh), + InitWaitOOBInput(), + RespOOBchannel(<$idR, ~rr, computed_Cr>) + ] + --[ + ]-> + [ + InitDoneSecOOBexchange($idI, $capI, $idR, $capR, pkI, pkR, dh, '0', ~rr) + ] + +rule InitSecOOBinout_out: + let Ci = f1(pkI, pkI, ~ri, '0') in + [ + InitReadySecOOB($idI, $capI, $idR, $capR, pkI, pkR, dh), + InitWaitOOBInout(), + Fr(~ri) + ] + --[ + ]-> + [ + InitDoneSecOOBinout_out($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ri), + InitOOBchannel(<$idI, ~ri, Ci>) + ] + +rule InitSecOOBinout_in: + let computed_Cr = f1(pkR, pkR, ~rr, '0') in + [ + InitDoneSecOOBinout_out($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ri), + RespOOBchannel(<$idR, ~rr, computed_Cr>) + ] + --[ + ]-> + [ + InitDoneSecOOBexchange($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ri, ~rr) + ] + +rule InitSecOOBSendRandom: + [ + InitDoneSecOOBexchange($idI, $capI, $idR, $capR, pkI, pkR, dh, ri, rr), + Fr(~ni) + ] + --[]-> + [ + InitSecOOBSendRandom($idI, $capI, $idR, $capR, pkI, pkR, dh, ri, rr, ~ni), + Out(~ni) + ] + +rule InitSecOOBRecvRandom: + [ + InitSecOOBSendRandom($idI, $capI, $idR, $capR, pkI, pkR, dh, ri, rr, ~ni), + In(nr) + ] + --[ + InitSecOOBDone($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, ri, rr), + InitEndedStep2($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, ri, rr) + ]-> + [ + InitEndedStep2($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, ri, rr) + ] +#endif + +#ifdef RespSecOOB +rule RespSecOOBOut: + let Cr = f1(pkR, pkR, ~rr, '0') in + [ + RespReadySecOOB($idR, $capR, $idI, $capI, pkR, pkI, dh), + RespWaitOOBOutput(), + Fr(~rr) + ] + --[ + RespSentSecOOB($idR, $capR, $idI, $capI, pkR, pkI, dh, ~rr, Cr) + ]-> + [ + RespDoneSecOOBexchange($idR, 
$capR, $idI, $capI, pkR, pkI, dh, ~rr, '0'),
+ RespOOBchannel(<$idR, ~rr, Cr>)
+ ]
+
+rule RespSecOOBin:
+ let computed_Ci = f1(pkI, pkI, ~ri, '0') in
+ [
+ RespReadySecOOB($idR, $capR, $idI, $capI, pkR, pkI, dh),
+ RespWaitOOBInput(),
+ InitOOBchannel(<$idI, ~ri, computed_Ci>)
+ ]
+ --[
+ ]->
+ [
+ RespDoneSecOOBexchange($idR, $capR, $idI, $capI, pkR, pkI, dh, '0', ~ri)
+ ]
+
+rule RespSecOOBinout_out:
+ let Cr = f1(pkR, pkR, ~rr, '0') in
+ [
+ RespReadySecOOB($idR, $capR, $idI, $capI, pkR, pkI, dh),
+ RespWaitOOBInout(),
+ Fr(~rr)
+ ]
+ --[
+ ]->
+ [
+ RespDoneSecOOBinout_out($idR, $capR, $idI, $capI, pkR, pkI, dh, ~rr),
+ RespOOBchannel(<$idR, ~rr, Cr>)
+ ]
+
+rule RespSecOOBinout_in:
+ let computed_Ci = f1(pkI, pkI, ~ri, '0') in
+ [
+ RespDoneSecOOBinout_out($idR, $capR, $idI, $capI, pkR, pkI, dh, ~rr),
+ InitOOBchannel(<$idI, ~ri, computed_Ci>)
+ ]
+ --[
+ ]->
+ [
+ RespDoneSecOOBexchange($idR, $capR, $idI, $capI, pkR, pkI, dh, ~rr, ~ri)
+ ]
+
+rule RespSecOOBSendRandom:
+ [
+ RespDoneSecOOBexchange($idR, $capR, $idI, $capI, pkR, pkI, dh, rr, ri),
+ Fr(~nr),
+ In(ni)
+ ]
+ --[
+ RespSecOOBDone($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, rr, ri),
+ RespEndedStep2($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, rr, ri)
+ ]->
+ [
+ RespSecOOBSendRandom($idR, $capR, $idI, $capI, pkR, pkI, dh, rr, ri, ~nr, ni),
+ Out(~nr),
+ RespEndedStep2($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, rr, ri)
+ ]
+#endif
+
+/*
+* DHKeyCheck, this is a key confirmation step
+*/
+
+#ifdef InitSec
+rule InitDHKeyCheck:
+ let
+ //mackey = f5_mackey(dh, ~ni, nr, 'btle', $idI, $idR)
+ ei = f3(dh, ~ni, nr, rr, $capI, $idI, $idR) // Compute DHKeyCheck confirmation value
+ in
+ [
+ InitEndedStep2($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, ri, rr) // Initiator needs to be done with step2
+ ]
+ --[ InitDHKeyCheck($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, ri, rr, ei) ]-> // Intermediate fact
+ [
+ InitSendDHKeyCheck($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, ri, rr, 
ei), // Initiator has sent its dhkey check
+ Out(ei) // Send the DHKey Check on the channel
+ ]
+
+rule InitDoneDHKeyCheck:
+ let
+ //mackey = f5_mackey(dh, ~ni, nr, 'btle', $idI, $idR)
+ computed_er = f3(dh, nr, ~ni, ri, $capR, $idR, $idI)
+ in
+ [
+ InitSendDHKeyCheck($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, ri, rr, ei),
+ In(computed_er)
+ ]
+ --[
+ InitDoneDHKeyCheck($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr, ri, rr, ei, computed_er)
+ ]->
+ [
+ InitEndedDHKeyCheck($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr)
+ ]
+#endif
+
+#ifdef RespSec
+rule RespDHKeyCheck:
+ let
+ //mackey = f5_mackey(dh, ni, ~nr, 'btle', $idI, $idR)
+ er = f3(dh, ~nr, ni, ri, $capR, $idR, $idI)
+ computed_ei = f3(dh, ni, ~nr, rr, $capI, $idI, $idR)
+ in
+ [
+ RespEndedStep2($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, rr, ri),
+ In(computed_ei)
+ ]
+ --[
+ RespDoneDHKeyCheck($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni, rr, ri, er, computed_ei)
+ ]->
+ [
+ RespEndedDHKeyCheck($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni),
+ Out(er)
+ ]
+#endif
+
+
+/*
+Technically, ni should be the nonce sent by the central and nr should be the nonce sent by the peripheral
+idI should be the address of the central and idR the address of the peripheral.
+
+Here, we assume Initiator == Central and Responder == Peripheral but that may not be always true
+
+Also, the session key derivation and authentication is not performed here.
+*/
+
+#ifdef InitSec
+rule InitSecSendmsg:
+ let ltk = f2(dh, ~ni, nr, 'bredr', $idI, $idR) in
+ [
+ InitEndedDHKeyCheck($idI, $capI, $idR, $capR, pkI, pkR, dh, ~ni, nr)
+ ]
+ --[
+ InitiatorFinishedSecPairing($idI, $capI, $idR, $capR, pkI, pkR, dh, ltk),
+ InitiatorSecSentMessage(ltk, 'init')
+ ]->
+ [
+ InitiatorFinishedSecPairing($idI, $capI, $idR, $capR, pkI, pkR, dh, ltk),
+ Out(senc('init',ltk))
+ ]
+#endif
+
+#ifdef RespSec
+rule RespSecSendmsg:
+ let ltk = f2(dh, ni, ~nr, 'bredr', $idI, $idR) in
+ [
+ RespEndedDHKeyCheck($idR, $capR, $idI, $capI, pkR, pkI, dh, ~nr, ni),
+ In(senc('init', ltk))
+ ]
+ --[
+ ResponderFinishedSecPairing($idR, $capR, $idI, $capI, pkR, pkI, dh, ltk),
+ ResponderSentMessage(ltk, 'resp')
+ ]->
+ [
+ ResponderFinishedSecPairing($idR, $capR, $idI, $capI, pkR, pkI, dh, ltk),
+ Out(senc('resp',ltk))
+ ]
+#endif
+
+/* User interactions */
+/* This is used to represent user interactions in Bluetooth
+Devices can have an output, input or input/output capability.
+There are four facts that are used to represent interactions:
+- InitUserWaitInput(): Initiator waits passkey input from user
+- RespUserWaitInput(): Responder waits passkey input from user
+- InitUserWaitConfirm(passkey): Initiator waits continuation of the protocol, it chooses passkey
+- RespUserWaitConfirm(passkey): Responder waits continuation of the protocol, it chooses passkey
+- InitUserWaitInout(passkey): Initiator waits continuation of the protocol
+- RespUserWaitInout(passkey): Responder waits the continuation of the protocol
+
+We note that not both devices choose the passkey, in practice only one does.
+However, the choice depends on the capabilities of the other device.
+This is why when two devices have triggered UserWaitInout(passkey), only one passkey is propagated in the following
+rules, to model the choice that was done at the beginning of the protocol.
+ +The possible combinations are: +InitUserWaitInput - RespUserWaitInput -> Valid interaction in PE, user selects a passkey and inputs it in both +InitUserWaitInput - RespUserWaitConfirm -> Valid interaction in PE, user copies the responder's passkey into initiator +InitUserWaitConfirm - RespUserWaitInput -> Valid interaction in PE, user copies the initiator's passkey into responder +InitUserWaitConfirm - RespUserWaitConfirm -> Valid interaction in NC, user verifies that both code match + -> May also occur in PEo/PEio - PEo/PEio, in which case it is valid +*/ + +#ifdef InputInput +rule UserInputInitInputResp: + [Fr(~passkey), + InitTriggerUserInteraction(),InitWaitUserInput(), + RespTriggerUserInteraction(),RespWaitUserInput()] + --[]-> + [InitUserProceed(~passkey),RespUserProceed(~passkey)] +#endif + +#ifdef InputOutput +rule UserInputInitConfirmResp: + [InitTriggerUserInteraction(),InitWaitUserInput(), + RespTriggerUserInteraction(),RespWaitUserConfirm(passkey)] + --[]-> + [InitUserProceed(passkey),RespUserProceed(passkey)] +#endif + +#ifdef InputInout +rule UserInputInitInoutResp: + [InitTriggerUserInteraction(),InitWaitUserInput(), + RespTriggerUserInteraction(),RespWaitUserInout(passkey)] + --[]-> + [InitUserProceed(passkey),RespUserProceed(passkey)] +#endif + +#ifdef OutputInput +rule UserConfirmInitInputResp: + [InitTriggerUserInteraction(),InitWaitUserConfirm(passkey), + RespTriggerUserInteraction(),RespWaitUserInput()] + --[]-> + [InitUserProceed(passkey),RespUserProceed(passkey)] +#endif + +#ifdef OutputInout +rule UserConfirmInitInoutResp: + [InitTriggerUserInteraction(),InitWaitUserConfirm(passkeyi), + RespTriggerUserInteraction(),RespWaitUserInout(passkeyr)] + --[]-> + [InitUserProceed(passkeyi),RespUserProceed(passkeyi)] +#endif + +#ifdef InoutInput +rule UserInoutInitInputResp: + [InitTriggerUserInteraction(),InitWaitUserInout(passkey), + RespTriggerUserInteraction(),RespWaitUserInput()] + --[]-> + [InitUserProceed(passkey),RespUserProceed(passkey)] 
+#endif + +#ifdef InoutOutput +rule UserInoutInitConfirmResp: + [InitTriggerUserInteraction(),InitWaitUserInout(passkeyi), + RespTriggerUserInteraction(),RespWaitUserConfirm(passkeyr)] + --[]-> + [InitUserProceed(passkeyr),RespUserProceed(passkeyr)] +#endif + +#ifdef InoutInout +rule UserInoutInitInoutResp: + [InitTriggerUserInteraction(),InitWaitUserInout(passkeyi), + RespTriggerUserInteraction(),RespWaitUserInout(passkeyr)] + --[]-> + [InitUserProceed(passkeyi),RespUserProceed(passkeyi)] +#endif + +#ifdef OutputOutput +// This represents Numeric Comparison protocol +rule UserConfirmInitConfirmResp: + [InitTriggerUserInteraction(),InitWaitUserConfirm(vi), + RespTriggerUserInteraction(),RespWaitUserConfirm(vi)] + --[]-> + [InitUserProceed(vi),RespUserProceed(vi)] +#endif + + +/* Those two restrictions limit to one honest initiator and one +honest responder. This helps having a finished analysis */ +restriction InitOnlyOncePairing: +"All #i #j. InitOnlyOncePairing() @i & InitOnlyOncePairing() @j ==> #i = #j" + +restriction RespOnlyOncePairing: +"All #i #j. RespOnlyOncePairing() @i & RespOnlyOncePairing() @j ==> #i = #j" + +restriction OnlyOneAuthPath: +"All #i #j. AuthOnlyOneBegin() @i & AuthOnlyOneBegin() @j ==> #i = #j" + +#ifdef InitLeg +restriction InitLegPINOnlyOnce: +"All #i #j. InitLegPINOnlyOnce() @i & InitLegPINOnlyOnce() @j ==> #i = #j" +#endif + +#ifdef RespLeg +restriction RespLegPINOnlyOnce: +"All #i #j. RespLegPINOnlyOnce() @i & RespLegPINOnlyOnce() @j ==> #i = #j" +#endif + +#ifdef InitSecPE +restriction InitSecPEOnlyOnce: +"All #i #j. InitSecPEOnlyOnce() @i & InitSecPEOnlyOnce() @j ==> #i = #j" +#endif + +#ifdef RespSecPE +restriction RespSecPEOnlyOnce: +"All #i #j. RespSecPEOnlyOnce() @i & RespSecPEOnlyOnce() @j ==> #i = #j" +#endif + +#ifdef InitSecOOB +restriction InitSecOOBOnlyOnce: +"All #i #j. InitSecOOBOnlyOnce() @i & InitSecOOBOnlyOnce() @j ==> #i = #j" +#endif + +#ifdef RespSecOOB +restriction RespSecOOBOnlyOnce: +"All #i #j. 
RespSecOOBOnlyOnce() @i & RespSecOOBOnlyOnce() @j ==> #i = #j"
+#endif
+
+// For ECDH model
+restriction DHConsistency:
+ "All t s r1 r2 y #i #j .
+ Raised(t,s,r1,y) @ i & Raised(t,s,r2,y) @j
+ ==> r1 = r2"
+
+restriction DHIdentity:
+ "All t r y #i .
+ Raised(t,DH_neutral,r,y) @ i ==> r = DH_neutral"
+
+restriction ValidPt:
+ "∀ x y #i.
+ (ValidPt(x,y) @ #i) ⇒ (x = y)"
+
+restriction InvalidPt:
+ "∀ x #i.
+ (InvalidPt(x,x) @ #i) ⇒ F"
+
+
+/*****************************************/
+/* Lemmas about LegPINi-LegPINi exchange */
+/*****************************************/
+
+#ifdef LegPINiLegPINi
+lemma legPINi_legPINi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2
+ )
+"
+
+lemma legPINi_legPINi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==>
+ (All idI idR capI1 capR1 lk aco m #k1 .
+ InitRecvMsg(idI, capI1, idR, capR1, lk, aco, m) @k1 ==>
+ (Ex capI2 capR2 #k2 .
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k2
+ )
+ )
+"
+
+lemma legPINi_legPINi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==>
+ (All idI idR capI1 capR1 lk aco m #k1 .
+ RespRecvSendMsg(idR, capR1, idI, capI1, lk, aco, m) @k1 ==>
+ (Ex capI2 capR2 #k2 .
+ InitiatorFinishedLegPairing(idI, capI2, idR, capR2, lk, aco) @k2
+ )
+ )
+"
+
+lemma legPINi_legPINi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==>
+ (All idI idR capI capR lk aco #k1 .
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k1 ==>
+ not (Ex #k2 . K(lk) @k2 )
+ )
+"
+
+lemma legPINi_legPINi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINi_legPINi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 ==> + not (Ex #k1 #k2 . + K(lk1) @k1 & K(lk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about LegPINi-LegPINi exchange */ +/*********************************************/ + +/*****************************************/ +/* Lemmas about LegPINi-LegPINo exchange */ +/*****************************************/ + +#ifdef LegPINiLegPINo +lemma legPINi_legPINo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 + ) +" + +lemma legPINi_legPINo_auth_init: +" + All #i1 #i2 . + InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + InitRecvMsg(idI, capI1, idR, capR1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k2 + ) + ) +" + +lemma legPINi_legPINo_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + RespRecvSendMsg(idR, capR1, idI, capI1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + InitiatorFinishedLegPairing(idI, capI2, idR, capR2, lk, aco) @k2 + ) + ) +" + +lemma legPINi_legPINo_weaksecret_init: +" + All #i1 #i2 . 
+ InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINi_legPINo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINi_legPINo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 ==> + not (Ex #k1 #k2 . + K(lk1) @k1 & K(lk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about LegPINi-LegPINo exchange */ +/*********************************************/ + +/******************************************/ +/* Lemmas about LegPINi-LegPINio exchange */ +/******************************************/ + +#ifdef LegPINiLegPINio +lemma legPINi_legPINio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 + ) +" + +lemma legPINi_legPINio_auth_init: +" + All #i1 #i2 . + InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + InitRecvMsg(idI, capI1, idR, capR1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k2 + ) + ) +" + +lemma legPINi_legPINio_auth_resp: +" + All #i1 #i2 . 
+ InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + RespRecvSendMsg(idR, capR1, idI, capI1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + InitiatorFinishedLegPairing(idI, capI2, idR, capR2, lk, aco) @k2 + ) + ) +" + +lemma legPINi_legPINio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINi_legPINio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINi_legPINio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINi()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 ==> + not (Ex #k1 #k2 . + K(lk1) @k1 & K(lk2) @k2 + ) + ) +" + +#endif + +/**********************************************/ +/* End lemmas about LegPINi-LegPINio exchange */ +/**********************************************/ + +/*****************************************/ +/* Lemmas about LegPINo-LegPINi exchange */ +/*****************************************/ + +#ifdef LegPINoLegPINi +lemma legPINo_legPINi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 + ) +" + +lemma legPINo_legPINi_auth_init: +" + All #i1 #i2 . 
+ InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + InitRecvMsg(idI, capI1, idR, capR1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k2 + ) + ) +" + +lemma legPINo_legPINi_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + RespRecvSendMsg(idR, capR1, idI, capI1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + InitiatorFinishedLegPairing(idI, capI2, idR, capR2, lk, aco) @k2 + ) + ) +" + +lemma legPINo_legPINi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINo_legPINi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINo_legPINi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 ==> + not (Ex #k1 #k2 . + K(lk1) @k1 & K(lk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about LegPINo-LegPINi exchange */ +/*********************************************/ + +/*****************************************/ +/* Lemmas about LegPINo-LegPINo exchange */ +/*****************************************/ + +#ifdef LegPINoLegPINo +lemma legPINo_legPINo_functional: exists-trace +" + Ex #i1 #i2 . 
+ InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 + ) +" + +lemma legPINo_legPINo_auth_init: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + InitRecvMsg(idI, capI1, idR, capR1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k2 + ) + ) +" + +lemma legPINo_legPINo_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + RespRecvSendMsg(idR, capR1, idI, capI1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + InitiatorFinishedLegPairing(idI, capI2, idR, capR2, lk, aco) @k2 + ) + ) +" + +lemma legPINo_legPINo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINo_legPINo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINo_legPINo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(lk1) @k1 & K(lk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about LegPINo-LegPINo exchange */ +/*********************************************/ + +/******************************************/ +/* Lemmas about LegPINo-LegPINio exchange */ +/******************************************/ + +#ifdef LegPINoLegPINio +lemma legPINo_legPINio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 + ) +" + +lemma legPINo_legPINio_auth_init: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + InitRecvMsg(idI, capI1, idR, capR1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k2 + ) + ) +" + +lemma legPINo_legPINio_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + RespRecvSendMsg(idR, capR1, idI, capI1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + InitiatorFinishedLegPairing(idI, capI2, idR, capR2, lk, aco) @k2 + ) + ) +" + +lemma legPINo_legPINio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINo_legPINio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINo_legPINio_double_impersonation: +" + All #i1 #i2 . 
+ InitWillDoLegPINo()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 ==> + not (Ex #k1 #k2 . + K(lk1) @k1 & K(lk2) @k2 + ) + ) +" + +#endif + +/**********************************************/ +/* End lemmas about LegPINo-LegPINio exchange */ +/**********************************************/ + +/******************************************/ +/* Lemmas about LegPINio-LegPINi exchange */ +/******************************************/ + +#ifdef LegPINioLegPINi +lemma legPINio_legPINi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 + ) +" + +lemma legPINio_legPINi_auth_init: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + InitRecvMsg(idI, capI1, idR, capR1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k2 + ) + ) +" + +lemma legPINio_legPINi_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + RespRecvSendMsg(idR, capR1, idI, capI1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + InitiatorFinishedLegPairing(idI, capI2, idR, capR2, lk, aco) @k2 + ) + ) +" + +lemma legPINio_legPINi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k1 ==> + not (Ex #k2 . 
K(lk) @k2 ) + ) +" + +lemma legPINio_legPINi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINio_legPINi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 ==> + not (Ex #k1 #k2 . + K(lk1) @k1 & K(lk2) @k2 + ) + ) +" + +#endif + +/**********************************************/ +/* End lemmas about LegPINio-LegPINi exchange */ +/**********************************************/ + +/******************************************/ +/* Lemmas about LegPINio-LegPINo exchange */ +/******************************************/ + +#ifdef LegPINioLegPINo +lemma legPINio_legPINo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 + ) +" + +lemma legPINio_legPINo_auth_init: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + InitRecvMsg(idI, capI1, idR, capR1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k2 + ) + ) +" + +lemma legPINio_legPINo_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + RespRecvSendMsg(idR, capR1, idI, capI1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . 
+ InitiatorFinishedLegPairing(idI, capI2, idR, capR2, lk, aco) @k2 + ) + ) +" + +lemma legPINio_legPINo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINio_legPINo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINio_legPINo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 ==> + not (Ex #k1 #k2 . + K(lk1) @k1 & K(lk2) @k2 + ) + ) +" + +#endif + +/**********************************************/ +/* End lemmas about LegPINio-LegPINo exchange */ +/**********************************************/ + +/*******************************************/ +/* Lemmas about LegPINio-LegPINio exchange */ +/*******************************************/ + +#ifdef LegPINioLegPINio +lemma legPINio_legPINio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 + ) +" + +lemma legPINio_legPINio_auth_init: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + InitRecvMsg(idI, capI1, idR, capR1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . 
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k2 + ) + ) +" + +lemma legPINio_legPINio_auth_resp: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI1 capR1 lk aco m #k1 . + RespRecvSendMsg(idR, capR1, idI, capI1, lk, aco, m) @k1 ==> + (Ex capI2 capR2 #k2 . + InitiatorFinishedLegPairing(idI, capI2, idR, capR2, lk, aco) @k2 + ) + ) +" + +lemma legPINio_legPINio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINio_legPINio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI idR capI capR lk aco #k1 . + ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @k1 ==> + not (Ex #k2 . K(lk) @k2 ) + ) +" + +lemma legPINio_legPINio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk1 lk2 aco1 aco2 #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk1, aco1) @j1 & + ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk2, aco2) @j2 ==> + not (Ex #k1 #k2 . + K(lk1) @k1 & K(lk2) @k2 + ) + ) +" + +#endif + +/***********************************************/ +/* End lemmas about LegPINio-LegPINio exchange */ +/***********************************************/ + +/*************************************/ +/* Lemmas about SecJW-SecJW exchange */ +/*************************************/ + +#ifdef SecJWSecJW +lemma secJW_secJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secJW_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secJW_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secJW_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secJW_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*****************************************/ +/* End lemmas about SecJW-SecJW exchange */ +/*****************************************/ + +/**************************************/ +/* Lemmas about SecJW-SecPEi exchange */ +/**************************************/ + +#ifdef SecJWSecPEi +lemma secJW_secPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secPEi_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secPEi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secPEi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secPEi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . 
K(ltk) @k2) + ) +" + +lemma secJW_secPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about SecJW-SecPEi exchange */ +/******************************************/ + +/**************************************/ +/* Lemmas about SecJW-SecPEo exchange */ +/**************************************/ + +#ifdef SecJWSecPEo +lemma secJW_secPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secPEo_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secPEo_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secPEo_weaksecret_init: +" + All #i1 #i2 . 
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secPEo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about SecJW-SecPEo exchange */ +/******************************************/ + +/***************************************/ +/* Lemmas about SecJW-SecPEio exchange */ +/***************************************/ + +#ifdef SecJWSecPEio +lemma secJW_secPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secPEio_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . 
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secPEio_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secPEio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secPEio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecJW-SecPEio exchange */ +/*******************************************/ + +/*************************************/ +/* Lemmas about SecJW-SecNC exchange */ +/*************************************/ + +#ifdef SecJWSecNC +lemma secJW_secNC_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secNC_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secNC_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secNC_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secNC_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secNC_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*****************************************/ +/* End lemmas about SecJW-SecNC exchange */ +/*****************************************/ + +/***************************************/ +/* Lemmas about SecJW-SecOOBi exchange */ +/***************************************/ + +#ifdef SecJWSecOOBi +lemma secJW_secOOBi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secJW_secOOBi_auth_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secJW_secOOBi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secJW_secOOBi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secJW_secOOBi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . 
K(ltk) @k2)
+ )
+"
+
+lemma secJW_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecJW-SecOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about SecJW-SecOOBo exchange */
+/***************************************/
+
+#ifdef SecJWSecOOBo
+lemma secJW_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secJW_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secJW_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secJW_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secJW_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secJW_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecJW-SecOOBo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecJW-SecOOBio exchange */
+/****************************************/
+
+#ifdef SecJWSecOOBio
+lemma secJW_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secJW_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secJW_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secJW_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secJW_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secJW_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecJW-SecOOBio exchange */
+/********************************************/
+
+/**************************************/
+/* Lemmas about SecPEi-SecJW exchange */
+/**************************************/
+
+#ifdef SecPEiSecJW
+lemma secPEi_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecPEi-SecJW exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about SecPEi-SecPEi exchange */
+/***************************************/
+
+#ifdef SecPEiSecPEi
+lemma secPEi_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 .
K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEi-SecPEi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about SecPEi-SecPEo exchange */
+/***************************************/
+
+#ifdef SecPEiSecPEo
+lemma secPEi_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEi-SecPEo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecPEi-SecPEio exchange */
+/****************************************/
+
+#ifdef SecPEiSecPEio
+lemma secPEi_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEi-SecPEio exchange */
+/********************************************/
+
+/**************************************/
+/* Lemmas about SecPEi-SecNC exchange */
+/**************************************/
+
+#ifdef SecPEiSecNC
+lemma secPEi_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secNC_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secNC_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secNC_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secNC_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecPEi-SecNC exchange */
+/******************************************/
+
+/****************************************/
+/* Lemmas about SecPEi-SecOOBi exchange */
+/****************************************/
+
+#ifdef SecPEiSecOOBi
+lemma secPEi_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secOOBi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 .
K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEi-SecOOBi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecPEi-SecOOBo exchange */
+/****************************************/
+
+#ifdef SecPEiSecOOBo
+lemma secPEi_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEi-SecOOBo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecPEi-SecOOBio exchange */
+/*****************************************/
+
+#ifdef SecPEiSecOOBio
+lemma secPEi_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEi_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEi_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEi_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEi-SecOOBio exchange */
+/*********************************************/
+
+/**************************************/
+/* Lemmas about SecPEo-SecJW exchange */
+/**************************************/
+
+#ifdef SecPEoSecJW
+lemma secPEo_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecPEo-SecJW exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about SecPEo-SecPEi exchange */
+/***************************************/
+
+#ifdef SecPEoSecPEi
+lemma secPEo_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 .
K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEo-SecPEi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about SecPEo-SecPEo exchange */
+/***************************************/
+
+#ifdef SecPEoSecPEo
+lemma secPEo_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEo-SecPEo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecPEo-SecPEio exchange */
+/****************************************/
+
+#ifdef SecPEoSecPEio
+lemma secPEo_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEo-SecPEio exchange */
+/********************************************/
+
+/**************************************/
+/* Lemmas about SecPEo-SecNC exchange */
+/**************************************/
+
+#ifdef SecPEoSecNC
+lemma secPEo_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secNC_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secNC_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secNC_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secNC_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecPEo-SecNC exchange */
+/******************************************/
+
+/****************************************/
+/* Lemmas about SecPEo-SecOOBi exchange */
+/****************************************/
+
+#ifdef SecPEoSecOOBi
+lemma secPEo_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secOOBi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 .
K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEo-SecOOBi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecPEo-SecOOBo exchange */
+/****************************************/
+
+#ifdef SecPEoSecOOBo
+lemma secPEo_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEo-SecOOBo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecPEo-SecOOBio exchange */
+/*****************************************/
+
+#ifdef SecPEoSecOOBio
+lemma secPEo_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEo_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEo_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEo_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEo-SecOOBio exchange */
+/*********************************************/
+
+/***************************************/
+/* Lemmas about SecPEio-SecJW exchange */
+/***************************************/
+
+#ifdef SecPEioSecJW
+lemma secPEio_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEio-SecJW exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecPEio-SecPEi exchange */
+/****************************************/
+
+#ifdef SecPEioSecPEi
+lemma secPEio_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secPEi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 .
K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEio-SecPEi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecPEio-SecPEo exchange */
+/****************************************/
+
+#ifdef SecPEioSecPEo
+lemma secPEio_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secPEo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEio-SecPEo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecPEio-SecPEio exchange */
+/*****************************************/
+
+#ifdef SecPEioSecPEio
+lemma secPEio_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secPEio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secPEio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEio-SecPEio exchange */
+/*********************************************/
+
+/***************************************/
+/* Lemmas about SecPEio-SecNC exchange */
+/***************************************/
+
+#ifdef SecPEioSecNC
+lemma secPEio_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secNC_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secNC_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secNC_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secNC_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecPEio-SecNC exchange */
+/*******************************************/
+
+/*****************************************/
+/* Lemmas about SecPEio-SecOOBi exchange */
+/*****************************************/
+
+#ifdef SecPEioSecOOBi
+lemma secPEio_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secOOBi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEio-SecOOBi exchange */
+/*********************************************/
+
+/*****************************************/
+/* Lemmas about SecPEio-SecOOBo exchange */
+/*****************************************/
+
+#ifdef SecPEioSecOOBo
+lemma secPEio_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEio-SecOOBo exchange */
+/*********************************************/
+
+/******************************************/
+/* Lemmas about SecPEio-SecOOBio exchange */
+/******************************************/
+
+#ifdef SecPEioSecOOBio
+lemma secPEio_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secPEio_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secPEio_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secPEio_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecPEio-SecOOBio exchange */
+/**********************************************/
+
+/*************************************/
+/* Lemmas about SecNC-SecJW exchange */
+/*************************************/
+
+#ifdef SecNCSecJW
+lemma secNC_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secNC_secJW_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secNC_secJW_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secNC_secJW_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secNC_secJW_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 .
K(ltk) @k2) + ) +" + +lemma secNC_secJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*****************************************/ +/* End lemmas about SecNC-SecJW exchange */ +/*****************************************/ + +/**************************************/ +/* Lemmas about SecNC-SecPEi exchange */ +/**************************************/ + +#ifdef SecNCSecPEi +lemma secNC_secPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secNC_secPEi_auth_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secNC_secPEi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secNC_secPEi_weaksecret_init: +" + All #i1 #i2 . 
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secPEi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about SecNC-SecPEi exchange */ +/******************************************/ + +/**************************************/ +/* Lemmas about SecNC-SecPEo exchange */ +/**************************************/ + +#ifdef SecNCSecPEo +lemma secNC_secPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secNC_secPEo_auth_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . 
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secNC_secPEo_auth_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secNC_secPEo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secPEo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/******************************************/ +/* End lemmas about SecNC-SecPEo exchange */ +/******************************************/ + +/***************************************/ +/* Lemmas about SecNC-SecPEio exchange */ +/***************************************/ + +#ifdef SecNCSecPEio +lemma secNC_secPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secNC_secPEio_auth_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secNC_secPEio_auth_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secNC_secPEio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secPEio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecNC-SecPEio exchange */ +/*******************************************/ + +/*************************************/ +/* Lemmas about SecNC-SecNC exchange */ +/*************************************/ + +#ifdef SecNCSecNC +lemma secNC_secNC_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secNC_secNC_auth_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secNC_secNC_auth_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secNC_secNC_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secNC_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . 
K(ltk) @k2) + ) +" + +lemma secNC_secNC_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*****************************************/ +/* End lemmas about SecNC-SecNC exchange */ +/*****************************************/ + +/***************************************/ +/* Lemmas about SecNC-SecOOBi exchange */ +/***************************************/ + +#ifdef SecNCSecOOBi +lemma secNC_secOOBi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secNC_secOOBi_auth_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secNC_secOOBi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secNC_secOOBi_weaksecret_init: +" + All #i1 #i2 . 
+ InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secOOBi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secOOBi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecNC-SecOOBi exchange */ +/*******************************************/ + +/***************************************/ +/* Lemmas about SecNC-SecOOBo exchange */ +/***************************************/ + +#ifdef SecNCSecOOBo +lemma secNC_secOOBo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secNC_secOOBo_auth_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . 
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secNC_secOOBo_auth_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secNC_secOOBo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secOOBo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secOOBo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecNC-SecOOBo exchange */ +/*******************************************/ + +/****************************************/ +/* Lemmas about SecNC-SecOOBio exchange */ +/****************************************/ + +#ifdef SecNCSecOOBio +lemma secNC_secOOBio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secNC_secOOBio_auth_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secNC_secOOBio_auth_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secNC_secOOBio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secOOBio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secNC_secOOBio_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecNC()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about SecNC-SecOOBio exchange */ +/********************************************/ + +/***************************************/ +/* Lemmas about SecOOBi-SecJW exchange */ +/***************************************/ + +#ifdef SecOOBiSecJW +lemma secOOBi_secJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBi_secJW_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBi_secJW_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBi_secJW_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secJW_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . 
K(ltk) @k2) + ) +" + +lemma secOOBi_secJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecOOBi-SecJW exchange */ +/*******************************************/ + +/****************************************/ +/* Lemmas about SecOOBi-SecPEi exchange */ +/****************************************/ + +#ifdef SecOOBiSecPEi +lemma secOOBi_secPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBi_secPEi_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBi_secPEi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBi_secPEi_weaksecret_init: +" + All #i1 #i2 . 
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secPEi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about SecOOBi-SecPEi exchange */ +/********************************************/ + +/****************************************/ +/* Lemmas about SecOOBi-SecPEo exchange */ +/****************************************/ + +#ifdef SecOOBiSecPEo +lemma secOOBi_secPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBi_secPEo_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . 
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBi_secPEo_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBi_secPEo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secPEo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about SecOOBi-SecPEo exchange */ +/********************************************/ + +/*****************************************/ +/* Lemmas about SecOOBi-SecPEio exchange */ +/*****************************************/ + +#ifdef SecOOBiSecPEio +lemma secOOBi_secPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBi_secPEio_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBi_secPEio_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBi_secPEio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secPEio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about SecOOBi-SecPEio exchange */ +/*********************************************/ + +/***************************************/ +/* Lemmas about SecOOBi-SecNC exchange */ +/***************************************/ + +#ifdef SecOOBiSecNC +lemma secOOBi_secNC_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBi_secNC_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBi_secNC_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBi_secNC_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secNC_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . 
K(ltk) @k2) + ) +" + +lemma secOOBi_secNC_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecOOBi-SecNC exchange */ +/*******************************************/ + +/*****************************************/ +/* Lemmas about SecOOBi-SecOOBi exchange */ +/*****************************************/ + +#ifdef SecOOBiSecOOBi +lemma secOOBi_secOOBi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBi_secOOBi_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBi_secOOBi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBi_secOOBi_weaksecret_init: +" + All #i1 #i2 . 
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secOOBi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secOOBi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about SecOOBi-SecOOBi exchange */ +/*********************************************/ + +/*****************************************/ +/* Lemmas about SecOOBi-SecOOBo exchange */ +/*****************************************/ + +#ifdef SecOOBiSecOOBo +lemma secOOBi_secOOBo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBi_secOOBo_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . 
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBi_secOOBo_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBi_secOOBo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secOOBo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secOOBo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about SecOOBi-SecOOBo exchange */ +/*********************************************/ + +/******************************************/ +/* Lemmas about SecOOBi-SecOOBio exchange */ +/******************************************/ + +#ifdef SecOOBiSecOOBio +lemma secOOBi_secOOBio_functional: exists-trace +" + Ex #i1 #i2 . 
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBi_secOOBio_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBi_secOOBio_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBi_secOOBio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secOOBio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBi_secOOBio_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/**********************************************/ +/* End lemmas about SecOOBi-SecOOBio exchange */ +/**********************************************/ + +/***************************************/ +/* Lemmas about SecOOBo-SecJW exchange */ +/***************************************/ + +#ifdef SecOOBoSecJW +lemma secOOBo_secJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBo_secJW_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBo_secJW_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBo_secJW_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secJW_weaksecret_resp: +" + All #i1 #i2 . 
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecOOBo-SecJW exchange */ +/*******************************************/ + +/****************************************/ +/* Lemmas about SecOOBo-SecPEi exchange */ +/****************************************/ + +#ifdef SecOOBoSecPEi +lemma secOOBo_secPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBo_secPEi_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBo_secPEi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . 
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBo_secPEi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secPEi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about SecOOBo-SecPEi exchange */ +/********************************************/ + +/****************************************/ +/* Lemmas about SecOOBo-SecPEo exchange */ +/****************************************/ + +#ifdef SecOOBoSecPEo +lemma secOOBo_secPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBo_secPEo_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . 
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBo_secPEo_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBo_secPEo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secPEo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about SecOOBo-SecPEo exchange */ +/********************************************/ + +/*****************************************/ +/* Lemmas about SecOOBo-SecPEio exchange */ +/*****************************************/ + +#ifdef SecOOBoSecPEio +lemma secOOBo_secPEio_functional: exists-trace +" + Ex #i1 #i2 . 
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBo_secPEio_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBo_secPEio_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBo_secPEio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secPEio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about SecOOBo-SecPEio exchange */ +/*********************************************/ + +/***************************************/ +/* Lemmas about SecOOBo-SecNC exchange */ +/***************************************/ + +#ifdef SecOOBoSecNC +lemma secOOBo_secNC_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBo_secNC_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBo_secNC_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBo_secNC_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secNC_weaksecret_resp: +" + All #i1 #i2 . 
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secNC_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about SecOOBo-SecNC exchange */ +/*******************************************/ + +/*****************************************/ +/* Lemmas about SecOOBo-SecOOBi exchange */ +/*****************************************/ + +#ifdef SecOOBoSecOOBi +lemma secOOBo_secOOBi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBo_secOOBi_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBo_secOOBi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . 
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBo_secOOBi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secOOBi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secOOBi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about SecOOBo-SecOOBi exchange */ +/*********************************************/ + +/*****************************************/ +/* Lemmas about SecOOBo-SecOOBo exchange */ +/*****************************************/ + +#ifdef SecOOBoSecOOBo +lemma secOOBo_secOOBo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBo_secOOBo_auth_init: +" + All #i1 #i2 . 
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBo_secOOBo_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBo_secOOBo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secOOBo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secOOBo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . 
+ K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about SecOOBo-SecOOBo exchange */ +/*********************************************/ + +/******************************************/ +/* Lemmas about SecOOBo-SecOOBio exchange */ +/******************************************/ + +#ifdef SecOOBoSecOOBio +lemma secOOBo_secOOBio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBo_secOOBio_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBo_secOOBio_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBo_secOOBio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secOOBio_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . 
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBo_secOOBio_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/**********************************************/ +/* End lemmas about SecOOBo-SecOOBio exchange */ +/**********************************************/ + +/****************************************/ +/* Lemmas about SecOOBio-SecJW exchange */ +/****************************************/ + +#ifdef SecOOBioSecJW +lemma secOOBio_secJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBio_secJW_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBio_secJW_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . 
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBio_secJW_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBio_secJW_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBio_secJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about SecOOBio-SecJW exchange */ +/********************************************/ + +/*****************************************/ +/* Lemmas about SecOOBio-SecPEi exchange */ +/*****************************************/ + +#ifdef SecOOBioSecPEi +lemma secOOBio_secPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBio_secPEi_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . 
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBio_secPEi_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBio_secPEi_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBio_secPEi_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBio_secPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about SecOOBio-SecPEi exchange */ +/*********************************************/ + +/*****************************************/ +/* Lemmas about SecOOBio-SecPEo exchange */ +/*****************************************/ + +#ifdef SecOOBioSecPEo +lemma secOOBio_secPEo_functional: exists-trace +" + Ex #i1 #i2 . 
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBio_secPEo_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBio_secPEo_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBio_secPEo_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBio_secPEo_weaksecret_resp: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + not (Ex #k2 . K(ltk) @k2) + ) +" + +lemma secOOBio_secPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . 
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==> + not (Ex #k1 #k2 . + K(ltk1) @k1 & K(ltk2) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about SecOOBio-SecPEo exchange */ +/*********************************************/ + +/******************************************/ +/* Lemmas about SecOOBio-SecPEio exchange */ +/******************************************/ + +#ifdef SecOOBioSecPEio +lemma secOOBio_secPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 . + InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 + ) +" + +lemma secOOBio_secPEio_auth_init: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + (Ex ni nr ri rr ei er #k2 . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2 + ) + ) +" + +lemma secOOBio_secPEio_auth_resp: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==> + (Ex #k2 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2 + ) + ) +" + +lemma secOOBio_secPEio_weaksecret_init: +" + All #i1 #i2 . + InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI idR capI capR pkI pkR dh ltk #k1 . + InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==> + not (Ex #k2 . 
K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secPEio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBio-SecPEio exchange */
+/********************************************/
+
+/**************************************/
+/* Lemmas about SecOOBio-SecNC exchange */
+/**************************************/
+
+#ifdef SecOOBioSecNC
+lemma secOOBio_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secNC_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secNC_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secNC_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secNC_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about SecOOBio-SecNC exchange */
+/******************************************/
+
+/****************************************/
+/* Lemmas about SecOOBio-SecOOBi exchange */
+/****************************************/
+
+#ifdef SecOOBioSecOOBi
+lemma secOOBio_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secOOBi_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBi_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBi_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBi_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBio-SecOOBi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecOOBio-SecOOBo exchange */
+/****************************************/
+
+#ifdef SecOOBioSecOOBo
+lemma secOOBio_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secOOBo_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBo_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBo_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBo_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecOOBio-SecOOBo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBio-SecOOBio exchange */
+/*****************************************/
+
+#ifdef SecOOBioSecOOBio
+lemma secOOBio_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2
+ )
+"
+
+lemma secOOBio_secOOBio_auth_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ (Ex ni nr ri rr ei er #k2 .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nr, ni, rr, ri, er, ei) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBio_auth_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ (Ex #k2 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k2
+ )
+ )
+"
+
+lemma secOOBio_secOOBio_weaksecret_init:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBio_weaksecret_resp:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI idR capI capR pkI pkR dh ltk #k1 .
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkR, pkI, dh, ltk) @k1 ==>
+ not (Ex #k2 . K(ltk) @k2)
+ )
+"
+
+lemma secOOBio_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 pkI1 pkR1 dh1 ltk1 idI2 idR2 capI2 capR2 pkI2 pkR2 dh2 ltk2 #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI1, pkR1, dh1, ltk1) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR2, pkI2, dh2, ltk2) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk1) @k1 & K(ltk2) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBio-SecOOBio exchange */
+/*********************************************/
+
+/*************************************/
+/* Lemmas about LegPINi-SecJW exchange */
+/*************************************/
+
+#ifdef LegPINiSecJW
+lemma legPINi_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPINi_secJW_auth_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPINi_secJW_auth_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ (Ex lk aco #k .
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k
+ )
+"
+
+lemma legPINi_secJW_weaksecret_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ not (Ex #k . K(lk) @k )
+"
+
+lemma legPINi_secJW_weaksecret_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPINi_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(lk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*****************************************/
+/* End lemmas about LegPINi-SecJW exchange */
+/*****************************************/
+
+/**************************************/
+/* Lemmas about LegPINi-SecPEi exchange */
+/**************************************/
+
+#ifdef LegPINiSecPEi
+lemma legPINi_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPINi_secPEi_auth_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPINi_secPEi_auth_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ (Ex lk aco #k .
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k
+ )
+"
+
+lemma legPINi_secPEi_weaksecret_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ not (Ex #k . K(lk) @k )
+"
+
+lemma legPINi_secPEi_weaksecret_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPINi_secPEi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(lk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about LegPINi-SecPEi exchange */
+/******************************************/
+
+/**************************************/
+/* Lemmas about LegPINi-SecPEo exchange */
+/**************************************/
+
+#ifdef LegPINiSecPEo
+lemma legPINi_secPEo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPINi_secPEo_auth_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPINi_secPEo_auth_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ (Ex lk aco #k .
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k
+ )
+"
+
+lemma legPINi_secPEo_weaksecret_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ not (Ex #k . K(lk) @k )
+"
+
+lemma legPINi_secPEo_weaksecret_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPINi_secPEo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(lk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/******************************************/
+/* End lemmas about LegPINi-SecPEo exchange */
+/******************************************/
+
+/***************************************/
+/* Lemmas about LegPINi-SecPEio exchange */
+/***************************************/
+
+#ifdef LegPINiSecPEio
+lemma legPINi_secPEio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPINi_secPEio_auth_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPINi_secPEio_auth_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ (Ex lk aco #k .
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k
+ )
+"
+
+lemma legPINi_secPEio_weaksecret_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ not (Ex #k .
K(lk) @k )
+"
+
+lemma legPINi_secPEio_weaksecret_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPINi_secPEio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(lk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegPINi-SecPEio exchange */
+/*******************************************/
+
+/*************************************/
+/* Lemmas about LegPINi-SecNC exchange */
+/*************************************/
+
+#ifdef LegPINiSecNC
+lemma legPINi_secNC_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPINi_secNC_auth_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPINi_secNC_auth_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ (Ex lk aco #k .
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k
+ )
+"
+
+lemma legPINi_secNC_weaksecret_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ not (Ex #k . K(lk) @k )
+"
+
+lemma legPINi_secNC_weaksecret_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecNC()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPINi_secNC_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecNC()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(lk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*****************************************/
+/* End lemmas about LegPINi-SecNC exchange */
+/*****************************************/
+
+/***************************************/
+/* Lemmas about LegPINi-SecOOBi exchange */
+/***************************************/
+
+#ifdef LegPINiSecOOBi
+lemma legPINi_secOOBi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPINi_secOOBi_auth_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPINi_secOOBi_auth_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ (Ex lk aco #k .
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k
+ )
+"
+
+lemma legPINi_secOOBi_weaksecret_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ not (Ex #k . K(lk) @k )
+"
+
+lemma legPINi_secOOBi_weaksecret_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPINi_secOOBi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(lk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegPINi-SecOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about LegPINi-SecOOBo exchange */
+/***************************************/
+
+#ifdef LegPINiSecOOBo
+lemma legPINi_secOOBo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPINi_secOOBo_auth_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPINi_secOOBo_auth_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ (Ex lk aco #k .
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k
+ )
+"
+
+lemma legPINi_secOOBo_weaksecret_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ not (Ex #k . K(lk) @k )
+"
+
+lemma legPINi_secOOBo_weaksecret_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPINi_secOOBo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(lk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about LegPINi-SecOOBo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about LegPINi-SecOOBio exchange */
+/****************************************/
+
+#ifdef LegPINiSecOOBio
+lemma legPINi_secOOBio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPINi_secOOBio_auth_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPINi_secOOBio_auth_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ (Ex lk aco #k .
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k
+ )
+"
+
+lemma legPINi_secOOBio_weaksecret_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ not (Ex #k . K(lk) @k )
+"
+
+lemma legPINi_secOOBio_weaksecret_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPINi_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINi()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(lk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about LegPINi-SecOOBio exchange */
+/********************************************/
+
+/*************************************/
+/* Lemmas about LegPINo-SecJW exchange */
+/*************************************/
+
+#ifdef LegPINoSecJW
+lemma legPINo_secJW_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPINo()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPINo_secJW_auth_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoLegPINo()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPINo_secJW_auth_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPINo()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ (Ex lk aco #k .
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k
+ )
+"
+
+lemma legPINo_secJW_weaksecret_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j.
+ InitWillDoLegPINo()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ not (Ex #k .
K(lk) @k )
+"
+
+lemma legPINo_secJW_weaksecret_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPINo()[+] @i1 & RespWillDoSecJW()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPINo_secJW_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINo()[+] @i1 & RespWillDoSecJW()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(lk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/*****************************************/
+/* End lemmas about LegPINo-SecJW exchange */
+/*****************************************/
+
+/**************************************/
+/* Lemmas about LegPINo-SecPEi exchange */
+/**************************************/
+
+#ifdef LegPINoSecPEi
+lemma legPINo_secPEi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2
+ )
+"
+
+lemma legPINo_secPEi_auth_init:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==>
+ (Ex pkI pkR dh nsi nsr ri rr ei er #k .
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k
+ )
+"
+
+lemma legPINo_secPEi_auth_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEi()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ (Ex lk aco #k .
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINo_secPEi_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINo_secPEi_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINo_secPEi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegPINo-SecPEi exchange */ +/********************************************/ + +/****************************************/ +/* Lemmas about LegPINo-SecPEo exchange */ +/****************************************/ + +#ifdef LegPINoSecPEo +lemma legPINo_secPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINo_secPEo_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . 
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINo_secPEo_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINo_secPEo_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINo_secPEo_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINo_secPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegPINo-SecPEo exchange */ +/********************************************/ + +/*****************************************/ +/* Lemmas about LegPINo-SecPEio exchange */ +/*****************************************/ + +#ifdef LegPINoSecPEio +lemma legPINo_secPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . 
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINo_secPEio_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINo_secPEio_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINo_secPEio_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINo_secPEio_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINo_secPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about LegPINo-SecPEio exchange */ +/*********************************************/ + +/***************************************/ +/* Lemmas about LegPINo-SecNC exchange */ +/***************************************/ + +#ifdef LegPINoSecNC +lemma legPINo_secNC_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecNC()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINo_secNC_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecNC()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINo_secNC_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecNC()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINo_secNC_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecNC()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINo_secNC_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecNC()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINo_secNC_double_impersonation: +" + All #i1 #i2 . 
+ InitWillDoLegPINo()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/*******************************************/ +/* End lemmas about LegPINo-SecNC exchange */ +/*******************************************/ + +/*****************************************/ +/* Lemmas about LegPINo-SecOOBi exchange */ +/*****************************************/ + +#ifdef LegPINoSecOOBi +lemma legPINo_secOOBi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINo_secOOBi_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINo_secOOBi_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINo_secOOBi_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . 
K(lk) @k ) +" + +lemma legPINo_secOOBi_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINo_secOOBi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about LegPINo-SecOOBi exchange */ +/*********************************************/ + +/*****************************************/ +/* Lemmas about LegPINo-SecOOBo exchange */ +/*****************************************/ + +#ifdef LegPINoSecOOBo +lemma legPINo_secOOBo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINo_secOOBo_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINo_secOOBo_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . 
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINo_secOOBo_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINo_secOOBo_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINo_secOOBo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about LegPINo-SecOOBo exchange */ +/*********************************************/ + +/******************************************/ +/* Lemmas about LegPINo-SecOOBio exchange */ +/******************************************/ + +#ifdef LegPINoSecOOBio +lemma legPINo_secOOBio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINo_secOOBio_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . 
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINo_secOOBio_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINo_secOOBio_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINo_secOOBio_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINo_secOOBio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINo()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/**********************************************/ +/* End lemmas about LegPINo-SecOOBio exchange */ +/**********************************************/ + +/****************************************/ +/* Lemmas about LegPINio-SecJW exchange */ +/****************************************/ + +#ifdef LegPINioSecJW +lemma legPINio_secJW_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecJW()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . 
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINio_secJW_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecJW()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINio_secJW_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecJW()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINio_secJW_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecJW()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINio_secJW_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecJW()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINio_secJW_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecJW()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegPINio-SecJW exchange */ +/********************************************/ + +/*****************************************/ +/* Lemmas about LegPINio-SecPEi exchange */ +/*****************************************/ + +#ifdef LegPINioSecPEi +lemma legPINio_secPEi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINio_secPEi_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINio_secPEi_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINio_secPEi_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINio_secPEi_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINio_secPEi_double_impersonation: +" + All #i1 #i2 . 
+ InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about LegPINio-SecPEi exchange */ +/*********************************************/ + +/*****************************************/ +/* Lemmas about LegPINio-SecPEo exchange */ +/*****************************************/ + +#ifdef LegPINioSecPEo +lemma legPINio_secPEo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINio_secPEo_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINio_secPEo_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINio_secPEo_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . 
K(lk) @k ) +" + +lemma legPINio_secPEo_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINio_secPEo_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/*********************************************/ +/* End lemmas about LegPINio-SecPEo exchange */ +/*********************************************/ + +/******************************************/ +/* Lemmas about LegPINio-SecPEio exchange */ +/******************************************/ + +#ifdef LegPINioSecPEio +lemma legPINio_secPEio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINio_secPEio_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINio_secPEio_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . 
+ InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINio_secPEio_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINio_secPEio_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINio_secPEio_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecPEio()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/**********************************************/ +/* End lemmas about LegPINio-SecPEio exchange */ +/**********************************************/ + +/****************************************/ +/* Lemmas about LegPINio-SecNC exchange */ +/****************************************/ + +#ifdef LegPINioSecNC +lemma legPINio_secNC_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecNC()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINio_secNC_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecNC()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . 
+ RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINio_secNC_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecNC()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINio_secNC_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecNC()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINio_secNC_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecNC()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINio_secNC_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecNC()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/********************************************/ +/* End lemmas about LegPINio-SecNC exchange */ +/********************************************/ + +/******************************************/ +/* Lemmas about LegPINio-SecOOBi exchange */ +/******************************************/ + +#ifdef LegPINioSecOOBi +lemma legPINio_secOOBi_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . 
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINio_secOOBi_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINio_secOOBi_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINio_secOOBi_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINio_secOOBi_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINio_secOOBi_double_impersonation: +" + All #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBi()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . 
+ K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/**********************************************/ +/* End lemmas about LegPINio-SecOOBi exchange */ +/**********************************************/ + +/******************************************/ +/* Lemmas about LegPINio-SecOOBo exchange */ +/******************************************/ + +#ifdef LegPINioSecOOBo +lemma legPINio_secOOBo_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINio_secOOBo_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINio_secOOBo_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINio_secOOBo_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . K(lk) @k ) +" + +lemma legPINio_secOOBo_weaksecret_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + not (Ex #k . K(ltk) @k ) +" + +lemma legPINio_secOOBo_double_impersonation: +" + All #i1 #i2 . 
+ InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBo()[+] @i2 ==> + (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==> + not (Ex #k1 #k2 . + K(lk) @k1 & K(ltk) @k2 + ) + ) +" + +#endif + +/**********************************************/ +/* End lemmas about LegPINio-SecOOBo exchange */ +/**********************************************/ + +/*******************************************/ +/* Lemmas about LegPINio-SecOOBio exchange */ +/*******************************************/ + +#ifdef LegPINioSecOOBio +lemma legPINio_secOOBio_functional: exists-trace +" + Ex #i1 #i2 . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 . + InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 & + ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 + ) +" + +lemma legPINio_secOOBio_auth_init: +" + All idI idR capI capR lk aco #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + (Ex pkI pkR dh nsi nsr ri rr ei er #k . + RespDoneDHKeyCheck(idR, capR, idI, capI, pkR, pkI, dh, nsr, nsi, rr, ri, er, ei) @k + ) +" + +lemma legPINio_secOOBio_auth_resp: +" + All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j . + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==> + (Ex lk aco #k . + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @k + ) +" + +lemma legPINio_secOOBio_weaksecret_init: +" + All idI idR capI capR lk aco #i1 #i2 #j. + InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 & + InitiatorFinishedLegPairing(idI, capI, idR, capR, lk, aco) @j ==> + not (Ex #k . 
K(lk) @k )
+"
+
+lemma legPINio_secOOBio_weaksecret_resp:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j.
+ InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 &
+ ResponderFinishedSecPairing(idR, capR, idI, capI, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k . K(ltk) @k )
+"
+
+lemma legPINio_secOOBio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoLegPINio()[+] @i1 & RespWillDoSecOOBio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedLegPairing(idI1, capI1, idR1, capR1, lk, aco) @j1 &
+ ResponderFinishedSecPairing(idR2, capR2, idI2, capI2, pkR, pkI, dh, ltk) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(lk) @k1 & K(ltk) @k2
+ )
+ )
+"
+
+#endif
+
+/***********************************************/
+/* End lemmas about LegPINio-SecOOBio exchange */
+/***********************************************/
+
+/***************************************/
+/* Lemmas about SecJW-LegPINi exchange */
+/***************************************/
+
+#ifdef SecJWLegPINi
+lemma secJW_legPINi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secJW_legPINi_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secJW_legPINi_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secJW_legPINi_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secJW_legPINi_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secJW_legPINi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecJW-LegPINi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about SecJW-LegPINo exchange */
+/***************************************/
+
+#ifdef SecJWLegPINo
+lemma secJW_legPINo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secJW_legPINo_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secJW_legPINo_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secJW_legPINo_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secJW_legPINo_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secJW_legPINo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecJW-LegPINo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecJW-LegPINio exchange */
+/****************************************/
+
+#ifdef SecJWLegPINio
+lemma secJW_legPINio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secJW_legPINio_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secJW_legPINio_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secJW_legPINio_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secJW_legPINio_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secJW_legPINio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecJW()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecJW-LegPINio exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecPEi-LegPINi exchange */
+/****************************************/
+
+#ifdef SecPEiLegPINi
+lemma secPEi_legPINi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secPEi_legPINi_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secPEi_legPINi_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEi_legPINi_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEi_legPINi_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secPEi_legPINi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEi-LegPINi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecPEi-LegPINo exchange */
+/****************************************/
+
+#ifdef SecPEiLegPINo
+lemma secPEi_legPINo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secPEi_legPINo_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secPEi_legPINo_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEi_legPINo_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k.
K(ltk) @k )
+"
+
+lemma secPEi_legPINo_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secPEi_legPINo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEi-LegPINo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecPEi-LegPINio exchange */
+/*****************************************/
+
+#ifdef SecPEiLegPINio
+lemma secPEi_legPINio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secPEi_legPINio_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secPEi_legPINio_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEi_legPINio_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEi_legPINio_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secPEi_legPINio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEi()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEi-LegPINio exchange */
+/*********************************************/
+
+/****************************************/
+/* Lemmas about SecPEo-LegPINi exchange */
+/****************************************/
+
+#ifdef SecPEoLegPINi
+lemma secPEo_legPINi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secPEo_legPINi_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secPEo_legPINi_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEo_legPINi_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEo_legPINi_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secPEo_legPINi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEo-LegPINi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about SecPEo-LegPINo exchange */
+/****************************************/
+
+#ifdef SecPEoLegPINo
+lemma secPEo_legPINo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secPEo_legPINo_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secPEo_legPINo_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEo_legPINo_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEo_legPINo_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secPEo_legPINo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecPEo-LegPINo exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecPEo-LegPINio exchange */
+/*****************************************/
+
+#ifdef SecPEoLegPINio
+lemma secPEo_legPINio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secPEo_legPINio_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secPEo_legPINio_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEo_legPINio_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEo_legPINio_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secPEo_legPINio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEo()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEo-LegPINio exchange */
+/*********************************************/
+
+/*****************************************/
+/* Lemmas about SecPEio-LegPINi exchange */
+/*****************************************/
+
+#ifdef SecPEioLegPINi
+lemma secPEio_legPINi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secPEio_legPINi_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secPEio_legPINi_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEio_legPINi_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k.
K(ltk) @k )
+"
+
+lemma secPEio_legPINi_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secPEio_legPINi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEio-LegPINi exchange */
+/*********************************************/
+
+/*****************************************/
+/* Lemmas about SecPEio-LegPINo exchange */
+/*****************************************/
+
+#ifdef SecPEioLegPINo
+lemma secPEio_legPINo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secPEio_legPINo_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secPEio_legPINo_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEio_legPINo_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEio_legPINo_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secPEio_legPINo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecPEio-LegPINo exchange */
+/*********************************************/
+
+/******************************************/
+/* Lemmas about SecPEio-LegPINio exchange */
+/******************************************/
+
+#ifdef SecPEioLegPINio
+lemma secPEio_legPINio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secPEio_legPINio_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secPEio_legPINio_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secPEio_legPINio_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secPEio_legPINio_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secPEio_legPINio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecPEio()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecPEio-LegPINio exchange */
+/**********************************************/
+
+/***************************************/
+/* Lemmas about SecNC-LegPINi exchange */
+/***************************************/
+
+#ifdef SecNCLegPINi
+lemma secNC_legPINi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secNC_legPINi_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secNC_legPINi_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secNC_legPINi_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secNC_legPINi_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secNC_legPINi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecNC-LegPINi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about SecNC-LegPINo exchange */
+/***************************************/
+
+#ifdef SecNCLegPINo
+lemma secNC_legPINo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secNC_legPINo_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secNC_legPINo_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secNC_legPINo_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secNC_legPINo_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secNC_legPINo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about SecNC-LegPINo exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about SecNC-LegPINio exchange */
+/****************************************/
+
+#ifdef SecNCLegPINio
+lemma secNC_legPINio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secNC_legPINio_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secNC_legPINio_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secNC_legPINio_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secNC_legPINio_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secNC_legPINio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecNC()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about SecNC-LegPINio exchange */
+/********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBi-LegPINi exchange */
+/*****************************************/
+
+#ifdef SecOOBiLegPINi
+lemma secOOBi_legPINi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secOOBi_legPINi_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secOOBi_legPINi_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBi_legPINi_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBi_legPINi_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secOOBi_legPINi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBi-LegPINi exchange */
+/*********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBi-LegPINo exchange */
+/*****************************************/
+
+#ifdef SecOOBiLegPINo
+lemma secOOBi_legPINo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secOOBi_legPINo_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secOOBi_legPINo_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBi_legPINo_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBi_legPINo_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secOOBi_legPINo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBi-LegPINo exchange */
+/*********************************************/
+
+/******************************************/
+/* Lemmas about SecOOBi-LegPINio exchange */
+/******************************************/
+
+#ifdef SecOOBiLegPINio
+lemma secOOBi_legPINio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secOOBi_legPINio_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secOOBi_legPINio_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBi_legPINio_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBi_legPINio_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secOOBi_legPINio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBi()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecOOBi-LegPINio exchange */
+/**********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBo-LegPINi exchange */
+/*****************************************/
+
+#ifdef SecOOBoLegPINi
+lemma secOOBo_legPINi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secOOBo_legPINi_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secOOBo_legPINi_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBo_legPINi_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBo_legPINi_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secOOBo_legPINi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBo-LegPINi exchange */
+/*********************************************/
+
+/*****************************************/
+/* Lemmas about SecOOBo-LegPINo exchange */
+/*****************************************/
+
+#ifdef SecOOBoLegPINo
+lemma secOOBo_legPINo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secOOBo_legPINo_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secOOBo_legPINo_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBo_legPINo_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBo_legPINo_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secOOBo_legPINo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about SecOOBo-LegPINo exchange */
+/*********************************************/
+
+/******************************************/
+/* Lemmas about SecOOBo-LegPINio exchange */
+/******************************************/
+
+#ifdef SecOOBoLegPINio
+lemma secOOBo_legPINio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secOOBo_legPINio_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secOOBo_legPINio_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBo_legPINio_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBo_legPINio_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secOOBo_legPINio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBo()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecOOBo-LegPINio exchange */
+/**********************************************/
+
+/******************************************/
+/* Lemmas about SecOOBio-LegPINi exchange */
+/******************************************/
+
+#ifdef SecOOBioLegPINi
+lemma secOOBio_legPINi_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secOOBio_legPINi_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secOOBio_legPINi_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBio_legPINi_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBio_legPINi_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINi()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secOOBio_legPINi_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINi()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecOOBio-LegPINi exchange */
+/**********************************************/
+
+/******************************************/
+/* Lemmas about SecOOBio-LegPINo exchange */
+/******************************************/
+
+#ifdef SecOOBioLegPINo
+lemma secOOBio_legPINo_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secOOBio_legPINo_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secOOBio_legPINo_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBio_legPINo_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBio_legPINo_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINo()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secOOBio_legPINo_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINo()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+/**********************************************/
+/* End lemmas about SecOOBio-LegPINo exchange */
+/**********************************************/
+
+/*******************************************/
+/* Lemmas about SecOOBio-LegPINio exchange */
+/*******************************************/
+
+#ifdef SecOOBioLegPINio
+lemma secOOBio_legPINio_functional: exists-trace
+"
+ Ex #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ (Ex idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2
+ )
+"
+
+lemma secOOBio_legPINio_auth_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ (Ex capI2 capR2 lk aco #k.
+ ResponderFinishedLegPairing(idR, capR2, idI, capI2, lk, aco) @k
+ )
+"
+
+lemma secOOBio_legPINio_auth_resp:
+"
+ All idI idR capI1 capR1 lk aco #i1 #i2 #j.
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR1, idI, capI1, lk, aco) @j ==>
+ (Ex capI2 capR2 pkI pkR dh nsi nsr ri rr ei #k .
+ InitDHKeyCheck(idI, capI2, idR, capR2, pkI, pkR, dh, nsi, nsr, ri, rr, ei) @k
+ )
+"
+
+lemma secOOBio_legPINio_weaksecret_init:
+"
+ All idI idR capI capR pkI pkR dh ltk #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ InitiatorFinishedSecPairing(idI, capI, idR, capR, pkI, pkR, dh, ltk) @j ==>
+ not (Ex #k. K(ltk) @k )
+"
+
+lemma secOOBio_legPINio_weaksecret_resp:
+"
+ All idI idR capI capR lk aco #i1 #i2 #j .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINio()[+] @i2 &
+ ResponderFinishedLegPairing(idR, capR, idI, capI, lk, aco) @j ==>
+ not (Ex #k. K(lk) @k )
+"
+
+lemma secOOBio_legPINio_double_impersonation:
+"
+ All #i1 #i2 .
+ InitWillDoSecOOBio()[+] @i1 & RespWillDoLegPINio()[+] @i2 ==>
+ (All idI1 idR1 capI1 capR1 idI2 idR2 capI2 capR2 lk aco pkI pkR dh ltk #j1 #j2 .
+ InitiatorFinishedSecPairing(idI1, capI1, idR1, capR1, pkI, pkR, dh, ltk) @j1 &
+ ResponderFinishedLegPairing(idR2, capR2, idI2, capI2, lk, aco) @j2 ==>
+ not (Ex #k1 #k2 .
+ K(ltk) @k1 & K(lk) @k2
+ )
+ )
+"
+
+#endif
+
+
+/***********************************************/
+/* End lemmas about SecOOBio-LegPINio exchange */
+/***********************************************/
+
+/*
+* Command-line to generate a Tamarin file with the entire model without all preprocessor macros:
+* tamarin-prover ble.spthy -DInitSec -DLegPINiSecJW -DSecJWLegPINio -DSecOOBiSecPEio -DLegPINoSecJW -DSecPEioSecNC -DSecPEoSecJW -DSecNCLegPINi -DSecOOBoSecPEo -DSecOOBiLegPINo -DInitSecOOBio -DSecOOBoSecOOBo -DLegPINiSecNC -DSecPEiSecOOBi -DSecOOBioLegPINi -DSecPEioLegPINio -DRespLegPINo -DSecOOBiLegPINi -DSecJWSecOOBio -DRespSecPEi -DSecOOBiSecPEi -DSecOOBioSecOOBo -DSecPEoSecPEo -DInitLeg -DSecJWSecPEo -DSecOOBiLegPINio -DSecOOBoLegPINi -DSecOOBoSecOOBio -DLegPINoSecOOBi -DSecPEoSecPEi -DSecNCLegPINo -DRespSecPEo -DRespSecOOBo -DSecNCSecPEi -DSecPEioLegPINi -DInputInput -DInitSecPE -DRespSecOOBi -DSecPEioSecOOBi -DRespLegPINio -DRespSecOOB -DLegPINiSecPEo -DLegPINoSecPEo -DSecPEoLegPINio -DSecOOBoSecNC -DSecJWLegPINo -DSecPEioSecOOBio -DSecPEoSecOOBi -DLegPINiSecOOBo -DLegPINioSecPEo -DInitSecNC -DSecJWSecOOBi -DSecJWLegPINi -DSecJWSecNC -DInitSecOOBi -DLegPINiLegPINo -DLegPINiSecOOBio -DSecOOBioLegPINio -DSecPEioSecPEo -DLegPINioSecJW -DInitSecPEo -DSecNCSecJW -DLegPINioLegPINi -DSecOOBoLegPINo -DSecPEiSecPEi -DSecOOBioSecJW -DLegPINoSecPEio -DRespSecOOBio -DInitSecPEi -DRespSecPE -DSecPEoSecOOBo -DSecNCSecOOBio -DLegPINioSecOOBo -DOutputOutput -DSecNCSecOOBi -DInoutInput -DSecPEiSecJW -DSecPEoSecPEio -DLegPINioLegPINo -DLegPINiSecOOBi -DSecPEiSecOOBo -DSecOOBiSecOOBio -DLegPINoSecOOBo -DSecPEoSecNC -DInputInout -DLegPINoLegPINo -DInitLegPINo -DSecPEioSecPEio -DRespSecPEio -DSecOOBioSecOOBio -DSecNCSecPEo -DLegPINiLegPINio -DLegPINioSecOOBio -DSecOOBoSecPEi -DSecNCSecPEio -DSecNCSecOOBo -DInoutInout -DRespSecJW -DSecOOBioSecOOBi -DLegPINoSecNC -DSecPEiLegPINi -DSecPEioSecJW -DOutputInput -DInitLegPINio -DSecOOBiSecOOBo -DSecOOBioLegPINo -DSecOOBoLegPINio -DSecOOBioSecPEo -DSecOOBiSecOOBi -DSecJWSecPEio -DSecPEoSecOOBio -DSecOOBiSecNC -DSecPEoLegPINi -DSecOOBoSecOOBi -DLegPINiSecPEi -DSecPEioLegPINo -DSecNCLegPINio -DOutputInout -DSecOOBiSecPEo -DSecOOBioSecPEio -DRespLeg -DSecOOBoSecPEio -DSecPEiSecPEio -DSecPEiLegPINio -DLegPINioLegPINio -DLegPINioSecPEi -DSecPEiSecPEo -DLegPINiSecPEio -DSecPEoLegPINo -DLegPINoLegPINio -DLegPINoSecOOBio -DRespSec -DSecJWSecJW -DSecOOBioSecPEi -DSecPEiSecNC -DSecPEiSecOOBio -DLegPINoSecPEi -DRespSecNC -DInitLegPINi -DSecJWSecPEi -DSecPEioSecOOBo -DSecOOBoSecJW -DInitSecOOBo -DSecJWSecOOBo -DRespLegPINi -DLegPINioSecNC -DLegPINioSecOOBi -DInputOutput -DInitSecPEio -DLegPINioSecPEio -DInoutOutput -DSecOOBiSecJW -DInitSecOOB -DInitSecJW -DSecOOBioSecNC -DSecPEioSecPEi -DLegPINiLegPINi -DSecNCSecNC -DLegPINoLegPINi -DSecPEiLegPINo
+*/
+
+/* Command lines to prove individual cases:
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespLeg -DRespLegPINi -DLegPINiLegPINi -DInputInput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespLeg -DRespLegPINo -DLegPINiLegPINo -DInputOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespLeg -DRespLegPINio -DLegPINiLegPINio -DInputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespLeg -DRespLegPINi -DLegPINoLegPINi -DOutputInput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespLeg -DRespLegPINo -DLegPINoLegPINo -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespLeg -DRespLegPINio -DLegPINoLegPINio -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespLeg -DRespLegPINi -DLegPINioLegPINi -DInoutInput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespLeg -DRespLegPINo -DLegPINioLegPINo -DInoutOutput --prove
+tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespLeg -DRespLegPINio -DLegPINioLegPINio -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecJW -DSecJWSecJW --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEi -DSecJWSecPEi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEo -DSecJWSecPEo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecPE -DRespSecPEio -DSecJWSecPEio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecNC -DSecJWSecNC --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBi -DSecJWSecOOBi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBo -DSecJWSecOOBo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespSec -DRespSecOOB -DRespSecOOBio -DSecJWSecOOBio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecJW -DSecPEiSecJW -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecPE -DRespSecPEi -DSecPEiSecPEi -DInputInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecPE -DRespSecPEo -DSecPEiSecPEo -DInputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecPE -DRespSecPEio -DSecPEiSecPEio -DInputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecNC -DSecPEiSecNC -DInputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEiSecOOBi -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEiSecOOBo -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEiSecOOBio -DInputInput -DInputOutput -DInputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecJW -DSecPEoSecJW -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEi -DSecPEoSecPEi -DOutputInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEo -DSecPEoSecPEo -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecPE -DRespSecPEio -DSecPEoSecPEio -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecNC -DSecPEoSecNC -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEoSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEoSecOOBo -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEoSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecJW -DSecPEioSecJW -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEi -DSecPEioSecPEi -DInoutInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEo -DSecPEioSecPEo -DInoutOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecPE -DRespSecPEio -DSecPEioSecPEio -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecNC -DSecPEioSecNC -DInoutOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBi -DSecPEioSecOOBi -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBo -DSecPEioSecOOBo -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespSec -DRespSecOOB -DRespSecOOBio -DSecPEioSecOOBio -DInoutInput -DInoutOutput -DInoutInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecJW -DSecNCSecJW -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEi -DSecNCSecPEi -DOutputInput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEo -DSecNCSecPEo -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecPE -DRespSecPEio -DSecNCSecPEio -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecNC -DSecNCSecNC -DOutputOutput --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB -DRespSecOOBi -DSecNCSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB -DRespSecOOBo -DSecNCSecOOBo -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespSec -DRespSecOOB -DRespSecOOBio -DSecNCSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecJW -DSecOOBiSecJW --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBiSecPEi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBiSecPEo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBiSecPEio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecNC -DSecOOBiSecNC --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBiSecOOBi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBiSecOOBo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBiSecOOBio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecJW -DSecOOBoSecJW --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBoSecPEi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBoSecPEo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBoSecPEio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecNC -DSecOOBoSecNC --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBoSecOOBi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBoSecOOBo --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBoSecOOBio --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecJW -DSecOOBioSecJW --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEi -DSecOOBioSecPEi --prove
+tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEo -DSecOOBioSecPEo --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecPE -DRespSecPEio -DSecOOBioSecPEio --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecNC -DSecOOBioSecNC --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBi -DSecOOBioSecOOBi --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBo -DSecOOBioSecOOBo --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespSec -DRespSecOOB -DRespSecOOBio -DSecOOBioSecOOBio --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecJW -DLegPINiSecJW -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecPE -DRespSecPEi -DLegPINiSecPEi -DInputInput --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecPE -DRespSecPEo -DLegPINiSecPEo -DInputOutput --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecPE -DRespSecPEio -DLegPINiSecPEio -DInputInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecNC -DLegPINiSecNC -DInputOutput --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPINiSecOOBi -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPINiSecOOBo -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINi -DRespSec -DRespSecOOB -DRespSecOOBio -DLegPINiSecOOBio -DInputInput -DInputOutput -DInputInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecJW -DLegPINoSecJW -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover 
bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecPE -DRespSecPEi -DLegPINoSecPEi -DOutputInput --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecPE -DRespSecPEo -DLegPINoSecPEo -DOutputOutput --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecPE -DRespSecPEio -DLegPINoSecPEio -DOutputInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecNC -DLegPINoSecNC -DOutputOutput --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPINoSecOOBi -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPINoSecOOBo -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINo -DRespSec -DRespSecOOB -DRespSecOOBio -DLegPINoSecOOBio -DOutputInput -DOutputOutput -DOutputInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecJW -DLegPINioSecJW -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecPE -DRespSecPEi -DLegPINioSecPEi -DInoutInput --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecPE -DRespSecPEo -DLegPINioSecPEo -DInoutOutput --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecPE -DRespSecPEio -DLegPINioSecPEio -DInoutInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecNC -DLegPINioSecNC -DInoutOutput --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecOOB -DRespSecOOBi -DLegPINioSecOOBi -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecOOB -DRespSecOOBo -DLegPINioSecOOBo -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover bredr.spthy -DInitLeg -DInitLegPINio -DRespSec -DRespSecOOB -DRespSecOOBio 
-DLegPINioSecOOBio -DInoutInput -DInoutOutput -DInoutInout --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPINi -DSecJWLegPINi --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPINo -DSecJWLegPINo --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecJW -DRespLeg -DRespLegPINio -DSecJWLegPINio --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPINi -DSecPEiLegPINi -DInputInput --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPINo -DSecPEiLegPINo -DInputOutput --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEi -DRespLeg -DRespLegPINio -DSecPEiLegPINio -DInputInout --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPINi -DSecPEoLegPINi -DOutputInput --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPINo -DSecPEoLegPINo -DOutputOutput --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEo -DRespLeg -DRespLegPINio -DSecPEoLegPINio -DOutputInout --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPINi -DSecPEioLegPINi -DInoutInput --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPINo -DSecPEioLegPINo -DInoutOutput --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecPE -DInitSecPEio -DRespLeg -DRespLegPINio -DSecPEioLegPINio -DInoutInout --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPINi -DSecNCLegPINi -DOutputInput --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPINo -DSecNCLegPINo -DOutputOutput --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecNC -DRespLeg -DRespLegPINio -DSecNCLegPINio -DOutputInout --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegPINi -DSecOOBiLegPINi --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB 
-DInitSecOOBi -DRespLeg -DRespLegPINo -DSecOOBiLegPINo --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBi -DRespLeg -DRespLegPINio -DSecOOBiLegPINio --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPINi -DSecOOBoLegPINi --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPINo -DSecOOBoLegPINo --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBo -DRespLeg -DRespLegPINio -DSecOOBoLegPINio --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPINi -DSecOOBioLegPINi --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPINo -DSecOOBioLegPINo --prove +tamarin-prover bredr.spthy -DInitSec -DInitSecOOB -DInitSecOOBio -DRespLeg -DRespLegPINio -DSecOOBioLegPINio --prove + + +JSON configuration file: +{ +"LegPINiLegPINi": ["InitLeg","InitLegPINi","RespLeg","RespLegPINi","LegPINiLegPINi","InputInput"], +"LegPINiLegPINo": ["InitLeg","InitLegPINi","RespLeg","RespLegPINo","LegPINiLegPINo","InputOutput"], +"LegPINiLegPINio": ["InitLeg","InitLegPINi","RespLeg","RespLegPINio","LegPINiLegPINio","InputInout"], +"LegPINoLegPINi": ["InitLeg","InitLegPINo","RespLeg","RespLegPINi","LegPINoLegPINi","OutputInput"], +"LegPINoLegPINo": ["InitLeg","InitLegPINo","RespLeg","RespLegPINo","LegPINoLegPINo","OutputOutput"], +"LegPINoLegPINio": ["InitLeg","InitLegPINo","RespLeg","RespLegPINio","LegPINoLegPINio","OutputInout"], +"LegPINioLegPINi": ["InitLeg","InitLegPINio","RespLeg","RespLegPINi","LegPINioLegPINi","InoutInput"], +"LegPINioLegPINo": ["InitLeg","InitLegPINio","RespLeg","RespLegPINo","LegPINioLegPINo","InoutOutput"], +"LegPINioLegPINio": ["InitLeg","InitLegPINio","RespLeg","RespLegPINio","LegPINioLegPINio","InoutInout"], +"SecJWSecJW": ["InitSec","InitSecJW","RespSec","RespSecJW","SecJWSecJW"], +"SecJWSecPEi": ["InitSec","InitSecJW","RespSec","RespSecPE","RespSecPEi","SecJWSecPEi"], 
+"SecJWSecPEo": ["InitSec","InitSecJW","RespSec","RespSecPE","RespSecPEo","SecJWSecPEo"], +"SecJWSecPEio": ["InitSec","InitSecJW","RespSec","RespSecPE","RespSecPEio","SecJWSecPEio"], +"SecJWSecNC": ["InitSec","InitSecJW","RespSec","RespSecNC","SecJWSecNC"], +"SecJWSecOOBi": ["InitSec","InitSecJW","RespSec","RespSecOOB","RespSecOOBi","SecJWSecOOBi"], +"SecJWSecOOBo": ["InitSec","InitSecJW","RespSec","RespSecOOB","RespSecOOBo","SecJWSecOOBo"], +"SecJWSecOOBio": ["InitSec","InitSecJW","RespSec","RespSecOOB","RespSecOOBio","SecJWSecOOBio"], +"SecPEiSecJW": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecJW","SecPEiSecJW","InputInput","InputOutput","InputInout"], +"SecPEiSecPEi": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecPE","RespSecPEi","SecPEiSecPEi","InputInput"], +"SecPEiSecPEo": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecPE","RespSecPEo","SecPEiSecPEo","InputOutput"], +"SecPEiSecPEio": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecPE","RespSecPEio","SecPEiSecPEio","InputInout"], +"SecPEiSecNC": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecNC","SecPEiSecNC","InputOutput"], +"SecPEiSecOOBi": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecOOB","RespSecOOBi","SecPEiSecOOBi","InputInput","InputOutput","InputInout"], +"SecPEiSecOOBo": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecOOB","RespSecOOBo","SecPEiSecOOBo","InputInput","InputOutput","InputInout"], +"SecPEiSecOOBio": ["InitSec","InitSecPE","InitSecPEi","RespSec","RespSecOOB","RespSecOOBio","SecPEiSecOOBio","InputInput","InputOutput","InputInout"], +"SecPEoSecJW": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecJW","SecPEoSecJW","OutputInput","OutputOutput","OutputInout"], +"SecPEoSecPEi": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecPE","RespSecPEi","SecPEoSecPEi","OutputInput"], +"SecPEoSecPEo": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecPE","RespSecPEo","SecPEoSecPEo","OutputOutput"], +"SecPEoSecPEio": 
["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecPE","RespSecPEio","SecPEoSecPEio","OutputInout"], +"SecPEoSecNC": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecNC","SecPEoSecNC","OutputOutput"], +"SecPEoSecOOBi": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecOOB","RespSecOOBi","SecPEoSecOOBi","OutputInput","OutputOutput","OutputInout"], +"SecPEoSecOOBo": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecOOB","RespSecOOBo","SecPEoSecOOBo","OutputInput","OutputOutput","OutputInout"], +"SecPEoSecOOBio": ["InitSec","InitSecPE","InitSecPEo","RespSec","RespSecOOB","RespSecOOBio","SecPEoSecOOBio","OutputInput","OutputOutput","OutputInout"], +"SecPEioSecJW": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecJW","SecPEioSecJW","InoutInput","InoutOutput","InoutInout"], +"SecPEioSecPEi": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecPE","RespSecPEi","SecPEioSecPEi","InoutInput"], +"SecPEioSecPEo": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecPE","RespSecPEo","SecPEioSecPEo","InoutOutput"], +"SecPEioSecPEio": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecPE","RespSecPEio","SecPEioSecPEio","InoutInout"], +"SecPEioSecNC": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecNC","SecPEioSecNC","InoutOutput"], +"SecPEioSecOOBi": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecOOB","RespSecOOBi","SecPEioSecOOBi","InoutInput","InoutOutput","InoutInout"], +"SecPEioSecOOBo": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecOOB","RespSecOOBo","SecPEioSecOOBo","InoutInput","InoutOutput","InoutInout"], +"SecPEioSecOOBio": ["InitSec","InitSecPE","InitSecPEio","RespSec","RespSecOOB","RespSecOOBio","SecPEioSecOOBio","InoutInput","InoutOutput","InoutInout"], +"SecNCSecJW": ["InitSec","InitSecNC","RespSec","RespSecJW","SecNCSecJW","OutputInput","OutputOutput","OutputInout"], +"SecNCSecPEi": ["InitSec","InitSecNC","RespSec","RespSecPE","RespSecPEi","SecNCSecPEi","OutputInput"], +"SecNCSecPEo": 
["InitSec","InitSecNC","RespSec","RespSecPE","RespSecPEo","SecNCSecPEo","OutputOutput"], +"SecNCSecPEio": ["InitSec","InitSecNC","RespSec","RespSecPE","RespSecPEio","SecNCSecPEio","OutputInout"], +"SecNCSecNC": ["InitSec","InitSecNC","RespSec","RespSecNC","SecNCSecNC","OutputOutput"], +"SecNCSecOOBi": ["InitSec","InitSecNC","RespSec","RespSecOOB","RespSecOOBi","SecNCSecOOBi","OutputInput","OutputOutput","OutputInout"], +"SecNCSecOOBo": ["InitSec","InitSecNC","RespSec","RespSecOOB","RespSecOOBo","SecNCSecOOBo","OutputInput","OutputOutput","OutputInout"], +"SecNCSecOOBio": ["InitSec","InitSecNC","RespSec","RespSecOOB","RespSecOOBio","SecNCSecOOBio","OutputInput","OutputOutput","OutputInout"], +"SecOOBiSecJW": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecJW","SecOOBiSecJW"], +"SecOOBiSecPEi": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecPE","RespSecPEi","SecOOBiSecPEi"], +"SecOOBiSecPEo": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecPE","RespSecPEo","SecOOBiSecPEo"], +"SecOOBiSecPEio": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecPE","RespSecPEio","SecOOBiSecPEio"], +"SecOOBiSecNC": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecNC","SecOOBiSecNC"], +"SecOOBiSecOOBi": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecOOB","RespSecOOBi","SecOOBiSecOOBi"], +"SecOOBiSecOOBo": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecOOB","RespSecOOBo","SecOOBiSecOOBo"], +"SecOOBiSecOOBio": ["InitSec","InitSecOOB","InitSecOOBi","RespSec","RespSecOOB","RespSecOOBio","SecOOBiSecOOBio"], +"SecOOBoSecJW": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecJW","SecOOBoSecJW"], +"SecOOBoSecPEi": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecPE","RespSecPEi","SecOOBoSecPEi"], +"SecOOBoSecPEo": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecPE","RespSecPEo","SecOOBoSecPEo"], +"SecOOBoSecPEio": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecPE","RespSecPEio","SecOOBoSecPEio"], 
+"SecOOBoSecNC": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecNC","SecOOBoSecNC"], +"SecOOBoSecOOBi": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecOOB","RespSecOOBi","SecOOBoSecOOBi"], +"SecOOBoSecOOBo": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecOOB","RespSecOOBo","SecOOBoSecOOBo"], +"SecOOBoSecOOBio": ["InitSec","InitSecOOB","InitSecOOBo","RespSec","RespSecOOB","RespSecOOBio","SecOOBoSecOOBio"], +"SecOOBioSecJW": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecJW","SecOOBioSecJW"], +"SecOOBioSecPEi": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecPE","RespSecPEi","SecOOBioSecPEi"], +"SecOOBioSecPEo": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecPE","RespSecPEo","SecOOBioSecPEo"], +"SecOOBioSecPEio": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecPE","RespSecPEio","SecOOBioSecPEio"], +"SecOOBioSecNC": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecNC","SecOOBioSecNC"], +"SecOOBioSecOOBi": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecOOB","RespSecOOBi","SecOOBioSecOOBi"], +"SecOOBioSecOOBo": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecOOB","RespSecOOBo","SecOOBioSecOOBo"], +"SecOOBioSecOOBio": ["InitSec","InitSecOOB","InitSecOOBio","RespSec","RespSecOOB","RespSecOOBio","SecOOBioSecOOBio"], +"LegPINiSecJW": ["InitLeg","InitLegPINi","RespSec","RespSecJW","LegPINiSecJW","InputInput","InputOutput","InputInout"], +"LegPINiSecPEi": ["InitLeg","InitLegPINi","RespSec","RespSecPE","RespSecPEi","LegPINiSecPEi","InputInput"], +"LegPINiSecPEo": ["InitLeg","InitLegPINi","RespSec","RespSecPE","RespSecPEo","LegPINiSecPEo","InputOutput"], +"LegPINiSecPEio": ["InitLeg","InitLegPINi","RespSec","RespSecPE","RespSecPEio","LegPINiSecPEio","InputInout"], +"LegPINiSecNC": ["InitLeg","InitLegPINi","RespSec","RespSecNC","LegPINiSecNC","InputOutput"], +"LegPINiSecOOBi": 
["InitLeg","InitLegPINi","RespSec","RespSecOOB","RespSecOOBi","LegPINiSecOOBi","InputInput","InputOutput","InputInout"], +"LegPINiSecOOBo": ["InitLeg","InitLegPINi","RespSec","RespSecOOB","RespSecOOBo","LegPINiSecOOBo","InputInput","InputOutput","InputInout"], +"LegPINiSecOOBio": ["InitLeg","InitLegPINi","RespSec","RespSecOOB","RespSecOOBio","LegPINiSecOOBio","InputInput","InputOutput","InputInout"], +"LegPINoSecJW": ["InitLeg","InitLegPINo","RespSec","RespSecJW","LegPINoSecJW","OutputInput","OutputOutput","OutputInout"], +"LegPINoSecPEi": ["InitLeg","InitLegPINo","RespSec","RespSecPE","RespSecPEi","LegPINoSecPEi","OutputInput"], +"LegPINoSecPEo": ["InitLeg","InitLegPINo","RespSec","RespSecPE","RespSecPEo","LegPINoSecPEo","OutputOutput"], +"LegPINoSecPEio": ["InitLeg","InitLegPINo","RespSec","RespSecPE","RespSecPEio","LegPINoSecPEio","OutputInout"], +"LegPINoSecNC": ["InitLeg","InitLegPINo","RespSec","RespSecNC","LegPINoSecNC","OutputOutput"], +"LegPINoSecOOBi": ["InitLeg","InitLegPINo","RespSec","RespSecOOB","RespSecOOBi","LegPINoSecOOBi","OutputInput","OutputOutput","OutputInout"], +"LegPINoSecOOBo": ["InitLeg","InitLegPINo","RespSec","RespSecOOB","RespSecOOBo","LegPINoSecOOBo","OutputInput","OutputOutput","OutputInout"], +"LegPINoSecOOBio": ["InitLeg","InitLegPINo","RespSec","RespSecOOB","RespSecOOBio","LegPINoSecOOBio","OutputInput","OutputOutput","OutputInout"], +"LegPINioSecJW": ["InitLeg","InitLegPINio","RespSec","RespSecJW","LegPINioSecJW","InoutInput","InoutOutput","InoutInout"], +"LegPINioSecPEi": ["InitLeg","InitLegPINio","RespSec","RespSecPE","RespSecPEi","LegPINioSecPEi","InoutInput"], +"LegPINioSecPEo": ["InitLeg","InitLegPINio","RespSec","RespSecPE","RespSecPEo","LegPINioSecPEo","InoutOutput"], +"LegPINioSecPEio": ["InitLeg","InitLegPINio","RespSec","RespSecPE","RespSecPEio","LegPINioSecPEio","InoutInout"], +"LegPINioSecNC": ["InitLeg","InitLegPINio","RespSec","RespSecNC","LegPINioSecNC","InoutOutput"], +"LegPINioSecOOBi": 
["InitLeg","InitLegPINio","RespSec","RespSecOOB","RespSecOOBi","LegPINioSecOOBi","InoutInput","InoutOutput","InoutInout"], +"LegPINioSecOOBo": ["InitLeg","InitLegPINio","RespSec","RespSecOOB","RespSecOOBo","LegPINioSecOOBo","InoutInput","InoutOutput","InoutInout"], +"LegPINioSecOOBio": ["InitLeg","InitLegPINio","RespSec","RespSecOOB","RespSecOOBio","LegPINioSecOOBio","InoutInput","InoutOutput","InoutInout"], +"SecJWLegPINi": ["InitSec","InitSecJW","RespLeg","RespLegPINi","SecJWLegPINi"], +"SecJWLegPINo": ["InitSec","InitSecJW","RespLeg","RespLegPINo","SecJWLegPINo"], +"SecJWLegPINio": ["InitSec","InitSecJW","RespLeg","RespLegPINio","SecJWLegPINio"], +"SecPEiLegPINi": ["InitSec","InitSecPE","InitSecPEi","RespLeg","RespLegPINi","SecPEiLegPINi","InputInput"], +"SecPEiLegPINo": ["InitSec","InitSecPE","InitSecPEi","RespLeg","RespLegPINo","SecPEiLegPINo","InputOutput"], +"SecPEiLegPINio": ["InitSec","InitSecPE","InitSecPEi","RespLeg","RespLegPINio","SecPEiLegPINio","InputInout"], +"SecPEoLegPINi": ["InitSec","InitSecPE","InitSecPEo","RespLeg","RespLegPINi","SecPEoLegPINi","OutputInput"], +"SecPEoLegPINo": ["InitSec","InitSecPE","InitSecPEo","RespLeg","RespLegPINo","SecPEoLegPINo","OutputOutput"], +"SecPEoLegPINio": ["InitSec","InitSecPE","InitSecPEo","RespLeg","RespLegPINio","SecPEoLegPINio","OutputInout"], +"SecPEioLegPINi": ["InitSec","InitSecPE","InitSecPEio","RespLeg","RespLegPINi","SecPEioLegPINi","InoutInput"], +"SecPEioLegPINo": ["InitSec","InitSecPE","InitSecPEio","RespLeg","RespLegPINo","SecPEioLegPINo","InoutOutput"], +"SecPEioLegPINio": ["InitSec","InitSecPE","InitSecPEio","RespLeg","RespLegPINio","SecPEioLegPINio","InoutInout"], +"SecNCLegPINi": ["InitSec","InitSecNC","RespLeg","RespLegPINi","SecNCLegPINi","OutputInput"], +"SecNCLegPINo": ["InitSec","InitSecNC","RespLeg","RespLegPINo","SecNCLegPINo","OutputOutput"], +"SecNCLegPINio": ["InitSec","InitSecNC","RespLeg","RespLegPINio","SecNCLegPINio","OutputInout"], +"SecOOBiLegPINi": 
["InitSec","InitSecOOB","InitSecOOBi","RespLeg","RespLegPINi","SecOOBiLegPINi"], +"SecOOBiLegPINo": ["InitSec","InitSecOOB","InitSecOOBi","RespLeg","RespLegPINo","SecOOBiLegPINo"], +"SecOOBiLegPINio": ["InitSec","InitSecOOB","InitSecOOBi","RespLeg","RespLegPINio","SecOOBiLegPINio"], +"SecOOBoLegPINi": ["InitSec","InitSecOOB","InitSecOOBo","RespLeg","RespLegPINi","SecOOBoLegPINi"], +"SecOOBoLegPINo": ["InitSec","InitSecOOB","InitSecOOBo","RespLeg","RespLegPINo","SecOOBoLegPINo"], +"SecOOBoLegPINio": ["InitSec","InitSecOOB","InitSecOOBo","RespLeg","RespLegPINio","SecOOBoLegPINio"], +"SecOOBioLegPINi": ["InitSec","InitSecOOB","InitSecOOBio","RespLeg","RespLegPINi","SecOOBioLegPINi"], +"SecOOBioLegPINo": ["InitSec","InitSecOOB","InitSecOOBio","RespLeg","RespLegPINo","SecOOBioLegPINo"], +"SecOOBioLegPINio": ["InitSec","InitSecOOB","InitSecOOBio","RespLeg","RespLegPINio","SecOOBioLegPINio"], +} +*/ + +end diff --git a/examples/esorics23-bluetooth/models/mesh.spthy b/examples/esorics23-bluetooth/models/mesh.spthy new file mode 100644 index 000000000..0471417ea --- /dev/null +++ b/examples/esorics23-bluetooth/models/mesh.spthy 
@@ -0,0 +1,6848 @@
+theory BluetoothMeshProvisioning
+begin
+
+builtins: diffie-hellman, symmetric-encryption
+
+functions:
+ aes_cmac/2,
+ null/0, // Constant representing the null bytestring
+ smk2/0, smk3/0, smk4/0, nb_one/0, nb_two/0, nb_three/0, id6/0,
+ id7/0, // This is called id64 in the specification, but there is a bug in Tamarin with symbols of arity 0 ending with two or more digits.
+ // Notation x00 is not understood as a function symbol and Tamarin fails to parse the file. However, x00() is properly understood.
+ // However, when extracting a subfile through macro selections, Tamarin removes the parenthesis and again fails to parse the subfile
+ s1/1, // Used as a hash function
+ k1/3,
+ k2/2,
+ k3/1,
+ k4/1,
+ aes_ccm_enc/3, aes_ccm_dec/3, aes_ccm_verify/4, // Encryption, decryption and verification
+ net_key/0 [private], // Network Key, unknown of the attacker
+ app_key/0 [private], // Application Key, unknown of the attacker
+ true_val/0,
+ prov_invite/0, prov_capabilities/0, prov_start/0, // Represent setup messages with constants
+ prov_complete/0, // Encpty message, which indicates completion of the protocol
+ static_oob/0 [private],
+ e/3,
+ extract_e/1
+
+equations:
+ s1(m) = aes_cmac(null, m),
+ k1(n, salt, p) = aes_cmac(aes_cmac(salt, n), p),
+ k2(n, p) = ), aes_cmac(aes_cmac(s1(smk2()), n), ), p, nb_two>), aes_cmac(aes_cmac(s1(smk2()), n), ), p, nb_two>), p, nb_three>)>,
+ k3(n) = aes_cmac(aes_cmac(s1(smk3()), n), id7),
+ k4(n) = aes_cmac(aes_cmac(s1(smk4()), n), id6),
+ aes_ccm_dec(k, n, aes_ccm_enc(k, n, m)) = m,
+ aes_ccm_enc(k, n, aes_ccm_dec(k, n, m)) = m,
+ aes_ccm_verify(aes_ccm_enc(k, n, m), k, n, m) = true_val,
+ extract_e(e(t,s,n)) = n // Representation of a public key, allows the extraction of the public component
+
+#ifdef NoMalleableCMAC
+#else
+functions:
+ get_b1/3, // Get the first block of the cmac
+ get_b2/3 // Get the second block of the cmac
+
+equations:
+ get_b1(aes_cmac(k, ), k, b2) = b1,
+ get_b2(aes_cmac(k, ), k, b1) = b2,
+ get_b1(cnf, k, get_b2(cnf,dh,b1)) = b1,
+ get_b2(cnf, k, get_b1(cnf,dh,b2)) = b2,
+ aes_cmac(k, ) = c,
+ aes_cmac(k, ) = c
+#endif
+
+#ifdef DevEoOOBno
+rule DeviceDoEoOOBno:
+ []
+ --[
+ DeviceWillDoEoOOBno(),
+ DeviceOnlyOnceProv()
+ ]->
+ [
+ DeviceOOBKeyExchange(),
+ DeviceNoOOBAuth(),
+ DeviceStartProvisioning()
+ ]
+#endif
+
+#ifdef DevEoOOBi
+rule DeviceDoEoOOBi:
+ []
+ --[
+ DeviceWillDoEoOOBi(),
+ DeviceOnlyOnceProv()
+ ]->
+ [
+ DeviceOOBKeyExchange(),
+ DeviceInputOOBAuth(),
+ DeviceStartProvisioning()
+ ]
+#endif
+
+#ifdef DevEoOOBo
+rule DeviceDoEoOOBo:
+ []
+ --[
+ DeviceWillDoEoOOBo(),
+ DeviceOnlyOnceProv()
+ ]->
+ [
+ DeviceOOBKeyExchange(),
+ DeviceOutputOOBAuth(),
+ DeviceStartProvisioning()
+ ]
+#endif
+
+#ifdef DevEoOOBs
+rule DeviceDoEoOOBs:
+ []
+ --[
+ DeviceWillDoEoOOBo(),
+ DeviceOnlyOnceProv()
+ ]->
+ [
+ DeviceOOBKeyExchange(),
+ DeviceStaticOOBAuth(),
+ DeviceStartProvisioning()
+ ]
+#endif
+
+#ifdef DevEiOOBno
+rule DeviceDoEiOOBno:
+ []
+ --[
+ DeviceWillDoEiOOBno(),
+ DeviceOnlyOnceProv()
+ ]->
+ [
+ DeviceInbandKeyExchange(),
+ DeviceNoOOBAuth(),
+ DeviceStartProvisioning()
+ ]
+#endif
+
+#ifdef DevEiOOBi
+rule DeviceDoEiOOBi:
+ []
+ --[
+ DeviceWillDoEiOOBi(),
+ DeviceOnlyOnceProv()
+ ]->
+ [
+ DeviceInbandKeyExchange(),
+ DeviceInputOOBAuth(),
+ DeviceStartProvisioning()
+ ]
+#endif
+
+#ifdef DevEiOOBo
+rule DeviceDoEiOOBo:
+ []
+ --[
+ DeviceWillDoEiOOBo(),
+ DeviceOnlyOnceProv()
+ ]->
+ [
+ DeviceInbandKeyExchange(),
+ DeviceOutputOOBAuth(),
+ DeviceStartProvisioning()
+ ]
+#endif
+
+#ifdef DevEiOOBs
+rule DeviceDoEiOOBs:
+ []
+ --[
+ DeviceWillDoEiOOBo(),
+ DeviceOnlyOnceProv()
+ ]->
+ [
+ DeviceInbandKeyExchange(),
+ DeviceStaticOOBAuth(),
+ DeviceStartProvisioning()
+ ]
+#endif
+
+#ifdef ProvEoOOBno
+rule ProvisionerDoEoOOBno:
+ []
+ --[
+ ProvisionerWillDoEoOOBno(),
+ ProvisionerOnlyOnceProv()
+ ]->
+ [
+ ProvisionerOOBKeyExchange(),
+ ProvisionerNoOOBAuth(),
+ ProvisionerStartProvisioning()
+ ]
+#endif
+
+#ifdef ProvEoOOBi
+rule ProvisionerDoEoOOBi:
+ []
+ --[
+ ProvisionerWillDoEoOOBi(),
+ ProvisionerOnlyOnceProv()
+ ]->
+ [
+ ProvisionerOOBKeyExchange(),
+ ProvisionerInputOOBAuth(),
+ ProvisionerStartProvisioning()
+ ]
+#endif
+
+#ifdef ProvEoOOBo
+rule ProvisionerDoEoOOBo:
+ []
+ --[
+ ProvisionerWillDoEoOOBo(),
+ ProvisionerOnlyOnceProv()
+ ]->
+ [
+ ProvisionerOOBKeyExchange(),
+ ProvisionerOutputOOBAuth(),
+ ProvisionerStartProvisioning()
+ ]
+#endif
+
+#ifdef ProvEoOOBs
+rule ProvisionerDoEoOOBs:
+ []
+ --[
+ ProvisionerWillDoEoOOBo(),
+ ProvisionerOnlyOnceProv()
+ ]->
+ [
+ ProvisionerOOBKeyExchange(),
+ ProvisionerStaticOOBAuth(),
+ ProvisionerStartProvisioning()
+ ]
+#endif
+
+#ifdef ProvEiOOBno
+rule ProvisionerDoEiOOBno:
+ []
+ --[
+ ProvisionerWillDoEiOOBno(),
+ ProvisionerOnlyOnceProv()
+ ]->
+ [
+ ProvisionerInbandKeyExchange(),
+ ProvisionerNoOOBAuth(),
+ ProvisionerStartProvisioning()
+ ]
+#endif
+
+#ifdef ProvEiOOBi
+rule ProvisionerDoEiOOBi:
+ []
+ --[
+ ProvisionerWillDoEiOOBi(),
+ ProvisionerOnlyOnceProv()
+ ]->
+ [
+ ProvisionerInbandKeyExchange(),
+ ProvisionerInputOOBAuth(),
+ ProvisionerStartProvisioning()
+ ]
+#endif
+
+#ifdef ProvEiOOBo
+rule ProvisionerDoEiOOBo:
+ []
+ --[
+ ProvisionerWillDoEiOOBo(),
+ ProvisionerOnlyOnceProv()
+ ]->
+ [
+ ProvisionerInbandKeyExchange(),
+ ProvisionerOutputOOBAuth(),
+ ProvisionerStartProvisioning()
+ ]
+#endif
+
+#ifdef ProvEiOOBs
+rule ProvisionerDoEiOOBs:
+ []
+ --[
+ ProvisionerWillDoEoOOBo(),
+ ProvisionerOnlyOnceProv()
+ ]->
+ [
+ ProvisionerInbandKeyExchange(),
+ ProvisionerStaticOOBAuth(),
+ ProvisionerStartProvisioning()
+ ]
+#endif
+
+/* Setup of the Provisioning protocol
+The exchange of messages is the following:
+P -> D: ProvisioningInvite
+D -> P: ProvisioningCapabilities
+P -> D: ProvisioningStart
+
+In Mesh implementations, those messages are used to choose which flavor of the Provisioning
+protocol is used, based on type of authentication supported and type of key exchange supported.
+
+Here, those messages are represented as constants.
+Because the model is ran on all combinations of key exchanges/authentication, all possible pairs
+are already captured.
+Hence, the content of those messages cannot lead to a case which is not already studied by
+explicitely running the verification of lemmas on all possible pair of interactions, which is
+why it's acceptable to represent them as constants.
+
+One element is not perfectly represented in the model; this is the size of the authentication parameter:
+Bluetooth Mesh allows to choose authdata being 1..16 bytes long.
+
+The model currently models authdata as a fresh nonce of 16 bytes, hence it is not able to capture potential
+brute force of this value if it had low entropy.
+*/
+
+rule ProvisionerSendProvInvite:
+ [
+ ProvisionerStartProvisioning()
+ ]
+ --[]->
+ [
+ ProvisionerReadyToStart(),
+ Out(prov_invite)
+ ]
+
+rule DeviceSendProvCapabilities:
+ [
+ DeviceStartProvisioning(),
+ In(prov_invite)
+ ]
+ --[]->
+ [
+ DeviceReadyToStart(),
+ Out(prov_capabilities)
+ ]
+
+rule ProvisionerSendStart:
+ [
+ ProvisionerReadyToStart(),
+ In(prov_capabilities)
+ ]
+ --[]->
+ [
+ ProvisionerReadyECDH(),
+ Out(prov_start)
+ ]
+
+rule DeviceRecvStart:
+ [
+ DeviceReadyToStart(),
+ In(prov_start)
+ ]
+ --[]->
+ [
+ DeviceReadyECDH()
+ ]
+
+#ifdef ProvEi
+rule ProvisionerInBandKE:
+ let pkP = in
+ [
+ ProvisionerReadyECDH(),
+ ProvisionerInbandKeyExchange(),
+ Fr(~ps)
+ ]
+ --[
+ ProvisionerSentPublicKey(~ps, pkP)
+ ]->
+ [
+ ProvisionerSentPublicKey(~ps, pkP),
+ Out(pkP)
+ ]
+
+rule ProvisionerRecvPubKeyInBandKE:
+ [
+ ProvisionerSentPublicKey(~ps, pkP),
+ In(pkD)
+ ]
+ --[
+ ProvisionerComputeECDH(pkP, pkD, ~ps)
+ ]->
+ [
+ ProvisionerComputeECDH(pkP, pkD, ~ps)
+ ]
+#endif
+
+#ifdef ProvECDH
+rule ProvisionerDeriveNormalDHKey:
+ let
+ pkDx = e('C', DH_neutral, n)
+ pkD =
+ dhkey = e('C', r, n^~ps) // In Bluetooth, only X is taken
+ in
+ [
+ ProvisionerComputeECDH(pkP, pkD, ~ps),
+ In(r)
+ ]
+ --[
+ ValidPt(pkDx, pkDy), Raised('C', DH_neutral, r, ~ps),
+ ProvisionerFinishedKeyExchange(pkP, pkD, dhkey)
+ ]->
+ [
+ ProvisionerFinishedKeyExchange(pkP, pkD, dhkey)
+ ]
+#endif
+
+#ifdef ProvECDHUnpatched
+rule ProvisionerDeriveInvalidDHKey:
+ let
+ pkD =
+ pkDx = e(otx,osx,orx)
+ pkDy = e(oty,osy,ory)
+ dhkey = e(tx, rx, nx^~ps) // In Bluetooth, only X is taken
+ in
+ [
+ ProvisionerComputeECDH(pkP, , ~ps),
+ In()
+ ]
+ --[
+ InvalidPt(pkDx, pkDy), Raised(, , , ~ps),
+ ProvisionerFinishedKeyExchange(pkP, pkD, dhkey)
+ ]->
+ [
+ ProvisionerFinishedKeyExchange(pkP, pkD, dhkey)
+ ]
+#endif
+
+#ifdef DevEi
+rule DeviceInBandKE:
+ let pkD = in
+ [
+ DeviceReadyECDH(),
+ DeviceInbandKeyExchange(),
+ Fr(~ds),
+ In(pkP)
+ ]
+ --[
+ DeviceComputeECDH(pkD, pkP, ~ds)
+ ]->
+ [
+ DeviceComputeECDH(pkD, pkP, ~ds),
+ Out(pkD)
+ ]
+#endif
+
+#ifdef DevECDH
+rule DeviceDeriveNormalDHKey:
+ let
+ pkPx = e('C', DH_neutral, n)
+ pkP =
+ dhkey = e('C', r, n^~ds) // In Bluetooth, only X is taken
+ in
+ [
+ DeviceComputeECDH(pkD, pkP, ~ds),
+ In(r)
+ ]
+ --[
+ ValidPt(pkPx, pkPy), Raised('C', DH_neutral, r, ~ds),
+ DeviceFinishedKeyExchange(pkD, pkP, dhkey)
+ ]->
+ [
+ DeviceFinishedKeyExchange(pkD, pkP, dhkey)
+ ]
+#endif
+
+#ifdef DevECDHUnpatched
+rule DeviceDeriveInvalidDHKey:
+ let
+ pkP =
+ pkPx = e(otx,osx,orx)
+ pkPy = e(oty,osy,ory)
+ dhkey = e(tx, rx, nx^~ss) // In Bluetooth, only X is taken
+ in
+ [
+ ProvisionerComputeECDH(pkD, , ~ds),
+ In()
+ ]
+ --[
+ InvalidPt(pkPx, pkPy), Raised(, , , ~ss),
+ ProvisionerFinishedKeyExchange(pkD, pkP, dhkey)
+ ]->
+ [
+ ProvisionerFinishedKeyExchange(pkD, pkP, dhkey)
+ ]
+#endif
+
+#ifdef ProvEo
+rule ProvisionerOOBKeyExchange:
+ let pkP = in
+ [
+ ProvisionerReadyECDH(),
+ ProvisionerOOBKeyExchange(),
+ Fr(~ps)
+ ]
+ --[
+ ProvisionerTransmitOOBPublicKey(~ps, pkP)
+ ]->
+ [
+ ProvisionerTransmitOOBPublicKey(~ps, pkP),
+ KeyExchangeOOBChannel(pkP)
+ ]
+
+rule ProvisionerEndOOBKeyExchange:
+ [
+ ProvisionerTransmitOOBPublicKey(~ps, pkP),
+ In(pkD)
+ ]
+ --[
+ ProvisionerComputeECDH(pkP, pkD, ~ps)
+ ]->
+ [
+ ProvisionerComputeECDH(pkP, pkD, ~ps)
+ ]
+#endif
+
+#ifdef DevEo
+rule DeviceOOBKeyExchange:
+ let pkD = in
+ [
+ DeviceReadyECDH(),
+ DeviceOOBKeyExchange(),
+ KeyExchangeOOBChannel(pkP),
+ Fr(~ds)
+ ]
+ --[
+ DeviceComputeECDH(pkD, pkP, ~ds)
+ ]->
+ [
+ DeviceComputeECDH(pkD, pkP, ~ds),
+ Out(pkD)
+ ]
+#endif
+
+#ifdef ProvOOBno
+rule ProvisionerChooseNoAuth:
+ [
+ ProvisionerFinishedKeyExchange(pkP, pkD, dh),
+ ProvisionerNoOOBAuth()
+ ]
+ --[]->
+ [
+ ProvisionerCanStartAuth(pkP, pkD, dh, '0')
+ ]
+#endif
+
+#ifdef ProvOOBi
+rule ProvisionerChooseInputAuth:
+ [
+ ProvisionerFinishedKeyExchange(pkP, pkD, dh),
+ ProvisionerInputOOBAuth(),
+ Fr(~auth)
+ ]
+ --[]->
+ [
+ ProvisionerOutputAuthData(~auth), // If Input OOB is used, the Provisioner outputs a value, the user inputs it in the device
+ ProvisionerWaitingUserInteraction(pkP, pkD, dh),
+ LowEntropyAuthValue(~auth)
+ ]
+#endif
+
+#ifdef ProvOOBo
+rule ProvisionerChooseOutputAuth:
+ [
+ ProvisionerFinishedKeyExchange(pkP, pkD, dh),
+ ProvisionerOutputOOBAuth()
+ ]
+ --[]->
+ [
+ ProvisionerInputAuthData(), // If Output OOB is used, the Device outputs a value, the user inputs it in the provisioner
+ ProvisionerWaitingUserInteraction(pkP, pkD, dh)
+ ]
+#endif
+
+#ifdef ProvOOBs
+rule ProvisionerChooseStaticAuth:
+ [
+ ProvisionerFinishedKeyExchange(pkP, pkD, dh),
+ ProvisionerStaticOOBAuth()
+ ]
+ --[]->
+ [
+ ProvisionerStaticAuthData(), // If Static OOB is used, AuthData is exchanged using unspecified means
+ ProvisionerWaitingUserInteraction(pkP, pkD, dh)
+ ]
+#endif
+
+#ifdef DevOOBno
+rule DeviceChooseNoAuth:
+ [
+ DeviceFinishedKeyExchange(pkD, pkP, dh),
+ DeviceNoOOBAuth()
+ ]
+ --[]->
+ [
+ DeviceCanStartAuth(pkD, pkP, dh, '0')
+ ]
+#endif
+
+#ifdef DevOOBi
+rule DeviceChooseInputAuth:
+ [
+ DeviceFinishedKeyExchange(pkD, pkP, dh),
+ DeviceInputOOBAuth()
+ ]
+ --[]->
+ [
+ DeviceInputAuthData(), // If Input OOB is used, the Provisioner outputs a value, the user inputs it in the device
+ DeviceWaitingUserInteraction(pkD, pkP, dh)
+ ]
+#endif
+
+#ifdef DevOOBo
+rule DeviceChooseOutputAuth:
+ [
+ DeviceFinishedKeyExchange(pkD, pkP, dh),
+ DeviceOutputOOBAuth(),
+ Fr(~auth)
+ ]
+ --[]->
+ [
+ DeviceOutputAuthData(~auth), // If Output OOB is used, the Device outputs a value, the user inputs it in the provisioner
+ DeviceWaitingUserInteraction(pkD, pkP, dh),
+ LowEntropyAuthValue(~auth)
+ ]
+#endif
+
+#ifdef DevOOBs
+rule DeviceChooseStaticAuth:
+ [
+ DeviceFinishedKeyExchange(pkD, pkP, dh),
+ DeviceStaticOOBAuth()
+ ]
+ --[]->
+ [
+ DeviceStaticAuthData(), // If Static OOB is used, AuthData is exchanged using unspecified means
+ DeviceWaitingUserInteraction(pkD, pkP, dh)
+ ]
+#endif
+
+rule ProvisionerWaitingUser:
+ [
+ ProvisionerWaitingUserInteraction(pkP, pkD, dh),
+ ProvisionerAuthProceed(auth)
+ ]
+ --[ ]->
+ [
+ ProvisionerCanStartAuth(pkP, pkD, dh, auth)
+ ]
+
+rule DeviceWaitingUser:
+ [
+ DeviceWaitingUserInteraction(pkD, pkP, dh),
+ DeviceAuthProceed(auth)
+ ]
+ --[ ]->
+ [
+ DeviceCanStartAuth(pkD, pkP, dh, auth)
+ ]
+
+rule ProvisionerSendConfirm:
+ let
+ confirmation_salt = s1()
+ ck = k1(dh, confirmation_salt, 'prck')
+ Cp = aes_cmac(ck, <~Np, auth>)
+ in
+ [
+ ProvisionerCanStartAuth(pkP, pkD, dh, auth),
+ Fr(~Np)
+ ]
+ --[
+ ProvisionerSendConfirm(pkP, pkD, dh, ck, ~Np, auth)
+ ]->
+ [
+ ProvisionerSendConfirm(pkP, pkD, dh, ck, ~Np, auth),
+ Out(Cp)
+ ]
+
+#ifdef PatchProvisioning2
+rule DeviceSendConfirm:
+ let
+ confirmation_salt = s1()
+ ck = k1(dh, confirmation_salt, 'prck')
+ Cd = aes_cmac(ck, )
+ in
+ [
+ DeviceCanStartAuth(pkD, pkP, dh, auth),
+ Fr(~Nd),
+ In(Cp)
+ ]
+ --[
+ DeviceSendConfirm(pkD, pkP, dh, ck, ~Nd, Cp, auth)
+ ]->
+ [
+ DeviceSendConfirm(pkD, pkP, dh, ck, ~Nd, Cp, auth),
+ Out(Cd)
+ ]
+
+#else
+rule DeviceSendConfirm:
+ let
+ confirmation_salt = s1()
+ ck = k1(dh, confirmation_salt, 'prck')
+ Cd = aes_cmac(ck, <~Nd, auth>)
+ in
+ [
DeviceCanStartAuth(pkD, pkP, dh, auth), + Fr(~Nd), + In(Cp) + ] + --[ + DeviceSendConfirm(pkD, pkP, dh, ck, ~Nd, Cp, auth) + ]-> + [ + DeviceSendConfirm(pkD, pkP, dh, ck, ~Nd, Cp, auth), + Out(Cd) + ] +#endif + +#ifdef PatchProvisioning1 +rule ProvisionerSendRandom: + [ + ProvisionerSendConfirm(pkP, pkD, dh, ck, ~Np, auth), + In(Cd) + ] + --[ + NotEq(aes_cmac(ck, <~Np, auth>), Cd), + ProvisionerSendRandom(pkP, pkD, dh, ck, ~Np, Cd, auth) + ]-> + [ + ProvisionerSendRandom(pkP, pkD, dh, ck, ~Np, Cd, auth), + Out(~Np) + ] + +#else + +rule ProvisionerSendRandom: + [ + ProvisionerSendConfirm(pkP, pkD, dh, ck, ~Np, auth), + In(Cd) + ] + --[ + ProvisionerSendRandom(pkP, pkD, dh, ck, ~Np, Cd, auth) + ]-> + [ + ProvisionerSendRandom(pkP, pkD, dh, ck, ~Np, Cd, auth), + Out(~Np) + ] +#endif + +rule DeviceSendRandom: + let computed_Cp = aes_cmac(ck, ) in + [ + DeviceSendConfirm(pkD, pkP, dh, ck, ~Nd, computed_Cp, auth), + In(Np) + ] + --[ + DeviceSendRandom(pkD, pkP, dh, ck, ~Nd, Np, auth) + ]-> + [ + DeviceSendRandom(pkD, pkP, dh, ck, ~Nd, Np, auth), + Out(~Nd) + ] + +#ifdef PatchProvisioning2 +rule ProvisionerRecvRandom: + let + computed_Cd = aes_cmac(ck, ) + in + [ + ProvisionerSendRandom(pkP, pkD, dh, ck, ~Np, computed_Cd, auth), + In(Nd) + ] + --[ + ProvisionerRecvRandom(pkP, pkD, dh, ck, ~Np, Nd, auth) + ]-> + [ + ProvisionerRecvRandom(pkP, pkD, dh, ck, ~Np, Nd, auth) + ] + +#else +rule ProvisionerRecvRandom: + let + computed_Cd = aes_cmac(ck, ) + in + [ + ProvisionerSendRandom(pkP, pkD, dh, ck, ~Np, computed_Cd, auth), + In(Nd) + ] + --[ + ProvisionerRecvRandom(pkP, pkD, dh, ck, ~Np, Nd, auth) + ]-> + [ + ProvisionerRecvRandom(pkP, pkD, dh, ck, ~Np, Nd, auth) + ] +#endif + +rule ProvisionerSendNetKey: + let + confirmation_salt = s1() + provisioning_salt = s1() + sk = k1(dh, provisioning_salt, 'prsk') + sn = k1(dh, provisioning_salt, 'prsn') + dev_key = k1(dh, provisioning_salt, 'prdk') + in + [ + ProvisionerRecvRandom(pkP, pkD, dh, ck, ~Np, Nd, auth) + ] + --[ + 
ProvisionerSendNetKey(pkP, pkD, dh, ck, ~Np, Nd, sk, net_key, dev_key) + ]-> + [ + ProvisionerSendNetKey(pkP, pkD, dh, ck, ~Np, Nd, sk, net_key, dev_key), + Out(aes_ccm_enc(sk, sn, net_key)) // Represents the ProvisioningData message which contains NetKey + ] + +rule DeviceRecvNetKey: + let + confirmation_salt = s1() + provisioning_salt = s1() + sk = k1(dh, provisioning_salt, 'prsk') + sn = k1(dh, provisioning_salt, 'prsn') + dev_key = k1(dh, provisioning_salt, 'prdk') + dec_net_key = aes_ccm_dec(sk, sn, prov_data) // Explicit decryption, to verify the correctness of the model + in + [ + DeviceSendRandom(pkD, pkP, dh, ck, ~Nd, Np, auth), + In(prov_data) + ] + --[ + IsTrue(aes_ccm_verify(prov_data, sk, sn, dec_net_key)), + DeviceRecvNetKey(pkD, pkP, dh, ck, ~Nd, Np, sk, dec_net_key, dev_key), + DeviceFinishedProvisioning(pkD, pkP, dh, ck, ~Nd, Np, sk, dec_net_key, dev_key) + ]-> + [ + DeviceRecvNetKey(pkD, pkP, dh, ck, ~Nd, Np, sk, dec_net_key, dev_key), + DeviceFinishedProvisioning(pkD, pkP, dh, ck, ~Nd, Np, sk, dec_net_key, dev_key), + Out(prov_complete) + ] + +rule ProvisionerEndProvisioning: + [ + ProvisionerSendNetKey(pkP, pkD, dh, ck, ~Np, Nd, sk, nk, dev_key), + In(prov_complete) + ] + --[ + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, ~Np, Nd, sk, nk, dev_key, app_key) + ]-> + [ + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, ~Np, Nd, sk, nk, dev_key, app_key), + Out(aes_ccm_enc(dev_key, '0', app_key)) + //Out(senc(app_key, dev_key)) + ] + +rule DeviceEndKeyDistribution: + let dec_app_key = aes_ccm_dec(dev_key, '0', c) in + //let dec_app_key = sdec(c, dev_key) in + [ + DeviceRecvNetKey(pkD, pkP, dh, ck, ~Nd, Np, sk, nk, dev_key), + In(c) + ] + --[ + IsTrue(aes_ccm_verify(c, dev_key, '0', dec_app_key)), + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, ~Nd, Np, sk, nk, dev_key, dec_app_key) + ]-> + [ + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, ~Nd, Np, sk, nk, dev_key, dec_app_key) + ] + +/* User interaction module */ + +rule InputOOBAuth: + [ 
+ ProvisionerOutputAuthData(auth), + DeviceInputAuthData() + ] + --[ ]-> + [ + ProvisionerAuthProceed(auth), + DeviceAuthProceed(auth) + ] + +rule OutputOOBAuth: + [ + ProvisionerInputAuthData(), + DeviceOutputAuthData(auth) + ] + --[ ]-> + [ + ProvisionerAuthProceed(auth), + DeviceAuthProceed(auth) + ] + +rule ProvStaticOOBAuth: + [ + ProvisionerStaticAuthData() + ] + --[ ]-> + [ + ProvisionerAuthProceed(static_oob) + ] + +rule DevStaticOOBAuth: + [ + DeviceStaticAuthData() + ] + --[ ]-> + [ + DeviceAuthProceed(static_oob) + ] + +/* End of user interaction module */ + +/* Oracle for retrieving short AuthValue */ +#ifdef NoLowEntropyAuthValue +#else +rule OracleAuthValue: + [ + LowEntropyAuthValue(auth), + In(aes_cmac(ck, )), + In(N), + In(ck) + ] + --[ AttackerRetrieveAuthValue(ck,N,auth) ]-> + [ + Out(auth) + ] +#endif + +/* End of Oracle */ + +restriction DeviceOnlyOnceProv: +"All #i #j. DeviceOnlyOnceProv() @i & DeviceOnlyOnceProv() @j ==> #i = #j" + + +restriction ProvisionerOnlyOnceProv: +"All #i #j. ProvisionerOnlyOnceProv() @i & ProvisionerOnlyOnceProv() @j ==> #i = #j" + +restriction IsTrue: +"All t #i. IsTrue(t) @i ==> t = true_val" + +restriction NotEq: +"All c #i. (NotEq(c, c) @i) ==> F" + +// For ECDH model +restriction DHConsistency: + "All t s r1 r2 y #i #j . + Raised(t,s,r1,y) @ i & Raised(t,s,r2,y) @j + ==> r1 = r2" + +restriction DHIdentity: + "All t r y #i . + Raised(t,DH_neutral,r,y) @ i ==> r = DH_neutral" + +restriction ValidPt: + "∀ x y #i. + (ValidPt(x,y) @ #i) ⇒ (x = y)" + +restriction InvalidPt: + "∀ x #i. + (InvalidPt(x,x) @ #i) ⇒ F" + +/*****************************************/ +/* Lemmas about EiOOBno-EiOOBno exchange */ +/*****************************************/ + +#ifdef EiOOBnoEiOOBno +lemma EiOOBno_EiOOBno_functional: exists-trace +" +Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. 
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j +" + +lemma EiOOBno_EiOOBno_auth_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + ( + Ex #j. + DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j + ) +" + +lemma EiOOBno_EiOOBno_auth_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + ( + Ex #j. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j + ) +" + +lemma EiOOBno_EiOOBno_weaksecret_nk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBno_EiOOBno_weaksecret_dk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBno_EiOOBno_weaksecret_ak_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBno_EiOOBno_weaksecret_nk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBno_EiOOBno_weaksecret_dk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBno_EiOOBno_weaksecret_ak_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. 
K(ak) @j) +" + +lemma EiOOBno_EiOOBno_double_impersonation: +" +All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==> + not (Ex #k1 #k2 #k3 #k4 . + K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4 + ) +" + +#endif + +/*********************************************/ +/* End lemmas about EiOOBno-EiOOBno exchange */ +/*********************************************/ + +/****************************************/ +/* Lemmas about EiOOBno-EiOOBi exchange */ +/****************************************/ + +#ifdef EiOOBnoEiOOBi +lemma EiOOBno_EiOOBi_functional: exists-trace +" +Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j +" + +lemma EiOOBno_EiOOBi_auth_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + ( + Ex #j. + DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j + ) +" + +lemma EiOOBno_EiOOBi_auth_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + ( + Ex #j. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j + ) +" + +lemma EiOOBno_EiOOBi_weaksecret_nk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBno_EiOOBi_weaksecret_dk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. 
K(dk) @j) +" + +lemma EiOOBno_EiOOBi_weaksecret_ak_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBno_EiOOBi_weaksecret_nk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBno_EiOOBi_weaksecret_dk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBno_EiOOBi_weaksecret_ak_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBno_EiOOBi_double_impersonation: +" +All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==> + not (Ex #k1 #k2 #k3 #k4 . + K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4 + ) +" + +#endif + +/********************************************/ +/* End lemmas about EiOOBno-EiOOBi exchange */ +/********************************************/ + +/****************************************/ +/* Lemmas about EiOOBno-EiOOBo exchange */ +/****************************************/ + +#ifdef EiOOBnoEiOOBo +lemma EiOOBno_EiOOBo_functional: exists-trace +" +Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j +" + +lemma EiOOBno_EiOOBo_auth_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. 
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + ( + Ex #j. + DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j + ) +" + +lemma EiOOBno_EiOOBo_auth_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + ( + Ex #j. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j + ) +" + +lemma EiOOBno_EiOOBo_weaksecret_nk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBno_EiOOBo_weaksecret_dk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBno_EiOOBo_weaksecret_ak_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBno_EiOOBo_weaksecret_nk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBno_EiOOBo_weaksecret_dk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBno_EiOOBo_weaksecret_ak_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBno_EiOOBo_double_impersonation: +" +All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==> + not (Ex #k1 #k2 #k3 #k4 . 
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4 + ) +" + +#endif + +/********************************************/ +/* End lemmas about EiOOBno-EiOOBo exchange */ +/********************************************/ + +/****************************************/ +/* Lemmas about EiOOBno-EiOOBs exchange */ +/****************************************/ + +#ifdef EiOOBnoEiOOBs +lemma EiOOBno_EiOOBs_functional: exists-trace +" +Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j +" + +lemma EiOOBno_EiOOBs_auth_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + ( + Ex #j. + DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j + ) +" + +lemma EiOOBno_EiOOBs_auth_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + ( + Ex #j. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j + ) +" + +lemma EiOOBno_EiOOBs_weaksecret_nk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBno_EiOOBs_weaksecret_dk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBno_EiOOBs_weaksecret_ak_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBno_EiOOBs_weaksecret_nk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. 
K(nk) @j) +" + +lemma EiOOBno_EiOOBs_weaksecret_dk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBno_EiOOBs_weaksecret_ak_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBno_EiOOBs_double_impersonation: +" +All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==> + not (Ex #k1 #k2 #k3 #k4 . + K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4 + ) +" + +#endif + +/********************************************/ +/* End lemmas about EiOOBno-EiOOBs exchange */ +/********************************************/ + +/****************************************/ +/* Lemmas about EiOOBi-EiOOBno exchange */ +/****************************************/ + +#ifdef EiOOBiEiOOBno +lemma EiOOBi_EiOOBno_functional: exists-trace +" +Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j +" + +lemma EiOOBi_EiOOBno_auth_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + ( + Ex #j. + DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j + ) +" + +lemma EiOOBi_EiOOBno_auth_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + ( + Ex #j. 
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j + ) +" + +lemma EiOOBi_EiOOBno_weaksecret_nk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBi_EiOOBno_weaksecret_dk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBi_EiOOBno_weaksecret_ak_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBi_EiOOBno_weaksecret_nk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBi_EiOOBno_weaksecret_dk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBi_EiOOBno_weaksecret_ak_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBi_EiOOBno_double_impersonation: +" +All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==> + not (Ex #k1 #k2 #k3 #k4 . 
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4 + ) +" + +#endif + +/********************************************/ +/* End lemmas about EiOOBi-EiOOBno exchange */ +/********************************************/ + +/***************************************/ +/* Lemmas about EiOOBi-EiOOBi exchange */ +/***************************************/ + +#ifdef EiOOBiEiOOBi +lemma EiOOBi_EiOOBi_functional: exists-trace +" +Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j +" + +lemma EiOOBi_EiOOBi_auth_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + ( + Ex #j. + DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j + ) +" + +lemma EiOOBi_EiOOBi_auth_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + ( + Ex #j. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j + ) +" + +lemma EiOOBi_EiOOBi_weaksecret_nk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBi_EiOOBi_weaksecret_dk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBi_EiOOBi_weaksecret_ak_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBi_EiOOBi_weaksecret_nk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. 
K(nk) @j) +" + +lemma EiOOBi_EiOOBi_weaksecret_dk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBi_EiOOBi_weaksecret_ak_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBi_EiOOBi_double_impersonation: +" +All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==> + not (Ex #k1 #k2 #k3 #k4 . + K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4 + ) +" + +#endif + +/*******************************************/ +/* End lemmas about EiOOBi-EiOOBi exchange */ +/*******************************************/ + +/***************************************/ +/* Lemmas about EiOOBi-EiOOBo exchange */ +/***************************************/ + +#ifdef EiOOBiEiOOBo +lemma EiOOBi_EiOOBo_functional: exists-trace +" +Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j +" + +lemma EiOOBi_EiOOBo_auth_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + ( + Ex #j. + DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j + ) +" + +lemma EiOOBi_EiOOBo_auth_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + ( + Ex #j. 
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j + ) +" + +lemma EiOOBi_EiOOBo_weaksecret_nk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBi_EiOOBo_weaksecret_dk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBi_EiOOBo_weaksecret_ak_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBi_EiOOBo_weaksecret_nk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBi_EiOOBo_weaksecret_dk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBi_EiOOBo_weaksecret_ak_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBi_EiOOBo_double_impersonation: +" +All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==> + not (Ex #k1 #k2 #k3 #k4 . 
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4 + ) +" + +#endif + +/*******************************************/ +/* End lemmas about EiOOBi-EiOOBo exchange */ +/*******************************************/ + +/***************************************/ +/* Lemmas about EiOOBi-EiOOBs exchange */ +/***************************************/ + +#ifdef EiOOBiEiOOBs +lemma EiOOBi_EiOOBs_functional: exists-trace +" +Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j +" + +lemma EiOOBi_EiOOBs_auth_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + ( + Ex #j. + DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j + ) +" + +lemma EiOOBi_EiOOBs_auth_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + ( + Ex #j. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j + ) +" + +lemma EiOOBi_EiOOBs_weaksecret_nk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(nk) @j) +" + +lemma EiOOBi_EiOOBs_weaksecret_dk_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBi_EiOOBs_weaksecret_ak_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBi_EiOOBs_weaksecret_nk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. 
K(nk) @j) +" + +lemma EiOOBi_EiOOBs_weaksecret_dk_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(dk) @j) +" + +lemma EiOOBi_EiOOBs_weaksecret_ak_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + not (Ex #j. K(ak) @j) +" + +lemma EiOOBi_EiOOBs_double_impersonation: +" +All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==> + not (Ex #k1 #k2 #k3 #k4 . + K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4 + ) +" + +#endif + +/*******************************************/ +/* End lemmas about EiOOBi-EiOOBs exchange */ +/*******************************************/ + +/****************************************/ +/* Lemmas about EiOOBo-EiOOBno exchange */ +/****************************************/ + +#ifdef EiOOBoEiOOBno +lemma EiOOBo_EiOOBno_functional: exists-trace +" +Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j. + DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i & + ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j +" + +lemma EiOOBo_EiOOBno_auth_prov: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==> + ( + Ex #j. + DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j + ) +" + +lemma EiOOBo_EiOOBno_auth_dev: +" +All pkP pkD dh ck np nd sk nk dk ak #i. + DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==> + ( + Ex #j. 
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBo_EiOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EiOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EiOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EiOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EiOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EiOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EiOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EiOOBo-EiOOBno exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about EiOOBo-EiOOBi exchange */
+/***************************************/
+
+#ifdef EiOOBoEiOOBi
+lemma EiOOBo_EiOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBo_EiOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBo_EiOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBo_EiOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EiOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EiOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EiOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EiOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EiOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EiOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBo-EiOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EiOOBo-EiOOBo exchange */
+/***************************************/
+
+#ifdef EiOOBoEiOOBo
+lemma EiOOBo_EiOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBo_EiOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBo_EiOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBo_EiOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EiOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EiOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EiOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EiOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EiOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EiOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBo-EiOOBo exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EiOOBo-EiOOBs exchange */
+/***************************************/
+
+#ifdef EiOOBoEiOOBs
+lemma EiOOBo_EiOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBo_EiOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBo_EiOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBo_EiOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EiOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EiOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EiOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EiOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EiOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EiOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBo-EiOOBs exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about EiOOBs-EiOOBno exchange */
+/****************************************/
+
+#ifdef EiOOBsEiOOBno
+lemma EiOOBs_EiOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBs_EiOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBs_EiOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBs_EiOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EiOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EiOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EiOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EiOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EiOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EiOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EiOOBs-EiOOBno exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about EiOOBs-EiOOBi exchange */
+/***************************************/
+
+#ifdef EiOOBsEiOOBi
+lemma EiOOBs_EiOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBs_EiOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBs_EiOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBs_EiOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EiOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EiOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EiOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EiOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EiOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EiOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBs-EiOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EiOOBs-EiOOBo exchange */
+/***************************************/
+
+#ifdef EiOOBsEiOOBo
+lemma EiOOBs_EiOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBs_EiOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBs_EiOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBs_EiOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EiOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EiOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EiOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EiOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EiOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EiOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBs-EiOOBo exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EiOOBs-EiOOBs exchange */
+/***************************************/
+
+#ifdef EiOOBsEiOOBs
+lemma EiOOBs_EiOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBs_EiOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBs_EiOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBs_EiOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EiOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EiOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EiOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EiOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EiOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EiOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBs-EiOOBs exchange */
+/*******************************************/
+
+/*****************************************/
+/* Lemmas about EiOOBno-EoOOBno exchange */
+/*****************************************/
+
+#ifdef EiOOBnoEoOOBno
+lemma EiOOBno_EoOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBno_EoOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBno_EoOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBno_EoOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBno_EoOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBno_EoOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBno_EoOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBno_EoOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBno_EoOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBno_EoOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about EiOOBno-EoOOBno exchange */
+/*********************************************/
+
+/****************************************/
+/* Lemmas about EiOOBno-EoOOBi exchange */
+/****************************************/
+
+#ifdef EiOOBnoEoOOBi
+lemma EiOOBno_EoOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBno_EoOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBno_EoOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBno_EoOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBno_EoOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBno_EoOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBno_EoOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBno_EoOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBno_EoOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBno_EoOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EiOOBno-EoOOBi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about EiOOBno-EoOOBo exchange */
+/****************************************/
+
+#ifdef EiOOBnoEoOOBo
+lemma EiOOBno_EoOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBno_EoOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBno_EoOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBno_EoOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBno_EoOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBno_EoOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBno_EoOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBno_EoOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBno_EoOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBno_EoOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EiOOBno-EoOOBo exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about EiOOBno-EoOOBs exchange */
+/****************************************/
+
+#ifdef EiOOBnoEoOOBs
+lemma EiOOBno_EoOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBno_EoOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBno_EoOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBno_EoOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBno_EoOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBno_EoOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBno_EoOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBno_EoOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBno_EoOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBno_EoOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EiOOBno-EoOOBs exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about EiOOBi-EoOOBno exchange */
+/****************************************/
+
+#ifdef EiOOBiEoOOBno
+lemma EiOOBi_EoOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBi_EoOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBi_EoOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBi_EoOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBi_EoOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBi_EoOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBi_EoOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBi_EoOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBi_EoOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBi_EoOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EiOOBi-EoOOBno exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about EiOOBi-EoOOBi exchange */
+/***************************************/
+
+#ifdef EiOOBiEoOOBi
+lemma EiOOBi_EoOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBi_EoOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBi_EoOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBi_EoOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBi_EoOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBi_EoOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBi_EoOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBi_EoOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBi_EoOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBi_EoOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBi-EoOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EiOOBi-EoOOBo exchange */
+/***************************************/
+
+#ifdef EiOOBiEoOOBo
+lemma EiOOBi_EoOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBi_EoOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBi_EoOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBi_EoOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBi_EoOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBi_EoOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBi_EoOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBi_EoOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBi_EoOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBi_EoOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBi-EoOOBo exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EiOOBi-EoOOBs exchange */
+/***************************************/
+
+#ifdef EiOOBiEoOOBs
+lemma EiOOBi_EoOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBi_EoOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBi_EoOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBi_EoOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBi_EoOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBi_EoOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBi_EoOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBi_EoOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBi_EoOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBi_EoOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBi-EoOOBs exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about EiOOBo-EoOOBno exchange */
+/****************************************/
+
+#ifdef EiOOBoEoOOBno
+lemma EiOOBo_EoOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBo_EoOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBo_EoOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBo_EoOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EoOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EoOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EoOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EoOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EoOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EoOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EiOOBo-EoOOBno exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about EiOOBo-EoOOBi exchange */
+/***************************************/
+
+#ifdef EiOOBoEoOOBi
+lemma EiOOBo_EoOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBo_EoOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBo_EoOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBo_EoOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EoOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EoOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EoOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EoOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EoOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EoOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBo-EoOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EiOOBo-EoOOBo exchange */
+/***************************************/
+
+#ifdef EiOOBoEoOOBo
+lemma EiOOBo_EoOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBo_EoOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBo_EoOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBo_EoOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EoOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EoOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EoOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EoOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EoOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EoOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBo-EoOOBo exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EiOOBo-EoOOBs exchange */
+/***************************************/
+
+#ifdef EiOOBoEoOOBs
+lemma EiOOBo_EoOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBo_EoOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBo_EoOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBo_EoOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EoOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EoOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EoOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBo_EoOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBo_EoOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBo_EoOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBo-EoOOBs exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about EiOOBs-EoOOBno exchange */
+/****************************************/
+
+#ifdef EiOOBsEoOOBno
+lemma EiOOBs_EoOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBs_EoOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBs_EoOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBs_EoOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EoOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EoOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EoOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EoOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EoOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EoOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EiOOBs-EoOOBno exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about EiOOBs-EoOOBi exchange */
+/***************************************/
+
+#ifdef EiOOBsEoOOBi
+lemma EiOOBs_EoOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBs_EoOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBs_EoOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBs_EoOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EoOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EoOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EoOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EoOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EoOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EoOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBs-EoOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EiOOBs-EoOOBo exchange */
+/***************************************/
+
+#ifdef EiOOBsEoOOBo
+lemma EiOOBs_EoOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBs_EoOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBs_EoOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBs_EoOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EoOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EoOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EoOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EoOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EoOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EoOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBs-EoOOBo exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EiOOBs-EoOOBs exchange */
+/***************************************/
+
+#ifdef EiOOBsEoOOBs
+lemma EiOOBs_EoOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EiOOBs_EoOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EiOOBs_EoOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EiOOBs_EoOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EoOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EoOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EoOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EiOOBs_EoOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EiOOBs_EoOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EiOOBs_EoOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EiOOBs-EoOOBs exchange */
+/*******************************************/
+
+/*****************************************/
+/* Lemmas about EoOOBno-EiOOBno exchange */
+/*****************************************/
+
+#ifdef EoOOBnoEiOOBno
+lemma EoOOBno_EiOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBno_EiOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBno_EiOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBno_EiOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EiOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EiOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EiOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EiOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EiOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EiOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 . 
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about EoOOBno-EiOOBno exchange */
+/*********************************************/
+
+/****************************************/
+/* Lemmas about EoOOBno-EiOOBi exchange */
+/****************************************/
+
+#ifdef EoOOBnoEiOOBi
+lemma EoOOBno_EiOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBno_EiOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBno_EiOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBno_EiOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EiOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EiOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EiOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. 
K(nk) @j)
+"
+
+lemma EoOOBno_EiOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EiOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EiOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBno-EiOOBi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about EoOOBno-EiOOBo exchange */
+/****************************************/
+
+#ifdef EoOOBnoEiOOBo
+lemma EoOOBno_EiOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBno_EiOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBno_EiOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j. 
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBno_EiOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EiOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EiOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EiOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EiOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EiOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EiOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 . 
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBno-EiOOBo exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about EoOOBno-EiOOBs exchange */
+/****************************************/
+
+#ifdef EoOOBnoEiOOBs
+lemma EoOOBno_EiOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBno_EiOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBno_EiOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBno_EiOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EiOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EiOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EiOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. 
K(nk) @j)
+"
+
+lemma EoOOBno_EiOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EiOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EiOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBno-EiOOBs exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about EoOOBi-EiOOBno exchange */
+/****************************************/
+
+#ifdef EoOOBiEiOOBno
+lemma EoOOBi_EiOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBi_EiOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBi_EiOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j. 
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBi_EiOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EiOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EiOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EiOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EiOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EiOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EiOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 . 
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBi-EiOOBno exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about EoOOBi-EiOOBi exchange */
+/***************************************/
+
+#ifdef EoOOBiEiOOBi
+lemma EoOOBi_EiOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBi_EiOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBi_EiOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBi_EiOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EiOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EiOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EiOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. 
K(nk) @j)
+"
+
+lemma EoOOBi_EiOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EiOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EiOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBi-EiOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBi-EiOOBo exchange */
+/***************************************/
+
+#ifdef EoOOBiEiOOBo
+lemma EoOOBi_EiOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBi_EiOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBi_EiOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j. 
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBi_EiOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EiOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EiOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EiOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EiOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EiOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EiOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 . 
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBi-EiOOBo exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBi-EiOOBs exchange */
+/***************************************/
+
+#ifdef EoOOBiEiOOBs
+lemma EoOOBi_EiOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBi_EiOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBi_EiOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBi_EiOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EiOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EiOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EiOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. 
K(nk) @j)
+"
+
+lemma EoOOBi_EiOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EiOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EiOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBi-EiOOBs exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about EoOOBo-EiOOBno exchange */
+/****************************************/
+
+#ifdef EoOOBoEiOOBno
+lemma EoOOBo_EiOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBo_EiOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBo_EiOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j. 
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBo_EiOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EiOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EiOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EiOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EiOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EiOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EiOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 . 
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBo-EiOOBno exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about EoOOBo-EiOOBi exchange */
+/***************************************/
+
+#ifdef EoOOBoEiOOBi
+lemma EoOOBo_EiOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBo_EiOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBo_EiOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBo_EiOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EiOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EiOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EiOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. 
K(nk) @j)
+"
+
+lemma EoOOBo_EiOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EiOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EiOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBo-EiOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBo-EiOOBo exchange */
+/***************************************/
+
+#ifdef EoOOBoEiOOBo
+lemma EoOOBo_EiOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBo_EiOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBo_EiOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j. 
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBo_EiOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EiOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EiOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EiOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EiOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EiOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EiOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 . 
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBo-EiOOBo exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBo-EiOOBs exchange */
+/***************************************/
+
+#ifdef EoOOBoEiOOBs
+lemma EoOOBo_EiOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBo_EiOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBo_EiOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBo_EiOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EiOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EiOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EiOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. 
K(nk) @j)
+"
+
+lemma EoOOBo_EiOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EiOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EiOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBo-EiOOBs exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about EoOOBs-EiOOBno exchange */
+/****************************************/
+
+#ifdef EoOOBsEiOOBno
+lemma EoOOBs_EiOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBs_EiOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBs_EiOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j. 
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBs_EiOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EiOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EiOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EiOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EiOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EiOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EiOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBs-EiOOBno exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about EoOOBs-EiOOBi exchange */
+/***************************************/
+
+#ifdef EoOOBsEiOOBi
+lemma EoOOBs_EiOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBs_EiOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBs_EiOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBs_EiOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EiOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EiOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EiOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j.
K(nk) @j)
+"
+
+lemma EoOOBs_EiOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EiOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EiOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBs-EiOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBs-EiOOBo exchange */
+/***************************************/
+
+#ifdef EoOOBsEiOOBo
+lemma EoOOBs_EiOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBs_EiOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBs_EiOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBs_EiOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EiOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EiOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EiOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EiOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EiOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EiOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBs-EiOOBo exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBs-EiOOBs exchange */
+/***************************************/
+
+#ifdef EoOOBsEiOOBs
+lemma EoOOBs_EiOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBs_EiOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBs_EiOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBs_EiOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EiOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EiOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EiOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j.
K(nk) @j)
+"
+
+lemma EoOOBs_EiOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EiOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EiOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBs-EiOOBs exchange */
+/*******************************************/
+
+/*****************************************/
+/* Lemmas about EoOOBno-EoOOBno exchange */
+/*****************************************/
+
+#ifdef EoOOBnoEoOOBno
+lemma EoOOBno_EoOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBno_EoOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBno_EoOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBno_EoOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EoOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EoOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EoOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EoOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EoOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EoOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*********************************************/
+/* End lemmas about EoOOBno-EoOOBno exchange */
+/*********************************************/
+
+/****************************************/
+/* Lemmas about EoOOBno-EoOOBi exchange */
+/****************************************/
+
+#ifdef EoOOBnoEoOOBi
+lemma EoOOBno_EoOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBno_EoOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBno_EoOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBno_EoOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EoOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EoOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EoOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j.
K(nk) @j)
+"
+
+lemma EoOOBno_EoOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EoOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EoOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBno-EoOOBi exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about EoOOBno-EoOOBo exchange */
+/****************************************/
+
+#ifdef EoOOBnoEoOOBo
+lemma EoOOBno_EoOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBno_EoOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBno_EoOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBno_EoOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EoOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EoOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EoOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EoOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EoOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EoOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBno-EoOOBo exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about EoOOBno-EoOOBs exchange */
+/****************************************/
+
+#ifdef EoOOBnoEoOOBs
+lemma EoOOBno_EoOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBno_EoOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBno_EoOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBno_EoOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBno_EoOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EoOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EoOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j.
K(nk) @j)
+"
+
+lemma EoOOBno_EoOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBno_EoOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBno_EoOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBno-EoOOBs exchange */
+/********************************************/
+
+/****************************************/
+/* Lemmas about EoOOBi-EoOOBno exchange */
+/****************************************/
+
+#ifdef EoOOBiEoOOBno
+lemma EoOOBi_EoOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBi_EoOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBi_EoOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBi_EoOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EoOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EoOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EoOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EoOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EoOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EoOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBi-EoOOBno exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about EoOOBi-EoOOBi exchange */
+/***************************************/
+
+#ifdef EoOOBiEoOOBi
+lemma EoOOBi_EoOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBi_EoOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBi_EoOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBi_EoOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EoOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EoOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EoOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j.
K(nk) @j)
+"
+
+lemma EoOOBi_EoOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EoOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EoOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBi-EoOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBi-EoOOBo exchange */
+/***************************************/
+
+#ifdef EoOOBiEoOOBo
+lemma EoOOBi_EoOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBi_EoOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBi_EoOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBi_EoOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EoOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EoOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EoOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EoOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EoOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EoOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBi-EoOOBo exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBi-EoOOBs exchange */
+/***************************************/
+
+#ifdef EoOOBiEoOOBs
+lemma EoOOBi_EoOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBi_EoOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBi_EoOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBi_EoOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBi_EoOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EoOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EoOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j.
K(nk) @j)
+"
+
+lemma EoOOBi_EoOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBi_EoOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBi_EoOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBi-EoOOBs exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about EoOOBo-EoOOBno exchange */
+/****************************************/
+
+#ifdef EoOOBoEoOOBno
+lemma EoOOBo_EoOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBo_EoOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBo_EoOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBo_EoOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EoOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EoOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EoOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EoOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EoOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EoOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBo-EoOOBno exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about EoOOBo-EoOOBi exchange */
+/***************************************/
+
+#ifdef EoOOBoEoOOBi
+lemma EoOOBo_EoOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBo_EoOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBo_EoOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBo_EoOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EoOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EoOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EoOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j.
K(nk) @j)
+"
+
+lemma EoOOBo_EoOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EoOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EoOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBo-EoOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBo-EoOOBo exchange */
+/***************************************/
+
+#ifdef EoOOBoEoOOBo
+lemma EoOOBo_EoOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBo_EoOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBo_EoOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBo_EoOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EoOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EoOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EoOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EoOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EoOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EoOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBo-EoOOBo exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBo-EoOOBs exchange */
+/***************************************/
+
+#ifdef EoOOBoEoOOBs
+lemma EoOOBo_EoOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBo_EoOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBo_EoOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBo_EoOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBo_EoOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EoOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EoOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j.
K(nk) @j)
+"
+
+lemma EoOOBo_EoOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBo_EoOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBo_EoOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBo-EoOOBs exchange */
+/*******************************************/
+
+/****************************************/
+/* Lemmas about EoOOBs-EoOOBno exchange */
+/****************************************/
+
+#ifdef EoOOBsEoOOBno
+lemma EoOOBs_EoOOBno_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBs_EoOOBno_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBs_EoOOBno_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBs_EoOOBno_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EoOOBno_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EoOOBno_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EoOOBno_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EoOOBno_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EoOOBno_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EoOOBno_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/********************************************/
+/* End lemmas about EoOOBs-EoOOBno exchange */
+/********************************************/
+
+/***************************************/
+/* Lemmas about EoOOBs-EoOOBi exchange */
+/***************************************/
+
+#ifdef EoOOBsEoOOBi
+lemma EoOOBs_EoOOBi_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBs_EoOOBi_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBs_EoOOBi_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBs_EoOOBi_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EoOOBi_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EoOOBi_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EoOOBi_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j.
K(nk) @j)
+"
+
+lemma EoOOBs_EoOOBi_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EoOOBi_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EoOOBi_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBs-EoOOBi exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBs-EoOOBo exchange */
+/***************************************/
+
+#ifdef EoOOBsEoOOBo
+lemma EoOOBs_EoOOBo_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBs_EoOOBo_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBs_EoOOBo_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBs_EoOOBo_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EoOOBo_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EoOOBo_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EoOOBo_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EoOOBo_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EoOOBo_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EoOOBo_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBs-EoOOBo exchange */
+/*******************************************/
+
+/***************************************/
+/* Lemmas about EoOOBs-EoOOBs exchange */
+/***************************************/
+
+#ifdef EoOOBsEoOOBs
+lemma EoOOBs_EoOOBs_functional: exists-trace
+"
+Ex pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j
+"
+
+lemma EoOOBs_EoOOBs_auth_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ DeviceFinishedProvisioning(pkD, pkP, dh, ck, nd, np, sk, nk, dk) @j
+ )
+"
+
+lemma EoOOBs_EoOOBs_auth_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ (
+ Ex #j.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @j
+ )
+"
+
+lemma EoOOBs_EoOOBs_weaksecret_nk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(nk) @j)
+"
+
+lemma EoOOBs_EoOOBs_weaksecret_dk_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EoOOBs_weaksecret_ak_prov:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ ProvisionerFinishedProvisioning(pkP, pkD, dh, ck, np, nd, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EoOOBs_weaksecret_nk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j.
K(nk) @j)
+"
+
+lemma EoOOBs_EoOOBs_weaksecret_dk_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(dk) @j)
+"
+
+lemma EoOOBs_EoOOBs_weaksecret_ak_dev:
+"
+All pkP pkD dh ck np nd sk nk dk ak #i.
+ DeviceFinishedKeyDistribution(pkD, pkP, dh, ck, nd, np, sk, nk, dk, ak) @i ==>
+ not (Ex #j. K(ak) @j)
+"
+
+lemma EoOOBs_EoOOBs_double_impersonation:
+"
+All pkP1 pkD1 pkP2 pkD2 dh1 dh2 ck1 ck2 np1 np2 nd1 nd2 sk1 sk2 nk1 nk2 dk1 dk2 ak1 ak2 #i #j.
+ DeviceFinishedKeyDistribution(pkD1, pkP1, dh1, ck1, nd1, np1, sk1, nk1, dk1, ak1) @i &
+ ProvisionerFinishedProvisioning(pkP2, pkD2, dh2, ck2, np2, nd2, sk2, nk2, dk2, ak2) @j ==>
+ not (Ex #k1 #k2 #k3 #k4 .
+ K(nk1) @k1 & K(dk1) @k2 & K(nk2) @k3 & K(dk2) @k4
+ )
+"
+
+#endif
+
+/*******************************************/
+/* End lemmas about EoOOBs-EoOOBs exchange */
+/*******************************************/
+
+/*
+* Command-line to generate a Tamarin file with the entire model without all preprocessor macros:
+* tamarin-prover mesh.spthy -DEiOOBoEiOOBno -DProvEiOOBo -DEoOOBoEoOOBs -DEiOOBiEiOOBo -DEiOOBnoEiOOBi -DDevOOBi -DDevECDH -DProvEiOOBi -DEiOOBnoEiOOBo -DEoOOBsEiOOBno -DEoOOBsEiOOBo -DEoOOBnoEiOOBi -DEoOOBoEoOOBno -DEiOOBnoEoOOBno -DEoOOBiEiOOBo -DEiOOBnoEiOOBno -DEiOOBoEiOOBs -DEiOOBnoEoOOBs -DEoOOBsEiOOBs -DEiOOBoEoOOBi -DEoOOBnoEoOOBi -DEoOOBoEiOOBno -DDevEiOOBno -DEiOOBiEoOOBo -DEiOOBoEoOOBs -DEoOOBiEoOOBno -DEiOOBsEoOOBno -DEoOOBnoEoOOBs -DProvOOBi -DProvEoOOBs -DEoOOBnoEoOOBno -DEoOOBoEiOOBi -DDevEo -DEoOOBnoEiOOBs -DEoOOBiEoOOBo -DEoOOBnoEoOOBo -DEoOOBiEiOOBs -DProvEoOOBno -DDevEoOOBi -DDevEoOOBs -DProvEiOOBs -DProvEiOOBno -DEoOOBoEoOOBo -DDevOOBo -DEiOOBiEiOOBi -DEiOOBoEiOOBi -DEiOOBiEoOOBno -DProvEo -DEoOOBiEiOOBno -DDevEi -DEiOOBoEoOOBo -DDevOOBno -DEoOOBoEiOOBs -DEiOOBiEiOOBs -DEiOOBiEiOOBno -DProvEoOOBi -DEoOOBiEoOOBi -DEiOOBsEiOOBno -DEoOOBsEoOOBo -DEiOOBnoEiOOBs -DDevEiOOBs -DProvOOBo
-DEoOOBnoEiOOBo -DEiOOBnoEoOOBo -DEiOOBsEiOOBi -DProvEoOOBo -DEiOOBsEiOOBo -DEoOOBnoEiOOBno -DEoOOBsEoOOBi -DEiOOBsEoOOBo -DEoOOBiEoOOBs -DEoOOBsEoOOBs -DEiOOBoEoOOBno -DDevEiOOBi -DEiOOBiEoOOBi -DProvECDH -DEoOOBoEiOOBo -DEoOOBiEiOOBi -DProvOOBno -DDevEoOOBo -DEiOOBsEoOOBi -DProvEi -DEiOOBoEiOOBo -DProvOOBs -DEiOOBiEoOOBs -DDevOOBs -DEoOOBsEiOOBi -DDevEiOOBo -DEoOOBoEoOOBi -DEiOOBnoEoOOBi -DDevEoOOBno -DEiOOBsEoOOBs -DEoOOBsEoOOBno -DEiOOBsEiOOBs
+*/
+
+/* Command lines to prove individual cases:
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBnoEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBnoEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBnoEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBnoEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBiEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBiEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBiEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBiEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBoEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBoEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBoEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBoEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBsEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBsEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBsEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBsEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBnoEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBnoEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBnoEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBno -DProvOOBno -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBnoEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBiEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBiEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBiEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBi -DProvOOBi -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBiEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBoEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEo -DDevEoOOBi -DDevOOBi
-DProvECDH -DDevECDH -DEiOOBoEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBoEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBo -DProvOOBo -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBoEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEiOOBsEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEiOOBsEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEiOOBsEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEi -DProvEiOOBs -DProvOOBs -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEiOOBsEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBnoEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBnoEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBnoEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBnoEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBiEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBiEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBiEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBiEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo
-DProvOOBo -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBoEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBoEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBoEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBoEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEi -DDevEiOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBsEiOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEi -DDevEiOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBsEiOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEi -DDevEiOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBsEiOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEi -DDevEiOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBsEiOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBnoEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBnoEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBnoEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBno -DProvOOBno -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBnoEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBiEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBiEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBiEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBi -DProvOOBi -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBiEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBoEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBoEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBoEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBo -DProvOOBo -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBoEoOOBs --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEo -DDevEoOOBno -DDevOOBno -DProvECDH -DDevECDH -DEoOOBsEoOOBno --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEo -DDevEoOOBi -DDevOOBi -DProvECDH -DDevECDH -DEoOOBsEoOOBi --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEo -DDevEoOOBo -DDevOOBo -DProvECDH -DDevECDH -DEoOOBsEoOOBo --prove
+tamarin-prover mesh.spthy -DProvEo -DProvEoOOBs -DProvOOBs -DDevEo -DDevEoOOBs -DDevOOBs -DProvECDH -DDevECDH -DEoOOBsEoOOBs --prove
+
+
+JSON configuration file:
+{
+"EiOOBnoEiOOBno": ["ProvEi","ProvEiOOBno","ProvOOBno","DevEi","DevEiOOBno","DevOOBno","ProvECDH","DevECDH","EiOOBnoEiOOBno"],
+"EiOOBnoEiOOBi": ["ProvEi","ProvEiOOBno","ProvOOBno","DevEi","DevEiOOBi","DevOOBi","ProvECDH","DevECDH","EiOOBnoEiOOBi"],
+"EiOOBnoEiOOBo": ["ProvEi","ProvEiOOBno","ProvOOBno","DevEi","DevEiOOBo","DevOOBo","ProvECDH","DevECDH","EiOOBnoEiOOBo"],
+"EiOOBnoEiOOBs": ["ProvEi","ProvEiOOBno","ProvOOBno","DevEi","DevEiOOBs","DevOOBs","ProvECDH","DevECDH","EiOOBnoEiOOBs"],
+"EiOOBiEiOOBno": ["ProvEi","ProvEiOOBi","ProvOOBi","DevEi","DevEiOOBno","DevOOBno","ProvECDH","DevECDH","EiOOBiEiOOBno"],
+"EiOOBiEiOOBi": ["ProvEi","ProvEiOOBi","ProvOOBi","DevEi","DevEiOOBi","DevOOBi","ProvECDH","DevECDH","EiOOBiEiOOBi"],
+"EiOOBiEiOOBo":
["ProvEi","ProvEiOOBi","ProvOOBi","DevEi","DevEiOOBo","DevOOBo","ProvECDH","DevECDH","EiOOBiEiOOBo"],
+"EiOOBiEiOOBs": ["ProvEi","ProvEiOOBi","ProvOOBi","DevEi","DevEiOOBs","DevOOBs","ProvECDH","DevECDH","EiOOBiEiOOBs"],
+"EiOOBoEiOOBno": ["ProvEi","ProvEiOOBo","ProvOOBo","DevEi","DevEiOOBno","DevOOBno","ProvECDH","DevECDH","EiOOBoEiOOBno"],
+"EiOOBoEiOOBi": ["ProvEi","ProvEiOOBo","ProvOOBo","DevEi","DevEiOOBi","DevOOBi","ProvECDH","DevECDH","EiOOBoEiOOBi"],
+"EiOOBoEiOOBo": ["ProvEi","ProvEiOOBo","ProvOOBo","DevEi","DevEiOOBo","DevOOBo","ProvECDH","DevECDH","EiOOBoEiOOBo"],
+"EiOOBoEiOOBs": ["ProvEi","ProvEiOOBo","ProvOOBo","DevEi","DevEiOOBs","DevOOBs","ProvECDH","DevECDH","EiOOBoEiOOBs"],
+"EiOOBsEiOOBno": ["ProvEi","ProvEiOOBs","ProvOOBs","DevEi","DevEiOOBno","DevOOBno","ProvECDH","DevECDH","EiOOBsEiOOBno"],
+"EiOOBsEiOOBi": ["ProvEi","ProvEiOOBs","ProvOOBs","DevEi","DevEiOOBi","DevOOBi","ProvECDH","DevECDH","EiOOBsEiOOBi"],
+"EiOOBsEiOOBo": ["ProvEi","ProvEiOOBs","ProvOOBs","DevEi","DevEiOOBo","DevOOBo","ProvECDH","DevECDH","EiOOBsEiOOBo"],
+"EiOOBsEiOOBs": ["ProvEi","ProvEiOOBs","ProvOOBs","DevEi","DevEiOOBs","DevOOBs","ProvECDH","DevECDH","EiOOBsEiOOBs"],
+"EiOOBnoEoOOBno": ["ProvEi","ProvEiOOBno","ProvOOBno","DevEo","DevEoOOBno","DevOOBno","ProvECDH","DevECDH","EiOOBnoEoOOBno"],
+"EiOOBnoEoOOBi": ["ProvEi","ProvEiOOBno","ProvOOBno","DevEo","DevEoOOBi","DevOOBi","ProvECDH","DevECDH","EiOOBnoEoOOBi"],
+"EiOOBnoEoOOBo": ["ProvEi","ProvEiOOBno","ProvOOBno","DevEo","DevEoOOBo","DevOOBo","ProvECDH","DevECDH","EiOOBnoEoOOBo"],
+"EiOOBnoEoOOBs": ["ProvEi","ProvEiOOBno","ProvOOBno","DevEo","DevEoOOBs","DevOOBs","ProvECDH","DevECDH","EiOOBnoEoOOBs"],
+"EiOOBiEoOOBno": ["ProvEi","ProvEiOOBi","ProvOOBi","DevEo","DevEoOOBno","DevOOBno","ProvECDH","DevECDH","EiOOBiEoOOBno"],
+"EiOOBiEoOOBi": ["ProvEi","ProvEiOOBi","ProvOOBi","DevEo","DevEoOOBi","DevOOBi","ProvECDH","DevECDH","EiOOBiEoOOBi"],
+"EiOOBiEoOOBo":
["ProvEi","ProvEiOOBi","ProvOOBi","DevEo","DevEoOOBo","DevOOBo","ProvECDH","DevECDH","EiOOBiEoOOBo"],
+"EiOOBiEoOOBs": ["ProvEi","ProvEiOOBi","ProvOOBi","DevEo","DevEoOOBs","DevOOBs","ProvECDH","DevECDH","EiOOBiEoOOBs"],
+"EiOOBoEoOOBno": ["ProvEi","ProvEiOOBo","ProvOOBo","DevEo","DevEoOOBno","DevOOBno","ProvECDH","DevECDH","EiOOBoEoOOBno"],
+"EiOOBoEoOOBi": ["ProvEi","ProvEiOOBo","ProvOOBo","DevEo","DevEoOOBi","DevOOBi","ProvECDH","DevECDH","EiOOBoEoOOBi"],
+"EiOOBoEoOOBo": ["ProvEi","ProvEiOOBo","ProvOOBo","DevEo","DevEoOOBo","DevOOBo","ProvECDH","DevECDH","EiOOBoEoOOBo"],
+"EiOOBoEoOOBs": ["ProvEi","ProvEiOOBo","ProvOOBo","DevEo","DevEoOOBs","DevOOBs","ProvECDH","DevECDH","EiOOBoEoOOBs"],
+"EiOOBsEoOOBno": ["ProvEi","ProvEiOOBs","ProvOOBs","DevEo","DevEoOOBno","DevOOBno","ProvECDH","DevECDH","EiOOBsEoOOBno"],
+"EiOOBsEoOOBi": ["ProvEi","ProvEiOOBs","ProvOOBs","DevEo","DevEoOOBi","DevOOBi","ProvECDH","DevECDH","EiOOBsEoOOBi"],
+"EiOOBsEoOOBo": ["ProvEi","ProvEiOOBs","ProvOOBs","DevEo","DevEoOOBo","DevOOBo","ProvECDH","DevECDH","EiOOBsEoOOBo"],
+"EiOOBsEoOOBs": ["ProvEi","ProvEiOOBs","ProvOOBs","DevEo","DevEoOOBs","DevOOBs","ProvECDH","DevECDH","EiOOBsEoOOBs"],
+"EoOOBnoEiOOBno": ["ProvEo","ProvEoOOBno","ProvOOBno","DevEi","DevEiOOBno","DevOOBno","ProvECDH","DevECDH","EoOOBnoEiOOBno"],
+"EoOOBnoEiOOBi": ["ProvEo","ProvEoOOBno","ProvOOBno","DevEi","DevEiOOBi","DevOOBi","ProvECDH","DevECDH","EoOOBnoEiOOBi"],
+"EoOOBnoEiOOBo": ["ProvEo","ProvEoOOBno","ProvOOBno","DevEi","DevEiOOBo","DevOOBo","ProvECDH","DevECDH","EoOOBnoEiOOBo"],
+"EoOOBnoEiOOBs": ["ProvEo","ProvEoOOBno","ProvOOBno","DevEi","DevEiOOBs","DevOOBs","ProvECDH","DevECDH","EoOOBnoEiOOBs"],
+"EoOOBiEiOOBno": ["ProvEo","ProvEoOOBi","ProvOOBi","DevEi","DevEiOOBno","DevOOBno","ProvECDH","DevECDH","EoOOBiEiOOBno"],
+"EoOOBiEiOOBi": ["ProvEo","ProvEoOOBi","ProvOOBi","DevEi","DevEiOOBi","DevOOBi","ProvECDH","DevECDH","EoOOBiEiOOBi"],
+"EoOOBiEiOOBo": 
["ProvEo","ProvEoOOBi","ProvOOBi","DevEi","DevEiOOBo","DevOOBo","ProvECDH","DevECDH","EoOOBiEiOOBo"],
+"EoOOBiEiOOBs": ["ProvEo","ProvEoOOBi","ProvOOBi","DevEi","DevEiOOBs","DevOOBs","ProvECDH","DevECDH","EoOOBiEiOOBs"],
+"EoOOBoEiOOBno": ["ProvEo","ProvEoOOBo","ProvOOBo","DevEi","DevEiOOBno","DevOOBno","ProvECDH","DevECDH","EoOOBoEiOOBno"],
+"EoOOBoEiOOBi": ["ProvEo","ProvEoOOBo","ProvOOBo","DevEi","DevEiOOBi","DevOOBi","ProvECDH","DevECDH","EoOOBoEiOOBi"],
+"EoOOBoEiOOBo": ["ProvEo","ProvEoOOBo","ProvOOBo","DevEi","DevEiOOBo","DevOOBo","ProvECDH","DevECDH","EoOOBoEiOOBo"],
+"EoOOBoEiOOBs": ["ProvEo","ProvEoOOBo","ProvOOBo","DevEi","DevEiOOBs","DevOOBs","ProvECDH","DevECDH","EoOOBoEiOOBs"],
+"EoOOBsEiOOBno": ["ProvEo","ProvEoOOBs","ProvOOBs","DevEi","DevEiOOBno","DevOOBno","ProvECDH","DevECDH","EoOOBsEiOOBno"],
+"EoOOBsEiOOBi": ["ProvEo","ProvEoOOBs","ProvOOBs","DevEi","DevEiOOBi","DevOOBi","ProvECDH","DevECDH","EoOOBsEiOOBi"],
+"EoOOBsEiOOBo": ["ProvEo","ProvEoOOBs","ProvOOBs","DevEi","DevEiOOBo","DevOOBo","ProvECDH","DevECDH","EoOOBsEiOOBo"],
+"EoOOBsEiOOBs": ["ProvEo","ProvEoOOBs","ProvOOBs","DevEi","DevEiOOBs","DevOOBs","ProvECDH","DevECDH","EoOOBsEiOOBs"],
+"EoOOBnoEoOOBno": ["ProvEo","ProvEoOOBno","ProvOOBno","DevEo","DevEoOOBno","DevOOBno","ProvECDH","DevECDH","EoOOBnoEoOOBno"],
+"EoOOBnoEoOOBi": ["ProvEo","ProvEoOOBno","ProvOOBno","DevEo","DevEoOOBi","DevOOBi","ProvECDH","DevECDH","EoOOBnoEoOOBi"],
+"EoOOBnoEoOOBo": ["ProvEo","ProvEoOOBno","ProvOOBno","DevEo","DevEoOOBo","DevOOBo","ProvECDH","DevECDH","EoOOBnoEoOOBo"],
+"EoOOBnoEoOOBs": ["ProvEo","ProvEoOOBno","ProvOOBno","DevEo","DevEoOOBs","DevOOBs","ProvECDH","DevECDH","EoOOBnoEoOOBs"],
+"EoOOBiEoOOBno": ["ProvEo","ProvEoOOBi","ProvOOBi","DevEo","DevEoOOBno","DevOOBno","ProvECDH","DevECDH","EoOOBiEoOOBno"],
+"EoOOBiEoOOBi": ["ProvEo","ProvEoOOBi","ProvOOBi","DevEo","DevEoOOBi","DevOOBi","ProvECDH","DevECDH","EoOOBiEoOOBi"],
+"EoOOBiEoOOBo": 
["ProvEo","ProvEoOOBi","ProvOOBi","DevEo","DevEoOOBo","DevOOBo","ProvECDH","DevECDH","EoOOBiEoOOBo"],
+"EoOOBiEoOOBs": ["ProvEo","ProvEoOOBi","ProvOOBi","DevEo","DevEoOOBs","DevOOBs","ProvECDH","DevECDH","EoOOBiEoOOBs"],
+"EoOOBoEoOOBno": ["ProvEo","ProvEoOOBo","ProvOOBo","DevEo","DevEoOOBno","DevOOBno","ProvECDH","DevECDH","EoOOBoEoOOBno"],
+"EoOOBoEoOOBi": ["ProvEo","ProvEoOOBo","ProvOOBo","DevEo","DevEoOOBi","DevOOBi","ProvECDH","DevECDH","EoOOBoEoOOBi"],
+"EoOOBoEoOOBo": ["ProvEo","ProvEoOOBo","ProvOOBo","DevEo","DevEoOOBo","DevOOBo","ProvECDH","DevECDH","EoOOBoEoOOBo"],
+"EoOOBoEoOOBs": ["ProvEo","ProvEoOOBo","ProvOOBo","DevEo","DevEoOOBs","DevOOBs","ProvECDH","DevECDH","EoOOBoEoOOBs"],
+"EoOOBsEoOOBno": ["ProvEo","ProvEoOOBs","ProvOOBs","DevEo","DevEoOOBno","DevOOBno","ProvECDH","DevECDH","EoOOBsEoOOBno"],
+"EoOOBsEoOOBi": ["ProvEo","ProvEoOOBs","ProvOOBs","DevEo","DevEoOOBi","DevOOBi","ProvECDH","DevECDH","EoOOBsEoOOBi"],
+"EoOOBsEoOOBo": ["ProvEo","ProvEoOOBs","ProvOOBs","DevEo","DevEoOOBo","DevOOBo","ProvECDH","DevECDH","EoOOBsEoOOBo"],
+"EoOOBsEoOOBs": ["ProvEo","ProvEoOOBs","ProvOOBs","DevEo","DevEoOOBs","DevOOBs","ProvECDH","DevECDH","EoOOBsEoOOBs"],
+}
+*/
+
+end
diff --git a/examples/esorics23-bluetooth/results/results_ble.png b/examples/esorics23-bluetooth/results/results_ble.png
new file mode 100644
index 000000000..2d0facbc7
Binary files /dev/null and b/examples/esorics23-bluetooth/results/results_ble.png differ
diff --git a/examples/esorics23-bluetooth/results/results_bredr.png b/examples/esorics23-bluetooth/results/results_bredr.png
new file mode 100644
index 000000000..8b43e6a3b
Binary files /dev/null and b/examples/esorics23-bluetooth/results/results_bredr.png differ
diff --git a/examples/esorics23-bluetooth/results/results_mesh.png b/examples/esorics23-bluetooth/results/results_mesh.png
new file mode 100644
index 000000000..2ff8d6496
Binary files /dev/null and b/examples/esorics23-bluetooth/results/results_mesh.png differ