├── .gitignore ├── .merlin ├── Examples ├── in_papers │ ├── CCS19-ChevalKremerRakotonirina │ │ ├── AKA.dps │ │ ├── BAC_1ident_1fresh.dps │ │ ├── BAC_2ident_1fresh.dps │ │ ├── BAC_2ident_2fresh.dps │ │ ├── BAC_2ident_3fresh.dps │ │ ├── BAC_3ident_1fresh.dps │ │ ├── BAC_3ident_2fresh.dps │ │ ├── BAC_4ident_1fresh.dps │ │ ├── Helios_2A_1B.dps │ │ ├── Helios_2A_2B.dps │ │ ├── Helios_3A_1B.dps │ │ ├── Helios_3A_2B.dps │ │ ├── Helios_3A_3B.dps │ │ ├── Helios_4A_1B.dps │ │ ├── Helios_4A_2B.dps │ │ ├── Helios_5A_1B.dps │ │ ├── Helios_7A_3B.dps │ │ ├── Helios_BPRIV.dps │ │ ├── Scytl.dps │ │ ├── Toy_bac.dps │ │ ├── Toy_voting_2hv_1dv.dps │ │ ├── Toy_voting_2hv_2dv.dps │ │ └── Toy_voting_2hv_3dv.dps │ ├── JCS19-BabelChevalKremer │ │ ├── IO_Unambiguous │ │ │ ├── IO_AKA.dps │ │ │ ├── IO_DenningSacco.dps │ │ │ ├── IO_NSL.dps │ │ │ ├── IO_PA_anonimity.dps │ │ │ ├── IO_PA_unlinkability.dps │ │ │ ├── IO_PrivateAuthentication.dps │ │ │ ├── IO_WideMouthFrog.dps │ │ │ └── IO_YahalomLowe.dps │ │ ├── Semantics_Comparaison │ │ │ ├── classic_not_private.dps │ │ │ ├── determinate_classic_not_private.dps │ │ │ ├── private_classic_not_eavesdrop.dps │ │ │ └── private_not_classic.dps │ │ ├── Single_Channel │ │ │ ├── AKA.dps │ │ │ ├── DenningSacco.dps │ │ │ ├── Helios.dps │ │ │ ├── NSL.dps │ │ │ ├── PA-anonimity.dps │ │ │ ├── PA-unlinkability.dps │ │ │ ├── PrivateAuthentication.dps │ │ │ ├── Scytl.dps │ │ │ ├── WideMouthFrog.dps │ │ │ └── YahalomLowe.dps │ │ └── Strongly_Action_Determinate │ │ │ ├── SAD_AKA.dps │ │ │ ├── SAD_DenningSacco.dps │ │ │ ├── SAD_NSL.dps │ │ │ ├── SAD_PA_anonimity.dps │ │ │ ├── SAD_PA_unlinkability.dps │ │ │ ├── SAD_PrivateAuthentication.dps │ │ │ ├── SAD_WideMouthFrog.dps │ │ │ └── SAD_YahalomLowe.dps │ └── POST17-BabelChevalKremer │ │ ├── classic_not_private.dps │ │ ├── private_classic_not_eavesdrop.dps │ │ └── private_not_classic.dps ├── session_equivalence │ ├── AKA │ │ └── anonymity │ │ │ ├── AKA-2sessions.dps │ │ │ ├── AKA-3sessions.dps │ │ │ └── AKA-4sessions.dps │ ├── BAC │ │ ├── BAC-2sessions-inclusion.dps │ │ ├── BAC-2sessions.dps │ │ ├── BAC-3sessions-inclusion.dps │ │ ├── BAC-3sessions.dps │ │ ├── BAC-4sessions-1fresh-inclusion.dps │ │ ├── BAC-4sessions-1fresh.dps │ │ ├── BAC-4sessions-2fresh-inclusion.dps │ │ ├── BAC-4sessions-2fresh.dps │ │ ├── BAC-5sessions-1fresh-inclusion.dps │ │ ├── BAC-5sessions-1fresh.dps │ │ ├── BAC-5sessions-2fresh-inclusion.dps │ │ ├── BAC-5sessions-2fresh.dps │ │ ├── BAC-5sessions-3fresh-inclusion.dps │ │ └── BAC-5sessions-3fresh.dps │ ├── Denning-Sacco │ │ ├── DenningSacco-11sessions-4dishonests.dps │ │ ├── DenningSacco-1session.dps │ │ ├── DenningSacco-2sessions.dps │ │ ├── DenningSacco-3sessions.dps │ │ ├── DenningSacco-4sessions-2dishonests.dps │ │ ├── DenningSacco-6sessions-4dishonests-2.dps │ │ ├── DenningSacco-6sessions-4dishonests.dps │ │ └── DenningSacco-7sessions-4dishonests.dps │ ├── Helios │ │ ├── Helios_no_revote_ZKP.dps │ │ ├── Helios_no_revote_weeding.dps │ │ ├── Helios_revote_ZKP21.dps │ │ ├── Helios_revote_ZKP22.dps │ │ ├── Helios_revote_ZKP31.dps │ │ ├── Helios_revote_ZKP32.dps │ │ ├── Helios_revote_ZKP33.dps │ │ ├── Helios_revote_ZKP41.dps │ │ ├── Helios_revote_ZKP42.dps │ │ ├── Helios_revote_ZKP51.dps │ │ ├── Helios_revote_ZKPmax.dps │ │ ├── Helios_revote_weeding.dps │ │ └── Helios_vanilla_attack.dps │ ├── Helios_bpriv │ │ ├── helios_bpriv_vanilla.dps │ │ ├── helios_bpriv_weed.dps │ │ ├── helios_bpriv_zkp7ballots.dps │ │ └── helios_bpriv_zkp7ballots_overkill.dps │ ├── PaV │ │ ├── Pret-a-voter-false-attack.dps │ │ └── Pret-a-voter.dps │ ├── quantum │ │ ├── QBC-attack │ │ │ ├── QBC_10qubits.dps │ │ │ ├── QBC_11qubits.dps │ │ │ ├── QBC_12qubits.dps │ │ │ ├── QBC_4qubits.dps │ │ │ ├── QBC_6qubits.dps │ │ │ └── QBC_8qubits.dps │ │ └── QBC-proof │ │ │ ├── QBC_10qubits.dps │ │ │ ├── QBC_11qubits.dps │ │ │ ├── QBC_12qubits.dps │ │ │ ├── QBC_4qubits.dps │ │ │ ├── QBC_6qubits.dps │ │ │ └── QBC_8qubits.dps │ └── scytl.dps ├── toys_and_tests │ ├── README.md │ ├── session_equivalence │ │ ├── BAC-2sessions.dps │ │ ├── BAC-3sessions.dps │ │ ├── BAC-4sessions-2fresh-IO_unambiguous.dps │ │ ├── BAC-4sessions-2fresh-double-inclusion.dps │ │ ├── BAC-4sessions-2fresh-inclusion_pure.dps │ │ ├── BAC-4sessions-2fresh_pure.dps │ │ ├── Otway-Rees-3sessions-2dishonest.dps │ │ ├── PrivateAuthentication-3sessions.dps │ │ ├── bug1.dps │ │ ├── bug2.dps │ │ ├── bug3.dps │ │ ├── bug4.dps │ │ ├── bug5.dps │ │ ├── bug6.dps │ │ ├── bug7.dps │ │ ├── bugSKremer.dps │ │ ├── bug_67.dps │ │ ├── bug_67_2.dps │ │ ├── bug_68.dps │ │ ├── destroyer.dps │ │ ├── display_trace1.dps │ │ ├── fail_determinate.dps │ │ ├── helios_bpriv_zkp7ballots_test.dps │ │ ├── heuristic.dps │ │ ├── improper1.dps │ │ ├── inclusion_not_equiv.dps │ │ ├── quantum.dps │ │ ├── toy_bac │ │ │ ├── bac_mini.dps │ │ │ └── bac_mini_2sessions_false_attack.dps │ │ ├── toy_vote │ │ │ ├── minivote_2hv1dv.dps │ │ │ ├── minivote_2hv2dv.dps │ │ │ └── minivote_2hv3dv.dps │ │ ├── warning.dps │ │ └── warning_and_error.dps │ └── trace_equivalence │ │ ├── AA-bug.dps │ │ ├── LAK06-UK3-pair.dps │ │ ├── Simple_10_par.dps │ │ ├── Simple_1_par.dps │ │ ├── Simple_2_par.dps │ │ ├── Simple_3_par.dps │ │ ├── Simple_4_par.dps │ │ ├── Simple_5_par.dps │ │ ├── Simple_6_par.dps │ │ ├── Simple_7_par.dps │ │ ├── Simple_8_par.dps │ │ ├── Simple_9_par.dps │ │ ├── WMF-bug.dps │ │ ├── bug_59.dps │ │ ├── bug_59_2.dps │ │ ├── bug_69.dps │ │ ├── bug_70.dps │ │ ├── bug_71.dps │ │ ├── bug_71_Passive-ActivityTracking-State.dps │ │ ├── bug_72_simulator_BAC.dps │ │ ├── bug_itsaka.dps │ │ ├── bug_itsaka2.dps │ │ ├── bug_itsaka3.dps │ │ ├── choice.dps │ │ ├── choice2.dps │ │ ├── determinate_else.dps │ │ ├── elsebranchdisplay.dps │ │ ├── equality_constructor.dps │ │ ├── equivalent.dps │ │ ├── equivalent2.dps │ │ ├── equivalent3.dps │ │ ├── example_0.dps │ │ ├── example_1.dps │ │ ├── example_2.dps │ │ ├── example_3.dps │ │ ├── example_constant.dps │ │ ├── example_stackOverflow.dps │ │ ├── get_public_key_bug.dps │ │ ├── history_skeletons.dps │ │ ├── loli_destroyer.dps │ │ ├── loli_destroyer2.dps │ │ ├── non-equivalent.dps │ │ ├── nonequivalentnoaction.dps │ │ ├── nonequivalentnoaction2.dps │ │ ├── not_static_message.dps │ │ ├── pap-1-session.dps │ │ ├── private_function1.dps │ │ ├── private_names.dps │ │ ├── test_mergin_branch1.dps │ │ ├── test_mergin_branch2.dps │ │ ├── test_subterm1.dps │ │ ├── test_subterm2.dps │ │ ├── test_subterm3.dps │ │ ├── test_subterm4.dps │ │ ├── trace_inclusion.dps │ │ ├── tuple.dps │ │ ├── warning.dps │ │ ├── warning_and_error.dps │ │ └── yahalom-paulson-bug.dps ├── trace_equivalence │ ├── 3G-AKA-protocol │ │ ├── anonymity │ │ │ ├── AKA-15sessions-pure.dps │ │ │ ├── AKA-15sessions-pure2.dps │ │ │ ├── AKA-2sessions.dps │ │ │ ├── AKA-3sessions.dps │ │ │ ├── AKA-4sessions.dps │ │ │ ├── AKA-5sessions.dps │ │ │ ├── AKA-6sessions-pure.dps │ │ │ ├── AKA-6sessions.dps │ │ │ ├── AKA-7sessions.dps │ │ │ ├── AKA-8sessions.dps │ │ │ ├── AKA-9sessions-pure.dps │ │ │ ├── AKA-9sessions.dps │ │ │ └── AKA-9sessions2.dps │ │ └── unlinkability │ │ │ ├── AKA-2sessions.dps │ │ │ └── AKA-3sessions.dps │ ├── Denning_sacco │ │ ├── DenningSacco-11sessions-4dishonests.dps │ │ ├── DenningSacco-18sessions-6dishonests.dps │ │ ├── DenningSacco-1session.dps │ │ ├── DenningSacco-20sessions-8dishonests.dps │ │ ├── DenningSacco-2sessions.dps │ │ ├── DenningSacco-3sessions-2dishonests.dps │ │ ├── DenningSacco-3sessions.dps │ │ ├── DenningSacco-4sessions-2dishonests.dps │ │ ├── DenningSacco-5sessions-3dishonests.dps │ │ ├── DenningSacco-6sessions-4dishonests.dps │ │ └── DenningSacco-7sessions-4dishonests.dps │ ├── Electronic_passport │ │ ├── Basic-access-control │ │ │ ├── BAC-2sessions.dps │ │ │ └── BAC-3sessions.dps │ │ ├── Passive-authentication-anonymity │ │ │ ├── PA-anonimity-11sessions-1dishonnest.dps │ │ │ ├── PA-anonimity-1session.dps │ │ │ ├── PA-anonimity-2sessions.dps │ │ │ ├── PA-anonimity-3sessions.dps │ │ │ ├── PA-anonimity-4sessions-1dishonnest.dps │ │ │ ├── PA-anonimity-5sessions-1dishonnest.dps │ │ │ └── PA-anonimity-8sessions-1dishonnest.dps │ │ └── Passive-authentication-unlinkability │ │ │ ├── PA-unlinkability-11sessions-1dishonnest.dps │ │ │ ├── PA-unlinkability-2sessions.dps │ │ │ ├── PA-unlinkability-3sessions.dps │ │ │ ├── PA-unlinkability-4sessions-1dishonest.dps │ │ │ ├── PA-unlinkability-5sessions-1dishonnest.dps │ │ │ └── PA-unlinkability-8sessions-1dishonnest.dps │ ├── Helios │ │ ├── Helios_no_revote_ZKP.dps │ │ ├── Helios_no_revote_weeding.dps │ │ ├── Helios_revote_ZKP11.dps │ │ ├── Helios_revote_ZKP21.dps │ │ ├── Helios_revote_weeding.dps │ │ ├── Helios_revote_weeding3.dps │ │ └── Helios_vanilla_attack.dps │ ├── Helios_bpriv │ │ ├── helios_bpriv106.dps │ │ ├── helios_bpriv115.dps │ │ ├── helios_bpriv205.dps │ │ ├── helios_bpriv214.dps │ │ ├── helios_bpriv223.dps │ │ ├── helios_bpriv304.dps │ │ ├── helios_bpriv313.dps │ │ ├── helios_bpriv322.dps │ │ ├── helios_bpriv331.dps │ │ ├── helios_bpriv403.dps │ │ ├── helios_bpriv412.dps │ │ ├── helios_bpriv421.dps │ │ ├── helios_bpriv430.dps │ │ ├── helios_bpriv502.dps │ │ ├── helios_bpriv511.dps │ │ ├── helios_bpriv520.dps │ │ ├── helios_bpriv601.dps │ │ ├── helios_bpriv610.dps │ │ └── helios_bpriv700.dps │ ├── Needham_schroeder │ │ ├── NSL-1session.dps │ │ ├── NSL-3sessions-2dishonest.dps │ │ ├── NSL-6sessions-4dishonest.dps │ │ └── NSL-8sessions-4dishonest.dps │ ├── Otway-rees │ │ ├── Otway-Rees-1session.dps │ │ ├── Otway-Rees-2sessions.dps │ │ ├── Otway-Rees-3sessions-2dishonest.dps │ │ ├── Otway-Rees-4sessions-2dishonest.dps │ │ └── Otway-Rees-6sessions-4dishonest.dps │ ├── Pret-a-voter │ │ └── Pret-a-voter.dps │ ├── Private_authentication │ │ ├── PrivateAuthentication-1session-attack.dps │ │ ├── PrivateAuthentication-1session.dps │ │ ├── PrivateAuthentication-2sessions.dps │ │ ├── PrivateAuthentication-3sessions.dps │ │ ├── PrivateAuthentication-5sessions-2dishonest.dps │ │ ├── PrivateAuthentication-6sessions-2dishonest.dps │ │ ├── PrivateAuthentication-9sessions-3dishonest-pure.dps │ │ └── PrivateAuthentication-9sessions-3dishonest.dps │ ├── Scytl │ │ └── scytl.dps │ ├── Wide-mouth-frog │ │ ├── WMF-1session.dps │ │ ├── WMF-2sessions.dps │ │ ├── WMF-3sessions-2dishonests.dps │ │ ├── WMF-3sessions.dps │ │ ├── WMF-4sessions-2dishonests.dps │ │ ├── WMF-5sessions-3dishonests.dps │ │ ├── WMF-6sessions-4dishonests.dps │ │ ├── WMF-7sessions-4dishonests.dps │ │ └── WMF-9sessions-4dishonests.dps │ ├── Yahalom-Lowe │ │ ├── YahalomLowe-10sessions-4dishonest.dps │ │ ├── YahalomLowe-10sessions-5dishonest.dps │ │ ├── YahalomLowe-11sessions-4dishonest.dps │ │ ├── YahalomLowe-1session.dps │ │ ├── YahalomLowe-2sessions.dps │ │ ├── YahalomLowe-3sessions-2dishonest.dps │ │ ├── YahalomLowe-3sessions.dps │ │ ├── YahalomLowe-4sessions-2dishonest.dps │ │ ├── YahalomLowe-5sessions-3dishonest.dps │ │ ├── YahalomLowe-6sessions-4dishonest.dps │ │ ├── YahalomLowe-7sessions-4dishonest.dps │ │ └── YahalomLowe-9sessions-4dishonest.dps │ └── quantum │ │ ├── QBC-attack │ │ ├── QBC_4qubits.dps │ │ └── QBC_6qubits.dps │ │ └── QBC-proof │ │ ├── QBC_4qubits.dps │ │ └── QBC_6qubits.dps └── tutorial │ ├── pap-1-session-attack.dps │ ├── pap-1-session.dps │ ├── pap-2-sessions.dps │ ├── pap-3-sessions.dps │ ├── pap-por-9-sessions.dps │ ├── pap-session-equiv-5-sessions.dps │ └── trace-vs-session.dps ├── LICENSE ├── Makefile ├── README.md ├── Source ├── core_library │ ├── config.ml.in │ ├── config.mli │ ├── constraint_system.ml │ ├── constraint_system.mli │ ├── data_structure.ml │ ├── data_structure.mli │ ├── display.ml │ ├── display.mli │ ├── extensions.ml │ ├── formula.ml │ ├── formula.mli │ ├── process.ml │ ├── process.mli │ ├── rewrite_rules.ml │ ├── rewrite_rules.mli │ ├── statistic.ml │ ├── term.ml │ ├── term.mli │ └── types.mli ├── distributed │ ├── distrib.ml │ ├── distrib.mli │ ├── distributed_equivalence.ml │ ├── distributed_equivalence.mli │ └── worker.ml ├── interface │ ├── display_ui.ml │ ├── display_ui.mli │ ├── execution_manager.ml │ ├── execution_manager.mli │ ├── grammar_ui.mly │ ├── interface.ml │ ├── interface.mli │ ├── lexer_ui.mll │ ├── parsing_functions_ui.ml │ ├── parsing_functions_ui.mli │ ├── simulator.ml │ ├── simulator.mli │ └── types_ui.mli ├── main.ml ├── main_api.ml ├── parser │ ├── grammar.mly │ ├── lexer.mll │ ├── parser_functions.ml │ └── parser_functions.mli └── query_solving │ ├── determinate_equivalence.ml │ ├── determinate_equivalence.mli │ ├── determinate_process.ml │ ├── determinate_process.mli │ ├── generic_equivalence.ml │ ├── generic_equivalence.mli │ ├── generic_process.ml │ ├── generic_process.mli │ ├── session_equivalence.ml │ └── session_process.ml ├── _tags ├── changelog ├── deepsec.opam └── script ├── check └── cpu_linux_osx /.gitignore: -------------------------------------------------------------------------------- 1 | .depend 2 | deepsec 3 | deepsec_api 4 | deepsec_worker 5 | test_deepsec 6 | index_old.html 7 | 8 | log 9 | 10 | *.js 11 | *.cmi 12 | *.cmt 13 | *.cmti 14 | *.cmx 15 | *.o 16 | *.bbl 17 | *.blg 18 | *.dvi 19 | *.log 20 | *.out 21 | *.toc 22 | *.pdf 23 | *.gz 24 | *.DS_Store 25 | *.native 26 | 27 | result_files 28 | 29 | Source/interface/grammar_ui.ml 30 | Source/interface/grammar_ui.mli 31 | Source/interface/grammar_ui.output 32 | Source/interface/lexer_ui.ml 33 | Source/parser/grammar.ml 34 | Source/parser/grammar.mli 35 | Source/parser/grammar.output 36 | Source/parser/lexer.ml 37 | Source/testing/testing_grammar.ml 38 | Source/testing/testing_grammar.mli 39 | Source/testing/testing_grammar.output 40 | Source/testing/testing_lexer.ml 41 | Source/core_library/config.ml 42 | 43 | # documentation/Core_library.tex 44 | # documentation/Subterms.tex 45 | # documentation/Testing.tex 46 | # documentation/Distributed.tex 47 | # documentation/main.aux 48 | 49 | index.html 50 | testing_data/tests_to_check/* 51 | testing_data/testing.html 52 | testing_data/validated_tests/*.html 53 | testing_data/validated_tests/*.js 54 | testing_data/faulty_tests/* 55 | result 56 | 57 | 58 | Examples/Benchmark/.* 59 | Examples/Benchmark/bench_* 60 | 61 | worker_deepsec 62 | manager_deepsec 63 | 64 | 65 | # other files 66 | *_build 67 | /Examples/session_equivalence/tests/scratch.dps 68 | /documentation/files/* 69 | !/documentation/files/.content 70 | -------------------------------------------------------------------------------- /.merlin: -------------------------------------------------------------------------------- 1 | B _build/** 2 | B Source/** 3 | B +threads 4 | -------------------------------------------------------------------------------- /Examples/in_papers/CCS19-ChevalKremerRakotonirina/BAC_1ident_1fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | if xm_m = mac(xm_e,k_m) 36 | then 37 | let (xn_r,xn_t,xk_r) = sdec(xm_e,k_e) in 38 | if xn_t = n_t 39 | then ( 40 | new k_t; 41 | let z = senc((n_t,xn_r,k_t),k_e) in 42 | out(c,(z,mac(z,k_m))) 43 | ) else out(c,Error_6300) 44 | else out(c,Error_6300) 45 | else out(c,Error_6300). 46 | 47 | let system(k_e,k_m) = 48 | passport(k_e,k_m) | reader(k_e,k_m). 49 | 50 | // Unlinkability 51 | 52 | let system1 = 53 | !^2 new k_e; new k_m; system(k_e,k_m). 54 | 55 | let system2 = 56 | new k_e; new k_m; !^2 system(k_e,k_m). 57 | 58 | 59 | query session_equiv(system1,system2). 60 | -------------------------------------------------------------------------------- /Examples/in_papers/CCS19-ChevalKremerRakotonirina/BAC_2ident_1fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | // Unlinkability 43 | 44 | let system1 = 45 | !^3 new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m)). 46 | 47 | let system2 = 48 | new k_e; new k_m; (!^2 passport(k_e,k_m) | !^2 reader(k_e,k_m)) 49 | | new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m)). 50 | 51 | 52 | query session_equiv(system1,system2). 53 | -------------------------------------------------------------------------------- /Examples/in_papers/CCS19-ChevalKremerRakotonirina/BAC_2ident_2fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c,d. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(c,k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(c,k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(c,k_e,k_m) | reader(c,k_e,k_m). 44 | 45 | let system_fresh = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_1111 = // system to compare with 51 | !^4 system_fresh. 52 | 53 | let system_22 = // attack 54 | !^2 new k_e; new k_m; !^2 system(k_e,k_m). 55 | 56 | let system_211 = // equivalence 57 | new k_e; new k_m; !^2 system(k_e,k_m) | !^2 system_fresh. 58 | 59 | let system_31 = // attack 60 | new k_e; new k_m; !^3 system(k_e,k_m) | system_fresh. 61 | 62 | let system_4 = // attack 63 | new k_e; new k_m; !^4 system(k_e,k_m). 64 | 65 | 66 | query session_equiv(system_1111,system_211). 67 | -------------------------------------------------------------------------------- /Examples/in_papers/CCS19-ChevalKremerRakotonirina/BAC_2ident_3fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(k_e,k_m) | reader(k_e,k_m). 44 | 45 | let fresh_system = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_11111 = 51 | !^5 fresh_system. 52 | 53 | let system_2111 = 54 | new k_e; new k_m; !^2 system(k_e,k_m) | !^3 fresh_system. 55 | 56 | let system_311 = 57 | new k_e; new k_m; !^3 system(k_e,k_m) | !^2 fresh_system. 58 | 59 | let system_41 = 60 | new k_e; new k_m; !^4 system(k_e,k_m) | fresh_system. 61 | 62 | let system_5 = 63 | new k_e; new k_m; !^5 system(k_e,k_m). 64 | 65 | let system_221 = 66 | !^2 new k_e; new k_m; !^2 system(k_e,k_m) | fresh_system. 67 | 68 | let system_32 = 69 | new k_e; new k_m; !^3 system(k_e,k_m) | 70 | new k_e; new k_m; !^2 system(k_e,k_m). 71 | 72 | 73 | query session_equiv(system_11111,system_2111). 74 | -------------------------------------------------------------------------------- /Examples/in_papers/CCS19-ChevalKremerRakotonirina/BAC_3ident_1fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c,d. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(c,k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(c,k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(c,k_e,k_m) | reader(c,k_e,k_m). 44 | 45 | let system_fresh = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_1111 = // system to compare with 51 | !^4 system_fresh. 52 | 53 | let system_22 = // attack 54 | !^2 new k_e; new k_m; !^2 system(k_e,k_m). 55 | 56 | let system_211 = // equivalence 57 | new k_e; new k_m; !^2 system(k_e,k_m) | !^2 system_fresh. 58 | 59 | let system_31 = // attack 60 | new k_e; new k_m; !^3 system(k_e,k_m) | system_fresh. 61 | 62 | let system_4 = // attack 63 | new k_e; new k_m; !^4 system(k_e,k_m). 64 | 65 | 66 | query session_equiv(system_1111,system_31). 67 | -------------------------------------------------------------------------------- /Examples/in_papers/CCS19-ChevalKremerRakotonirina/BAC_3ident_2fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(k_e,k_m) | reader(k_e,k_m). 44 | 45 | let fresh_system = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_11111 = 51 | !^5 fresh_system. 52 | 53 | let system_2111 = 54 | new k_e; new k_m; !^2 system(k_e,k_m) | !^3 fresh_system. 55 | 56 | let system_311 = 57 | new k_e; new k_m; !^3 system(k_e,k_m) | !^2 fresh_system. 58 | 59 | let system_41 = 60 | new k_e; new k_m; !^4 system(k_e,k_m) | fresh_system. 61 | 62 | let system_5 = 63 | new k_e; new k_m; !^5 system(k_e,k_m). 64 | 65 | let system_221 = 66 | !^2 new k_e; new k_m; !^2 system(k_e,k_m) | fresh_system. 67 | 68 | let system_32 = 69 | new k_e; new k_m; !^3 system(k_e,k_m) | 70 | new k_e; new k_m; !^2 system(k_e,k_m). 71 | 72 | 73 | query session_equiv(system_11111,system_311). 74 | -------------------------------------------------------------------------------- /Examples/in_papers/CCS19-ChevalKremerRakotonirina/BAC_4ident_1fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(k_e,k_m) | reader(k_e,k_m). 44 | 45 | let fresh_system = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_11111 = 51 | !^5 fresh_system. 52 | 53 | let system_2111 = 54 | new k_e; new k_m; !^2 system(k_e,k_m) | !^3 fresh_system. 55 | 56 | let system_311 = 57 | new k_e; new k_m; !^3 system(k_e,k_m) | !^2 fresh_system. 58 | 59 | let system_41 = 60 | new k_e; new k_m; !^4 system(k_e,k_m) | fresh_system. 61 | 62 | let system_5 = 63 | new k_e; new k_m; !^5 system(k_e,k_m). 64 | 65 | let system_221 = 66 | !^2 new k_e; new k_m; !^2 system(k_e,k_m) | fresh_system. 67 | 68 | let system_32 = 69 | new k_e; new k_m; !^3 system(k_e,k_m) | 70 | new k_e; new k_m; !^2 system(k_e,k_m). 71 | 72 | 73 | query session_equiv(system_11111,system_41). 74 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/IO_Unambiguous/IO_DenningSacco.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | 11 | free a, b, s1, s2. 12 | 13 | free c1,c2,c3. 14 | 15 | free ok. 16 | 17 | fun senc/2. 18 | reduc sdec(senc(x,y),y) -> x. 19 | 20 | let processA(a,kas,b) = 21 | out(c1,(a,b)); 22 | in(c2,xa); 23 | let (=b,xab,xmb) = sdec(xa,kas) in 24 | out(c3,xmb). 25 | 26 | let processB(b,kbs,a) = 27 | in(c1,yb); 28 | let (yab,=a)= sdec(yb,kbs) in 29 | 0. 30 | 31 | let processS(a,kas,b,kbs) = 32 | in(c1,zs); 33 | if zs = (a,b) then 34 | new kab; 35 | out(c2,senc((b,kab,senc((kab,a),kbs)),kas)). 36 | 37 | let processSProp(a,kas,b,kbs,s) = 38 | in(c1,zs); 39 | if zs = (a,b) then 40 | out(c2,senc((b,s,senc((s,a),kbs)),kas)). 41 | 42 | // Main 43 | 44 | let Preal = 45 | new kas; new kbs; 46 | ( 47 | processA(a,kas,b) | processB(b,kbs,a) | processSProp(a,kas,b,kbs,s1) | 48 | processA(a,kas,b) | processB(b,kbs,a) | processS(a,kas,b,kbs) 49 | ). 50 | 51 | 52 | let Pideal = 53 | new kas; new kbs; 54 | ( 55 | processA(a,kas,b) | processB(b,kbs,a) | processSProp(a,kas,b,kbs,s2) | 56 | processA(a,kas,b) | processB(b,kbs,a) | processS(a,kas,b,kbs) 57 | ). 58 | 59 | query trace_equiv(Preal,Pideal). 60 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/IO_Unambiguous/IO_NSL.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Needham-Schroeder-Lowe asymmetric protocol 3 | A -> B: {A,nA,r1}_pkB 4 | B -> A: {B,nA,nB,r2}_pkA 5 | A -> B: {nB,r3}_pkB 6 | *) 7 | 8 | 9 | free a,b,c. 10 | 11 | free s1,s2. 12 | 13 | free c0,c1,c2,c3. 14 | 15 | free kc. 16 | 17 | fun pk/1. 18 | fun aenc/3. 19 | reduc adec(aenc(x,r,pk(k)),k) -> x. 20 | 21 | // Alice 22 | let A(a,b,ka,pkb) = 23 | new na; 24 | new r1; 25 | new r3; 26 | out(c1,aenc((a,na),r1,pkb)); 27 | in(c2,xenc); 28 | let (=b,=na,x3) = adec(xenc,ka) in 29 | out(c3, aenc(x3,r3,pkb)). 30 | 31 | // Bob (+property) 32 | let B1(b,a,kb,pka) = 33 | new r2; 34 | in(c1,z); 35 | let (=a,z2) = adec(z,kb) in 36 | out(c2,aenc((b,z2,s1),r2,pka)); 37 | in(c3,x). 38 | 39 | let B2(b,a,kb,pka) = 40 | new r2; 41 | in(c1,z); 42 | let (=a,z2) = adec(z,kb) in 43 | out(c2,aenc((b,z2,s2),r2,pka)); 44 | in(c3,x). 45 | 46 | 47 | // Bob 48 | let B(b,a,kb,pka) = 49 | new nb; 50 | new r2; 51 | in(c1,z); 52 | let (=a,z2) = adec(z,kb) in 53 | out(c2,aenc((b,z2,nb),r2,pka)); 54 | in(c3,x). 55 | 56 | let P = 57 | new ka; new kb; 58 | out(c0,pk(ka)); 59 | out(c0,pk(kb)); 60 | ( 61 | A(a,b,ka,pk(kb)) | B1(b,a,kb,pk(ka)) | 62 | A(a,c,ka,pk(kc)) | 63 | B(b,c,kb,pk(kc)) 64 | ). 65 | 66 | 67 | let Q = 68 | new ka; new kb; 69 | out(c0,pk(ka)); 70 | out(c0,pk(kb)); 71 | ( 72 | A(a,b,ka,pk(kb)) | B2(b,a,kb,pk(ka)) | 73 | A(a,c,ka,pk(kc)) | 74 | B(b,c,kb,pk(kc)) 75 | ). 76 | 77 | 78 | query trace_equiv(P,Q). 79 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/IO_Unambiguous/IO_PrivateAuthentication.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free c0,c1,c2. 9 | 10 | free ska, skb, skc [private]. 11 | 12 | fun aenc/2. 13 | fun pk/1. 14 | 15 | reduc adec(aenc(x,pk(y)),y) -> x. 16 | 17 | /* 18 | Description of role A played: 19 | - on channel ca 20 | - by the agent with private key ska 21 | - with the agent with public key pkb 22 | */ 23 | 24 | let processA(ska,pkb) = 25 | new na; 26 | out(c1,aenc((na,pk(ska)),pkb)); 27 | in(c2,x). 28 | 29 | 30 | /* 31 | Description of role B played: 32 | - on channel cb 33 | - by the agent with private key skb 34 | - with the agent with public key pka 35 | */ 36 | 37 | let processB(skb,pka) = 38 | in(c1,yb); 39 | new nb; 40 | let (yna,=pka) = adec(yb,skb) in 41 | out(c2,aenc((yna,nb,pk(skb)),pka)) 42 | else out(c2,aenc(nb,pk(skb))). 43 | 44 | /* 45 | Main 46 | */ 47 | 48 | let ProcessAB = 49 | out(c0,pk(ska)); 50 | out(c0,pk(skb)); 51 | out(c0,pk(skc)); 52 | ( 53 | processA(ska,pk(skb)) | processB(skb,pk(ska)) | // B expect to talk to A 54 | processA(ska,pk(skb)) | processB(skb,pk(ska)) // B expect to talk to A 55 | ). 56 | 57 | let ProcessCB = 58 | out(c0,pk(ska)); 59 | out(c0,pk(skb)); 60 | out(c0,pk(skc)); 61 | ( 62 | processA(skc,pk(skb)) | processB(skb,pk(skc)) | // B expect to talk to C 63 | processA(ska,pk(skb)) | processB(skb,pk(ska)) // B expect to talk to A 64 | ). 65 | 66 | 67 | query trace_equiv(ProcessAB,ProcessCB). 68 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/IO_Unambiguous/IO_WideMouthFrog.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs [private]. 10 | 11 | free c1,c2. 12 | 13 | fun senc/2. 14 | reduc sdec(senc(x,y),y) -> x. 15 | 16 | let A1(a,b,kas) = 17 | out(c1, (a, senc((b,s1),kas))). 18 | 19 | let A2(a,b,kas) = 20 | out(c1, (a, senc((b,s2),kas))). 21 | 22 | let A(a,b,kas) = 23 | new kab; 24 | out(c1, (a, senc((b,kab),kas))). 25 | 26 | let S(a,b,kas,kbs) = 27 | in(c1, x); 28 | let (=a,xenc) = x in 29 | let (=b,xk) = sdec(xenc,kas) in 30 | out(c2, senc((a,xk),kbs)). 31 | 32 | let B(b,a,kbs) = 33 | in(c2,y); 34 | let (ya,yk) = sdec(y,kbs) in 0. 35 | 36 | let P = 37 | A1(a,b,kas) | S(a,b,kas,kbs) | B(b,a,kbs) | 38 | A(a,b,kas) | S(a,b,kas,kbs) | B(b,a,kbs) | 39 | A(a,b,kas) | S(a,b,kas,kbs) | B(b,a,kbs). 40 | 41 | let Q = 42 | A2(a,b,kas) | S(a,b,kas,kbs) | B(b,a,kbs) | 43 | A(a,b,kas) | S(a,b,kas,kbs) | B(b,a,kbs) | 44 | A(a,b,kas) | S(a,b,kas,kbs) | B(b,a,kbs). 45 | 46 | query trace_equiv(P,Q). 47 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/IO_Unambiguous/IO_YahalomLowe.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Yahalom - Lowe protocol (without the last message) 3 | A, B, S : principal 4 | Na, Nb : fresh numbers 5 | Kas, Kbs, Kab : key 6 | 7 | 1. A -> B : A, Na 8 | 2. B -> S : {A, Na, Nb}Kbs 9 | 3. S -> A : {B, Kab, Na, Nb}Kas 10 | 4. S -> B : {A, Kab}Kbs 11 | *) 12 | 13 | //Channels : 14 | 15 | free c1,c2,c3. 16 | 17 | //Public data : 18 | free a,b,s. 19 | free s1,s2. 20 | 21 | fun senc/2. 22 | reduc sdec(senc(x,y),y) -> x. 23 | 24 | // Alice: 25 | let A(a,b,kas) = 26 | new na; 27 | out(c1,(a,na)); 28 | in(c3,x0); 29 | let (=b,xkab,=na,xnb) = sdec(x0,kas) in 30 | 0. 31 | 32 | // Bob : 33 | let B(b,a,kbs) = 34 | in(c1,y0); 35 | let (=a,yna) = y0 in 36 | new nb; 37 | out(c2,senc((a,yna,nb),kbs)); 38 | in(c3,y1); 39 | let (=a,ykab) = sdec(y1,kbs) in 40 | 0. 41 | 42 | // Server (+ property): 43 | let S1(a,b,kas,kbs) = 44 | in(c2,z0); 45 | let (=a,zna,znb) = sdec(z0,kbs) in 46 | out(c3,(senc((b,s1,zna,znb),kas),senc((a,s1),kbs))). 47 | 48 | let S2(a,b,kas,kbs) = 49 | in(c2,z0); 50 | let (=a,zna,znb) = sdec(z0,kbs) in 51 | out(c3,(senc((b,s2,zna,znb),kas),senc((a,s2),kbs))). 52 | 53 | //Server: 54 | let S(a,b,kas,kbs) = 55 | in(c2,z0); 56 | new kab; 57 | let (=a,zna,znb) = sdec(z0,kbs) in 58 | out(c3,(senc((b,kab,zna,znb),kas),senc((a,kab),kbs))). 59 | 60 | 61 | // Protocols : 62 | let P = 63 | new kas; new kbs; 64 | ( 65 | A(a,b,kas) | S1(a,b,kas,kbs) | B(b,a,kbs) | 66 | A(a,b,kas) | S(a,b,kas,kbs) | B(b,a,kbs) 67 | ). 68 | 69 | 70 | let Q = 71 | new kas; new kbs; 72 | ( 73 | A(a,b,kas) | S2(a,b,kas,kbs) | B(b,a,kbs) | 74 | A(a,b,kas) | S(a,b,kas,kbs) | B(b,a,kbs) 75 | ). 76 | 77 | 78 | query trace_equiv(P,Q). 79 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Semantics_Comparaison/classic_not_private.dps: -------------------------------------------------------------------------------- 1 | (* 2 | The two processes A and B are equivalent in classic semantcis 3 | but not in private semantics nor in the eavesdrop semantics. 4 | *) 5 | 6 | free c. 7 | free a. 8 | free d. 9 | 10 | let P(y,s) = 11 | if y = s 12 | then 13 | in(c,z); 14 | out(c,s); 15 | out(d,a) 16 | else out(d,a). 17 | 18 | let A = new s; ( 19 | in(c,x);out(c,s);out(d,a) 20 | | in(c,y); P(y,s) 21 | ). 22 | 23 | let B = new s; in(c,x); ( 24 | out(c,s);out(d,a) 25 | | in(c,y); P(y,s) 26 | ). 27 | 28 | query trace_equiv(A,B). 29 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Semantics_Comparaison/determinate_classic_not_private.dps: -------------------------------------------------------------------------------- 1 | (* 2 | The two processes A and B are determinate and equivalent in the 3 | classic semantics but not in the private semantics nor in the eavesdrop 4 | semantics. 5 | *) 6 | 7 | free c. 8 | free d. 9 | 10 | free k1,k2,k3,k4,k5,k6,k7 [private]. 11 | 12 | let R5(x5) = 13 | if x5 = k5 then 14 | in(d,z); 15 | ( 16 | out(c,k6) 17 | | in(c,x6); if x6 = k6 then out(d,k7); in(c,x7); in(d,x8) 18 | ). 19 | 20 | let R3 = 21 | out(c,k4); in(d,x5); R5(x5) | in(c,x4); if x4 = k4 then out(d,k5). 22 | 23 | let R1(x1) = 24 | if x1 = k1 then out(d,k2); in(c,x3); if x3 = k3 then R3 else in(d,x). 25 | 26 | let A = 27 | in(c,x1); R1(x1) | out(c,k1) | in(d,x2); if x2 = k2 then out(c,k3). 28 | 29 | let B = 30 | in(c,x1); R1(x1) | out(c,k1); in(d,x2); if x2 = k2 then out(c,k3). 31 | 32 | 33 | query trace_equiv(A,B). 34 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Semantics_Comparaison/private_classic_not_eavesdrop.dps: -------------------------------------------------------------------------------- 1 | (* 2 | The two processes A and B are equivalent in both classic and 3 | private semantics but not equivalent in eavesdrop semantics. 4 | *) 5 | 6 | free c. 7 | free e. 8 | free d. 9 | 10 | let P2(x,s1,s2) = if x = s1 then in(d,z); if z = s1 then out(d,s2). 11 | 12 | let P1(x,s1,s2) = P2(x,s1,s2) | if x = s2 then out(e,x). 13 | 14 | let A = new s1; new s2; ( 15 | out(c,s1);in(c,x); P1(x,s1,s2) 16 | | in(c,y); P2(y,s1,s2) 17 | ). 18 | 19 | let B = new s1; new s2; ( 20 | out(c,s1);in(c,x); P2(x,s1,s2) 21 | | in(c,y); P1(y,s1,s2) 22 | ). 23 | 24 | query trace_equiv(A,B). 25 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Semantics_Comparaison/private_not_classic.dps: -------------------------------------------------------------------------------- 1 | /* 2 | The two processes A and B are equivalence in private semantics 3 | but not in the classic semantics nor in the eavesdrop semantics. 4 | */ 5 | 6 | free c. 7 | free e. 8 | free d. 9 | 10 | let P2(x,s1,s2) = if x = s1 then out(d,s2). 11 | 12 | let P1(x,s1,s2) = P2(x,s1,s2) | if x = s2 then out(e,x). 13 | 14 | let A = new s1; new s2; ( 15 | out(c,s1);in(c,x); P1(x,s1,s2) 16 | | in(c,y); P2(y,s1,s2) 17 | ). 18 | 19 | let B = new s1; new s2; ( 20 | out(c,s1);in(c,x); P2(x,s1,s2) 21 | | in(c,y); P1(y,s1,s2) 22 | ). 23 | 24 | query trace_equiv(A,B). 25 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Single_Channel/DenningSacco.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | 11 | free a, b, c, s1, s2. 12 | 13 | free ok. 14 | 15 | fun senc/2. 16 | reduc sdec(senc(x,y),y) -> x. 17 | 18 | let processA(ca,a,kas,b) = 19 | out(ca,(a,b)); 20 | in(ca,xa); 21 | let (=b,xab,xmb) = sdec(xa,kas) in 22 | out(ca,xmb). 23 | 24 | let processB(cb,b,kbs,a) = 25 | in(cb,yb); 26 | let (yab,=a)= sdec(yb,kbs) in 27 | 0. 28 | 29 | let processS(cs,a,kas,b,kbs) = 30 | in(cs,zs); 31 | if zs = (a,b) then 32 | new kab; 33 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 34 | 35 | let processSProp(cs,a,kas,b,kbs,s) = 36 | in(cs,zs); 37 | if zs = (a,b) then 38 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 39 | 40 | // Main 41 | 42 | let Preal = 43 | new kas; new kbs; 44 | ( 45 | processA(c,a,kas,b) | processB(c,b,kbs,a) | processSProp(c,a,kas,b,kbs,s1) | 46 | processA(c,a,kas,b) | processB(c,b,kbs,a) | processS(c,a,kas,b,kbs) 47 | ). 48 | 49 | 50 | let Pideal = 51 | new kas; new kbs; 52 | ( 53 | processA(c,a,kas,b) | processB(c,b,kbs,a) | processSProp(c,a,kas,b,kbs,s2) | 54 | processA(c,a,kas,b) | processB(c,b,kbs,a) | processS(c,a,kas,b,kbs) 55 | ). 56 | 57 | query trace_equiv(Preal,Pideal). 58 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Single_Channel/NSL.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Needham-Schroeder-Lowe asymmetric protocol 3 | A -> B: {A,nA,r1}_pkB 4 | B -> A: {B,nA,nB,r2}_pkA 5 | A -> B: {nB,r3}_pkB 6 | *) 7 | 8 | 9 | free a,b,c. 10 | 11 | free s1,s2. 12 | 13 | free ch. 14 | 15 | free kc. 16 | 17 | fun pk/1. 18 | fun aenc/3. 19 | reduc adec(aenc(x,r,pk(k)),k) -> x. 20 | 21 | // Alice 22 | let A(ca,a,b,ka,pkb) = 23 | new na; 24 | new r1; 25 | new r3; 26 | out(ca,aenc((a,na),r1,pkb)); 27 | in(ca,xenc); 28 | let (=b,=na,x3) = adec(xenc,ka) in 29 | out(ca, aenc(x3,r3,pkb)). 30 | 31 | // Bob (+property) 32 | let B1(cb,b,a,kb,pka) = 33 | new r2; 34 | in(cb,z); 35 | let (=a,z2) = adec(z,kb) in 36 | out(cb,aenc((b,z2,s1),r2,pka)); 37 | in(cb,x). 38 | 39 | let B2(cb,b,a,kb,pka) = 40 | new r2; 41 | in(cb,z); 42 | let (=a,z2) = adec(z,kb) in 43 | out(cb,aenc((b,z2,s2),r2,pka)); 44 | in(cb,x). 45 | 46 | 47 | // Bob 48 | let B(cb,b,a,kb,pka) = 49 | new nb; 50 | new r2; 51 | in(cb,z); 52 | let (=a,z2) = adec(z,kb) in 53 | out(cb,aenc((b,z2,nb),r2,pka)); 54 | in(cb,x). 55 | 56 | let P = 57 | new ka; new kb; 58 | out(ch,pk(ka)); 59 | out(ch,pk(kb)); 60 | ( 61 | A(ch,a,b,ka,pk(kb)) | B1(ch,b,a,kb,pk(ka)) | 62 | A(ch,a,c,ka,pk(kc)) | 63 | B(ch,b,c,kb,pk(kc)) 64 | ). 65 | 66 | 67 | let Q = 68 | new ka; new kb; 69 | out(ch,pk(ka)); 70 | out(ch,pk(kb)); 71 | ( 72 | A(ch,a,b,ka,pk(kb)) | B2(ch,b,a,kb,pk(ka)) | 73 | A(ch,a,c,ka,pk(kc)) | 74 | B(ch,b,c,kb,pk(kc)) 75 | ). 76 | 77 | 78 | query trace_equiv(P,Q). 79 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Single_Channel/PrivateAuthentication.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free c. 9 | 10 | free ska, skb, skc [private]. 11 | 12 | fun aenc/2. 13 | fun pk/1. 14 | 15 | reduc adec(aenc(x,pk(y)),y) -> x. 16 | 17 | /* 18 | Description of role A played: 19 | - on channel ca 20 | - by the agent with private key ska 21 | - with the agent with public key pkb 22 | */ 23 | 24 | let processA(ca,ska,pkb) = 25 | new na; 26 | out(ca,aenc((na,pk(ska)),pkb)); 27 | in(ca,x). 28 | 29 | 30 | /* 31 | Description of role B played: 32 | - on channel cb 33 | - by the agent with private key skb 34 | - with the agent with public key pka 35 | */ 36 | 37 | let processB(cb,skb,pka) = 38 | in(cb,yb); 39 | new nb; 40 | let (yna,=pka) = adec(yb,skb) in 41 | out(cb,aenc((yna,nb,pk(skb)),pka)) 42 | else out(cb,aenc(nb,pk(skb))). 43 | 44 | /* 45 | Main 46 | */ 47 | 48 | let ProcessAB = 49 | out(c,pk(ska)); 50 | out(c,pk(skb)); 51 | out(c,pk(skc)); 52 | ( 53 | processA(c,ska,pk(skb)) | processB(c,skb,pk(ska)) | // B expect to talk to A 54 | processA(c,ska,pk(skb)) | processB(c,skb,pk(ska)) // B expect to talk to A 55 | ). 56 | 57 | let ProcessCB = 58 | out(c,pk(ska)); 59 | out(c,pk(skb)); 60 | out(c,pk(skc)); 61 | ( 62 | processA(c,skc,pk(skb)) | processB(c,skb,pk(skc)) | // B expect to talk to C 63 | processA(c,ska,pk(skb)) | processB(c,skb,pk(ska)) // B expect to talk to A 64 | ). 65 | 66 | 67 | query trace_equiv(ProcessAB,ProcessCB). 68 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Single_Channel/WideMouthFrog.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs [private]. 10 | 11 | free ch. 12 | 13 | fun senc/2. 14 | reduc sdec(senc(x,y),y) -> x. 15 | 16 | let A1(ca,a,b,kas) = 17 | out(ca, (a, senc((b,s1),kas))). 18 | 19 | let A2(ca,a,b,kas) = 20 | out(ca, (a, senc((b,s2),kas))). 21 | 22 | let A(ca,a,b,kas) = 23 | new kab; 24 | out(ca, (a, senc((b,kab),kas))). 25 | 26 | let S(cs,a,b,kas,kbs) = 27 | in(cs, x); 28 | let (=a,xenc) = x in 29 | let (=b,xk) = sdec(xenc,kas) in 30 | out(cs, senc((a,xk),kbs)). 31 | 32 | let B(cb,b,a,kbs) = 33 | in(cb,y); 34 | let (ya,yk) = sdec(y,kbs) in 0. 35 | 36 | let P = 37 | A1(ch,a,b,kas) | S(ch,a,b,kas,kbs) | B(ch,b,a,kbs) | 38 | A(ch,a,b,kas) | S(ch,a,b,kas,kbs) | B(ch,b,a,kbs) | 39 | A(ch,a,b,kas) | S(ch,a,b,kas,kbs) | B(ch,b,a,kbs). 40 | 41 | let Q = 42 | A2(ch,a,b,kas) | S(ch,a,b,kas,kbs) | B(ch,b,a,kbs) | 43 | A(ch,a,b,kas) | S(ch,a,b,kas,kbs) | B(ch,b,a,kbs) | 44 | A(ch,a,b,kas) | S(ch,a,b,kas,kbs) | B(ch,b,a,kbs). 45 | 46 | query trace_equiv(P,Q). 47 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Single_Channel/YahalomLowe.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Yahalom - Lowe protocol (without the last message) 3 | A, B, S : principal 4 | Na, Nb : fresh numbers 5 | Kas, Kbs, Kab : key 6 | 7 | 1. A -> B : A, Na 8 | 2. B -> S : {A, Na, Nb}Kbs 9 | 3. S -> A : {B, Kab, Na, Nb}Kas 10 | 4. S -> B : {A, Kab}Kbs 11 | *) 12 | 13 | //Channels : 14 | 15 | free c. 16 | 17 | //Public data : 18 | free a,b,s. 19 | free s1,s2. 20 | 21 | fun senc/2. 22 | reduc sdec(senc(x,y),y) -> x. 23 | 24 | // Alice: 25 | let A(ca,a,b,kas) = 26 | new na; 27 | out(ca,(a,na)); 28 | in(ca,x0); 29 | let (=b,xkab,=na,xnb) = sdec(x0,kas) in 30 | 0. 31 | 32 | // Bob : 33 | let B(cb,b,a,kbs) = 34 | in(cb,y0); 35 | let (=a,yna) = y0 in 36 | new nb; 37 | out(cb,senc((a,yna,nb),kbs)); 38 | in(cb,y1); 39 | let (=a,ykab) = sdec(y1,kbs) in 40 | 0. 41 | 42 | // Server (+ property): 43 | let S1(cs,a,b,kas,kbs) = 44 | in(cs,z0); 45 | let (=a,zna,znb) = sdec(z0,kbs) in 46 | out(cs,(senc((b,s1,zna,znb),kas),senc((a,s1),kbs))). 47 | 48 | let S2(cs,a,b,kas,kbs) = 49 | in(cs,z0); 50 | let (=a,zna,znb) = sdec(z0,kbs) in 51 | out(cs,(senc((b,s2,zna,znb),kas),senc((a,s2),kbs))). 52 | 53 | //Server: 54 | let S(cs,a,b,kas,kbs) = 55 | in(cs,z0); 56 | new kab; 57 | let (=a,zna,znb) = sdec(z0,kbs) in 58 | out(cs,(senc((b,kab,zna,znb),kas),senc((a,kab),kbs))). 59 | 60 | 61 | // Protocols : 62 | let P = 63 | new kas; new kbs; 64 | ( 65 | A(c,a,b,kas) | S1(c,a,b,kas,kbs) | B(c,b,a,kbs) | 66 | A(c,a,b,kas) | S(c,a,b,kas,kbs) | B(c,b,a,kbs) 67 | ). 68 | 69 | 70 | let Q = 71 | new kas; new kbs; 72 | ( 73 | A(c,a,b,kas) | S2(c,a,b,kas,kbs) | B(c,b,a,kbs) | 74 | A(c,a,b,kas) | S(c,a,b,kas,kbs) | B(c,b,a,kbs) 75 | ). 76 | 77 | 78 | query trace_equiv(P,Q). 79 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Strongly_Action_Determinate/SAD_DenningSacco.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | 11 | free a, b, c, s1, s2. 12 | 13 | free ca1, ca2. 14 | free cb1, cb2. 15 | free cs1, cs2. 16 | 17 | free ok. 18 | 19 | fun senc/2. 20 | reduc sdec(senc(x,y),y) -> x. 21 | 22 | let processA(ca,a,kas,b) = 23 | out(ca,(a,b)); 24 | in(ca,xa); 25 | let (=b,xab,xmb) = sdec(xa,kas) in 26 | out(ca,xmb). 27 | 28 | let processB(cb,b,kbs,a) = 29 | in(cb,yb); 30 | let (yab,=a)= sdec(yb,kbs) in 31 | 0. 32 | 33 | let processS(cs,a,kas,b,kbs) = 34 | in(cs,zs); 35 | if zs = (a,b) then 36 | new kab; 37 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 38 | 39 | let processSProp(cs,a,kas,b,kbs,s) = 40 | in(cs,zs); 41 | if zs = (a,b) then 42 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 43 | 44 | // Main 45 | 46 | let Preal = 47 | new kas; new kbs; 48 | ( 49 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) | 50 | processA(ca2,a,kas,b) | processB(cb2,b,kbs,a) | processS(cs2,a,kas,b,kbs) 51 | ). 52 | 53 | 54 | let Pideal = 55 | new kas; new kbs; 56 | ( 57 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 58 | processA(ca2,a,kas,b) | processB(cb2,b,kbs,a) | processS(cs2,a,kas,b,kbs) 59 | ). 60 | 61 | query trace_equiv(Preal,Pideal). 62 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Strongly_Action_Determinate/SAD_NSL.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Needham-Schroeder-Lowe asymmetric protocol 3 | A -> B: {A,nA,r1}_pkB 4 | B -> A: {B,nA,nB,r2}_pkA 5 | A -> B: {nB,r3}_pkB 6 | *) 7 | 8 | 9 | free a,b,c. 10 | 11 | free s1,s2. 12 | 13 | free ca1,ca2. 14 | free cb1,cb2. 15 | 16 | free cd. 17 | 18 | free kc. 19 | 20 | fun pk/1. 21 | fun aenc/3. 22 | reduc adec(aenc(x,r,pk(k)),k) -> x. 23 | 24 | // Alice 25 | let A(ca,a,b,ka,pkb) = 26 | new na; 27 | new r1; 28 | new r3; 29 | out(ca,aenc((a,na),r1,pkb)); 30 | in(ca,xenc); 31 | let (=b,=na,x3) = adec(xenc,ka) in 32 | out(ca, aenc(x3,r3,pkb)). 33 | 34 | // Bob (+property) 35 | let B1(cb,b,a,kb,pka) = 36 | new r2; 37 | in(cb,z); 38 | let (=a,z2) = adec(z,kb) in 39 | out(cb,aenc((b,z2,s1),r2,pka)); 40 | in(cb,x). 41 | 42 | let B2(cb,b,a,kb,pka) = 43 | new r2; 44 | in(cb,z); 45 | let (=a,z2) = adec(z,kb) in 46 | out(cb,aenc((b,z2,s2),r2,pka)); 47 | in(cb,x). 48 | 49 | 50 | // Bob 51 | let B(cb,b,a,kb,pka) = 52 | new nb; 53 | new r2; 54 | in(cb,z); 55 | let (=a,z2) = adec(z,kb) in 56 | out(cb,aenc((b,z2,nb),r2,pka)); 57 | in(cb,x). 58 | 59 | let P = 60 | new ka; new kb; 61 | out(cd,pk(ka)); 62 | out(cd,pk(kb)); 63 | ( 64 | A(ca1,a,b,ka,pk(kb)) | B1(cb1,b,a,kb,pk(ka)) | 65 | A(ca2,a,c,ka,pk(kc)) | 66 | B(cb2,b,c,kb,pk(kc)) 67 | ). 68 | 69 | 70 | let Q = 71 | new ka; new kb; 72 | out(cd,pk(ka)); 73 | out(cd,pk(kb)); 74 | ( 75 | A(ca1,a,b,ka,pk(kb)) | B2(cb1,b,a,kb,pk(ka)) | 76 | A(ca2,a,c,ka,pk(kc)) | 77 | B(cb2,b,c,kb,pk(kc)) 78 | ). 79 | 80 | query trace_equiv(P,Q). 81 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Strongly_Action_Determinate/SAD_PrivateAuthentication.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free ca1,ca2. 9 | free cb1,cb2. 10 | free c. 11 | 12 | free ska, skb, skc [private]. 13 | 14 | fun aenc/2. 15 | fun pk/1. 16 | 17 | reduc adec(aenc(x,pk(y)),y) -> x. 18 | 19 | /* 20 | Description of role A played: 21 | - on channel ca 22 | - by the agent with private key ska 23 | - with the agent with public key pkb 24 | */ 25 | 26 | let processA(ca,ska,pkb) = 27 | new na; 28 | out(ca,aenc((na,pk(ska)),pkb)); 29 | in(ca,x). 30 | 31 | 32 | /* 33 | Description of role B played: 34 | - on channel cb 35 | - by the agent with private key skb 36 | - with the agent with public key pka 37 | */ 38 | 39 | let processB(cb,skb,pka) = 40 | in(cb,yb); 41 | new nb; 42 | let (yna,=pka) = adec(yb,skb) in 43 | out(cb,aenc((yna,nb,pk(skb)),pka)) 44 | else out(cb,aenc(nb,pk(skb))). 45 | 46 | /* 47 | Main 48 | */ 49 | 50 | let ProcessAB = 51 | out(c,pk(ska)); 52 | out(c,pk(skb)); 53 | out(c,pk(skc)); 54 | ( 55 | processA(ca1,ska,pk(skb)) | processB(cb1,skb,pk(ska)) | // B expect to talk to A 56 | processA(ca2,ska,pk(skb)) | processB(cb2,skb,pk(ska)) // B expect to talk to A 57 | ). 58 | 59 | let ProcessCB = 60 | out(c,pk(ska)); 61 | out(c,pk(skb)); 62 | out(c,pk(skc)); 63 | ( 64 | processA(ca1,skc,pk(skb)) | processB(cb1,skb,pk(skc)) | // B expect to talk to C 65 | processA(ca2,ska,pk(skb)) | processB(cb2,skb,pk(ska)) // B expect to talk to A 66 | ). 67 | 68 | 69 | query trace_equiv(ProcessAB,ProcessCB). 70 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Strongly_Action_Determinate/SAD_WideMouthFrog.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs [private]. 10 | 11 | free ca1,cs1,cb1. 12 | free ca2,cs2,cb2. 13 | free ca3,cs3,cb3. 14 | 15 | fun senc/2. 16 | reduc sdec(senc(x,y),y) -> x. 17 | 18 | let A1(ca,a,b,kas) = 19 | out(ca, (a, senc((b,s1),kas))). 20 | 21 | let A2(ca,a,b,kas) = 22 | out(ca, (a, senc((b,s2),kas))). 23 | 24 | let A(ca,a,b,kas) = 25 | new kab; 26 | out(ca, (a, senc((b,kab),kas))). 27 | 28 | let S(cs,a,b,kas,kbs) = 29 | in(cs, x); 30 | let (=a,xenc) = x in 31 | let (=b,xk) = sdec(xenc,kas) in 32 | out(cs, senc((a,xk),kbs)). 33 | 34 | let B(cb,b,a,kbs) = 35 | in(cb,y); 36 | let (ya,yk) = sdec(y,kbs) in 0. 37 | 38 | let P = 39 | A1(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 40 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) | 41 | A(ca3,a,b,kas) | S(cs3,a,b,kas,kbs) | B(cb3,b,a,kbs). 42 | 43 | let Q = 44 | A2(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 45 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) | 46 | A(ca3,a,b,kas) | S(cs3,a,b,kas,kbs) | B(cb3,b,a,kbs). 47 | 48 | query trace_equiv(P,Q). 49 | -------------------------------------------------------------------------------- /Examples/in_papers/JCS19-BabelChevalKremer/Strongly_Action_Determinate/SAD_YahalomLowe.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Yahalom - Lowe protocol (without the last message) 3 | A, B, S : principal 4 | Na, Nb : fresh numbers 5 | Kas, Kbs, Kab : key 6 | 7 | 1. A -> B : A, Na 8 | 2. B -> S : {A, Na, Nb}Kbs 9 | 3. S -> A : {B, Kab, Na, Nb}Kas 10 | 4. S -> B : {A, Kab}Kbs 11 | *) 12 | 13 | //Channels : 14 | 15 | free ca1,cb1,cs1. 16 | free ca2,cs2,cb2. 17 | 18 | //Public data : 19 | free a,b,s. 20 | free s1,s2. 21 | 22 | fun senc/2. 23 | reduc sdec(senc(x,y),y) -> x. 24 | 25 | // Alice: 26 | let A(ca,a,b,kas) = 27 | new na; 28 | out(ca,(a,na)); 29 | in(ca,x0); 30 | let (=b,xkab,=na,xnb) = sdec(x0,kas) in 31 | 0. 32 | 33 | // Bob : 34 | let B(cb,b,a,kbs) = 35 | in(cb,y0); 36 | let (=a,yna) = y0 in 37 | new nb; 38 | out(cb,senc((a,yna,nb),kbs)); 39 | in(cb,y1); 40 | let (=a,ykab) = sdec(y1,kbs) in 41 | 0. 42 | 43 | // Server (+ property): 44 | let S1(cs,a,b,kas,kbs) = 45 | in(cs,z0); 46 | let (=a,zna,znb) = sdec(z0,kbs) in 47 | out(cs,(senc((b,s1,zna,znb),kas),senc((a,s1),kbs))). 48 | 49 | let S2(cs,a,b,kas,kbs) = 50 | in(cs,z0); 51 | let (=a,zna,znb) = sdec(z0,kbs) in 52 | out(cs,(senc((b,s2,zna,znb),kas),senc((a,s2),kbs))). 53 | 54 | //Server: 55 | let S(cs,a,b,kas,kbs) = 56 | in(cs,z0); 57 | new kab; 58 | let (=a,zna,znb) = sdec(z0,kbs) in 59 | out(cs,(senc((b,kab,zna,znb),kas),senc((a,kab),kbs))). 60 | 61 | 62 | // Protocols : 63 | let P = 64 | new kas; new kbs; 65 | ( 66 | A(ca1,a,b,kas) | S1(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 67 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) 68 | ). 69 | 70 | 71 | let Q = 72 | new kas; new kbs; 73 | ( 74 | A(ca1,a,b,kas) | S2(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 75 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) 76 | ). 77 | 78 | 79 | query trace_equiv(P,Q). 80 | -------------------------------------------------------------------------------- /Examples/in_papers/POST17-BabelChevalKremer/classic_not_private.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free a. 3 | free d. 4 | 5 | let P(y,s) = 6 | if y = s 7 | then 8 | in(c,z); 9 | out(c,s); 10 | out(d,a) 11 | else out(d,a). 12 | 13 | let A = new s; ( 14 | in(c,x);out(c,s);out(d,a) 15 | | in(c,y); P(y,s) 16 | ). 17 | 18 | let B = new s; in(c,x); ( 19 | out(c,s);out(d,a) 20 | | in(c,y); P(y,s) 21 | ). 22 | 23 | query trace_equiv(A,B). 24 | -------------------------------------------------------------------------------- /Examples/in_papers/POST17-BabelChevalKremer/private_classic_not_eavesdrop.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free e. 3 | free d. 4 | 5 | let P2(x,s1,s2) = if x = s1 then in(d,z); if z = s1 then out(d,s2). 6 | 7 | let P1(x,s1,s2) = P2(x,s1,s2) | if x = s2 then out(e,x). 8 | 9 | let A = new s1; new s2; ( 10 | out(c,s1);in(c,x); P1(x,s1,s2) 11 | | in(c,y); P2(y,s1,s2) 12 | ). 13 | 14 | let B = new s1; new s2; ( 15 | out(c,s1);in(c,x); P2(x,s1,s2) 16 | | in(c,y); P1(y,s1,s2) 17 | ). 18 | 19 | query trace_equiv(A,B). 20 | -------------------------------------------------------------------------------- /Examples/in_papers/POST17-BabelChevalKremer/private_not_classic.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free e. 3 | free d. 4 | 5 | let P2(x,s1,s2) = if x = s1 then out(d,s2). 6 | 7 | let P1(x,s1,s2) = P2(x,s1,s2) | if x = s2 then out(e,x). 8 | 9 | let A = new s1; new s2; ( 10 | out(c,s1);in(c,x); P1(x,s1,s2) 11 | | in(c,y); P2(y,s1,s2) 12 | ). 13 | 14 | let B = new s1; new s2; ( 15 | out(c,s1);in(c,x); P2(x,s1,s2) 16 | | in(c,y); P1(y,s1,s2) 17 | ). 18 | 19 | query trace_equiv(A,B). 20 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-2sessions-inclusion.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | if xm_m = mac(xm_e,k_m) 36 | then 37 | let (xn_r,xn_t,xk_r) = sdec(xm_e,k_e) in 38 | if xn_t = n_t 39 | then ( 40 | new k_t; 41 | let z = senc((n_t,xn_r,k_t),k_e) in 42 | out(c,(z,mac(z,k_m))) 43 | ) else out(c,Error_6300) 44 | else out(c,Error_6300) 45 | else out(c,Error_6300). 46 | 47 | let system(k_e,k_m) = 48 | passport(k_e,k_m) | reader(k_e,k_m). 49 | 50 | // Unlinkability 51 | 52 | let system1 = 53 | !^2 new k_e; new k_m; system(k_e,k_m). 54 | 55 | let system2 = 56 | new k_e; new k_m; !^2 system(k_e,k_m). 57 | 58 | 59 | query session_incl(system2,system1). /* inclusion holds */ 60 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-2sessions.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | if xm_m = mac(xm_e,k_m) 36 | then 37 | let (xn_r,xn_t,xk_r) = sdec(xm_e,k_e) in 38 | if xn_t = n_t 39 | then ( 40 | new k_t; 41 | let z = senc((n_t,xn_r,k_t),k_e) in 42 | out(c,(z,mac(z,k_m))) 43 | ) else out(c,Error_6300) 44 | else out(c,Error_6300) 45 | else out(c,Error_6300). 46 | 47 | let system(k_e,k_m) = 48 | passport(k_e,k_m) | reader(k_e,k_m). 49 | 50 | // Unlinkability 51 | 52 | let system1 = 53 | !^2 new k_e; new k_m; system(k_e,k_m). 54 | 55 | let system2 = 56 | new k_e; new k_m; !^2 system(k_e,k_m). 57 | 58 | 59 | query session_equiv(system1,system2). 60 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-3sessions-inclusion.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | // Unlinkability 43 | 44 | let system1 = 45 | !^3 new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m)). 46 | 47 | let system2 = 48 | new k_e; new k_m; (!^2 passport(k_e,k_m) | !^2 reader(k_e,k_m)) 49 | | new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m)). 50 | 51 | 52 | query session_incl(system2,system1). /* inclusion holds */ 53 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-3sessions.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | // Unlinkability 43 | 44 | let system1 = 45 | !^3 new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m)). 46 | 47 | let system2 = 48 | new k_e; new k_m; (!^2 passport(k_e,k_m) | !^2 reader(k_e,k_m)) 49 | | new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m)). 50 | 51 | 52 | query session_equiv(system1,system2). 53 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-4sessions-1fresh-inclusion.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c,d. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(c,k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(c,k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(c,k_e,k_m) | reader(c,k_e,k_m). 44 | 45 | let system_fresh = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_1111 = // system to compare with 51 | !^4 system_fresh. 52 | 53 | let system_22 = // attack 54 | !^2 new k_e; new k_m; !^2 system(k_e,k_m). 55 | 56 | let system_211 = // equivalence 57 | new k_e; new k_m; !^2 system(k_e,k_m) | !^2 system_fresh. 58 | 59 | let system_31 = // attack 60 | new k_e; new k_m; !^3 system(k_e,k_m) | system_fresh. 61 | 62 | let system_4 = // attack 63 | new k_e; new k_m; !^4 system(k_e,k_m). 64 | 65 | 66 | query session_incl(system_31, system_1111). 67 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-4sessions-1fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c,d. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(c,k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(c,k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(c,k_e,k_m) | reader(c,k_e,k_m). 44 | 45 | let system_fresh = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_1111 = // system to compare with 51 | !^4 system_fresh. 52 | 53 | let system_22 = // attack 54 | !^2 new k_e; new k_m; !^2 system(k_e,k_m). 55 | 56 | let system_211 = // equivalence 57 | new k_e; new k_m; !^2 system(k_e,k_m) | !^2 system_fresh. 58 | 59 | let system_31 = // attack 60 | new k_e; new k_m; !^3 system(k_e,k_m) | system_fresh. 61 | 62 | let system_4 = // attack 63 | new k_e; new k_m; !^4 system(k_e,k_m). 64 | 65 | 66 | query session_equiv(system_1111,system_31). 67 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-4sessions-2fresh-inclusion.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c,d. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(c,k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(c,k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(c,k_e,k_m) | reader(c,k_e,k_m). 44 | 45 | let system_fresh = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_1111 = // system to compare with 51 | !^4 system_fresh. 52 | 53 | let system_22 = // attack 54 | !^2 new k_e; new k_m; !^2 system(k_e,k_m). 55 | 56 | let system_211 = // equivalence 57 | new k_e; new k_m; !^2 system(k_e,k_m) | !^2 system_fresh. 58 | 59 | let system_31 = // attack 60 | new k_e; new k_m; !^3 system(k_e,k_m) | system_fresh. 61 | 62 | let system_4 = // attack 63 | new k_e; new k_m; !^4 system(k_e,k_m). 64 | 65 | 66 | query session_incl(system_211,system_1111). 67 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-4sessions-2fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c,d. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(c,k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(c,k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(c,k_e,k_m) | reader(c,k_e,k_m). 44 | 45 | let system_fresh = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_1111 = // system to compare with 51 | !^4 system_fresh. 52 | 53 | let system_22 = // attack 54 | !^2 new k_e; new k_m; !^2 system(k_e,k_m). 55 | 56 | let system_211 = // equivalence 57 | new k_e; new k_m; !^2 system(k_e,k_m) | !^2 system_fresh. 58 | 59 | let system_31 = // attack 60 | new k_e; new k_m; !^3 system(k_e,k_m) | system_fresh. 61 | 62 | let system_4 = // attack 63 | new k_e; new k_m; !^4 system(k_e,k_m). 64 | 65 | 66 | query session_equiv(system_1111,system_211). 67 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-5sessions-1fresh-inclusion.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(k_e,k_m) | reader(k_e,k_m). 44 | 45 | let fresh_system = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_11111 = 51 | !^5 fresh_system. 52 | 53 | let system_2111 = 54 | new k_e; new k_m; !^2 system(k_e,k_m) | !^3 fresh_system. 55 | 56 | let system_311 = 57 | new k_e; new k_m; !^3 system(k_e,k_m) | !^2 fresh_system. 58 | 59 | let system_41 = 60 | new k_e; new k_m; !^4 system(k_e,k_m) | fresh_system. 61 | 62 | let system_5 = 63 | new k_e; new k_m; !^5 system(k_e,k_m). 64 | 65 | let system_221 = 66 | !^2 new k_e; new k_m; !^2 system(k_e,k_m) | fresh_system. 67 | 68 | let system_32 = 69 | new k_e; new k_m; !^3 system(k_e,k_m) | 70 | new k_e; new k_m; !^2 system(k_e,k_m). 71 | 72 | 73 | query session_incl(system_41, system_11111). 74 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-5sessions-1fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(k_e,k_m) | reader(k_e,k_m). 44 | 45 | let fresh_system = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_11111 = 51 | !^5 fresh_system. 52 | 53 | let system_2111 = 54 | new k_e; new k_m; !^2 system(k_e,k_m) | !^3 fresh_system. 55 | 56 | let system_311 = 57 | new k_e; new k_m; !^3 system(k_e,k_m) | !^2 fresh_system. 58 | 59 | let system_41 = 60 | new k_e; new k_m; !^4 system(k_e,k_m) | fresh_system. 61 | 62 | let system_5 = 63 | new k_e; new k_m; !^5 system(k_e,k_m). 64 | 65 | let system_221 = 66 | !^2 new k_e; new k_m; !^2 system(k_e,k_m) | fresh_system. 67 | 68 | let system_32 = 69 | new k_e; new k_m; !^3 system(k_e,k_m) | 70 | new k_e; new k_m; !^2 system(k_e,k_m). 71 | 72 | 73 | query session_equiv(system_11111,system_41). 74 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-5sessions-2fresh-inclusion.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(k_e,k_m) | reader(k_e,k_m). 44 | 45 | let fresh_system = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_11111 = 51 | !^5 fresh_system. 52 | 53 | let system_2111 = 54 | new k_e; new k_m; !^2 system(k_e,k_m) | !^3 fresh_system. 55 | 56 | let system_311 = 57 | new k_e; new k_m; !^3 system(k_e,k_m) | !^2 fresh_system. 58 | 59 | let system_41 = 60 | new k_e; new k_m; !^4 system(k_e,k_m) | fresh_system. 61 | 62 | let system_5 = 63 | new k_e; new k_m; !^5 system(k_e,k_m). 64 | 65 | let system_221 = 66 | !^2 new k_e; new k_m; !^2 system(k_e,k_m) | fresh_system. 67 | 68 | let system_32 = 69 | new k_e; new k_m; !^3 system(k_e,k_m) | 70 | new k_e; new k_m; !^2 system(k_e,k_m). 71 | 72 | 73 | query session_incl(system_311,system_11111). 74 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-5sessions-2fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(k_e,k_m) | reader(k_e,k_m). 44 | 45 | let fresh_system = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_11111 = 51 | !^5 fresh_system. 52 | 53 | let system_2111 = 54 | new k_e; new k_m; !^2 system(k_e,k_m) | !^3 fresh_system. 55 | 56 | let system_311 = 57 | new k_e; new k_m; !^3 system(k_e,k_m) | !^2 fresh_system. 58 | 59 | let system_41 = 60 | new k_e; new k_m; !^4 system(k_e,k_m) | fresh_system. 61 | 62 | let system_5 = 63 | new k_e; new k_m; !^5 system(k_e,k_m). 64 | 65 | let system_221 = 66 | !^2 new k_e; new k_m; !^2 system(k_e,k_m) | fresh_system. 67 | 68 | let system_32 = 69 | new k_e; new k_m; !^3 system(k_e,k_m) | 70 | new k_e; new k_m; !^2 system(k_e,k_m). 71 | 72 | 73 | query session_equiv(system_11111,system_311). 74 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-5sessions-3fresh-inclusion.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(k_e,k_m) | reader(k_e,k_m). 44 | 45 | let fresh_system = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_11111 = 51 | !^5 fresh_system. 52 | 53 | let system_2111 = 54 | new k_e; new k_m; !^2 system(k_e,k_m) | !^3 fresh_system. 55 | 56 | let system_311 = 57 | new k_e; new k_m; !^3 system(k_e,k_m) | !^2 fresh_system. 58 | 59 | let system_41 = 60 | new k_e; new k_m; !^4 system(k_e,k_m) | fresh_system. 61 | 62 | let system_5 = 63 | new k_e; new k_m; !^5 system(k_e,k_m). 64 | 65 | let system_221 = 66 | !^2 new k_e; new k_m; !^2 system(k_e,k_m) | fresh_system. 67 | 68 | let system_32 = 69 | new k_e; new k_m; !^3 system(k_e,k_m) | 70 | new k_e; new k_m; !^2 system(k_e,k_m). 71 | 72 | 73 | query session_incl(system_2111,system_11111). 74 | -------------------------------------------------------------------------------- /Examples/session_equivalence/BAC/BAC-5sessions-3fresh.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(k_e,k_m) | reader(k_e,k_m). 44 | 45 | let fresh_system = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_11111 = 51 | !^5 fresh_system. 52 | 53 | let system_2111 = 54 | new k_e; new k_m; !^2 system(k_e,k_m) | !^3 fresh_system. 55 | 56 | let system_311 = 57 | new k_e; new k_m; !^3 system(k_e,k_m) | !^2 fresh_system. 58 | 59 | let system_41 = 60 | new k_e; new k_m; !^4 system(k_e,k_m) | fresh_system. 61 | 62 | let system_5 = 63 | new k_e; new k_m; !^5 system(k_e,k_m). 64 | 65 | let system_221 = 66 | !^2 new k_e; new k_m; !^2 system(k_e,k_m) | fresh_system. 67 | 68 | let system_32 = 69 | new k_e; new k_m; !^3 system(k_e,k_m) | 70 | new k_e; new k_m; !^2 system(k_e,k_m). 71 | 72 | 73 | query session_equiv(system_11111,system_2111). 74 | -------------------------------------------------------------------------------- /Examples/session_equivalence/Denning-Sacco/DenningSacco-1session.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | 11 | free a, b, c, s1, s2. 12 | 13 | free ca1, ca2. 14 | free cb1, cb2. 15 | free cs1, cs2. 16 | 17 | free ok. 18 | 19 | fun senc/2. 20 | reduc sdec(senc(x,y),y) -> x. 21 | 22 | let processA(ca,a,kas,b) = 23 | out(ca,(a,b)); 24 | in(ca,xa); 25 | let (=b,xab,xmb) = sdec(xa,kas) in 26 | out(ca,xmb). 27 | 28 | let processB(cb,b,kbs,a) = 29 | in(cb,yb); 30 | let (yab,=a)= sdec(yb,kbs) in 31 | 0. 32 | 33 | let processS(cs,a,kas,b,kbs) = 34 | in(cs,zs); 35 | if zs = (a,b) then 36 | new kab; 37 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 38 | 39 | let processSProp(cs,a,kas,b,kbs,s) = 40 | in(cs,zs); 41 | if zs = (a,b) then 42 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 43 | 44 | // Main 45 | 46 | let Preal = 47 | new kas; new kbs; 48 | ( 49 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) 50 | ). 51 | 52 | 53 | let Pideal = 54 | new kas; new kbs; 55 | ( 56 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) 57 | ). 58 | 59 | query session_equiv(Preal,Pideal). 60 | -------------------------------------------------------------------------------- /Examples/session_equivalence/Denning-Sacco/DenningSacco-2sessions.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | 11 | free a, b, c, s1, s2. 12 | 13 | free ca1, ca2. 14 | free cb1, cb2. 15 | free cs1, cs2. 16 | 17 | free ok. 18 | 19 | fun senc/2. 20 | reduc sdec(senc(x,y),y) -> x. 21 | 22 | let processA(ca,a,kas,b) = 23 | out(ca,(a,b)); 24 | in(ca,xa); 25 | let (=b,xab,xmb) = sdec(xa,kas) in 26 | out(ca,xmb). 27 | 28 | let processB(cb,b,kbs,a) = 29 | in(cb,yb); 30 | let (yab,=a)= sdec(yb,kbs) in 31 | 0. 32 | 33 | let processS(cs,a,kas,b,kbs) = 34 | in(cs,zs); 35 | if zs = (a,b) then 36 | new kab; 37 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 38 | 39 | let processSProp(cs,a,kas,b,kbs,s) = 40 | in(cs,zs); 41 | if zs = (a,b) then 42 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 43 | 44 | // Main 45 | 46 | let Preal = 47 | new kas; new kbs; 48 | ( 49 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) | 50 | processA(ca2,a,kas,b) | processB(cb2,b,kbs,a) | processS(cs2,a,kas,b,kbs) 51 | ). 52 | 53 | 54 | let Pideal = 55 | new kas; new kbs; 56 | ( 57 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 58 | processA(ca2,a,kas,b) | processB(cb2,b,kbs,a) | processS(cs2,a,kas,b,kbs) 59 | ). 60 | 61 | query session_equiv(Preal,Pideal). 62 | -------------------------------------------------------------------------------- /Examples/session_equivalence/Denning-Sacco/DenningSacco-3sessions.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | free a, b, c, s1, s2. 11 | 12 | free ca1, ca2, ca3. 13 | free cb1, cb2, cb3. 14 | free cs1, cs2, cs3. 15 | 16 | free ok. 17 | 18 | fun senc/2. 19 | reduc sdec(senc(x,y),y) -> x. 20 | 21 | let processA(ca,a,kas,b) = 22 | out(ca,(a,b)); 23 | in(ca,xa); 24 | let (=b,xab,xmb) = sdec(xa,kas) in 25 | out(ca,xmb). 26 | 27 | let processB(cb,b,kbs,a) = 28 | in(cb,yb); 29 | let (yab,=a)= sdec(yb,kbs) in 30 | 0. 31 | 32 | let processS(cs,a,kas,b,kbs) = 33 | in(cs,zs); 34 | if zs = (a,b) then 35 | new kab; 36 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 37 | 38 | let processSProp(cs,a,kas,b,kbs,s) = 39 | in(cs,zs); 40 | if zs = (a,b) then 41 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 42 | 43 | // Main 44 | 45 | let Preal = 46 | new kas; new kbs; 47 | ( 48 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) | 49 | processA(ca2,a,kas,b) | processB(cb2,b,kbs,a) | processS(cs2,a,kas,b,kbs) | 50 | processA(ca3,a,kas,b) | processB(cb3,b,kbs,a) | processS(cs3,a,kas,b,kbs) 51 | ). 52 | 53 | 54 | let Pideal = 55 | new kas; new kbs; 56 | ( 57 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 58 | processA(ca2,a,kas,b) | processB(cb2,b,kbs,a) | processS(cs2,a,kas,b,kbs) | 59 | processA(ca3,a,kas,b) | processB(cb3,b,kbs,a) | processS(cs3,a,kas,b,kbs) 60 | ). 61 | 62 | query session_equiv(Preal,Pideal). 63 | -------------------------------------------------------------------------------- /Examples/session_equivalence/Denning-Sacco/DenningSacco-4sessions-2dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | free a, b, c. 11 | 12 | free s1, s2. 13 | free kcs. 14 | 15 | free ca1, ca2, ca4. 16 | free cb1, cb3, cb4. 17 | free cs1, cs2, cs3, cs4. 18 | 19 | free ok, req, rep. 20 | 21 | fun senc/2. 22 | reduc sdec(senc(x,y),y) -> x. 23 | 24 | let processA(ca,a,kas,b) = 25 | out(ca,(a,b)); 26 | in(ca,xa); 27 | let (=b,xab,xmb) = sdec(xa,kas) in 28 | out(ca,xmb). 29 | 30 | let processB(cb,b,kbs,a) = 31 | in(cb,yb); 32 | let (yab,=a)= sdec(yb,kbs) in 33 | 0. 34 | 35 | let processS(cs,a,kas,b,kbs) = 36 | in(cs,zs); 37 | if zs = (a,b) then 38 | new kab; 39 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 40 | 41 | let processSProp(cs,a,kas,b,kbs,s) = 42 | in(cs,zs); 43 | if zs = (a,b) then 44 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 45 | 46 | // Main 47 | 48 | let Preal = 49 | new kas; new kbs; 50 | ( 51 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) | 52 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 53 | processS(cs3,c,kcs,b,kbs) | processB(cb3,b,kbs,c) | 54 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) 55 | ). 56 | 57 | 58 | let Pideal = 59 | new kas; new kbs; 60 | ( 61 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 62 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 63 | processS(cs3,c,kcs,b,kbs) | processB(cb3,b,kbs,c) | 64 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) 65 | ). 66 | 67 | query session_equiv(Preal,Pideal). 68 | -------------------------------------------------------------------------------- /Examples/session_equivalence/Denning-Sacco/DenningSacco-6sessions-4dishonests-2.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | 3 | 1. A -> S: A, B 4 | 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | 3. A -> B: {Kab,A}Kbs 6 | Strong secrecy of Kab 7 | 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | free a, b, c. 11 | 12 | free s1, s2. 13 | free kcs. 14 | 15 | free ca1, ca2, ca4. 16 | free cb1, cb3, cb4, cb5, cb6. 17 | free cs1, cs2, cs3, cs4, cs5, cs6. 18 | 19 | free ok, req, rep. 20 | 21 | fun senc/2. 22 | reduc sdec(senc(x,y),y) -> x. 23 | 24 | let processA(ca,a,kas,b) = 25 | out(ca,(a,b)); 26 | in(ca,xa); 27 | let (=b,xab,xmb) = sdec(xa,kas) in 28 | out(ca,xmb). 29 | 30 | let processB(cb,b,kbs,a) = 31 | in(cb,yb); 32 | let (yab,=a)= sdec(yb,kbs) in 33 | 0. 34 | 35 | let processS(cs,a,kas,b,kbs) = 36 | in(cs,zs); 37 | if zs = (a,b) then 38 | new kab; 39 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 40 | 41 | let processSProp(cs,a,kas,b,kbs,s) = 42 | in(cs,zs); 43 | if zs = (a,b) then 44 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 45 | 46 | // Main 47 | 48 | let Preal = 49 | new kas; new kbs; 50 | ( 51 | processB(cb6,a,kbs,c) | processA(ca2,a,kas,c) | processSProp(cs1,a,kas,b,kbs,s1) | 52 | processA(ca1,a,kas,b) | processS(cs2,a,kas,c,kcs) | 53 | processB(cb3,b,kbs,b) | processS(cs3,c,kcs,b,kbs) | 54 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) | 55 | processA(cb5,b,kbs,c) | processS(cs5,b,kbs,c,kcs) | 56 | processB(cb1,b,kbs,a) | processS(cs6,c,kcs,a,kas) 57 | ). 58 | 59 | 60 | let Pideal = 61 | new kas; new kbs; 62 | ( 63 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 64 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 65 | processB(cb3,b,kbs,c) | processS(cs3,c,kcs,b,kbs) | 66 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) | 67 | processA(cb5,b,kbs,c) | processS(cs5,b,kbs,c,kcs) | 68 | processB(cb6,a,kbs,c) | processS(cs6,c,kcs,a,kas) 69 | ). 70 | 71 | query session_equiv(Preal,Pideal). 72 | -------------------------------------------------------------------------------- /Examples/session_equivalence/Denning-Sacco/DenningSacco-6sessions-4dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | 3 | 1. A -> S: A, B 4 | 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | 3. A -> B: {Kab,A}Kbs 6 | Strong secrecy of Kab 7 | 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | free a, b, c. 11 | 12 | free s1, s2. 13 | free kcs. 14 | 15 | free ca1, ca2, ca4. 16 | free cb1, cb3, cb4, cb5, cb6. 17 | free cs1, cs2, cs3, cs4, cs5, cs6. 18 | 19 | free ok, req, rep. 20 | 21 | fun senc/2. 22 | reduc sdec(senc(x,y),y) -> x. 23 | 24 | let processA(ca,a,kas,b) = 25 | out(ca,(a,b)); 26 | in(ca,xa); 27 | let (=b,xab,xmb) = sdec(xa,kas) in 28 | out(ca,xmb). 29 | 30 | let processB(cb,b,kbs,a) = 31 | in(cb,yb); 32 | let (yab,=a)= sdec(yb,kbs) in 33 | 0. 34 | 35 | let processS(cs,a,kas,b,kbs) = 36 | in(cs,zs); 37 | if zs = (a,b) then 38 | new kab; 39 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 40 | 41 | let processSProp(cs,a,kas,b,kbs,s) = 42 | in(cs,zs); 43 | if zs = (a,b) then 44 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 45 | 46 | // Main 47 | 48 | let Preal = 49 | new kas; new kbs; 50 | ( 51 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) | 52 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 53 | processB(cb3,b,kbs,b) | processS(cs3,c,kcs,b,kbs) | 54 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) | 55 | processA(cb5,b,kbs,c) | processS(cs5,b,kbs,c,kcs) | 56 | processB(cb6,a,kbs,c) | processS(cs6,c,kcs,a,kas) 57 | ). 58 | 59 | 60 | let Pideal = 61 | new kas; new kbs; 62 | ( 63 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 64 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 65 | processB(cb3,b,kbs,c) | processS(cs3,c,kcs,b,kbs) | 66 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) | 67 | processA(cb5,b,kbs,c) | processS(cs5,b,kbs,c,kcs) | 68 | processB(cb6,a,kbs,c) | processS(cs6,c,kcs,a,kas) 69 | ). 70 | 71 | query session_equiv(Preal,Pideal). 72 | -------------------------------------------------------------------------------- /Examples/session_equivalence/Helios/Helios_vanilla_attack.dps: -------------------------------------------------------------------------------- 1 | // helios protocol with identities and mixnet - no privacy because of ballot replay attack 2 | 3 | fun aenc/3. 4 | fun pk/1. 5 | 6 | 7 | reduc adec(aenc(x,r,pk(y)),y) -> x. 8 | 9 | free ch. 10 | 11 | free a,b,c. 12 | free yes,no. 13 | 14 | let V(id, v, pkT, bb) = 15 | new r; 16 | let ballot = aenc(v,r,pkT) in 17 | out(bb, (id,ballot)); // sending on authenticated channel 18 | out(ch, (id,ballot)). // modelled by both sending on private and public channel 19 | // NB: If the channels are anonymous, i.e. if we remove the identifier `id', then the attack does not work anymore. 20 | 21 | 22 | let BB(bb, mn) = 23 | (in(bb, b1); let (=a,v1) = b1 in out(mn,v1)) | 24 | (in(bb, b2); let (=b,v2) = b2 in out(mn,v2)) | 25 | (in(ch, b3); let (=c,v3) = b3 in out(mn,v3)). 26 | 27 | 28 | let T(skT,mn) = 29 | in(mn,x1); 30 | in(mn,x2); 31 | in(mn,x3); 32 | ( 33 | out(ch, adec(x1,skT)) | out(ch, adec(x2,skT)) | out(ch, adec(x3,skT)) 34 | ). 35 | 36 | 37 | let AyBn = 38 | new skT; 39 | let pkT = pk(skT) in 40 | new bb; 41 | new mn; 42 | out(ch,pkT); 43 | ( 44 | V(a,yes,pkT,bb) | V(b,no,pkT,bb) | BB(bb,mn) | T(skT,mn) 45 | ). 46 | 47 | let AnBy = 48 | new skT; 49 | let pkT = pk(skT) in 50 | new bb; 51 | new mn; 52 | out(ch, pkT); 53 | ( 54 | V(a,no,pkT,bb) | V(b,yes,pkT,bb) | BB(bb,mn) | T(skT,mn) 55 | ). 56 | 57 | 58 | query session_equiv(AyBn,AnBy). 59 | 60 | // privacy cannot be proven because of vote replay attack 61 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/README.md: -------------------------------------------------------------------------------- 1 | ## Toys examples and tests 2 | 3 | The files contained in this folder are mostly used to tests the implementation of DeepSec for our regression suite. 4 | They do not necessarily corresponds to real-world protocols or cryptographic properties. 5 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/BAC-2sessions.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | if xm_m = mac(xm_e,k_m) 36 | then 37 | let (xn_r,xn_t,xk_r) = sdec(xm_e,k_e) in 38 | if xn_t = n_t 39 | then ( 40 | new k_t; 41 | let z = senc((n_t,xn_r,k_t),k_e) in 42 | out(c,(z,mac(z,k_m))) 43 | ) else out(c,Error_6300) 44 | else out(c,Error_6300) 45 | else out(c,Error_6300). 46 | 47 | // Unlinkability 48 | 49 | let system1 = 50 | (new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m))) | 51 | (new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m))). 52 | 53 | let system2 = 54 | new k_e; new k_m; 55 | ( 56 | passport(k_e,k_m) | reader(k_e,k_m) | 57 | passport(k_e,k_m) | reader(k_e,k_m) 58 | ). 59 | 60 | 61 | query session_equiv(system1,system2). 62 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/BAC-3sessions.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | // Unlinkability 43 | 44 | let system1 = 45 | !^3 (new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m))). 46 | 47 | let system2 = 48 | (new k_e; new k_m; !^2 (passport(k_e,k_m) | reader(k_e,k_m))) 49 | | (new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m))). 50 | 51 | 52 | query session_equiv(system1,system2). 53 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/BAC-4sessions-2fresh-IO_unambiguous.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c,d. 6 | free c1,c2,c3,c4. 7 | 8 | free Error_6300. 9 | free get_challenge. 10 | 11 | fun senc/2. 12 | 13 | reduc sdec(senc(x,y),y) -> x. 14 | 15 | // Description of the reader role 16 | 17 | let reader(c,k_e,k_m) = 18 | out(c1,get_challenge); 19 | in(c2,xn_t); 20 | new n_r; 21 | new k_r; 22 | let xm = senc((n_r,xn_t,k_r),k_e) in 23 | out(c3,(xm,mac(xm,k_m))); 24 | in(c4,y). 25 | 26 | // Description of the passport role 27 | 28 | let passport(c,k_e,k_m) = 29 | in(c1,x); 30 | if x = get_challenge 31 | then 32 | new n_t; 33 | out(c2,n_t); 34 | in(c3,y); 35 | let (xm_e,xm_m) = y in 36 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 37 | new k_t; 38 | let z = senc((n_t,xn_r,k_t),k_e) in 39 | out(c4,(z,mac(z,k_m))) 40 | else 0 41 | else out(c4,Error_6300). 42 | 43 | let system(k_e,k_m) = 44 | passport(c,k_e,k_m) | reader(c,k_e,k_m). 45 | 46 | let system_fresh = 47 | new k_e; new k_m; system(k_e,k_m). 48 | 49 | // Unlinkability 50 | 51 | let system_1111 = // system to compare with 52 | !^4 system_fresh. 53 | 54 | let system_22 = // attack 55 | !^2 new k_e; new k_m; !^2 system(k_e,k_m). 56 | 57 | let system_211 = // equivalence 58 | new k_e; new k_m; !^2 system(k_e,k_m) | !^2 system_fresh. 59 | 60 | let system_31 = // attack 61 | new k_e; new k_m; !^3 system(k_e,k_m) | system_fresh. 62 | 63 | let system_4 = // attack 64 | new k_e; new k_m; !^4 system(k_e,k_m). 65 | 66 | query session_equiv(system_1111,system_211). 67 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/BAC-4sessions-2fresh-double-inclusion.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c,d. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(c,k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(c,k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | let system(k_e,k_m) = 43 | passport(c,k_e,k_m) | reader(c,k_e,k_m). 44 | 45 | let system_fresh = 46 | new k_e; new k_m; system(k_e,k_m). 47 | 48 | // Unlinkability 49 | 50 | let system_1111 = // system to compare with 51 | !^4 system_fresh. 52 | 53 | let system_22 = // attack 54 | !^2 new k_e; new k_m; !^2 system(k_e,k_m). 55 | 56 | let system_211 = // equivalence 57 | new k_e; new k_m; !^2 system(k_e,k_m) | !^2 system_fresh. 58 | 59 | let system_31 = // attack 60 | new k_e; new k_m; !^3 system(k_e,k_m) | system_fresh. 61 | 62 | let system_4 = // attack 63 | new k_e; new k_m; !^4 system(k_e,k_m). 64 | 65 | 66 | query session_incl(system_1111,system_211). 67 | query session_incl(system_211,system_1111). 68 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/BAC-4sessions-2fresh-inclusion_pure.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c,d. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(c,k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(c,k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | new pure1; 39 | new pure2; 40 | out(c,(pure1,pure2)) 41 | else 0 42 | else out(c,Error_6300). 43 | 44 | let system(k_e,k_m) = 45 | passport(c,k_e,k_m) | reader(c,k_e,k_m). 46 | 47 | let system_fresh = 48 | new k_e; new k_m; system(k_e,k_m). 49 | 50 | // Unlinkability 51 | 52 | let system_1111 = // system to compare with 53 | !^4 system_fresh. 54 | 55 | let system_22 = // attack 56 | !^2 new k_e; new k_m; !^2 system(k_e,k_m). 57 | 58 | let system_211 = // equivalence 59 | new k_e; new k_m; !^2 system(k_e,k_m) | !^2 system_fresh. 60 | 61 | let system_31 = // attack 62 | new k_e; new k_m; !^3 system(k_e,k_m) | system_fresh. 63 | 64 | let system_4 = // attack 65 | new k_e; new k_m; !^4 system(k_e,k_m). 66 | 67 | 68 | query session_incl(system_211,system_1111). 69 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/BAC-4sessions-2fresh_pure.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c,d. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(c,k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(c,k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | new pure1; 39 | new pure2; 40 | out(c,(pure1,pure2)) 41 | else 0 42 | else out(c,Error_6300). 43 | 44 | let system(k_e,k_m) = 45 | passport(c,k_e,k_m) | reader(c,k_e,k_m). 46 | 47 | let system_fresh = 48 | new k_e; new k_m; system(k_e,k_m). 49 | 50 | // Unlinkability 51 | 52 | let system_1111 = // system to compare with 53 | !^4 system_fresh. 54 | 55 | let system_22 = // attack 56 | !^2 new k_e; new k_m; !^2 system(k_e,k_m). 57 | 58 | let system_211 = // equivalence 59 | new k_e; new k_m; !^2 system(k_e,k_m) | !^2 system_fresh. 60 | 61 | let system_31 = // attack 62 | new k_e; new k_m; !^3 system(k_e,k_m) | system_fresh. 63 | 64 | let system_4 = // attack 65 | new k_e; new k_m; !^4 system(k_e,k_m). 66 | 67 | 68 | query session_equiv(system_211,system_1111). 69 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/PrivateAuthentication-3sessions.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free ca1,ca2,ca3. 9 | free cb1,cb2,cb3. 10 | free c. 11 | 12 | free ska, skb, skc [private]. 13 | 14 | fun aenc/2. 15 | fun pk/1. 16 | 17 | reduc adec(aenc(x,pk(y)),y) -> x. 18 | 19 | /* 20 | Description of role A played: 21 | - on channel ca 22 | - by the agent with private key ska 23 | - with the agent with public key pkb 24 | */ 25 | 26 | let processA(ca,ska,pkb) = 27 | new na; 28 | out(ca,aenc((na,pk(ska)),pkb)); 29 | in(ca,x). 30 | 31 | 32 | /* 33 | Description of role B played: 34 | - on channel cb 35 | - by the agent with private key skb 36 | - with the agent with public key pka 37 | */ 38 | 39 | let processB(cb,skb,pka) = 40 | in(cb,yb); 41 | new nb; 42 | let (yna,=pka) = adec(yb,skb) in 43 | out(cb,aenc((yna,nb,pk(skb)),pka)) 44 | else 45 | new k; out(cb,k). 46 | 47 | /* 48 | Main 49 | */ 50 | 51 | let ProcessAB = 52 | out(c,pk(ska)); 53 | out(c,pk(skb)); 54 | out(c,pk(skc)); 55 | ( 56 | processA(ca1,ska,pk(skb)) | processB(cb1,skb,pk(ska)) | // B expects to talk to A 57 | processA(ca2,ska,pk(skb)) | processB(cb2,skb,pk(ska)) | // B expects to talk to A 58 | processA(ca3,skc,pk(ska)) | processB(cb3,ska,pk(skc)) // A expects to talk to C (C is not an intruder) 59 | ). 60 | 61 | let ProcessCB = 62 | out(c,pk(ska)); 63 | out(c,pk(skb)); 64 | out(c,pk(skc)); 65 | ( 66 | processA(ca1,skc,pk(skb)) | processB(cb1,skb,pk(skc)) | // B expects to talk to C 67 | processA(ca2,ska,pk(skb)) | processB(cb2,skb,pk(ska)) | // B expects to talk to A 68 | processA(ca3,skc,pk(ska)) | processB(cb3,ska,pk(skc)) // A expects to talk to C (C is not an intruder) 69 | ). 70 | 71 | 72 | query session_equiv(ProcessAB,ProcessCB). 73 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/bug1.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | fun mac/2. 3 | 4 | let A = 5 | new n_t; 6 | out(c,n_t). 7 | 8 | let B(k) = 9 | in(c,x); 10 | out(c,mac(x,k)). 11 | 12 | let sys = A | new k; !^2 B(k). 13 | 14 | query session_equiv(sys,sys). // equivalent 15 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/bug2.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | const ok. 3 | 4 | let passport = 5 | out(c,ok); 6 | in(c,x). 7 | 8 | let system1 = 9 | !^2 passport. 10 | 11 | let system2 = 12 | passport | passport. 13 | 14 | 15 | query session_equiv(system1,system2). // equivalent 16 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/bug3.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free d [private]. 3 | const ok,boom. 4 | 5 | let A = out(d,ok) | (in(d,x); out(c,ok)). 6 | let B = out(d,ok) | (in(d,x); out(c,boom)). 7 | 8 | let C = in(d,x) | (out(d,ok); out(c,ok)). 9 | let D = in(d,x) | (out(d,ok); out(c,boom)). 10 | 11 | let E = (in(d,x); out(c,ok)) | (out(d,ok); out(c,ok)). 12 | let F = (in(d,x); out(c,ok)) | (out(d,ok); out(c,boom)). 13 | 14 | query session_equiv(A,B). // attack found 15 | query session_equiv(C,D). // equivalent? wut? 16 | query session_equiv(E,F). // and attack found again. Problem of improper blocks? 17 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/bug4.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free d [private]. 3 | const ok,boom. 4 | 5 | let A = 6 | in(d,x) | 7 | in(d,x) | 8 | (out(d,ok); out(c,boom)) | 9 | (out(d,ok); out(c,ok)) | 10 | (in(c,x); out(c,ok); in(c,y); out(c,boom)). 11 | 12 | let B = 13 | in(d,x) | 14 | in(d,x) | 15 | (out(d,ok); out(c,boom)) | 16 | (out(d,ok); out(c,ok)) | 17 | (in(c,x); out(c,ok); in(c,y); out(c,ok)). 18 | 19 | query session_equiv(A,B). 20 | 21 | // note: !^2 in(d,x) | out(d,boom) induces priority 4 22 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/bug5.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free d[private]. 3 | 4 | let A1 = 5 | in(d,y); 6 | out(c,y). 7 | 8 | let A2 = 9 | in(d,y); 10 | in(c,z); 11 | let (z1,z2) = y in 12 | out(c,z1) 13 | else 14 | out(c,y). 15 | 16 | let B = 17 | in(c,x); 18 | out(d,x). 19 | 20 | query session_equiv(A1 | B,A2 | B). // Not equivalent 21 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/bug6.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free d[private]. 3 | 4 | let A1 = 5 | in(d,y); 6 | in(c,z); 7 | out(c,y). 8 | 9 | let A2 = 10 | in(d,y); 11 | in(c,z); 12 | let (z1,z2) = y in 13 | out(c,z1) 14 | else 15 | out(c,y). 16 | 17 | let B = 18 | in(c,x); 19 | out(d,x). 20 | 21 | query session_equiv(A1 | B,A2 | B). // Not equivalent 22 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/bug7.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free d[private]. 3 | 4 | let A1 = 5 | in(d,y); 6 | in(c,z); 7 | out(c,y). 8 | 9 | let A2 = 10 | in(d,y); 11 | in(c,z); 12 | let (z1,z2) = y in 13 | out(c,y) 14 | else 15 | out(c,y). 16 | 17 | let B = 18 | in(c,x); 19 | out(d,x). 20 | 21 | query session_equiv(A1 | B,A2 | B). // Not equivalent 22 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/bugSKremer.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free c. 9 | 10 | free ska, skb, skc [private]. 11 | 12 | fun aenc/2. 13 | fun pk/1. 14 | 15 | reduc adec(aenc(x,pk(y)),y) -> x. 16 | 17 | /* 18 | Description of role A played: 19 | - on channel ca 20 | - by the agent with private key ska 21 | - with the agent with public key pkb 22 | */ 23 | 24 | let processA(ca,ska,pkb) = 25 | new na; 26 | out(ca,aenc((na,pk(ska)),pkb)); 27 | in(ca,x). 28 | 29 | 30 | /* 31 | Description of role B played: 32 | - on channel cb 33 | - by the agent with private key skb 34 | - with the agent with public key pka 35 | */ 36 | 37 | let processB(cb,skb,pka) = 38 | in(cb,yb); 39 | new nb; 40 | let (yna,=pka) = adec(yb,skb) in 41 | out(cb,aenc((yna,nb,pk(skb)),pka)) 42 | else out(cb,aenc(nb,pk(skb))). 43 | 44 | /* 45 | Main 46 | */ 47 | 48 | let ProcessAB = 49 | out(c,pk(ska)); 50 | out(c,pk(skb)); 51 | out(c,pk(skc)); 52 | ( 53 | !^2 processA(c,ska,pk(skb)) | !^2 processB(c,skb,pk(ska)) 54 | ). 55 | 56 | let ProcessCB = 57 | out(c,pk(ska)); 58 | out(c,pk(skb)); 59 | out(c,pk(skc)); 60 | ( 61 | processA(c,skc,pk(skb)) | processB(c,skb,pk(skc)) | 62 | processA(c,ska,pk(skb)) | processB(c,skb,pk(ska)) 63 | ). 64 | 65 | 66 | query session_equiv(ProcessAB,ProcessCB). 67 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/bug_67.dps: -------------------------------------------------------------------------------- 1 | fun f/2. 2 | free a,b. 3 | free p,k [private]. 4 | 5 | let A(k) = new r; out(a,f(k,r)). 6 | let start = out(p,a). 7 | 8 | let P = start | A(a) | A(a). 9 | let Q = start | A(a) | A(b). 10 | 11 | query session_equiv(P,Q). // Should hold 12 | query trace_equiv(P,Q). // Should hold 13 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/bug_67_2.dps: -------------------------------------------------------------------------------- 1 | fun f/2. 2 | free a,b. 3 | free p,k [private]. 4 | 5 | let A(k) = out(a,k). 6 | let start = out(p,a). 7 | 8 | let P = start | A(a) | A(a). 9 | let Q = start | A(a) | A(b). 10 | 11 | query session_equiv(P,Q). // Should not hold 12 | query trace_equiv(P,Q). // Should not hold 13 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/destroyer.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | fun h/2. 3 | 4 | let P = in(c,x); in(c,y); out(c,h(x,y)). 5 | let Q = !^4 P. 6 | 7 | query session_equiv(Q,Q). 8 | 9 | /* Experiments (4 sessions) 10 | DEEPSEC trace: 11min 11 | Akiss: instant 12 | ProVerif: instant */ 13 | 14 | 15 | let PP = in(c,x); out(c,x). 16 | let QQ = !^6 PP. 17 | 18 | query session_equiv(QQ,QQ). 19 | 20 | /* Experiments (6 sessions) 21 | DEEPSEC trace: 12s 22 | Akiss: instant 23 | ProVerif: instant */ 24 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/display_trace1.dps: -------------------------------------------------------------------------------- 1 | // symmetric encryption. 2 | fun aenc/3. 3 | fun pk/1. 4 | reduc adec(aenc(x,y,pk(z)),z) -> x. 5 | 6 | free s [private]. 7 | free ca,cb,err. 8 | 9 | query session_equiv(out(ca,s),out(cb,s)). 10 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/fail_determinate.dps: -------------------------------------------------------------------------------- 1 | free a,b. 2 | 3 | 4 | let sys1 = out(a,a) | out(b,b). 5 | let sys2 = out(a,b) | out(b,a). 6 | 7 | query session_equiv(sys1,sys2). // non-equivalent 8 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/heuristic.dps: -------------------------------------------------------------------------------- 1 | free c, ok, error, get_challenge. 2 | 3 | fun enc/3. 4 | reduc dec(enc(x,y,z),z) -> x. 5 | 6 | let P(k) = 7 | new n; 8 | out(c,n); 9 | in(c,x); 10 | if dec(x,k) = n then out(c,ok) 11 | else out(c,error). 12 | 13 | let R(k) = 14 | in(c,n); 15 | new r; 16 | out(c,enc(n,r,k)). 17 | 18 | 19 | let S(k) = 20 | R(k) | P(k). 21 | 22 | let X = 23 | !^2 new k; S(k). 24 | 25 | let Y = 26 | new k; !^2 S(k). 27 | 28 | query session_equiv(X,Y). 29 | query session_equiv(Y,X). 30 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/improper1.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | fun mac/2. 3 | free a,b. 4 | 5 | let A = 6 | in(c,x); 7 | ( 8 | !^2 in(c,y); if y = x then out(c,a) else out(c,b) 9 | ). 10 | 11 | let sys = A. 12 | 13 | query session_equiv(sys,sys). // equivalent 14 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/inclusion_not_equiv.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | const ok. 3 | 4 | 5 | // This is **not** an actual counterexample (session inclusion does not hold because of the skeleton check) 6 | let P = 7 | new k; ( 8 | out(c,k) | 9 | in(c,x); 10 | let (y,z) = x in 11 | if y = k then 12 | if z = k then 13 | out(c,ok) 14 | ). 15 | 16 | let Q = 17 | new k; ( 18 | out(c,k) | 19 | in(c,x); 20 | let (y,z) = x in 21 | if y = k then 22 | out(c,ok) 23 | ). 24 | 25 | 26 | query trace_equiv(P,Q). 27 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/toy_bac/bac_mini_2sessions_false_attack.dps: -------------------------------------------------------------------------------- 1 | // other model of bac where the readers receive their key from the passports, 2 | // by private communication 3 | 4 | free c, ok, error. 5 | free auth [private]. 6 | 7 | fun enc/3. 8 | reduc dec(enc(x,y,z),z) -> x. 9 | 10 | let passport(k) = 11 | out(auth,k); 12 | new n; 13 | out(c,n); 14 | in(c,x); 15 | if dec(x,k) = n then out(c,ok) 16 | else out(c,error). 17 | 18 | let reader = 19 | in(auth,k); 20 | in(c,n); 21 | new r; 22 | out(c,enc(n,r,k)). 23 | 24 | let process11 = 25 | !^2 new k; passport(k) | 26 | !^2 reader. 27 | 28 | let process2 = 29 | new k; !^2 passport(k) | 30 | !^2 reader. 31 | 32 | query session_incl(process2,process11). // false attack 33 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/warning.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | fun mac/2. 3 | free a,b. 4 | 5 | let A = 6 | in(c,x); 7 | ( 8 | new k; 9 | new k; 10 | new kb; 11 | new kb; 12 | !^2 in(c,y); if y = x then out(c,k) else out(c,b) 13 | ). 14 | 15 | let sys = A. 16 | 17 | query session_equiv(sys,sys). // equivalent 18 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/session_equivalence/warning_and_error.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | fun mac/2. 3 | free a,b. 4 | 5 | let A = 6 | in(c,x); 7 | ( 8 | new k; 9 | new k; 10 | !^2 in(c,y); if y = x then out(c,ka) else out(c,b) 11 | ). 12 | 13 | let sys = A. 14 | 15 | query session_equiv(sys,sys). // equivalent 16 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/LAK06-UK3-pair.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability LAK with pairs - 2 sessions 2 | // In the CSF'18 paper about Tamarin/XOR, they studied the version with XOR, 3 | // and replacing the XOR with pair lead to a file on which Tamarin establish the equivalence. 4 | // Si success visible avec out(ok) alors non-equivalent 5 | // Si success non visible avec then 0 alors equivalent. 6 | // 7 | // R -> T: r0 8 | // T -> R: r1, h(r0 XOR r1 XOR k) 9 | // R -> T: h(h(r0 XOR r1 XOR k) XOR k XOR r0) 10 | // 11 | 12 | 13 | 14 | fun h/3. 15 | 16 | free cr. 17 | free ct. 18 | free ok. 19 | free ko. 20 | 21 | // Description of the reader role 22 | 23 | let reader(k) = 24 | new r0; 25 | out(cr,r0); 26 | in(cr,xr); 27 | let (xr1, xh) = xr in 28 | if xh = h(r0,xr1,k) then 29 | out(cr,h(xh,k,r0)). 30 | 31 | // Description of tag role 32 | 33 | let tag(k) = 34 | in(ct,xr0); 35 | new r1; 36 | out(ct,(r1,h(xr0,r1,k))); 37 | in(ct,y); 38 | if y = h(h(xr0,r1,k),k,xr0) then out(ct,ok). 39 | 40 | // Unlinkability 41 | 42 | let system1 = 43 | (new k1; (tag(k1) | reader(k1))) | 44 | (new k2; (tag(k2) | reader(k2))). 45 | 46 | let system2 = 47 | new k; 48 | ( 49 | tag(k) | reader(k) | 50 | tag(k) | reader(k) 51 | ). 52 | 53 | 54 | query trace_equiv(system1,system2). 55 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/Simple_10_par.dps: -------------------------------------------------------------------------------- 1 | // Benchmarks for POR 2 | // 10 IN.OUT in parallel 3 | 4 | // Channels 5 | free c0. 6 | free c1. 7 | free c2. 8 | free c3. 9 | free c4. 10 | free c5. 11 | free c6. 12 | free c7. 13 | free c8. 14 | free c9. 15 | 16 | // Public constant 17 | free ok. 18 | let P = 19 | new n0; 20 | new n1; 21 | new n2; 22 | new n3; 23 | new n4; 24 | new n5; 25 | new n6; 26 | new n7; 27 | new n8; 28 | new n9; 29 | (( in(c0, x); if x = ok then out(c0, n0) ) | 30 | ( in(c1, x); if x = ok then out(c1, n1) ) | 31 | ( in(c2, x); if x = ok then out(c2, n2) ) | 32 | ( in(c3, x); if x = ok then out(c3, n3) ) | 33 | ( in(c4, x); if x = ok then out(c4, n4) ) | 34 | ( in(c5, x); if x = ok then out(c5, n5) ) | 35 | ( in(c6, x); if x = ok then out(c6, n6) ) | 36 | ( in(c7, x); if x = ok then out(c7, n7) ) | 37 | ( in(c8, x); if x = ok then out(c8, n8) ) | 38 | ( in(c9, x); if x = ok then out(c9, n9) ) 39 | ). 40 | 41 | query trace_equiv(P,P). 42 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/Simple_1_par.dps: -------------------------------------------------------------------------------- 1 | // Benchmarks for POR 2 | // 1 IN.OUT in parallel 3 | 4 | // Channels 5 | free c0. 6 | 7 | // Public constant 8 | free ok. 9 | let P = 10 | new n0; 11 | ( 12 | ( in(c0, x); if x = ok then out(c0, n0) ) 13 | ). 14 | 15 | query trace_equiv(P,P). 16 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/Simple_2_par.dps: -------------------------------------------------------------------------------- 1 | // Benchmarks for POR 2 | // 2 IN.OUT in parallel 3 | 4 | // Channels 5 | free c0. 6 | free c1. 7 | 8 | // Public constant 9 | free ok. 10 | let P = 11 | new n0; 12 | new n1; 13 | (( in(c0, x); if x = ok then out(c0, n0) ) | 14 | ( in(c1, x); if x = ok then out(c1, n1) ) 15 | ). 16 | 17 | query trace_equiv(P,P). 18 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/Simple_3_par.dps: -------------------------------------------------------------------------------- 1 | // Benchmarks for POR 2 | // 3 IN.OUT in parallel 3 | 4 | // Channels 5 | free c0. 6 | free c1. 7 | free c2. 8 | 9 | // Public constant 10 | free ok. 11 | let P = 12 | new n0; 13 | new n1; 14 | new n2; 15 | (( in(c0, x); if x = ok then out(c0, n0) ) | 16 | ( in(c1, x); if x = ok then out(c1, n1) ) | 17 | ( in(c2, x); if x = ok then out(c2, n2) ) 18 | ). 19 | 20 | query trace_equiv(P,P). 21 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/Simple_4_par.dps: -------------------------------------------------------------------------------- 1 | // Benchmarks for POR 2 | // 4 IN.OUT in parallel 3 | 4 | // Channels 5 | free c0. 6 | free c1. 7 | free c2. 8 | free c3. 9 | 10 | // Public constant 11 | free ok. 12 | let P = 13 | new n0; 14 | new n1; 15 | new n2; 16 | new n3; 17 | (( in(c0, x); if x = ok then out(c0, n0) ) | 18 | ( in(c1, x); if x = ok then out(c1, n1) ) | 19 | ( in(c2, x); if x = ok then out(c2, n2) ) | 20 | ( in(c3, x); if x = ok then out(c3, n3) ) 21 | ). 22 | 23 | query trace_equiv(P,P). 24 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/Simple_5_par.dps: -------------------------------------------------------------------------------- 1 | // Benchmarks for POR 2 | // 5 IN.OUT in parallel 3 | 4 | // Channels 5 | free c0. 6 | free c1. 7 | free c2. 8 | free c3. 9 | free c4. 10 | 11 | // Public constant 12 | free ok. 13 | let P = 14 | new n0; 15 | new n1; 16 | new n2; 17 | new n3; 18 | new n4; 19 | (( in(c0, x); if x = ok then out(c0, n0) ) | 20 | ( in(c1, x); if x = ok then out(c1, n1) ) | 21 | ( in(c2, x); if x = ok then out(c2, n2) ) | 22 | ( in(c3, x); if x = ok then out(c3, n3) ) | 23 | ( in(c4, x); if x = ok then out(c4, n4) ) 24 | ). 25 | 26 | query trace_equiv(P,P). 27 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/Simple_6_par.dps: -------------------------------------------------------------------------------- 1 | // Benchmarks for POR 2 | // 6 IN.OUT in parallel 3 | 4 | // Channels 5 | free c0. 6 | free c1. 7 | free c2. 8 | free c3. 9 | free c4. 10 | free c5. 11 | 12 | // Public constant 13 | free ok. 14 | let P = 15 | new n0; 16 | new n1; 17 | new n2; 18 | new n3; 19 | new n4; 20 | new n5; 21 | (( in(c0, x); if x = ok then out(c0, n0) ) | 22 | ( in(c1, x); if x = ok then out(c1, n1) ) | 23 | ( in(c2, x); if x = ok then out(c2, n2) ) | 24 | ( in(c3, x); if x = ok then out(c3, n3) ) | 25 | ( in(c4, x); if x = ok then out(c4, n4) ) | 26 | ( in(c5, x); if x = ok then out(c5, n5) ) 27 | ). 28 | 29 | query trace_equiv(P,P). 30 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/Simple_7_par.dps: -------------------------------------------------------------------------------- 1 | // Benchmarks for POR 2 | // 7 IN.OUT in parallel 3 | 4 | // Channels 5 | free c0. 6 | free c1. 7 | free c2. 8 | free c3. 9 | free c4. 10 | free c5. 11 | free c6. 12 | 13 | // Public constant 14 | free ok. 15 | let P = 16 | new n0; 17 | new n1; 18 | new n2; 19 | new n3; 20 | new n4; 21 | new n5; 22 | new n6; 23 | (( in(c0, x); if x = ok then out(c0, n0) ) | 24 | ( in(c1, x); if x = ok then out(c1, n1) ) | 25 | ( in(c2, x); if x = ok then out(c2, n2) ) | 26 | ( in(c3, x); if x = ok then out(c3, n3) ) | 27 | ( in(c4, x); if x = ok then out(c4, n4) ) | 28 | ( in(c5, x); if x = ok then out(c5, n5) ) | 29 | ( in(c6, x); if x = ok then out(c6, n6) ) 30 | ). 31 | 32 | query trace_equiv(P,P). 33 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/Simple_8_par.dps: -------------------------------------------------------------------------------- 1 | // Benchmarks for POR 2 | // 8 IN.OUT in parallel 3 | 4 | // Channels 5 | free c0. 6 | free c1. 7 | free c2. 8 | free c3. 9 | free c4. 10 | free c5. 11 | free c6. 12 | free c7. 13 | 14 | // Public constant 15 | free ok. 16 | let P = 17 | new n0; 18 | new n1; 19 | new n2; 20 | new n3; 21 | new n4; 22 | new n5; 23 | new n6; 24 | new n7; 25 | (( in(c0, x); if x = ok then out(c0, n0) ) | 26 | ( in(c1, x); if x = ok then out(c1, n1) ) | 27 | ( in(c2, x); if x = ok then out(c2, n2) ) | 28 | ( in(c3, x); if x = ok then out(c3, n3) ) | 29 | ( in(c4, x); if x = ok then out(c4, n4) ) | 30 | ( in(c5, x); if x = ok then out(c5, n5) ) | 31 | ( in(c6, x); if x = ok then out(c6, n6) ) | 32 | ( in(c7, x); if x = ok then out(c7, n7) ) 33 | ). 34 | 35 | query trace_equiv(P,P). 36 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/Simple_9_par.dps: -------------------------------------------------------------------------------- 1 | // Benchmarks for POR 2 | // 9 IN.OUT in parallel 3 | 4 | // Channels 5 | free c0. 6 | free c1. 7 | free c2. 8 | free c3. 9 | free c4. 10 | free c5. 11 | free c6. 12 | free c7. 13 | free c8. 14 | 15 | // Public constant 16 | free ok. 17 | let P = 18 | new n0; 19 | new n1; 20 | new n2; 21 | new n3; 22 | new n4; 23 | new n5; 24 | new n6; 25 | new n7; 26 | new n8; 27 | (( in(c0, x); if x = ok then out(c0, n0) ) | 28 | ( in(c1, x); if x = ok then out(c1, n1) ) | 29 | ( in(c2, x); if x = ok then out(c2, n2) ) | 30 | ( in(c3, x); if x = ok then out(c3, n3) ) | 31 | ( in(c4, x); if x = ok then out(c4, n4) ) | 32 | ( in(c5, x); if x = ok then out(c5, n5) ) | 33 | ( in(c6, x); if x = ok then out(c6, n6) ) | 34 | ( in(c7, x); if x = ok then out(c7, n7) ) | 35 | ( in(c8, x); if x = ok then out(c8, n8) ) 36 | ). 37 | 38 | query trace_equiv(P,P). 39 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/WMF-bug.dps: -------------------------------------------------------------------------------- 1 | free a. 2 | free b. 3 | free i. 4 | free kis. 5 | free m1. 6 | free m2. 7 | free ca. 8 | free cb. 9 | free cs. 10 | 11 | fun senc/2. 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | let processA(ca,a,kas,b) = 15 | new kab; 16 | in(ca,z); 17 | out(ca, (a, senc((b,kab),kas))). 18 | 19 | let processS(cs,a,b,kas,kbs) = 20 | in(cs, x); 21 | let (xa,xenc) = x in 22 | if xa = a then 23 | let (xb,xk) = sdec(xenc,kas) in 24 | if xb = b 25 | then out(cs, senc((a,xk),kbs)). 26 | 27 | let processB1(cb,b,a,kbs) = 28 | in(cb,y); 29 | let (ya,yk) = sdec(y,kbs) in 30 | if ya = a then out(cb,senc(m1,yk)). 31 | 32 | let processB2(cb,b,a,kbs) = 33 | in(cb,y); 34 | let (ya,yk) = sdec(y,kbs) in 35 | if ya = a then new k; out(cb,senc(m2,k)). 36 | 37 | 38 | let P = 39 | new kas; new kbs; 40 | ( processS(cs,i,b,kis,kbs) | processB1(cb,b,i,kbs)). 41 | 42 | 43 | let Q = 44 | new kas; new kbs; 45 | ( processS(cs,i,b,kis,kbs) | processB2(cb,b,i,kbs)). 46 | 47 | 48 | query trace_equiv(P,Q). 49 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/bug_59.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | 3 | fun sign/2. 4 | fun pk/1. 5 | 6 | reduc verify(sign(m, sk), m, pk(sk)) -> m. 7 | 8 | // Sign what is received on Channel c and 9 | // additionally pass public key back on c 10 | let ProcessA(c) = 11 | in(c, msg); 12 | new sk; 13 | out(c, (sign(msg, sk), pk(sk))). 14 | 15 | // Simply receive and do nothing 16 | let ProcessB(c) = 17 | in(c, msg). 18 | 19 | let Process = ProcessA(c) | ProcessB(c). 20 | query trace_equiv(Process, Process). 21 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/bug_59_2.dps: -------------------------------------------------------------------------------- 1 | free c1, c2. 2 | 3 | fun sign/2. 4 | fun pk/1. 5 | 6 | let ProcessA(c1) = 7 | in(c1, msg); 8 | new sk; 9 | out(c1, (sign(msg, sk), pk(sk))). 10 | 11 | let ProcessB(c1, c2) = 12 | in(c2, msg); 13 | let (x, y, z) = msg in 14 | out(c1, z). 15 | 16 | let ProcessC(c1, c2) = 17 | in(c2, msg); 18 | out(c1, msg). 19 | 20 | let Process = 21 | ProcessA(c2) | !^2 ProcessB(c2, c1) | ProcessC(c2, c1). 22 | 23 | query trace_equiv(Process, Process). 24 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/bug_69.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | 3 | free x. 4 | reduc f(x) -> x. // here [x] is parsed as a variable, i.e. [f(c) = c]. Note that if we wrote f(z) -> x, [x] would be parsed as a constant 5 | query trace_equiv(out(c,c),out(c,f(c))). 6 | 7 | const y. 8 | reduc g(y) -> y. // here [y] is parsed as a constant, i.e. [g(c)] fails 9 | query trace_equiv(out(c,c),out(c,g(c))). 10 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/bug_70.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | 3 | const double. 4 | 5 | /* bug */ 6 | reduc test((x,x)) -> double. 7 | let A(x,y) = if test((x,y)) = double then out(c,c). 8 | 9 | /* no bug */ 10 | /* reduc test(x,x) -> double. 11 | let A(x,y) = if test(x,y) = double then out(c,c). */ 12 | 13 | // a query to avoid an error but the bug is independent of it 14 | let P = out(c,c). 15 | query trace_equiv(P,P). 16 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/bug_71.dps: -------------------------------------------------------------------------------- 1 | 2 | free c. 3 | free s [private]. 4 | const s0 [private]. 5 | const s1 [private]. 6 | 7 | reduc 8 | update(s0) -> s1; 9 | update(s1) -> s0. 10 | 11 | let system1 = 12 | out(c, s0); out(c,s1). 13 | 14 | let system2 = 15 | new state; out(c, s0); out(c, state). 16 | 17 | query trace_equiv(system1, system2). 18 | (* Not trace equivalent hence one could deduce the specific activity *) -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/bug_71_Passive-ActivityTracking-State.dps: -------------------------------------------------------------------------------- 1 | // Activity Inference: Passive attack Traffic Analysis BLE Analysis 2 | 3 | free c. 4 | free p [private].//For protocol communication 5 | free s [private].//To update state 6 | free request, granted.//Requests for connection 7 | const s0, s1 [private]. 8 | 9 | reduc 10 | update(s0) -> s1; 11 | update(s1) -> s0. 12 | 13 | let device1 = 14 | out(p, request). 15 | 16 | let device2 = 17 | in(s, state); in(p, x); out(c, update(state)); out(p, granted); out(s, update(state)). 18 | 19 | let system1 = 20 | out(s, s0); out(c, s0); device1 | device2. 21 | 22 | let system2 = 23 | new state; out(c, s0); out(c, state). 24 | 25 | query trace_equiv(system1, system2). 26 | (* Not trace equivalent hence one could deduce the specific activity *) -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/bug_72_simulator_BAC.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability for BAC-UK Version 2 | (* 3 | BAC-UK Version 4 | Reader -> Tag: getChallenge 5 | Tag -> Reader: nT 6 | Reader -> Tag: senc((nR, nT, kR), kE), mac(senc((nR, nT, kR), kE), kM) 7 | Tag -> Reader: senc((nT, nR, kT), kE), mac(senc((nT, nR, kT), kE), kM) 8 | *) 9 | 10 | free c. 11 | free error. 12 | free getChallenge. 13 | 14 | fun senc/2. 15 | fun mac/2. 16 | 17 | reduc sdec(senc(x,y),y) -> x. 18 | 19 | 20 | let reader(ke, km) = 21 | out(c,getChallenge); 22 | in(c, x); 23 | new nr; 24 | new kr; 25 | let m = senc((nr, x, kr), ke) in 26 | out(c, (m, mac(m, km))); 27 | in(c, y). 28 | 29 | 30 | let tag(ke, km) = 31 | in(c,x); 32 | if x = getChallenge 33 | then 34 | new nt; 35 | new kt; 36 | out(c,nt); 37 | in(c,y); 38 | let (xe, xm) = y in 39 | if xm = mac(xe, km) 40 | then 41 | let (nr, =nt, kr) = sdec(xe, ke) in 42 | let m = senc((nt, nr, kt), ke) in 43 | out(c, (m, mac(m, km))) 44 | else 45 | out(c, error) 46 | else out(c, error) 47 | else out(c, error). 48 | 49 | let system(ke,km) = 50 | reader(ke,km) | tag(ke,km). 51 | 52 | let system1 = 53 | !^2 new ke; new km; system(ke,km). 54 | 55 | let system2 = 56 | new ke; new km; !^2 system(ke,km). 57 | 58 | query trace_equiv(system1,system2). -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/bug_itsaka.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | fun mac/2. 3 | 4 | let A = 5 | new n_t; 6 | out(c,n_t). 7 | 8 | let B(k) = 9 | in(c,n_t); 10 | out(c,mac(n_t,k)). 11 | 12 | let sys = !^2 A | new k; !^2 B(k). 13 | 14 | query trace_equiv(sys,sys). 15 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/bug_itsaka2.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | fun mac/2. 3 | 4 | let A = 5 | new n_t; 6 | out(c,n_t). 7 | 8 | let B(k) = 9 | in(c,n_t); 10 | out(c,mac(n_t,k)). 11 | 12 | let sys = A | A | new k; (B(k) | B(k)). 13 | 14 | query trace_equiv(sys,sys). 15 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/bug_itsaka3.dps: -------------------------------------------------------------------------------- 1 | // symmetric encryption. 2 | fun aenc/3. 3 | fun pk/1. 4 | reduc adec(aenc(x,y,pk(z)),z) -> x. 5 | 6 | free s [private]. 7 | free ca,cb,err. 8 | 9 | let A(err_ch) = 10 | new r; out(ca,aenc(s,r,pk(s))); 11 | in(ca,x); // no internal error with cb instead of ca 12 | let y = adec(x,s) in out(err_ch,ca). // no internal error with ca instead of err_ch 13 | 14 | let B = 15 | in(cb,x); 16 | new r; 17 | out(cb,aenc(adec(x,s),r,pk(s))). 18 | 19 | 20 | let P = A(err) | B. 21 | let Q = A(ca) | B. 22 | 23 | query trace_equiv(P,Q). 24 | query trace_equiv(Q,P). 25 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/choice.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free c1,c2,ok,ko,ok1,ko1. 3 |            4 | fun h/2. 5 | 6 | let P = 7 | ( out(c,ok); out(c,ok)) + (new k; out(c,ko); out(c,ko) + new k'; out(c,ko); out(c,ok)). 8 | 9 | let Q = 10 | ( out(c,ok) + (new k; out(c,ko) + new k'; out(c,ko))). 11 | 12 | 13 | query trace_equiv(P,Q). 14 | 15 | (* Should not be equivalent *) 16 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/choice2.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free c1,c2,ok,ko,ok1,ko1. 3 |            4 | fun h/2. 5 | 6 | let P = 7 | ( out(c,ok); out(c,ok)) + (new k; out(c,ok); out(c,ko) + new k'; out(c,ok); out(c,ok)). 8 | 9 | let Q = 10 | ( out(c,ok);new k';0 + (new k; out(c,ok); new k';0 + new k'; out(c,ok); new k';0)). 11 | 12 | 13 | query trace_equiv(P,Q). 14 | 15 | (* Should not be equivalent *) 16 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/determinate_else.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free c1,c2,ok,ko,ok1,ko1. 3 |            4 | fun h/2. 5 | 6 | let P = new a; in(c,x); ( 7 | (if x = a then out(c1,ok)) 8 | | out(c2,ok)). 9 | 10 | let Q = new a; in(c,x); ( 11 | (if x = a then out(c1,ok)) 12 | | out(c2,ko)). 13 | 14 | query trace_equiv(P,Q). 15 | 16 | (* Should not be equivalent *) 17 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/elsebranchdisplay.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free ok,ko. 3 |            4 | fun h/2. 5 | 6 | let P = 7 | in(c,x); 8 | if x = ok 9 | then out(c,ok) 10 | else out(c,ko). 11 | 12 | 13 | 14 | query trace_equiv(P|P,P|P). 15 | 16 | (* Should be equivalent *) 17 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/equality_constructor.dps: -------------------------------------------------------------------------------- 1 | free c. 2 |            3 | fun h/2. 4 | 5 | let P = new a; new b; out(c,h(a,b)); out(c,a); out(c,b). 6 | let Q = new a; new b; new d; out(c,h(a,b)); out(c,a); out(c,d). 7 | 8 | query trace_equiv(P,Q). 9 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/equivalent.dps: -------------------------------------------------------------------------------- 1 | free i. 2 | free kis. 3 | free cb, cs. 4 | 5 | fun senc/2. 6 | reduc sdec(senc(x,y),y) -> x. 7 | 8 | let processS(cs,kbs) = 9 | in(cs,x); 10 | out(cs, senc(i,kbs)). 11 | 12 | 13 | let processB1(cb,kbs) = 14 | in(cb,y); 15 | let yk = sdec(y,kbs) in 16 | out(cb,yk). 17 | 18 | let processB2(cb,kbs) = 19 | in(cb,y); 20 | let yk = sdec(y,kbs) in 21 | new k; out(cb,k). 22 | 23 | 24 | let P = 25 | new kbs; 26 | ( processS(cs,kbs) 27 | | processB1(cb,kbs)). 28 | 29 | 30 | let Q = 31 | new kbs; 32 | ( processS(cs,kbs) 33 | | processB2(cb,kbs)). 34 | 35 | 36 | query trace_equiv(P,Q). 37 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/equivalent2.dps: -------------------------------------------------------------------------------- 1 | free i. 2 | free kis. 3 | free cb, cs. 4 | 5 | fun senc/2. 6 | reduc sdec(senc(x,y),y) -> x. 7 | 8 | let processS(cs,kbs) = 9 | in(cs,x); 10 | out(cs, senc(i,kbs)). 11 | 12 | 13 | let processB1(cb,kbs) = 14 | in(cb,y); 15 | out(cb,y). 16 | 17 | let processB2(cb,kbs) = 18 | in(cb,y); 19 | new k; out(cb,k). 20 | 21 | 22 | let P = 23 | new kbs ; 24 | ( processS(cs,kbs) 25 | | processB1(cb,kbs)). 26 | 27 | 28 | let Q = 29 | new kbs ; 30 | ( processS(cs,kbs) 31 | | processB2(cb,kbs)). 32 | 33 | 34 | query trace_equiv(P,Q). 35 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/equivalent3.dps: -------------------------------------------------------------------------------- 1 | free i. 2 | free kis, kis1. 3 | free cb, cs, c. 4 | 5 | 6 | let P = in(cs,x); (in(c,y); out(c,i) | in(cs,z); out(cs,kis)). 7 | 8 | let Q = in(cs,x); (in(c,y); out(c,i) | in(cs,z); out(cs,kis1)). 9 | 10 | 11 | query trace_equiv(P,Q). 12 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/example_0.dps: -------------------------------------------------------------------------------- 1 | free c. 2 |            3 | fun sign/2. 4 | fun vk/1. 5 | reduc check(sign(x,y),vk(y)) -> x. 6 | 7 | let P_1 = new a; new b; new k; out(c,a); out(c,b); out(c,vk(k)); out(c,sign(a,k)). 8 | 9 | let P_2 = new a; new b; new k; out(c,a); out(c,b); out(c,vk(k)); out(c,sign(b,k)). 10 | 11 | query trace_equiv(P_1,P_2). 12 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/example_1.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free a. 3 | 4 | let P_1 = in(c,x); out(c,a) ; in(c,y); out(c,a). 5 | 6 | let P_2 = in(c,x);out(c,a) | in(c,x); out(c,a). 7 | 8 | query trace_equiv(P_1,P_2). 9 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/example_2.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free a. 3 | 4 | let P_1 = in(c,x); out(c,a)| in(c,y); out(c,a). 5 | 6 | let P_2 = in(c,x);out(c,a) | in(c,x); out(c,a). 7 | 8 | query trace_equiv(P_1,P_2). 9 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/example_3.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | 3 | fun senc/2. 4 | fun pk/1. 5 | 6 | reduc sdec(senc(x,y),y) -> x. 7 | 8 | let process_1 = 9 | new k_ab; 10 | ( 11 | (new x; out(c,senc(x,k_ab)); in(c,y); if sdec(y,k_ab) = pk(x) then out(c,c)) 12 | | 13 | (in(c,z); 14 | let x = sdec(z,k_ab) in 15 | out(c,senc(pk(x),k_ab))) 16 | | 17 | out(c,k_ab) 18 | ). 19 | 20 | let process_2 = 21 | new k_ab; 22 | ( 23 | (new x; out(c,senc(x,k_ab)); in(c,y); if sdec(y,k_ab) = pk(x) then out(c,c)) 24 | | 25 | in(c,z); 26 | let x = sdec(z,k_ab) in 27 | out(c,senc(pk(x),k_ab)) 28 | | 29 | new m; out(c,m) 30 | ). 31 | 32 | query trace_equiv(process_1,process_2). 33 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/example_constant.dps: -------------------------------------------------------------------------------- 1 | free c. 2 |            3 | fun sign/2. 4 | fun vk/1. 5 | const true. 6 | reduc check(sign(x,y),vk(y)) -> true. 7 | 8 | fun h/2. 9 | reduc test(x,h(y,y)) -> x. 10 | 11 | let P_1 = new a; new b; new k; out(c,a); out(c,b); out(c,vk(k)); out(c,sign(a,k)). 12 | 13 | let P_2 = new a; new b; new k; out(c,a); out(c,b); out(c,vk(k)); out(c,sign(b,(k,k))). 14 | 15 | query trace_equiv(P_1,P_2). 16 | 17 | let P_3 = new a; new b; new k; out(c,a); out(c,h(b,b)). 18 | 19 | let P_4 = new a; new b; new k; out(c,a); out(c,k). 20 | 21 | let P_5 = new a; new b; new k; out(c,a); out(c,h(a,b)). 22 | 23 | let P_6 = new a; new b; new k; out(c,a); out(c,h(a,k)). 24 | 25 | query trace_equiv(P_3,P_4). 26 | 27 | query trace_equiv(P_3,P_5). 28 | 29 | query trace_equiv(P_4,P_5). 30 | 31 | query trace_equiv(P_6,P_5). 32 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/get_public_key_bug.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | 3 | fun f/2. 4 | fun g/1. 5 | reduc h(f(x,g(y))) -> g(y). 6 | 7 | let P = new k; out(c,f(c,g(k))). 8 | 9 | query trace_equiv(P,P). 10 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/history_skeletons.dps: -------------------------------------------------------------------------------- 1 | free c. 2 |            3 | fun sign/2. 4 | fun vk/1. 5 | reduc check(sign(x,y),vk(y)) -> x. 6 | 7 | let P_1 = !^4 new a; new b; new k; out(c,a); out(c,b); out(c,vk(k)); out(c,sign(a,k)). 8 | 9 | query trace_equiv(P_1,P_1). 10 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/loli_destroyer.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | fun h/2. 3 | 4 | let P = in(c,x); in(c,y); out(c,h(x,y)). 5 | 6 | let Q = !^4 P. 7 | 8 | query trace_equiv(Q,Q). 9 | 10 | /* Experiments (4 sessions) 11 | DEEPSEC: 11min 12 | Akiss: instant 13 | ProVerif: instant */ 14 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/loli_destroyer2.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | fun h/2. 3 | 4 | let P = in(c,x); out(c,x). 5 | 6 | let Q = !^2 P. 7 | 8 | query trace_equiv(Q,Q). 9 | 10 | /* Experiments (4 sessions) 11 | DEEPSEC: 11min 12 | Akiss: instant 13 | ProVerif: instant */ 14 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/non-equivalent.dps: -------------------------------------------------------------------------------- 1 | free i. 2 | free kis. 3 | free cb, cs. 4 | 5 | fun senc/2. 6 | reduc sdec(senc(x,y),y) -> x. 7 | 8 | let processS(cs,kbs) = 9 | out(cs, senc(i,kbs)). 10 | 11 | 12 | let processB1(cb,kbs) = 13 | in(cb,y); 14 | let yk = sdec(y,kbs) in 15 | out(cb,yk). 16 | 17 | let processB2(cb,kbs) = 18 | in(cb,y); 19 | let yk = sdec(y,kbs) in 20 | new k; out(cb,k). 21 | 22 | 23 | let P = 24 | new kbs; 25 | ( processS(cs,kbs) 26 | | processB1(cb,kbs)). 27 | 28 | 29 | let Q = 30 | new kbs; 31 | ( processS(cs,kbs) 32 | | processB2(cb,kbs)). 33 | 34 | 35 | query trace_equiv(P,Q). 36 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/nonequivalentnoaction.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free c1,c2,ok,ko,ok1,ko1. 3 |            4 | fun h/2. 5 | 6 | let P = out(c,ok); out(c,ok). 7 | 8 | let Q = out(c,ok); new k; 0. 9 | 10 | 11 | query trace_equiv(P,Q). 12 | query trace_equiv(Q,P). 13 | 14 | (* Should not be equivalent *) 15 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/nonequivalentnoaction2.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free c1,c2,ok,ko,ok1,ko1. 3 |            4 | fun h/2. 5 | 6 | let P = out(c,ok); out(c,ok). 7 | 8 | let Q = out(c,ok); new d; (in(d,x); new k; in(c,y) | out(d,ko)). 9 | 10 | 11 | query trace_equiv(P,Q). 12 | 13 | (* Should not be equivalent *) 14 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/not_static_message.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | 3 | fun enc/2. 4 | 5 | reduc 6 | dec(enc(x,y),y) -> x. 7 | 8 | 9 | let P = new k; new a; out(c,enc(a,k)); out(c,k). 10 | 11 | let Q = new k; new k'; new a; out(c,enc(a,k)); out(c,k'). 12 | 13 | 14 | query trace_equiv(P,Q). 15 | 16 | (* Should not be equivalent *) 17 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/pap-1-session.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free c. 9 | 10 | free ska, skb, skc [private]. 11 | 12 | fun aenc/2. 13 | fun pk/1. 14 | 15 | reduc adec(aenc(x,pk(y)),y) -> x. 16 | reduc getpk(aenc(x,pk(y))) -> pk(y). 17 | 18 | /* 19 | Description of role A played: 20 | - by the agent with private key ska 21 | - with the agent with public key pkb 22 | */ 23 | 24 | let processA(ska,pkb) = 25 | new na; 26 | out(c,aenc((na,pk(ska)),pkb)); 27 | in(c,x). 28 | 29 | 30 | /* 31 | Description of role B played: 32 | - by the agent with private key skb 33 | - with the agent with public key pka 34 | */ 35 | 36 | let processB(skb,pka) = 37 | in(c,yb); 38 | new nb; 39 | let (yna,xpka) = adec(yb,skb) in 40 | if xpka=pka then 41 | out(c,aenc((yna,nb,pk(skb)),pka)) 42 | else out(c,aenc(nb,xpka)). 43 | 44 | /* 45 | Main 46 | */ 47 | 48 | let ProcessAB = 49 | out(c,pk(ska)); 50 | out(c,pk(skb)); 51 | out(c,pk(skc)); 52 | ( 53 | processA(ska,pk(skb)) | processB(skb,pk(ska)) 54 | ). 55 | 56 | let ProcessCB = 57 | out(c,pk(ska)); 58 | out(c,pk(skb)); 59 | out(c,pk(skc)); 60 | ( 61 | processA(skc,pk(skb)) | processB(skb,pk(skc)) 62 | ). 63 | 64 | 65 | query trace_equiv(ProcessAB,ProcessCB). 66 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/private_function1.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free k [private]. 3 | fun h/1 [private]. 4 | fun g/1 [private]. 5 | free a. 6 | 7 | reduc get_inside(h(x)) -> x. 8 | reduc get_inside_priv(g(x)) -> x [private]. 9 | 10 | let P_1 = new b; out(c,b). 11 | 12 | let P_2 = out(c,k). 13 | 14 | let P_3 = out(c,h(a)). 15 | 16 | let P_4 = out(c,g(a)). 17 | 18 | query trace_equiv(P_1,P_2). 19 | 20 | query trace_equiv(P_1,P_3). 21 | 22 | query trace_equiv(P_1,P_4). 23 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/private_names.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | 3 | fun enc/2. 4 | 5 | reduc 6 | dec(enc(x,y),y) -> x. 7 | 8 | 9 | let P = new k; new k'; new a; out(c,enc(a,k)); out(c,k'). 10 | 11 | let Q = new k; new k'; new a; 12 | new a1; 13 | new a2; 14 | new a3; 15 | new a4; 16 | new a5; 17 | new a6; 18 | new adzf1; 19 | new azadza2; 20 | new adaed3; 21 | new aada4; 22 | new aade5; 23 | new aad6; 24 | out(c,enc(a,k)); out(c,k'); out(c,a1); out(c,a2); out(c,a3); out(c,a4); out(c,a5); out(c,a6); 25 | out(c,adzf1); out(c,azadza2); out(c,adaed3); out(c,aada4); out(c,aade5); out(c,aad6). 26 | 27 | 28 | query trace_equiv(P,Q). 29 | 30 | (* Should not be equivalent *) 31 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/test_mergin_branch1.dps: -------------------------------------------------------------------------------- 1 | free c,a,b,ok,ko. 2 | 3 | fun senc/2. 4 | fun pk/1. 5 | 6 | reduc sdec(senc(x,y),y) -> x. 7 | 8 | fun h/2. 9 | 10 | let process_1 = 11 | in(c,x); 12 | if x = a 13 | then 14 | if x = b 15 | then out(c,ok) 16 | else out(c,ko) 17 | else out(c,ko). 18 | 19 | let process_2 = 20 | in(c,x); 21 | out(c,ok). 22 | 23 | query trace_equiv(process_1,process_2). 24 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/test_mergin_branch2.dps: -------------------------------------------------------------------------------- 1 | free c,a,b,ok,ko. 2 | 3 | fun senc/2. 4 | fun pk/1. 5 | 6 | reduc sdec(senc(x,y),y) -> x. 7 | 8 | fun h/2. 9 | 10 | let process_1 = 11 | in(c,x); 12 | if x = a 13 | then 14 | if x = b 15 | then 0 16 | else out(c,ko) 17 | else out(c,ko). 18 | 19 | let process_2 = 20 | in(c,x); 21 | out(c,ok). 22 | 23 | query trace_equiv(process_1,process_2). 24 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/test_subterm1.dps: -------------------------------------------------------------------------------- 1 | /* the rewrite system is not subterm, Deepsec should return an error. */ 2 | 3 | free a,b,c. 4 | fun f/1. 5 | fun h/1. 6 | 7 | reduc 8 | dec(h(x),y) -> f(x); 9 | dec(x,y) -> y. -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/test_subterm2.dps: -------------------------------------------------------------------------------- 1 | /* the rewrite system is convergent, Deepsec should say nothing. */ 2 | 3 | free a,b,c. 4 | fun f/1. 5 | fun h/1. 6 | 7 | reduc 8 | dec(h(x),y) -> h(x); 9 | dec(x,y) -> x. -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/test_subterm3.dps: -------------------------------------------------------------------------------- 1 | /* the rewrite system is not convergent, Deepsec should return an error. */ 2 | 3 | free a,b,c. 4 | fun f/1. 5 | fun h/1. 6 | 7 | reduc 8 | dec(h(x),y) -> h(x); 9 | dec(x,y) -> x. -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/test_subterm4.dps: -------------------------------------------------------------------------------- 1 | /* the rewrite system is not convergent, Deepsec should return an error. */ 2 | 3 | free a,b,c. 4 | fun f/1. 5 | fun h/1. 6 | 7 | reduc 8 | dec(h(x),y) -> h(x); 9 | dec(x,y) -> y. -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/trace_inclusion.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free a. 3 | free k [private]. 4 | fun h/1. 5 | fun g/1. 6 | 7 | let P_1 = new b; out(c,b) | out(c,a). 8 | 9 | let P_2 = out(c,k). 10 | 11 | let P_3 = out(c,h(a)). 12 | 13 | let P_4 = out(c,g(a)). 14 | 15 | query trace_equiv(P_1,P_2). 16 | 17 | query trace_incl(P_1,P_3). 18 | 19 | query trace_equiv(P_1,P_4). 20 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/tuple.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | free a,b. 3 | 4 | let P = in(c,x); out(c,x); if x = (a,b) then out(c,a). 5 | 6 | let Q = in(c,x); out(c,(a,b)). 7 | 8 | let Q1 = in(c,x); out(c,(a,b)); if x = (a,b) then out(c,a). 9 | 10 | query trace_equiv(P+Q,Q1+P). 11 | 12 | (* Should be equivalent ! *) 13 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/warning.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | fun mac/2. 3 | free a,b. 4 | 5 | let A = 6 | in(c,x); 7 | ( 8 | new k; 9 | new k; 10 | new kb; 11 | new kb; 12 | !^2 in(c,y); if y = x then out(c,k) else out(c,b) 13 | ). 14 | 15 | let sys = A. 16 | 17 | query session_equiv(sys,sys). // equivalent 18 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/warning_and_error.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | fun mac/2. 3 | free a,b. 4 | 5 | let A = 6 | in(c,x); 7 | ( 8 | new k; 9 | new k; 10 | !^2 in(c,y); if y = x then out(c,ka) else out(c,b) 11 | ). 12 | 13 | let sys = A. 14 | 15 | query session_equiv(sys,sys). // equivalent 16 | -------------------------------------------------------------------------------- /Examples/toys_and_tests/trace_equivalence/yahalom-paulson-bug.dps: -------------------------------------------------------------------------------- 1 | 2 | free ca. 3 | free cb. 4 | free cs. 5 | 6 | free a. 7 | free b. 8 | free i. 9 | free s. 10 | free m1. 11 | free m2. 12 | 13 | free kis. 14 | 15 | free c1. 16 | free c2. 17 | free c3. 18 | free c4. 19 | 20 | fun senc/2. 21 | reduc sdec(senc(x,y),y) -> x. 22 | 23 | let A(ca,a,b,kas)= 24 | in(ca,xinit); 25 | new na; 26 | out(ca,(a,na)); 27 | in(ca,x0); 28 | let (xnb,x1,x2) = x0 in 29 | let (xc2,xb,xkab,xna) = sdec(x1,kas) in 30 | if (xc2,xb,xna) = (c2,b,na) then 31 | out(ca,(x2,senc((c4,xnb),xkab))). 32 | 33 | 34 | let BP(cb,b,a,kbs)= 35 | in(cb,y0); 36 | let (ya,yna) = y0 in 37 | if ya = a then 38 | new nb; 39 | out(cb,(b,nb,senc((c1,a,yna),kbs))); 40 | in(cb,y1); 41 | let (y2,y3) = y1 in 42 | let (yc3,yaa,ybb,ykab,ynb) = sdec(y2,kbs) in 43 | if (yc3,yaa,ybb,ynb) = (c3,a,b,nb) then 44 | let (yc4,yynb) = sdec(y3,ykab) in 45 | if (yc4,yynb) = (c4,nb) then 46 | out(cb,senc(m1,ykab)). 47 | 48 | let BQ(cb,b,a,kbs)= 49 | in(cb,y0); 50 | let (ya,yna) = y0 in 51 | if ya = a then 52 | new nb; 53 | out(cb,(b,nb,senc((c1,a,yna),kbs))); 54 | in(cb,y1); 55 | let (y2,y3) = y1 in 56 | let (yc3,yaa,ybb,ykab,ynb) = sdec(y2,kbs) in 57 | if (yc3,yaa,ybb,ynb) = (c3,a,b,nb) then 58 | let (yc4,yynb) = sdec(y3,ykab) in 59 | if (yc4,yynb) = (c4,nb) then 60 | new k; 61 | out(cb,senc(m2,k)). 62 | 63 | let S(cs,a,b,kas,kbs)= 64 | in(cs,z0); 65 | let (zb,znb,z1) = z0 in 66 | let (zc1,za,zna) = sdec(z1,kbs) in 67 | if (zc1,za,zb) = (c1,a,b) then 68 | new kab; 69 | out(cs,(znb, senc((c2,b,kab,zna),kas),senc((c3,a,b,kab,znb),kbs)) ). 70 | 71 | 72 | 73 | let P = 74 | new kas; new kbs; 75 | ( S(cs,i,b,kis,kbs) | BP(cb,b,i,kbs)). 76 | 77 | 78 | let Q = 79 | new kas; new kbs; 80 | ( S(cs,i,b,kis,kbs) | BQ(cb,b,i,kbs)). 81 | 82 | 83 | query trace_equiv(P,Q). 84 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Denning_sacco/DenningSacco-1session.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | 11 | free a, b, c, s1, s2. 12 | 13 | free ca1, ca2. 14 | free cb1, cb2. 15 | free cs1, cs2. 16 | 17 | free ok. 18 | 19 | fun senc/2. 20 | reduc sdec(senc(x,y),y) -> x. 21 | 22 | let processA(ca,a,kas,b) = 23 | out(ca,(a,b)); 24 | in(ca,xa); 25 | let (=b,xab,xmb) = sdec(xa,kas) in 26 | out(ca,xmb). 27 | 28 | let processB(cb,b,kbs,a) = 29 | in(cb,yb); 30 | let (yab,=a)= sdec(yb,kbs) in 31 | 0. 32 | 33 | let processS(cs,a,kas,b,kbs) = 34 | in(cs,zs); 35 | if zs = (a,b) then 36 | new kab; 37 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 38 | 39 | let processSProp(cs,a,kas,b,kbs,s) = 40 | in(cs,zs); 41 | if zs = (a,b) then 42 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 43 | 44 | // Main 45 | 46 | let Preal = 47 | new kas; new kbs; 48 | ( 49 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) 50 | ). 51 | 52 | 53 | let Pideal = 54 | new kas; new kbs; 55 | ( 56 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) 57 | ). 58 | 59 | query trace_equiv(Preal,Pideal). 60 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Denning_sacco/DenningSacco-2sessions.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | 11 | free a, b, c, s1, s2. 12 | 13 | free ca1, ca2. 14 | free cb1, cb2. 15 | free cs1, cs2. 16 | 17 | free ok. 18 | 19 | fun senc/2. 20 | reduc sdec(senc(x,y),y) -> x. 21 | 22 | let processA(ca,a,kas,b) = 23 | out(ca,(a,b)); 24 | in(ca,xa); 25 | let (=b,xab,xmb) = sdec(xa,kas) in 26 | out(ca,xmb). 27 | 28 | let processB(cb,b,kbs,a) = 29 | in(cb,yb); 30 | let (yab,=a)= sdec(yb,kbs) in 31 | 0. 32 | 33 | let processS(cs,a,kas,b,kbs) = 34 | in(cs,zs); 35 | if zs = (a,b) then 36 | new kab; 37 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 38 | 39 | let processSProp(cs,a,kas,b,kbs,s) = 40 | in(cs,zs); 41 | if zs = (a,b) then 42 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 43 | 44 | // Main 45 | 46 | let Preal = 47 | new kas; new kbs; 48 | ( 49 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) | 50 | processA(ca2,a,kas,b) | processB(cb2,b,kbs,a) | processS(cs2,a,kas,b,kbs) 51 | ). 52 | 53 | 54 | let Pideal = 55 | new kas; new kbs; 56 | ( 57 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 58 | processA(ca2,a,kas,b) | processB(cb2,b,kbs,a) | processS(cs2,a,kas,b,kbs) 59 | ). 60 | 61 | query trace_equiv(Preal,Pideal). 62 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Denning_sacco/DenningSacco-3sessions-2dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | free a, b, c. 11 | 12 | free s1, s2. 13 | free kcs. 14 | 15 | free ca1, ca2, ca4. 16 | free cb1, cb3, cb4. 17 | free cs1, cs2, cs3, cs4. 18 | 19 | free ok, req, rep. 20 | 21 | fun senc/2. 22 | reduc sdec(senc(x,y),y) -> x. 23 | 24 | let processA(ca,a,kas,b) = 25 | out(ca,(a,b)); 26 | in(ca,xa); 27 | let (=b,xab,xmb) = sdec(xa,kas) in 28 | out(ca,xmb). 29 | 30 | let processB(cb,b,kbs,a) = 31 | in(cb,yb); 32 | let (yab,=a)= sdec(yb,kbs) in 33 | 0. 34 | 35 | let processS(cs,a,kas,b,kbs) = 36 | in(cs,zs); 37 | if zs = (a,b) then 38 | new kab; 39 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 40 | 41 | let processSProp(cs,a,kas,b,kbs,s) = 42 | in(cs,zs); 43 | if zs = (a,b) then 44 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 45 | 46 | // Main 47 | 48 | let Preal = 49 | new kas; new kbs; 50 | ( 51 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) | 52 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 53 | processS(cs3,c,kcs,b,kbs) | processB(cb3,b,kbs,c) 54 | ). 55 | 56 | 57 | let Pideal = 58 | new kas; new kbs; 59 | ( 60 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 61 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 62 | processS(cs3,c,kcs,b,kbs) | processB(cb3,b,kbs,c) 63 | ). 64 | 65 | query trace_equiv(Preal,Pideal). 66 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Denning_sacco/DenningSacco-3sessions.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | free a, b, c, s1, s2. 11 | 12 | free ca1, ca2, ca3. 13 | free cb1, cb2, cb3. 14 | free cs1, cs2, cs3. 15 | 16 | free ok. 17 | 18 | fun senc/2. 19 | reduc sdec(senc(x,y),y) -> x. 20 | 21 | let processA(ca,a,kas,b) = 22 | out(ca,(a,b)); 23 | in(ca,xa); 24 | let (=b,xab,xmb) = sdec(xa,kas) in 25 | out(ca,xmb). 26 | 27 | let processB(cb,b,kbs,a) = 28 | in(cb,yb); 29 | let (yab,=a)= sdec(yb,kbs) in 30 | 0. 31 | 32 | let processS(cs,a,kas,b,kbs) = 33 | in(cs,zs); 34 | if zs = (a,b) then 35 | new kab; 36 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 37 | 38 | let processSProp(cs,a,kas,b,kbs,s) = 39 | in(cs,zs); 40 | if zs = (a,b) then 41 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 42 | 43 | // Main 44 | 45 | let Preal = 46 | new kas; new kbs; 47 | ( 48 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) | 49 | processA(ca2,a,kas,b) | processB(cb2,b,kbs,a) | processS(cs2,a,kas,b,kbs) | 50 | processA(ca3,a,kas,b) | processB(cb3,b,kbs,a) | processS(cs3,a,kas,b,kbs) 51 | ). 52 | 53 | 54 | let Pideal = 55 | new kas; new kbs; 56 | ( 57 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 58 | processA(ca2,a,kas,b) | processB(cb2,b,kbs,a) | processS(cs2,a,kas,b,kbs) | 59 | processA(ca3,a,kas,b) | processB(cb3,b,kbs,a) | processS(cs3,a,kas,b,kbs) 60 | ). 61 | 62 | query trace_equiv(Preal,Pideal). 63 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Denning_sacco/DenningSacco-4sessions-2dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | free a, b, c. 11 | 12 | free s1, s2. 13 | free kcs. 14 | 15 | free ca1, ca2, ca4. 16 | free cb1, cb3, cb4. 17 | free cs1, cs2, cs3, cs4. 18 | 19 | free ok, req, rep. 20 | 21 | fun senc/2. 22 | reduc sdec(senc(x,y),y) -> x. 23 | 24 | let processA(ca,a,kas,b) = 25 | out(ca,(a,b)); 26 | in(ca,xa); 27 | let (=b,xab,xmb) = sdec(xa,kas) in 28 | out(ca,xmb). 29 | 30 | let processB(cb,b,kbs,a) = 31 | in(cb,yb); 32 | let (yab,=a)= sdec(yb,kbs) in 33 | 0. 34 | 35 | let processS(cs,a,kas,b,kbs) = 36 | in(cs,zs); 37 | if zs = (a,b) then 38 | new kab; 39 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 40 | 41 | let processSProp(cs,a,kas,b,kbs,s) = 42 | in(cs,zs); 43 | if zs = (a,b) then 44 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 45 | 46 | // Main 47 | 48 | let Preal = 49 | new kas; new kbs; 50 | ( 51 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) | 52 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 53 | processS(cs3,c,kcs,b,kbs) | processB(cb3,b,kbs,c) | 54 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) 55 | ). 56 | 57 | 58 | let Pideal = 59 | new kas; new kbs; 60 | ( 61 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 62 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 63 | processS(cs3,c,kcs,b,kbs) | processB(cb3,b,kbs,c) | 64 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) 65 | ). 66 | 67 | query trace_equiv(Preal,Pideal). 68 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Denning_sacco/DenningSacco-5sessions-3dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | # 3 | # 1. A -> S: A, B 4 | # 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | # 3. A -> B: {Kab,A}Kbs 6 | # Strong secrecy of Kab 7 | # 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | free a, b, c. 11 | 12 | free s1, s2. 13 | free kcs. 14 | 15 | free ca1, ca2, ca4. 16 | free cb1, cb3, cb4, cb5. 17 | free cs1, cs2, cs3, cs4, cs5. 18 | 19 | free ok, req, rep. 20 | 21 | fun senc/2. 22 | reduc sdec(senc(x,y),y) -> x. 23 | 24 | let processA(ca,a,kas,b) = 25 | out(ca,(a,b)); 26 | in(ca,xa); 27 | let (=b,xab,xmb) = sdec(xa,kas) in 28 | out(ca,xmb). 29 | 30 | let processB(cb,b,kbs,a) = 31 | in(cb,yb); 32 | let (yab,=a)= sdec(yb,kbs) in 33 | 0. 34 | 35 | let processS(cs,a,kas,b,kbs) = 36 | in(cs,zs); 37 | if zs = (a,b) then 38 | new kab; 39 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 40 | 41 | let processSProp(cs,a,kas,b,kbs,s) = 42 | in(cs,zs); 43 | if zs = (a,b) then 44 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 45 | 46 | // Main 47 | 48 | let Preal = 49 | new kas; new kbs; 50 | ( 51 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) | 52 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 53 | processB(cb3,c,kcs,b) | processS(cs3,c,kcs,b,kbs) | 54 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) | 55 | processA(cb5,b,kbs,c) | processS(cs5,b,kbs,c,kcs) 56 | ). 57 | 58 | 59 | let Pideal = 60 | new kas; new kbs; 61 | ( 62 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 63 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 64 | processB(cb3,a,kbs,c) | processS(cs3,c,kcs,b,kbs) | 65 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) | 66 | processA(cb5,b,kbs,c) | processS(cs5,b,kbs,c,kcs) 67 | ). 68 | 69 | query trace_equiv(Preal,Pideal). 70 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Denning_sacco/DenningSacco-6sessions-4dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Denning Sacco Symmetric Key 2 | 3 | 1. A -> S: A, B 4 | 2. S -> A: {B, Kab, {Kab, A}Kbs}Kas 5 | 3. A -> B: {Kab,A}Kbs 6 | Strong secrecy of Kab 7 | 6. B -> : {m}Kab versus {m}K with K fresh 8 | *) 9 | 10 | free a, b, c. 11 | 12 | free s1, s2. 13 | free kcs. 14 | 15 | free ca1, ca2, ca4. 16 | free cb1, cb3, cb4, cb5, cb6. 17 | free cs1, cs2, cs3, cs4, cs5, cs6. 18 | 19 | free ok, req, rep. 20 | 21 | fun senc/2. 22 | reduc sdec(senc(x,y),y) -> x. 23 | 24 | let processA(ca,a,kas,b) = 25 | out(ca,(a,b)); 26 | in(ca,xa); 27 | let (=b,xab,xmb) = sdec(xa,kas) in 28 | out(ca,xmb). 29 | 30 | let processB(cb,b,kbs,a) = 31 | in(cb,yb); 32 | let (yab,=a)= sdec(yb,kbs) in 33 | 0. 34 | 35 | let processS(cs,a,kas,b,kbs) = 36 | in(cs,zs); 37 | if zs = (a,b) then 38 | new kab; 39 | out(cs,senc((b,kab,senc((kab,a),kbs)),kas)). 40 | 41 | let processSProp(cs,a,kas,b,kbs,s) = 42 | in(cs,zs); 43 | if zs = (a,b) then 44 | out(cs,senc((b,s,senc((s,a),kbs)),kas)). 45 | 46 | // Main 47 | 48 | let Preal = 49 | new kas; new kbs; 50 | ( 51 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s1) | 52 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 53 | processB(cb3,b,kbs,b) | processS(cs3,c,kcs,b,kbs) | 54 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) | 55 | processA(cb5,b,kbs,c) | processS(cs5,b,kbs,c,kcs) | 56 | processB(cb6,a,kbs,c) | processS(cs6,c,kcs,a,kas) 57 | ). 58 | 59 | 60 | let Pideal = 61 | new kas; new kbs; 62 | ( 63 | processA(ca1,a,kas,b) | processB(cb1,b,kbs,a) | processSProp(cs1,a,kas,b,kbs,s2) | 64 | processA(ca2,a,kas,c) | processS(cs2,a,kas,c,kcs) | 65 | processB(cb3,b,kbs,c) | processS(cs3,c,kcs,b,kbs) | 66 | processA(cb4,b,kbs,a) | processB(ca4,a,kas,b) | processS(cs4,b,kbs,a,kas) | 67 | processA(cb5,b,kbs,c) | processS(cs5,b,kbs,c,kcs) | 68 | processB(cb6,a,kbs,c) | processS(cs6,c,kcs,a,kas) 69 | ). 70 | 71 | query trace_equiv(Preal,Pideal). 72 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Electronic_passport/Basic-access-control/BAC-2sessions.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | if xm_m = mac(xm_e,k_m) 36 | then 37 | let (xn_r,xn_t,xk_r) = sdec(xm_e,k_e) in 38 | if xn_t = n_t 39 | then ( 40 | new k_t; 41 | let z = senc((n_t,xn_r,k_t),k_e) in 42 | out(c,(z,mac(z,k_m))) 43 | ) else out(c,Error_6300) 44 | else out(c,Error_6300) 45 | else out(c,Error_6300). 46 | 47 | // Unlinkability 48 | 49 | let system1 = 50 | (new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m))) | 51 | (new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m))). 52 | 53 | let system2 = 54 | new k_e; new k_m; 55 | ( 56 | passport(k_e,k_m) | reader(k_e,k_m) | 57 | passport(k_e,k_m) | reader(k_e,k_m) 58 | ). 59 | 60 | 61 | query trace_equiv(system1,system2). 62 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Electronic_passport/Basic-access-control/BAC-3sessions.dps: -------------------------------------------------------------------------------- 1 | // Unlinkability 2 | 3 | fun mac/2. 4 | 5 | free c. 6 | 7 | free Error_6300. 8 | free get_challenge. 9 | 10 | fun senc/2. 11 | 12 | reduc sdec(senc(x,y),y) -> x. 13 | 14 | // Description of the reader role 15 | 16 | let reader(k_e,k_m) = 17 | out(c,get_challenge); 18 | in(c,xn_t); 19 | new n_r; 20 | new k_r; 21 | let xm = senc((n_r,xn_t,k_r),k_e) in 22 | out(c,(xm,mac(xm,k_m))); 23 | in(c,y). 24 | 25 | // Description of the passport role 26 | 27 | let passport(k_e,k_m) = 28 | in(c,x); 29 | if x = get_challenge 30 | then 31 | new n_t; 32 | out(c,n_t); 33 | in(c,y); 34 | let (xm_e,xm_m) = y in 35 | let (=xm_m,(xn_r,=n_t,xk_r)) = (mac(xm_e,k_m),sdec(xm_e,k_e)) in 36 | new k_t; 37 | let z = senc((n_t,xn_r,k_t),k_e) in 38 | out(c,(z,mac(z,k_m))) 39 | else 0 40 | else out(c,Error_6300). 41 | 42 | // Unlinkability 43 | 44 | let system1 = 45 | !^3 (new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m))). 46 | 47 | let system2 = 48 | new k_e; new k_m; (!^2 passport(k_e,k_m) | !^2 reader(k_e,k_m)) 49 | | new k_e; new k_m; (passport(k_e,k_m) | reader(k_e,k_m)). 50 | 51 | 52 | query trace_equiv(system1,system2). 53 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Electronic_passport/Passive-authentication-anonymity/PA-anonimity-1session.dps: -------------------------------------------------------------------------------- 1 | // Passive Authentication Protocol between a passport (P) and a reader (R) 2 | // We test the anonymity of the passport 3 | // SHOULD BE TRUE 4 | 5 | // Pieces of data stored in the different passports 6 | free dgA, dgB. 7 | 8 | // channels 9 | free c. 10 | free chP1,chR1. 11 | 12 | // constants 13 | free ok. 14 | free read. 15 | 16 | // functions 17 | fun h/1. 18 | fun mac/2. 19 | fun senc/2. 20 | fun sign/2. 21 | fun vk/1. 22 | 23 | reduc sdec(senc(x,y),y) -> x. 24 | reduc checksign(sign(x,y),vk(y)) -> x. 25 | 26 | /* 27 | Description of the passport role: 28 | - it plays on channel c 29 | - it uses encryption/mac keys ksenc/ksmac 30 | - it stores data dg and the signed version sod 31 | */ 32 | 33 | let passport(ksenc,ksmac,dg,sod,ch) = 34 | in(ch, x); 35 | let (xenc, xmac) = x in 36 | if xmac = mac(xenc, ksmac) then 37 | if read = sdec(xenc,ksenc) then 38 | let menc = senc((dg, sod),ksenc) in 39 | let mmac = mac(menc,ksmac) in 40 | out(ch, (menc,mmac)). 41 | 42 | /* 43 | Description of the Reader role: 44 | - it plays on channel c 45 | - it uses encryption/mac keys ksenc/ksmac 46 | - it has the signature key KPrDS 47 | */ 48 | 49 | let reader(KPrDS,ksenc,ksmac,ch) = 50 | let menc = senc(read,ksenc) in 51 | let mmac = mac(menc,ksmac) in 52 | out(ch, (menc, mmac)); 53 | in(ch,x); 54 | let (xenc, xmac) = x in 55 | if xmac = mac(xenc, ksmac) then 56 | let (xdg,(xhdg, xshdg)) = sdec(xenc,ksenc) in 57 | if xhdg = checksign(xshdg, vk(KPrDS)) then 58 | if xhdg = h(xdg) then 59 | out(ch, ok). 60 | 61 | /* 62 | Passport and Reader in parallel 63 | */ 64 | 65 | let OneSessionPassport(KPrDS,dg,chP,chR) = 66 | new ksenc; 67 | new ksmac; 68 | let sod = (h(dg), sign(h(dg),KPrDS)) in 69 | (reader(KPrDS,ksenc,ksmac,chR) | passport(ksenc,ksmac,dg,sod,chP)). 70 | 71 | let Process1 = 72 | new KPrDS; 73 | out(c, vk(KPrDS)); 74 | OneSessionPassport(KPrDS,dgA,chP1,chR1). // Passport of A 75 | 76 | let Process2 = 77 | new KPrDS; 78 | out(c, vk(KPrDS)); 79 | OneSessionPassport(KPrDS,dgB,chP1,chR1). // Passport of B 80 | 81 | query trace_equiv(Process1,Process2). 82 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Helios/Helios_vanilla_attack.dps: -------------------------------------------------------------------------------- 1 | // helios protocol with identities and mixnet - no privacy because of ballot replay attack 2 | 3 | fun aenc/3. 4 | fun pk/1. 5 | 6 | reduc adec(aenc(x,r,pk(y)),y) -> x. 7 | 8 | free ch. 9 | free bb, mn [private]. 10 | free a,b,c. 11 | free yes,no. 12 | 13 | let V(id, v, pkT, bb) = 14 | new r; 15 | let ballot = aenc(v,r,pkT) in 16 | out(bb, (id,ballot)); // sending on authenticated channel 17 | out(ch, (id,ballot)). // modelled by both sending on private and public channel 18 | // NB: If the channels are anonymous, i.e. if we remove the identifier `id', then the attack does not work anymore. 19 | 20 | 21 | let BB(bb, mn) = 22 | (in(bb, b1); let (=a,v1) = b1 in out(mn,v1)) | 23 | (in(bb, b2); let (=b,v2) = b2 in out(mn,v2)) | 24 | (in(ch, b3); let (=c,v3) = b3 in out(mn,v3)). 25 | 26 | 27 | let T(skT,mn) = 28 | in(mn,x1); 29 | in(mn,x2); 30 | in(mn,x3); 31 | ( 32 | out(ch, adec(x1,skT)) | out(ch, adec(x2,skT)) | out(ch, adec(x3,skT)) 33 | ). 34 | 35 | 36 | let AyBn = 37 | new skT; 38 | let pkT = pk(skT) in 39 | out(ch,pkT); 40 | ( 41 | V(a,yes,pkT,bb) | V(b,no,pkT,bb) | BB(bb,mn) | T(skT,mn) 42 | ). 43 | 44 | let AnBy = 45 | new skT; 46 | let pkT = pk(skT) in 47 | out(ch, pkT); 48 | ( 49 | V(a,no,pkT,bb) | V(b,yes,pkT,bb) | BB(bb,mn) | T(skT,mn) 50 | ). 51 | 52 | 53 | query trace_equiv(AyBn,AnBy). 54 | 55 | // privacy cannot be proven because of vote replay attack 56 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Needham_schroeder/NSL-1session.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Needham-Schroeder-Lowe asymmetric protocol 3 | A -> B: {A,nA,r1}_pkB 4 | B -> A: {B,nA,nB,r2}_pkA 5 | A -> B: {nB,r3}_pkB 6 | *) 7 | 8 | 9 | free a,b,c. 10 | 11 | free s1,s2. 12 | 13 | free ca1,ca2. 14 | free cb1,cb2. 15 | 16 | free cd. 17 | 18 | free kc. 19 | 20 | fun pk/1. 21 | fun aenc/3. 22 | reduc adec(aenc(x,r,pk(k)),k) -> x. 23 | 24 | // Alice 25 | let A(ca,a,b,ka,pkb) = 26 | new na; 27 | new r1; 28 | new r3; 29 | out(ca,aenc((a,na),r1,pkb)); 30 | in(ca,xenc); 31 | let (=b,=na,x3) = adec(xenc,ka) in 32 | out(ca, aenc(x3,r3,pkb)). 33 | 34 | // Bob (+property) 35 | let B1(cb,b,a,kb,pka) = 36 | new r2; 37 | in(cb,z); 38 | let (=a,z2) = adec(z,kb) in 39 | out(cb,aenc((b,z2,s1),r2,pka)); 40 | in(cb,x). 41 | 42 | let B2(cb,b,a,kb,pka) = 43 | new r2; 44 | in(cb,z); 45 | let (=a,z2) = adec(z,kb) in 46 | out(cb,aenc((b,z2,s2),r2,pka)); 47 | in(cb,x). 48 | 49 | 50 | // Bob 51 | let B(cb,b,a,kb,pka) = 52 | new nb; 53 | new r2; 54 | in(cb,z); 55 | let (=a,z2) = adec(z,kb) in 56 | out(cb,aenc((b,z2,nb),r2,pka)); 57 | in(cb,x). 58 | 59 | let P = 60 | new ka; new kb; 61 | out(cd,pk(ka)); 62 | out(cd,pk(kb)); 63 | ( 64 | A(ca1,a,b,ka,pk(kb)) | B1(cb1,b,a,kb,pk(ka)) 65 | ). 66 | 67 | 68 | let Q = 69 | new ka; new kb; 70 | out(cd,pk(ka)); 71 | out(cd,pk(kb)); 72 | ( 73 | A(ca1,a,b,ka,pk(kb)) | B2(cb1,b,a,kb,pk(ka)) 74 | ). 75 | 76 | 77 | query trace_equiv(P,Q). 78 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Needham_schroeder/NSL-3sessions-2dishonest.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Needham-Schroeder-Lowe asymmetric protocol 3 | A -> B: {A,nA,r1}_pkB 4 | B -> A: {B,nA,nB,r2}_pkA 5 | A -> B: {nB,r3}_pkB 6 | *) 7 | 8 | 9 | free a,b,c. 10 | 11 | free s1,s2. 12 | 13 | free ca1,ca2. 14 | free cb1,cb2. 15 | 16 | free cd. 17 | 18 | free kc. 19 | 20 | fun pk/1. 21 | fun aenc/3. 22 | reduc adec(aenc(x,r,pk(k)),k) -> x. 23 | 24 | // Alice 25 | let A(ca,a,b,ka,pkb) = 26 | new na; 27 | new r1; 28 | new r3; 29 | out(ca,aenc((a,na),r1,pkb)); 30 | in(ca,xenc); 31 | let (=b,=na,x3) = adec(xenc,ka) in 32 | out(ca, aenc(x3,r3,pkb)). 33 | 34 | // Bob (+property) 35 | let B1(cb,b,a,kb,pka) = 36 | new r2; 37 | in(cb,z); 38 | let (=a,z2) = adec(z,kb) in 39 | out(cb,aenc((b,z2,s1),r2,pka)); 40 | in(cb,x). 41 | 42 | let B2(cb,b,a,kb,pka) = 43 | new r2; 44 | in(cb,z); 45 | let (=a,z2) = adec(z,kb) in 46 | out(cb,aenc((b,z2,s2),r2,pka)); 47 | in(cb,x). 48 | 49 | 50 | // Bob 51 | let B(cb,b,a,kb,pka) = 52 | new nb; 53 | new r2; 54 | in(cb,z); 55 | let (=a,z2) = adec(z,kb) in 56 | out(cb,aenc((b,z2,nb),r2,pka)); 57 | in(cb,x). 58 | 59 | let P = 60 | new ka; new kb; 61 | out(cd,pk(ka)); 62 | out(cd,pk(kb)); 63 | ( 64 | A(ca1,a,b,ka,pk(kb)) | B1(cb1,b,a,kb,pk(ka)) | 65 | A(ca2,a,c,ka,pk(kc)) | 66 | B(cb2,b,c,kb,pk(kc)) 67 | ). 68 | 69 | 70 | let Q = 71 | new ka; new kb; 72 | out(cd,pk(ka)); 73 | out(cd,pk(kb)); 74 | ( 75 | A(ca1,a,b,ka,pk(kb)) | B2(cb1,b,a,kb,pk(ka)) | 76 | A(ca2,a,c,ka,pk(kc)) | 77 | B(cb2,b,c,kb,pk(kc)) 78 | ). 79 | 80 | query trace_equiv(P,Q). 81 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Needham_schroeder/NSL-6sessions-4dishonest.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Needham-Schroeder-Lowe asymmetric protocol 3 | A -> B: {A,nA,r1}_pkB 4 | B -> A: {B,nA,nB,r2}_pkA 5 | A -> B: {nB,r3}_pkB 6 | *) 7 | 8 | 9 | free a,b,c. 10 | 11 | free s1,s2. 12 | 13 | free ca1,ca2,ca3,ca4,ca5,ca6. 14 | free cb1,cb2,cb3,cb4,cb5,cb6. 15 | 16 | free cd. 17 | 18 | free kc. 19 | 20 | fun pk/1. 21 | fun aenc/3. 22 | reduc adec(aenc(x,r,pk(k)),k) -> x. 23 | 24 | // Alice 25 | let A(ca,a,b,ka,pkb) = 26 | new na; 27 | new r1; 28 | new r3; 29 | out(ca,aenc((a,na),r1,pkb)); 30 | in(ca,xenc); 31 | let (=b,=na,x3) = adec(xenc,ka) in 32 | out(ca, aenc(x3,r3,pkb)). 33 | 34 | // Bob (+property) 35 | let B1(cb,b,a,kb,pka) = 36 | new r2; 37 | in(cb,z); 38 | let (=a,z2) = adec(z,kb) in 39 | out(cb,aenc((b,z2,s1),r2,pka)); 40 | in(cb,x). 41 | 42 | let B2(cb,b,a,kb,pka) = 43 | new r2; 44 | in(cb,z); 45 | let (=a,z2) = adec(z,kb) in 46 | out(cb,aenc((b,z2,s2),r2,pka)); 47 | in(cb,x). 48 | 49 | 50 | // Bob 51 | let B(cb,b,a,kb,pka) = 52 | new nb; 53 | new r2; 54 | in(cb,z); 55 | let (=a,z2) = adec(z,kb) in 56 | out(cb,aenc((b,z2,nb),r2,pka)); 57 | in(cb,x). 58 | 59 | let P = 60 | new ka; new kb; 61 | out(cd,pk(ka)); 62 | out(cd,pk(kb)); 63 | ( 64 | A(ca1,a,b,ka,pk(kb)) | B1(cb1,b,a,kb,pk(ka)) | 65 | A(ca2,a,c,ka,pk(kc)) | 66 | B(cb3,b,c,kb,pk(kc)) | 67 | A(ca4,b,a,kb,pk(ka)) | B(cb4,a,b,ka,pk(kb)) | 68 | A(ca5,b,c,kb,pk(kc)) | 69 | B(ca6,a,c,ka,pk(kc)) 70 | ). 71 | 72 | 73 | let Q = 74 | new ka; new kb; 75 | out(cd,pk(ka)); 76 | out(cd,pk(kb)); 77 | ( 78 | A(ca1,a,b,ka,pk(kb)) | B2(cb1,b,a,kb,pk(ka)) | 79 | A(ca2,a,c,ka,pk(kc)) | 80 | B(cb3,b,c,kb,pk(kc)) | 81 | A(ca4,b,a,kb,pk(ka)) | B(cb4,a,b,ka,pk(kb)) | 82 | A(ca5,b,c,kb,pk(kc)) | 83 | B(ca6,a,c,ka,pk(kc)) 84 | ). 85 | 86 | 87 | query trace_equiv(P,Q). 88 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Needham_schroeder/NSL-8sessions-4dishonest.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Needham-Schroeder-Lowe asymmetric protocol 3 | A -> B: {A,nA,r1}_pkB 4 | B -> A: {B,nA,nB,r2}_pkA 5 | A -> B: {nB,r3}_pkB 6 | *) 7 | 8 | 9 | free a,b,c. 10 | 11 | free s1,s2. 12 | 13 | free ca1,ca2,ca3,ca4,ca5,ca6,ca7,ca8. 14 | free cb1,cb2,cb3,cb4,cb5,cb6,cb7,cb8. 15 | 16 | free cd. 17 | 18 | free kc. 19 | 20 | fun pk/1. 21 | fun aenc/3. 22 | reduc adec(aenc(x,r,pk(k)),k) -> x. 23 | 24 | // Alice 25 | let A(ca,a,b,ka,pkb) = 26 | new na; 27 | new r1; 28 | new r3; 29 | out(ca,aenc((a,na),r1,pkb)); 30 | in(ca,xenc); 31 | let (=b,=na,x3) = adec(xenc,ka) in 32 | out(ca, aenc(x3,r3,pkb)). 33 | 34 | // Bob (+property) 35 | let B1(cb,b,a,kb,pka) = 36 | new r2; 37 | in(cb,z); 38 | let (=a,z2) = adec(z,kb) in 39 | out(cb,aenc((b,z2,s1),r2,pka)); 40 | in(cb,x). 41 | 42 | let B2(cb,b,a,kb,pka) = 43 | new r2; 44 | in(cb,z); 45 | let (=a,z2) = adec(z,kb) in 46 | out(cb,aenc((b,z2,s2),r2,pka)); 47 | in(cb,x). 48 | 49 | 50 | // Bob 51 | let B(cb,b,a,kb,pka) = 52 | new nb; 53 | new r2; 54 | in(cb,z); 55 | let (=a,z2) = adec(z,kb) in 56 | out(cb,aenc((b,z2,nb),r2,pka)); 57 | in(cb,x). 58 | 59 | let P = 60 | new ka; new kb; 61 | out(cd,pk(ka)); 62 | out(cd,pk(kb)); 63 | ( 64 | A(ca1,a,b,ka,pk(kb)) | B1(cb1,b,a,kb,pk(ka)) | 65 | A(ca2,a,c,ka,pk(kc)) | 66 | B(cb3,b,c,kb,pk(kc)) | 67 | A(ca4,b,a,kb,pk(ka)) | B(cb4,a,b,ka,pk(kb)) | 68 | A(ca5,b,c,kb,pk(kc)) | 69 | B(ca6,a,c,ka,pk(kc)) | 70 | A(ca7,a,b,ka,pk(kb)) | B(cb7,b,a,kb,pk(ka)) | 71 | A(ca8,b,a,kb,pk(ka)) | B(cb8,a,b,ka,pk(kb)) 72 | ). 73 | 74 | 75 | let Q = 76 | new ka; new kb; 77 | out(cd,pk(ka)); 78 | out(cd,pk(kb)); 79 | ( 80 | A(ca1,a,b,ka,pk(kb)) | B2(cb1,b,a,kb,pk(ka)) | 81 | A(ca2,a,c,ka,pk(kc)) | 82 | B(cb3,b,c,kb,pk(kc)) | 83 | A(ca4,b,a,kb,pk(ka)) | B(cb4,a,b,ka,pk(kb)) | 84 | A(ca5,b,c,kb,pk(kc)) | 85 | B(ca6,a,c,ka,pk(kc)) | 86 | A(ca7,a,b,ka,pk(kb)) | B(cb7,b,a,kb,pk(ka)) | 87 | A(ca8,b,a,kb,pk(ka)) | B(cb8,a,b,ka,pk(kb)) 88 | ). 89 | 90 | 91 | query trace_equiv(P,Q). 92 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Otway-rees/Otway-Rees-1session.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Otway Rees symmetric key 3 | A -> B : M,A,B,{Na,M,A,B}Kas 4 | B -> S : M,A,B,{Na,M,A,B}Kas,{Nb,M,A,B}Kbs 5 | S -> B : M, {Na,Kab}Kas, {Nb,Kab}Kbs 6 | B -> A : M,{Na,Kab}Kas 7 | *) 8 | 9 | //Channels : 10 | free ca,cb,cs. 11 | 12 | //Constants: 13 | free a,b. 14 | free s1,s2. 15 | 16 | // Encryption 17 | fun senc/2. 18 | reduc sdec(senc(x,y),y) = x. 19 | 20 | // Alice 21 | let A(ca,a,b,kas) = 22 | new m ; 23 | new na ; 24 | out(ca,(m,a,b,senc((na,m,a,b),kas))); 25 | in(ca,x0); 26 | let (xmm,xsenc) = x0 in 27 | let (xna,xkab) = sdec(xsenc,kas) in 28 | if (xmm,xna) = (m,na) then 29 | 0. 30 | 31 | 32 | // Bob 33 | let B(cb,b,a,kbs) = 34 | in(cb,yinit); 35 | let (ym,=a,=b,yza1) = yinit in 36 | new nb; 37 | out(cb,(ym,a,b,yza1,senc((nb,ym,a,b),kbs))); 38 | in(cb,y1); 39 | let (=ym,yza2,y2) = y1 in 40 | let (=nb,ykab) = sdec(y2,kbs) in 41 | out(cb,(ym,yza2)). 42 | 43 | 44 | // Server (+property) 45 | let S1a(cs,a,b,kas,kbs) = 46 | in(cs,z0); 47 | let (zm,=a,=b,zsenc1,zsenc2) = z0 in 48 | let (zna,=zm,=a,=b) = sdec(zsenc1,kas) in 49 | let (znb,=zm,=a,=b) = sdec(zsenc2,kbs) in 50 | out(cs,(zm,senc((zna,s1),kas),senc((znb,s1),kbs))). 51 | 52 | let S1b(cs,a,b,kas,kbs) = 53 | in(cs,z0); 54 | let (zm,=a,=b,zsenc1,zsenc2) = z0 in 55 | let (zna,=zm,=a,=b) = sdec(zsenc1,kas) in 56 | let (znb,=zm,=a,=b) = sdec(zsenc2,kbs) in 57 | out(cs,(zm,senc((zna,s2),kas),senc((znb,s2),kbs))). 58 | 59 | 60 | // Server 61 | let S(cs,a,b,kas,kbs) = 62 | in(cs,z0); 63 | let (zm,=a,=b,zsenc1,zsenc2) = z0 in 64 | let (zna,=zm,=a,=b) = sdec(zsenc1,kas) in 65 | let (znb,=zm,=a,=b) = sdec(zsenc2,kbs) in 66 | new kab; 67 | out(cs,(zm,senc((zna,kab),kas),senc((znb,kab),kbs))). 68 | 69 | let P = 70 | new kas; new kbs ; 71 | ( 72 | A(ca,a,b,kas) | S1a(cs,a,b,kas,kbs) | B(cb,b,a,kbs) 73 | ). 74 | 75 | let Q = 76 | new kas; new kbs ; 77 | ( 78 | A(ca,a,b,kas) | S1b(cs,a,b,kas,kbs) | B(cb,b,a,kbs) 79 | ). 80 | 81 | query trace_equiv(P,Q). 82 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Otway-rees/Otway-Rees-2sessions.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Otway Rees symmetric key 3 | A -> B : M,A,B,{Na,M,A,B}Kas 4 | B -> S : M,A,B,{Na,M,A,B}Kas,{Nb,M,A,B}Kbs 5 | S -> B : M, {Na,Kab}Kas, {Nb,Kab}Kbs 6 | B -> A : M,{Na,Kab}Kas 7 | *) 8 | 9 | //Channels : 10 | free ca1,cb1,cs1. 11 | free ca2,cb2,cs2. 12 | 13 | //Constants: 14 | free a,b. 15 | free s1,s2. 16 | 17 | // Encryption 18 | fun senc/2. 19 | reduc sdec(senc(x,y),y) = x. 20 | 21 | // Alice 22 | let A(ca,a,b,kas) = 23 | new m ; 24 | new na ; 25 | out(ca,(m,a,b,senc((na,m,a,b),kas))); 26 | in(ca,x0); 27 | let (xmm,xsenc) = x0 in 28 | let (xna,xkab) = sdec(xsenc,kas) in 29 | if (xmm,xna) = (m,na) then 30 | 0. 31 | 32 | 33 | // Bob 34 | let B(cb,b,a,kbs) = 35 | in(cb,yinit); 36 | let (ym,=a,=b,yza1) = yinit in 37 | new nb; 38 | out(cb,(ym,a,b,yza1,senc((nb,ym,a,b),kbs))); 39 | in(cb,y1); 40 | let (=ym,yza2,y2) = y1 in 41 | let (=nb,ykab) = sdec(y2,kbs) in 42 | out(cb,(ym,yza2)). 43 | 44 | 45 | // Server (+property) 46 | let S1a(cs,a,b,kas,kbs) = 47 | in(cs,z0); 48 | let (zm,=a,=b,zsenc1,zsenc2) = z0 in 49 | let (zna,=zm,=a,=b) = sdec(zsenc1,kas) in 50 | let (znb,=zm,=a,=b) = sdec(zsenc2,kbs) in 51 | out(cs,(zm,senc((zna,s1),kas),senc((znb,s1),kbs))). 52 | 53 | let S1b(cs,a,b,kas,kbs) = 54 | in(cs,z0); 55 | let (zm,=a,=b,zsenc1,zsenc2) = z0 in 56 | let (zna,=zm,=a,=b) = sdec(zsenc1,kas) in 57 | let (znb,=zm,=a,=b) = sdec(zsenc2,kbs) in 58 | out(cs,(zm,senc((zna,s2),kas),senc((znb,s2),kbs))). 59 | 60 | 61 | // Server 62 | let S(cs,a,b,kas,kbs) = 63 | in(cs,z0); 64 | let (zm,=a,=b,zsenc1,zsenc2) = z0 in 65 | let (zna,=zm,=a,=b) = sdec(zsenc1,kas) in 66 | let (znb,=zm,=a,=b) = sdec(zsenc2,kbs) in 67 | new kab; 68 | out(cs,(zm,senc((zna,kab),kas),senc((znb,kab),kbs))). 69 | 70 | let P = 71 | new kas; new kbs ; 72 | ( 73 | A(ca1,a,b,kas) | S1a(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 74 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) 75 | ). 76 | 77 | let Q = 78 | new kas; new kbs ; 79 | ( 80 | A(ca1,a,b,kas) | S1b(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 81 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) 82 | ). 83 | 84 | query trace_equiv(P,Q). 85 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Private_authentication/PrivateAuthentication-1session-attack.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free ca. 9 | free cb. 10 | free c. 11 | 12 | free ska, skb, skc [private]. 13 | 14 | fun aenc/2. 15 | fun pk/1. 16 | 17 | reduc adec(aenc(x,pk(y)),y) = x. 18 | 19 | /* 20 | Description of role A played: 21 | - on channel ca 22 | - by the agent with private key ska 23 | - with the agent with public key pkb 24 | */ 25 | 26 | let processA(ca,ska,pkb) = 27 | new na; 28 | out(ca,aenc((na,pk(ska)),pkb)); 29 | in(ca,x). 30 | 31 | 32 | /* 33 | Description of role B played: 34 | - on channel cb 35 | - by the agent with private key skb 36 | - with the agent with public key pka 37 | */ 38 | 39 | let processB(cb,skb,pka) = 40 | in(cb,yb); 41 | new nb; 42 | let (yna,=pka) = adec(yb,skb) in 43 | out(cb,aenc((yna,nb,pk(skb)),pka)) 44 | else 0. 45 | 46 | /* 47 | Main 48 | */ 49 | 50 | let ProcessAB = 51 | out(c,pk(ska)); 52 | out(c,pk(skb)); 53 | out(c,pk(skc)); 54 | ( 55 | processA(ca,ska,pk(skb)) | processB(cb,skb,pk(ska)) 56 | ). 57 | 58 | let ProcessCB = 59 | out(c,pk(ska)); 60 | out(c,pk(skb)); 61 | out(c,pk(skc)); 62 | ( 63 | processA(ca,skc,pk(skb)) | processB(cb,skb,pk(skc)) 64 | ). 65 | 66 | 67 | query trace_equiv(ProcessAB,ProcessCB). 68 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Private_authentication/PrivateAuthentication-1session.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free ca. 9 | free cb. 10 | free c. 11 | 12 | free ska, skb, skc [private]. 13 | 14 | fun aenc/2. 15 | fun pk/1. 16 | 17 | reduc adec(aenc(x,pk(y)),y) -> x. 18 | 19 | /* 20 | Description of role A played: 21 | - on channel ca 22 | - by the agent with private key ska 23 | - with the agent with public key pkb 24 | */ 25 | 26 | let processA(ca,ska,pkb) = 27 | new na; 28 | out(ca,aenc((na,pk(ska)),pkb)); 29 | in(ca,x). 30 | 31 | 32 | /* 33 | Description of role B played: 34 | - on channel cb 35 | - by the agent with private key skb 36 | - with the agent with public key pka 37 | */ 38 | 39 | let processB(cb,skb,pka) = 40 | in(cb,yb); 41 | new nb; 42 | let (yna,=pka) = adec(yb,skb) in 43 | out(cb,aenc((yna,nb,pk(skb)),pka)) 44 | else out(cb,aenc(nb,pk(skb))). 45 | 46 | /* 47 | Main 48 | */ 49 | 50 | let ProcessAB = 51 | out(c,pk(ska)); 52 | out(c,pk(skb)); 53 | out(c,pk(skc)); 54 | ( 55 | processA(ca,ska,pk(skb)) | processB(cb,skb,pk(ska)) 56 | ). 57 | 58 | let ProcessCB = 59 | out(c,pk(ska)); 60 | out(c,pk(skb)); 61 | out(c,pk(skc)); 62 | ( 63 | processA(ca,skc,pk(skb)) | processB(cb,skb,pk(ska)) 64 | ). 65 | 66 | 67 | query trace_equiv(ProcessAB,ProcessCB). 68 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Private_authentication/PrivateAuthentication-2sessions.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free ca1,ca2. 9 | free cb1,cb2. 10 | free c. 11 | 12 | free ska, skb, skc [private]. 13 | 14 | fun aenc/2. 15 | fun pk/1. 16 | 17 | reduc adec(aenc(x,pk(y)),y) -> x. 18 | 19 | /* 20 | Description of role A played: 21 | - on channel ca 22 | - by the agent with private key ska 23 | - with the agent with public key pkb 24 | */ 25 | 26 | let processA(ca,ska,pkb) = 27 | new na; 28 | out(ca,aenc((na,pk(ska)),pkb)); 29 | in(ca,x). 30 | 31 | 32 | /* 33 | Description of role B played: 34 | - on channel cb 35 | - by the agent with private key skb 36 | - with the agent with public key pka 37 | */ 38 | 39 | let processB(cb,skb,pka) = 40 | in(cb,yb); 41 | new nb; 42 | let (yna,=pka) = adec(yb,skb) in 43 | out(cb,aenc((yna,nb,pk(skb)),pka)) 44 | else out(cb,aenc(nb,pk(skb))). 45 | 46 | /* 47 | Main 48 | */ 49 | 50 | let ProcessAB = 51 | out(c,pk(ska)); 52 | out(c,pk(skb)); 53 | out(c,pk(skc)); 54 | ( 55 | processA(ca1,ska,pk(skb)) | processB(cb1,skb,pk(ska)) | // B expect to talk to A 56 | processA(ca2,ska,pk(skb)) | processB(cb2,skb,pk(ska)) // B expect to talk to A 57 | ). 58 | 59 | let ProcessCB = 60 | out(c,pk(ska)); 61 | out(c,pk(skb)); 62 | out(c,pk(skc)); 63 | ( 64 | processA(ca1,skc,pk(skb)) | processB(cb1,skb,pk(skc)) | // B expect to talk to C 65 | processA(ca2,ska,pk(skb)) | processB(cb2,skb,pk(ska)) // B expect to talk to A 66 | ). 67 | 68 | 69 | query trace_equiv(ProcessAB,ProcessCB). 70 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Private_authentication/PrivateAuthentication-3sessions.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free ca1,ca2,ca3. 9 | free cb1,cb2,cb3. 10 | free c. 11 | 12 | free ska, skb, skc [private]. 13 | 14 | fun aenc/2. 15 | fun pk/1. 16 | 17 | reduc adec(aenc(x,pk(y)),y) -> x. 18 | 19 | /* 20 | Description of role A played: 21 | - on channel ca 22 | - by the agent with private key ska 23 | - with the agent with public key pkb 24 | */ 25 | 26 | let processA(ca,ska,pkb) = 27 | new na; 28 | out(ca,aenc((na,pk(ska)),pkb)); 29 | in(ca,x). 30 | 31 | 32 | /* 33 | Description of role B played: 34 | - on channel cb 35 | - by the agent with private key skb 36 | - with the agent with public key pka 37 | */ 38 | 39 | let processB(cb,skb,pka) = 40 | in(cb,yb); 41 | new nb; 42 | let (yna,=pka) = adec(yb,skb) in 43 | out(cb,aenc((yna,nb,pk(skb)),pka)) 44 | else out(cb,aenc(nb,pk(skb))). 45 | 46 | /* 47 | Main 48 | */ 49 | 50 | let ProcessAB = 51 | out(c,pk(ska)); 52 | out(c,pk(skb)); 53 | out(c,pk(skc)); 54 | ( 55 | processA(ca1,ska,pk(skb)) | processB(cb1,skb,pk(ska)) | // B expects to talk to A 56 | processA(ca2,ska,pk(skb)) | processB(cb2,skb,pk(ska)) | // B expects to talk to A 57 | processA(ca3,skc,pk(ska)) | processB(cb3,ska,pk(skc)) // A expects to talk to C (C is not an intruder) 58 | ). 59 | 60 | let ProcessCB = 61 | out(c,pk(ska)); 62 | out(c,pk(skb)); 63 | out(c,pk(skc)); 64 | ( 65 | processA(ca1,skc,pk(skb)) | processB(cb1,skb,pk(skc)) | // B expects to talk to C 66 | processA(ca2,ska,pk(skb)) | processB(cb2,skb,pk(ska)) | // B expects to talk to A 67 | processA(ca3,skc,pk(ska)) | processB(cb3,ska,pk(skc)) // A expects to talk to C (C is not an intruder) 68 | ). 69 | 70 | 71 | query trace_equiv(ProcessAB,ProcessCB). 72 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Wide-mouth-frog/WMF-1session.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs [private]. 10 | 11 | free ca1,cs1,cb1. 12 | 13 | 14 | fun senc/2. 15 | reduc sdec(senc(x,y),y) -> x. 16 | 17 | let A1(ca,a,b,kas) = 18 | out(ca, (a, senc((b,s1),kas))). 19 | 20 | let A2(ca,a,b,kas) = 21 | out(ca, (a, senc((b,s2),kas))). 22 | 23 | let A(ca,a,b,kas) = 24 | new kab; 25 | out(ca, (a, senc((b,kab),kas))). 26 | 27 | let S(cs,a,b,kas,kbs) = 28 | in(cs, x); 29 | let (=a,xenc) = x in 30 | let (=b,xk) = sdec(xenc,kas) in 31 | out(cs, senc((a,xk),kbs)). 32 | 33 | let B(cb,b,a,kbs) = 34 | in(cb,y); 35 | let (ya,yk) = sdec(y,kbs) in 0. 36 | 37 | 38 | let P = 39 | A1(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs). 40 | 41 | let Q = 42 | A2(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs). 43 | 44 | query trace_equiv(P,Q). 45 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Wide-mouth-frog/WMF-2sessions.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs [private]. 10 | 11 | free ca1,cs1,cb1. 12 | free ca2,cs2,cb2. 13 | 14 | fun senc/2. 15 | reduc sdec(senc(x,y),y) -> x. 16 | 17 | let A1(ca,a,b,kas) = 18 | out(ca, (a, senc((b,s1),kas))). 19 | 20 | let A2(ca,a,b,kas) = 21 | out(ca, (a, senc((b,s2),kas))). 22 | 23 | let A(ca,a,b,kas) = 24 | new kab; 25 | out(ca, (a, senc((b,kab),kas))). 26 | 27 | let S(cs,a,b,kas,kbs) = 28 | in(cs, x); 29 | let (=a,xenc) = x in 30 | let (=b,xk) = sdec(xenc,kas) in 31 | out(cs, senc((a,xk),kbs)). 32 | 33 | let B(cb,b,a,kbs) = 34 | in(cb,y); 35 | let (ya,yk) = sdec(y,kbs) in 0. 36 | 37 | 38 | let P = 39 | A1(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 40 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs). 41 | 42 | let Q = 43 | A2(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 44 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs). 45 | 46 | query trace_equiv(P,Q). 47 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Wide-mouth-frog/WMF-3sessions-2dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs [private]. 10 | 11 | free ca1,cs1,cb1. 12 | free ca2,cs2,cb2. 13 | free ca3,cs3,cb3. 14 | 15 | fun senc/2. 16 | reduc sdec(senc(x,y),y) -> x. 17 | 18 | let A1(ca,a,b,kas) = 19 | out(ca, (a, senc((b,s1),kas))). 20 | 21 | let A2(ca,a,b,kas) = 22 | out(ca, (a, senc((b,s2),kas))). 23 | 24 | let A(ca,a,b,kas) = 25 | new kab; 26 | out(ca, (a, senc((b,kab),kas))). 27 | 28 | let S(cs,a,b,kas,kbs) = 29 | in(cs, x); 30 | let (=a,xenc) = x in 31 | let (=b,xk) = sdec(xenc,kas) in 32 | out(cs, senc((a,xk),kbs)). 33 | 34 | let B(cb,b,a,kbs) = 35 | in(cb,y); 36 | let (ya,yk) = sdec(y,kbs) in 0. 37 | 38 | let P = 39 | A1(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 40 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 41 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs). 42 | 43 | let Q = 44 | A2(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 45 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 46 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs). 47 | 48 | query trace_equiv(P,Q). 49 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Wide-mouth-frog/WMF-3sessions.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs [private]. 10 | 11 | free ca1,cs1,cb1. 12 | free ca2,cs2,cb2. 13 | free ca3,cs3,cb3. 14 | 15 | fun senc/2. 16 | reduc sdec(senc(x,y),y) -> x. 17 | 18 | let A1(ca,a,b,kas) = 19 | out(ca, (a, senc((b,s1),kas))). 20 | 21 | let A2(ca,a,b,kas) = 22 | out(ca, (a, senc((b,s2),kas))). 23 | 24 | let A(ca,a,b,kas) = 25 | new kab; 26 | out(ca, (a, senc((b,kab),kas))). 27 | 28 | let S(cs,a,b,kas,kbs) = 29 | in(cs, x); 30 | let (=a,xenc) = x in 31 | let (=b,xk) = sdec(xenc,kas) in 32 | out(cs, senc((a,xk),kbs)). 33 | 34 | let B(cb,b,a,kbs) = 35 | in(cb,y); 36 | let (ya,yk) = sdec(y,kbs) in 0. 37 | 38 | let P = 39 | A1(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 40 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) | 41 | A(ca3,a,b,kas) | S(cs3,a,b,kas,kbs) | B(cb3,b,a,kbs). 42 | 43 | let Q = 44 | A2(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 45 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) | 46 | A(ca3,a,b,kas) | S(cs3,a,b,kas,kbs) | B(cb3,b,a,kbs). 47 | 48 | query trace_equiv(P,Q). 49 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Wide-mouth-frog/WMF-4sessions-2dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs [private]. 10 | 11 | free ca1,cs1,cb1. 12 | free ca2,cs2,cb2. 13 | free ca3,cs3,cb3. 14 | free ca4,cs4,cb4. 15 | 16 | fun senc/2. 17 | reduc sdec(senc(x,y),y) -> x. 18 | 19 | let A1(ca,a,b,kas) = 20 | out(ca, (a, senc((b,s1),kas))). 21 | 22 | let A2(ca,a,b,kas) = 23 | out(ca, (a, senc((b,s2),kas))). 24 | 25 | let A(ca,a,b,kas) = 26 | new kab; 27 | out(ca, (a, senc((b,kab),kas))). 28 | 29 | let S(cs,a,b,kas,kbs) = 30 | in(cs, x); 31 | let (=a,xenc) = x in 32 | let (=b,xk) = sdec(xenc,kas) in 33 | out(cs, senc((a,xk),kbs)). 34 | 35 | let B(cb,b,a,kbs) = 36 | in(cb,y); 37 | let (ya,yk) = sdec(y,kbs) in 0. 38 | 39 | let P = 40 | A1(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 41 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 42 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 43 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas). 44 | 45 | let Q = 46 | A2(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 47 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 48 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 49 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas). 50 | 51 | query trace_equiv(P,Q). 52 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Wide-mouth-frog/WMF-5sessions-3dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs [private]. 10 | 11 | free ca1,cs1,cb1. 12 | free ca2,cs2,cb2. 13 | free ca3,cs3,cb3. 14 | free ca4,cs4,cb4. 15 | free ca5,cs5,cb5. 16 | 17 | fun senc/2. 18 | reduc sdec(senc(x,y),y) -> x. 19 | 20 | let A1(ca,a,b,kas) = 21 | out(ca, (a, senc((b,s1),kas))). 22 | 23 | let A2(ca,a,b,kas) = 24 | out(ca, (a, senc((b,s2),kas))). 25 | 26 | let A(ca,a,b,kas) = 27 | new kab; 28 | out(ca, (a, senc((b,kab),kas))). 29 | 30 | let S(cs,a,b,kas,kbs) = 31 | in(cs, x); 32 | let (=a,xenc) = x in 33 | let (=b,xk) = sdec(xenc,kas) in 34 | out(cs, senc((a,xk),kbs)). 35 | 36 | let B(cb,b,a,kbs) = 37 | in(cb,y); 38 | let (ya,yk) = sdec(y,kbs) in 0. 39 | 40 | let P = 41 | A1(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 42 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 43 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 44 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas) | 45 | A(ca5,b,c,kbs) | S(cs5,b,c,kbs,kcs). 46 | 47 | let Q = 48 | A2(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 49 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 50 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 51 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas) | 52 | A(ca5,b,c,kbs) | S(cs5,b,c,kbs,kcs). 53 | 54 | query trace_equiv(P,Q). 55 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Wide-mouth-frog/WMF-6sessions-4dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs [private]. 10 | 11 | free ca1,cs1,cb1. 12 | free ca2,cs2,cb2. 13 | free ca3,cs3,cb3. 14 | free ca4,cs4,cb4. 15 | free ca5,cs5,cb5. 16 | free ca6,cs6,cb6. 17 | 18 | fun senc/2. 19 | reduc sdec(senc(x,y),y) -> x. 20 | 21 | let A1(ca,a,b,kas) = 22 | out(ca, (a, senc((b,s1),kas))). 23 | 24 | let A2(ca,a,b,kas) = 25 | out(ca, (a, senc((b,s2),kas))). 26 | 27 | let A(ca,a,b,kas) = 28 | new kab; 29 | out(ca, (a, senc((b,kab),kas))). 30 | 31 | let S(cs,a,b,kas,kbs) = 32 | in(cs, x); 33 | let (=a,xenc) = x in 34 | let (=b,xk) = sdec(xenc,kas) in 35 | out(cs, senc((a,xk),kbs)). 36 | 37 | let B(cb,b,a,kbs) = 38 | in(cb,y); 39 | let (ya,yk) = sdec(y,kbs) in 0. 40 | 41 | let P = 42 | A1(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 43 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 44 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 45 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas) | 46 | A(ca5,b,c,kbs) | S(cs5,b,c,kbs,kcs) | 47 | S(cs6,c,a,kcs,kas) | B(cb6,c,a,kas). 48 | 49 | let Q = 50 | A2(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 51 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 52 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 53 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas) | 54 | A(ca5,b,c,kbs) | S(cs5,b,c,kbs,kcs) | 55 | S(cs6,c,a,kcs,kas) | B(cb6,c,a,kas). 56 | 57 | query trace_equiv(P,Q). 58 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Wide-mouth-frog/WMF-7sessions-4dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c,d. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs, kds [private]. 10 | 11 | free ca1,cs1,cb1. 12 | free ca2,cs2,cb2. 13 | free ca3,cs3,cb3. 14 | free ca4,cs4,cb4. 15 | free ca5,cs5,cb5. 16 | free ca6,cs6,cb6. 17 | free ca7,cs7,cb7. 18 | 19 | fun senc/2. 20 | reduc sdec(senc(x,y),y) -> x. 21 | 22 | let A1(ca,a,b,kas) = 23 | out(ca, (a, senc((b,s1),kas))). 24 | 25 | let A2(ca,a,b,kas) = 26 | out(ca, (a, senc((b,s2),kas))). 27 | 28 | let A(ca,a,b,kas) = 29 | new kab; 30 | out(ca, (a, senc((b,kab),kas))). 31 | 32 | let S(cs,a,b,kas,kbs) = 33 | in(cs, x); 34 | let (=a,xenc) = x in 35 | let (=b,xk) = sdec(xenc,kas) in 36 | out(cs, senc((a,xk),kbs)). 37 | 38 | let B(cb,b,a,kbs) = 39 | in(cb,y); 40 | let (ya,yk) = sdec(y,kbs) in 0. 41 | 42 | let P = 43 | A1(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 44 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 45 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 46 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas) | 47 | A(ca5,b,c,kbs) | S(cs5,b,c,kbs,kcs) | 48 | S(cs6,c,a,kcs,kas) | B(cb6,c,a,kas) | 49 | A(ca7,a,d,kas) | S(cs7,a,d,kas,kds) | B(cb7,d,a,kds). 50 | 51 | let Q = 52 | A2(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 53 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 54 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 55 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas) | 56 | A(ca5,b,c,kbs) | S(cs5,b,c,kbs,kcs) | 57 | S(cs6,c,a,kcs,kas) | B(cb6,c,a,kas) | 58 | A(ca7,a,d,kas) | S(cs7,a,d,kas,kds) | B(cb7,d,a,kds). 59 | 60 | query trace_equiv(P,Q). 61 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Wide-mouth-frog/WMF-9sessions-4dishonests.dps: -------------------------------------------------------------------------------- 1 | (* Wide Mouthed Frog protocol (without timestamps) 2 | # A -> S: A, {B,Kab}Kas 3 | # S -> B: {A,Kab}Kbs 4 | *) 5 | 6 | free a,b,c,d. 7 | 8 | free s1,s2, kcs. 9 | free kas, kbs, kds [private]. 10 | 11 | free ca1,cs1,cb1. 12 | free ca2,cs2,cb2. 13 | free ca3,cs3,cb3. 14 | free ca4,cs4,cb4. 15 | free ca5,cs5,cb5. 16 | free ca6,cs6,cb6. 17 | free ca7,cs7,cb7. 18 | free ca8,cs8,cb8. 19 | free ca9,cs9,cb9. 20 | 21 | fun senc/2. 22 | reduc sdec(senc(x,y),y) -> x. 23 | 24 | let A1(ca,a,b,kas) = 25 | out(ca, (a, senc((b,s1),kas))). 26 | 27 | let A2(ca,a,b,kas) = 28 | out(ca, (a, senc((b,s2),kas))). 29 | 30 | let A(ca,a,b,kas) = 31 | new kab; 32 | out(ca, (a, senc((b,kab),kas))). 33 | 34 | let S(cs,a,b,kas,kbs) = 35 | in(cs, x); 36 | let (=a,xenc) = x in 37 | let (=b,xk) = sdec(xenc,kas) in 38 | out(cs, senc((a,xk),kbs)). 39 | 40 | let B(cb,b,a,kbs) = 41 | in(cb,y); 42 | let (ya,yk) = sdec(y,kbs) in 0. 43 | 44 | let P = 45 | A1(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 46 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 47 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 48 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas) | 49 | A(ca5,b,c,kbs) | S(cs5,b,c,kbs,kcs) | 50 | S(cs6,c,a,kcs,kas) | B(cb6,c,a,kas) | 51 | A(ca7,a,d,kas) | S(cs7,a,d,kas,kds) | B(cb7,d,a,kds) | 52 | A(ca8,a,b,kas) | S(cs8,a,b,kas,kbs) | B(cb8,b,a,kbs) | 53 | A(ca9,a,b,kas) | S(cs9,a,b,kas,kbs) | B(cb9,b,a,kbs). 54 | 55 | let Q = 56 | A2(ca1,a,b,kas) | S(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 57 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 58 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 59 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas) | 60 | A(ca5,b,c,kbs) | S(cs5,b,c,kbs,kcs) | 61 | S(cs6,c,a,kcs,kas) | B(cb6,c,a,kas) | 62 | A(ca7,a,d,kas) | S(cs7,a,d,kas,kds) | B(cb7,d,a,kds) | 63 | A(ca8,a,b,kas) | S(cs8,a,b,kas,kbs) | B(cb8,b,a,kbs) | 64 | A(ca9,a,b,kas) | S(cs9,a,b,kas,kbs) | B(cb9,b,a,kbs). 65 | 66 | query trace_equiv(P,Q). 67 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Yahalom-Lowe/YahalomLowe-1session.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Yahalom - Lowe protocol (without the last message) 3 | A, B, S : principal 4 | Na, Nb : fresh numbers 5 | Kas, Kbs, Kab : key 6 | 7 | 1. A -> B : A, Na 8 | 2. B -> S : {A, Na, Nb}Kbs 9 | 3. S -> A : {B, Kab, Na, Nb}Kas 10 | 4. S -> B : {A, Kab}Kbs 11 | *) 12 | 13 | //Channels : 14 | 15 | free ca1,cb1,cs1. 16 | 17 | //Public data : 18 | free a,b,s. 19 | free s1,s2. 20 | 21 | fun senc/2. 22 | reduc sdec(senc(x,y),y) -> x. 23 | 24 | // Alice: 25 | let A(ca,a,b,kas) = 26 | new na; 27 | out(ca,(a,na)); 28 | in(ca,x0); 29 | let (=b,xkab,=na,xnb) = sdec(x0,kas) in 30 | 0. 31 | 32 | // Bob : 33 | let B(cb,b,a,kbs) = 34 | in(cb,y0); 35 | let (=a,yna) = y0 in 36 | new nb; 37 | out(cb,senc((a,yna,nb),kbs)); 38 | in(cb,y1); 39 | let (=a,ykab) = sdec(y1,kbs) in 40 | 0. 41 | 42 | // Server (+ property): 43 | let S1(cs,a,b,kas,kbs) = 44 | in(cs,z0); 45 | let (=a,zna,znb) = sdec(z0,kbs) in 46 | out(cs,(senc((b,s1,zna,znb),kas),senc((a,s1),kbs))). 47 | 48 | let S2(cs,a,b,kas,kbs) = 49 | in(cs,z0); 50 | let (=a,zna,znb) = sdec(z0,kbs) in 51 | out(cs,(senc((b,s2,zna,znb),kas),senc((a,s2),kbs))). 52 | 53 | //Server: 54 | let S(cs,a,b,kas,kbs) = 55 | in(cs,z0); 56 | new kab; 57 | let (=a,zna,znb) = sdec(z0,kbs) in 58 | out(cs,(senc((b,kab,zna,znb),kas),senc((a,kab),kbs)) ). 59 | 60 | 61 | // Protocols : 62 | let P = 63 | new kas; new kbs; 64 | ( 65 | A(ca1,a,b,kas) | S1(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) 66 | ). 67 | 68 | 69 | let Q = 70 | new kas; new kbs; 71 | ( 72 | A(ca1,a,b,kas) | S2(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) 73 | ). 74 | 75 | 76 | query trace_equiv(P,Q). 77 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Yahalom-Lowe/YahalomLowe-2sessions.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Yahalom - Lowe protocol (without the last message) 3 | A, B, S : principal 4 | Na, Nb : fresh numbers 5 | Kas, Kbs, Kab : key 6 | 7 | 1. A -> B : A, Na 8 | 2. B -> S : {A, Na, Nb}Kbs 9 | 3. S -> A : {B, Kab, Na, Nb}Kas 10 | 4. S -> B : {A, Kab}Kbs 11 | *) 12 | 13 | //Channels : 14 | 15 | free ca1,cb1,cs1. 16 | free ca2,cs2,cb2. 17 | 18 | //Public data : 19 | free a,b,s. 20 | free s1,s2. 21 | 22 | fun senc/2. 23 | reduc sdec(senc(x,y),y) -> x. 24 | 25 | // Alice: 26 | let A(ca,a,b,kas) = 27 | new na; 28 | out(ca,(a,na)); 29 | in(ca,x0); 30 | let (=b,xkab,=na,xnb) = sdec(x0,kas) in 31 | 0. 32 | 33 | // Bob : 34 | let B(cb,b,a,kbs) = 35 | in(cb,y0); 36 | let (=a,yna) = y0 in 37 | new nb; 38 | out(cb,senc((a,yna,nb),kbs)); 39 | in(cb,y1); 40 | let (=a,ykab) = sdec(y1,kbs) in 41 | 0. 42 | 43 | // Server (+ property): 44 | let S1(cs,a,b,kas,kbs) = 45 | in(cs,z0); 46 | let (=a,zna,znb) = sdec(z0,kbs) in 47 | out(cs,(senc((b,s1,zna,znb),kas),senc((a,s1),kbs))). 48 | 49 | let S2(cs,a,b,kas,kbs) = 50 | in(cs,z0); 51 | let (=a,zna,znb) = sdec(z0,kbs) in 52 | out(cs,(senc((b,s2,zna,znb),kas),senc((a,s2),kbs))). 53 | 54 | //Server: 55 | let S(cs,a,b,kas,kbs) = 56 | in(cs,z0); 57 | new kab; 58 | let (=a,zna,znb) = sdec(z0,kbs) in 59 | out(cs,(senc((b,kab,zna,znb),kas),senc((a,kab),kbs))). 60 | 61 | 62 | // Protocols : 63 | let P = 64 | new kas; new kbs; 65 | ( 66 | A(ca1,a,b,kas) | S1(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 67 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) 68 | ). 69 | 70 | 71 | let Q = 72 | new kas; new kbs; 73 | ( 74 | A(ca1,a,b,kas) | S2(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 75 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) 76 | ). 77 | 78 | 79 | query trace_equiv(P,Q). 80 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Yahalom-Lowe/YahalomLowe-3sessions-2dishonest.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Yahalom - Lowe protocol (without the last message) 3 | A, B, S : principal 4 | Na, Nb : fresh numbers 5 | Kas, Kbs, Kab : key 6 | 7 | 1. A -> B : A, Na 8 | 2. B -> S : {A, Na, Nb}Kbs 9 | 3. S -> A : {B, Kab, Na, Nb}Kas 10 | 4. S -> B : {A, Kab}Kbs 11 | *) 12 | 13 | //Channels : 14 | 15 | free ca1,cb1,cs1. 16 | free ca2,cs2,cb2. 17 | free ca3,cs3,cb3. 18 | 19 | //Public data : 20 | free a,b,c,s. 21 | free s1,s2,kcs. 22 | 23 | fun senc/2. 24 | reduc sdec(senc(x,y),y) -> x. 25 | 26 | // Alice: 27 | let A(ca,a,b,kas) = 28 | new na; 29 | out(ca,(a,na)); 30 | in(ca,x0); 31 | let (=b,xkab,=na,xnb) = sdec(x0,kas) in 32 | 0. 33 | 34 | // Bob : 35 | let B(cb,b,a,kbs) = 36 | in(cb,y0); 37 | let (=a,yna) = y0 in 38 | new nb; 39 | out(cb,senc((a,yna,nb),kbs)); 40 | in(cb,y1); 41 | let (=a,ykab) = sdec(y1,kbs) in 42 | 0. 43 | 44 | // Server (+ property): 45 | let S1(cs,a,b,kas,kbs) = 46 | in(cs,z0); 47 | let (=a,zna,znb) = sdec(z0,kbs) in 48 | out(cs,(senc((b,s1,zna,znb),kas),senc((a,s1),kbs))). 49 | 50 | let S2(cs,a,b,kas,kbs) = 51 | in(cs,z0); 52 | let (=a,zna,znb) = sdec(z0,kbs) in 53 | out(cs,(senc((b,s2,zna,znb),kas),senc((a,s2),kbs))). 54 | 55 | //Server: 56 | let S(cs,a,b,kas,kbs) = 57 | in(cs,z0); 58 | new kab; 59 | let (=a,zna,znb) = sdec(z0,kbs) in 60 | out(cs,(senc((b,kab,zna,znb),kas),senc((a,kab),kbs)) ). 61 | 62 | 63 | // Protocols : 64 | let P = 65 | new kas; new kbs; 66 | ( 67 | A(ca1,a,b,kas) | S1(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 68 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) | 69 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) 70 | ). 71 | 72 | 73 | let Q = 74 | new kas; new kbs; 75 | ( 76 | A(ca1,a,b,kas) | S2(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 77 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) | 78 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) 79 | ). 80 | 81 | 82 | query trace_equiv(P,Q). 83 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Yahalom-Lowe/YahalomLowe-3sessions.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Yahalom - Lowe protocol (without the last message) 3 | A, B, S : principal 4 | Na, Nb : fresh numbers 5 | Kas, Kbs, Kab : key 6 | 7 | 1. A -> B : A, Na 8 | 2. B -> S : {A, Na, Nb}Kbs 9 | 3. S -> A : {B, Kab, Na, Nb}Kas 10 | 4. S -> B : {A, Kab}Kbs 11 | *) 12 | 13 | //Channels : 14 | 15 | free ca1,cb1,cs1. 16 | free ca2,cs2,cb2. 17 | free ca3,cs3,cb3. 18 | 19 | //Public data : 20 | free a,b,c,s. 21 | free s1,s2,kcs. 22 | 23 | fun senc/2. 24 | reduc sdec(senc(x,y),y) -> x. 25 | 26 | // Alice: 27 | let A(ca,a,b,kas) = 28 | new na; 29 | out(ca,(a,na)); 30 | in(ca,x0); 31 | let (=b,xkab,=na,xnb) = sdec(x0,kas) in 32 | 0. 33 | 34 | // Bob : 35 | let B(cb,b,a,kbs) = 36 | in(cb,y0); 37 | let (=a,yna) = y0 in 38 | new nb; 39 | out(cb,senc((a,yna,nb),kbs)); 40 | in(cb,y1); 41 | let (=a,ykab) = sdec(y1,kbs) in 42 | 0. 43 | 44 | // Server (+ property): 45 | let S1(cs,a,b,kas,kbs) = 46 | in(cs,z0); 47 | let (=a,zna,znb) = sdec(z0,kbs) in 48 | out(cs,(senc((b,s1,zna,znb),kas),senc((a,s1),kbs))). 49 | 50 | let S2(cs,a,b,kas,kbs) = 51 | in(cs,z0); 52 | let (=a,zna,znb) = sdec(z0,kbs) in 53 | out(cs,(senc((b,s2,zna,znb),kas),senc((a,s2),kbs))). 54 | 55 | //Server: 56 | let S(cs,a,b,kas,kbs) = 57 | in(cs,z0); 58 | new kab; 59 | let (=a,zna,znb) = sdec(z0,kbs) in 60 | out(cs,(senc((b,kab,zna,znb),kas),senc((a,kab),kbs)) ). 61 | 62 | 63 | // Protocols : 64 | let P = 65 | new kas; new kbs; 66 | ( 67 | A(ca1,a,b,kas) | S1(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 68 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) | 69 | A(ca3,a,b,kas) | S(cs3,a,b,kas,kbs) | B(cb3,b,a,kbs) 70 | ). 71 | 72 | 73 | let Q = 74 | new kas; new kbs; 75 | ( 76 | A(ca1,a,b,kas) | S2(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 77 | A(ca2,a,b,kas) | S(cs2,a,b,kas,kbs) | B(cb2,b,a,kbs) | 78 | A(ca3,a,b,kas) | S(cs3,a,b,kas,kbs) | B(cb3,b,a,kbs) 79 | ). 80 | 81 | 82 | query trace_equiv(P,Q). 83 | -------------------------------------------------------------------------------- /Examples/trace_equivalence/Yahalom-Lowe/YahalomLowe-4sessions-2dishonest.dps: -------------------------------------------------------------------------------- 1 | (* 2 | Yahalom - Lowe protocol (without the last message) 3 | A, B, S : principal 4 | Na, Nb : fresh numbers 5 | Kas, Kbs, Kab : key 6 | 7 | 1. A -> B : A, Na 8 | 2. B -> S : {A, Na, Nb}Kbs 9 | 3. S -> A : {B, Kab, Na, Nb}Kas 10 | 4. S -> B : {A, Kab}Kbs 11 | *) 12 | 13 | //Channels : 14 | 15 | free ca1,cb1,cs1. 16 | free ca2,cs2,cb2. 17 | free ca3,cs3,cb3. 18 | free ca4,cs4,cb4. 19 | 20 | //Public data : 21 | free a,b,c,s. 22 | free s1,s2,kcs. 23 | 24 | fun senc/2. 25 | reduc sdec(senc(x,y),y) -> x. 26 | 27 | // Alice: 28 | let A(ca,a,b,kas) = 29 | new na; 30 | out(ca,(a,na)); 31 | in(ca,x0); 32 | let (=b,xkab,=na,xnb) = sdec(x0,kas) in 33 | 0. 34 | 35 | // Bob : 36 | let B(cb,b,a,kbs) = 37 | in(cb,y0); 38 | let (=a,yna) = y0 in 39 | new nb; 40 | out(cb,senc((a,yna,nb),kbs)); 41 | in(cb,y1); 42 | let (=a,ykab) = sdec(y1,kbs) in 43 | 0. 44 | 45 | // Server (+ property): 46 | let S1(cs,a,b,kas,kbs) = 47 | in(cs,z0); 48 | let (=a,zna,znb) = sdec(z0,kbs) in 49 | out(cs,(senc((b,s1,zna,znb),kas),senc((a,s1),kbs))). 50 | 51 | let S2(cs,a,b,kas,kbs) = 52 | in(cs,z0); 53 | let (=a,zna,znb) = sdec(z0,kbs) in 54 | out(cs,(senc((b,s2,zna,znb),kas),senc((a,s2),kbs))). 55 | 56 | //Server: 57 | let S(cs,a,b,kas,kbs) = 58 | in(cs,z0); 59 | new kab; 60 | let (=a,zna,znb) = sdec(z0,kbs) in 61 | out(cs,(senc((b,kab,zna,znb),kas),senc((a,kab),kbs)) ). 62 | 63 | 64 | // Protocols : 65 | let P = 66 | new kas; new kbs; 67 | ( 68 | A(ca1,a,b,kas) | S1(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 69 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 70 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 71 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas) 72 | ). 73 | 74 | 75 | let Q = 76 | new kas; new kbs; 77 | ( 78 | A(ca1,a,b,kas) | S2(cs1,a,b,kas,kbs) | B(cb1,b,a,kbs) | 79 | A(ca2,a,c,kas) | S(cs2,a,c,kas,kcs) | 80 | S(cs3,c,b,kcs,kbs) | B(cb3,c,b,kbs) | 81 | A(ca4,b,a,kbs) | S(cs4,b,a,kbs,kas) | B(cb4,a,b,kas) 82 | ). 83 | 84 | 85 | query trace_equiv(P,Q). 86 | -------------------------------------------------------------------------------- /Examples/tutorial/pap-1-session-attack.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free c. 9 | 10 | free ska, skb, skc [private]. 11 | 12 | fun aenc/2. 13 | fun pk/1. 14 | 15 | reduc adec(aenc(x,pk(y)),y) -> x. 16 | 17 | /* 18 | Description of role A played: 19 | - by the agent with private key ska 20 | - with the agent with public key pkb 21 | */ 22 | 23 | let processA(ska,pkb) = 24 | new na; 25 | out(c,aenc((na,pk(ska)),pkb)); 26 | in(c,x). 27 | 28 | 29 | /* 30 | Description of role B played: 31 | - by the agent with private key skb 32 | - with the agent with public key pka 33 | */ 34 | 35 | let processB(skb,pka) = 36 | in(c,yb); 37 | new nb; 38 | let (yna,=pka) = adec(yb,skb) in 39 | out(c,aenc((yna,nb,pk(skb)),pka)) 40 | else 0. 41 | 42 | /* 43 | Main 44 | */ 45 | 46 | let ProcessAB = 47 | out(c,pk(ska)); 48 | out(c,pk(skb)); 49 | out(c,pk(skc)); 50 | ( 51 | processA(ska,pk(skb)) | processB(skb,pk(ska)) 52 | ). 53 | 54 | let ProcessCB = 55 | out(c,pk(ska)); 56 | out(c,pk(skb)); 57 | out(c,pk(skc)); 58 | ( 59 | processA(skc,pk(skb)) | processB(skb,pk(skc)) 60 | ). 61 | 62 | 63 | query trace_equiv(ProcessAB,ProcessCB). 64 | 65 | 66 | -------------------------------------------------------------------------------- /Examples/tutorial/pap-1-session.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free c. 9 | 10 | free ska, skb, skc [private]. 11 | 12 | fun aenc/2. 13 | fun pk/1. 14 | 15 | reduc adec(aenc(x,pk(y)),y) -> x. 16 | 17 | /* 18 | Description of role A played: 19 | - by the agent with private key ska 20 | - with the agent with public key pkb 21 | */ 22 | 23 | let processA(ska,pkb) = 24 | new na; 25 | out(c,aenc((na,pk(ska)),pkb)); 26 | in(c,x). 27 | 28 | 29 | /* 30 | Description of role B played: 31 | - by the agent with private key skb 32 | - with the agent with public key pka 33 | */ 34 | 35 | let processB(skb,pka) = 36 | in(c,yb); 37 | new nb; 38 | let (yna,=pka) = adec(yb,skb) in 39 | out(c,aenc((yna,nb,pk(skb)),pka)) 40 | else out(c,aenc(nb,pk(skb))). 41 | 42 | /* 43 | Main 44 | */ 45 | 46 | let ProcessAB = 47 | out(c,pk(ska)); 48 | out(c,pk(skb)); 49 | out(c,pk(skc)); 50 | ( 51 | processA(ska,pk(skb)) | processB(skb,pk(ska)) 52 | ). 53 | 54 | let ProcessCB = 55 | out(c,pk(ska)); 56 | out(c,pk(skb)); 57 | out(c,pk(skc)); 58 | ( 59 | processA(skc,pk(skb)) | processB(skb,pk(skc)) 60 | ). 61 | 62 | 63 | query trace_equiv(ProcessAB,ProcessCB). 64 | 65 | 66 | -------------------------------------------------------------------------------- /Examples/tutorial/pap-2-sessions.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free c. 9 | 10 | free ska, skb, skc [private]. 11 | 12 | fun aenc/2. 13 | fun pk/1. 14 | 15 | reduc adec(aenc(x,pk(y)),y) -> x. 16 | 17 | /* 18 | Description of role A played: 19 | - by the agent with private key ska 20 | - with the agent with public key pkb 21 | */ 22 | 23 | let processA(ska,pkb) = 24 | new na; 25 | out(c,aenc((na,pk(ska)),pkb)); 26 | in(c,x). 27 | 28 | 29 | /* 30 | Description of role B played: 31 | - by the agent with private key skb 32 | - with the agent with public key pka 33 | */ 34 | 35 | let processB(skb,pka) = 36 | in(c,yb); 37 | new nb; 38 | let (yna,=pka) = adec(yb,skb) in 39 | out(c,aenc((yna,nb,pk(skb)),pka)) 40 | else out(c,aenc(nb,pk(skb))). 41 | 42 | /* 43 | Main 44 | */ 45 | 46 | let ProcessAB = 47 | out(c,pk(ska)); 48 | out(c,pk(skb)); 49 | out(c,pk(skc)); 50 | ( 51 | processA(ska,pk(skb)) | processB(skb,pk(ska)) | // B expects to talk to A 52 | processA(ska,pk(skb)) | processB(skb,pk(ska)) // B expects to talk to A 53 | ). 54 | 55 | let ProcessCB = 56 | out(c,pk(ska)); 57 | out(c,pk(skb)); 58 | out(c,pk(skc)); 59 | ( 60 | processA(skc,pk(skb)) | processB(skb,pk(skc)) | // B expects to talk to C 61 | processA(ska,pk(skb)) | processB(skb,pk(ska)) // B expects to talk to A 62 | ). 63 | 64 | 65 | query trace_equiv(ProcessAB,ProcessCB). 66 | 67 | 68 | 69 | -------------------------------------------------------------------------------- /Examples/tutorial/pap-3-sessions.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free c. 9 | 10 | free ska, skb, skc [private]. 11 | 12 | fun aenc/2. 13 | fun pk/1. 14 | 15 | reduc adec(aenc(x,pk(y)),y) -> x. 16 | 17 | /* 18 | Description of role A played: 19 | - by the agent with private key ska 20 | - with the agent with public key pkb 21 | */ 22 | 23 | let processA(ska,pkb) = 24 | new na; 25 | out(c,aenc((na,pk(ska)),pkb)); 26 | in(c,x). 27 | 28 | 29 | /* 30 | Description of role B played: 31 | - by the agent with private key skb 32 | - with the agent with public key pka 33 | */ 34 | 35 | let processB(skb,pka) = 36 | in(c,yb); 37 | new nb; 38 | let (yna,=pka) = adec(yb,skb) in 39 | out(c,aenc((yna,nb,pk(skb)),pka)) 40 | else out(c,aenc(nb,pk(skb))). 41 | 42 | /* 43 | Main 44 | */ 45 | 46 | let ProcessAB = 47 | out(c,pk(ska)); 48 | out(c,pk(skb)); 49 | out(c,pk(skc)); 50 | ( 51 | processA(ska,pk(skb)) | processB(skb,pk(ska)) | // B expects to talk to A 52 | processA(ska,pk(skb)) | processB(skb,pk(ska)) | // B expects to talk to A 53 | processA(skc,pk(ska)) | processB(ska,pk(skc)) // A expects to talk to C 54 | ). 55 | 56 | let ProcessCB = 57 | out(c,pk(ska)); 58 | out(c,pk(skb)); 59 | out(c,pk(skc)); 60 | ( 61 | processA(skc,pk(skb)) | processB(skb,pk(skc)) | // B expects to talk to C 62 | processA(ska,pk(skb)) | processB(skb,pk(ska)) | // B expects to talk to A 63 | processA(skc,pk(ska)) | processB(ska,pk(skc)) // A expects to talk to C 64 | ). 65 | 66 | 67 | query trace_equiv(ProcessAB,ProcessCB). 68 | 69 | 70 | -------------------------------------------------------------------------------- /Examples/tutorial/pap-session-equiv-5-sessions.dps: -------------------------------------------------------------------------------- 1 | (* Private Authentication Protocol 2 | 3 | 1. A -> B: {Na, pub(A)}pub(B) 4 | 2. B -> A: {Na, Nb,pub(B)}pub(A) if B wants to communicate with A 5 | {Nb}pub(B) otherwise 6 | *) 7 | 8 | free c. 9 | 10 | free ski. 11 | free ska, skb, skc [private]. 12 | 13 | fun aenc/2. 14 | fun pk/1. 15 | 16 | reduc adec(aenc(x,pk(y)),y) -> x. 17 | 18 | /* 19 | Description of role A played: 20 | - on channel ca 21 | - by the agent with private key ska 22 | - with the agent with public key pkb 23 | */ 24 | 25 | let processA(ska,pkb) = 26 | new na; 27 | out(c,aenc((na,pk(ska)),pkb)); 28 | in(c,x). 29 | 30 | 31 | /* 32 | Description of role B played: 33 | - on channel cb 34 | - by the agent with private key skb 35 | - with the agent with public key pka 36 | */ 37 | 38 | let processB(skb,pka) = 39 | in(c,yb); 40 | new nb; 41 | let (yna,=pka) = adec(yb,skb) in 42 | out(c,aenc((yna,nb,pk(skb)),pka)) 43 | else out(c,aenc(nb,pk(skb))). 44 | 45 | /* 46 | Main 47 | */ 48 | 49 | let ProcessAB = 50 | out(c,pk(ska)); 51 | out(c,pk(skb)); 52 | out(c,pk(skc)); 53 | ( 54 | processA(ska,pk(skb)) | processB(skb,pk(ska)) | // B expects to talk to A 55 | processA(ska,pk(skb)) | processB(skb,pk(ska)) | // B expects to talk to A 56 | processA(skc,pk(ska)) | processB(ska,pk(skc)) | // A expects to talk to C 57 | processA(ska,pk(ski)) | // I (intruder) expects to talk to A 58 | processB(skb,pk(ski)) // B expects to talk to I 59 | ). 60 | 61 | let ProcessCB = 62 | out(c,pk(ska)); 63 | out(c,pk(skb)); 64 | out(c,pk(skc)); 65 | ( 66 | processA(skc,pk(skb)) | processB(skb,pk(skc)) | // B expects to talk to C 67 | processA(ska,pk(skb)) | processB(skb,pk(ska)) | // B expects to talk to A 68 | processA(skc,pk(ska)) | processB(ska,pk(skc)) | // A expects to talk to C 69 | processA(ska,pk(ski)) | // I (intruder) expects to talk to A 70 | processB(skb,pk(ski)) // B expects to talk to I 71 | ). 72 | 73 | 74 | query session_equiv(ProcessAB,ProcessCB). 75 | 76 | 77 | 78 | -------------------------------------------------------------------------------- /Examples/tutorial/trace-vs-session.dps: -------------------------------------------------------------------------------- 1 | free c. 2 | 3 | const a. 4 | 5 | let P = out(c,a) ; out(c,a). 6 | let Q = out(c,a) | out(c,a). 7 | 8 | query trace_equiv(P,Q). 9 | query session_equiv(P,Q). 10 | 11 | 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DeepSec: Deciding Equivalence Properties in Security Protocols 2 | 3 | Automated verification has become an essential part in the security evaluation of cryptographic protocols. Recently, there has been a considerable effort to lift the theory and tool support that existed for reachability properties to the more complex case of equivalence properties. **DeepSec** allows you to decide trace equivalence and session equivalence for a large variety of cryptographic primitives---those that can be represented by a subterm convergent destructor rewrite system. 4 | 5 | ## Website 6 | 7 | More information on **DeepSec** is available on its website: https://deepsec-prover.github.io/ 8 | 9 | ## Mailing list 10 | 11 | A mailing list is available for general discussions on DeepSec and announcements of new releases. 12 | - To subscribe, send an email to sympa@inria.fr with subject "subscribe deepsec " (remove the quotes). 13 | - To post on the mailing list once subscribed, send an email to deepsec@inria.fr 14 | 15 | ## User manual 16 | 17 | The user manual (html and pdf) is available at: https://deepsec-prover.github.io/manual/ 18 | -------------------------------------------------------------------------------- /Source/core_library/process.mli: -------------------------------------------------------------------------------- 1 | (**************************************************************************) 2 | (* *) 3 | (* DeepSec *) 4 | (* *) 5 | (* Vincent Cheval, project PESTO, INRIA Nancy *) 6 | (* Steve Kremer, project PESTO, INRIA Nancy *) 7 | (* Itsaka Rakotonirina, project PESTO, INRIA Nancy *) 8 | (* *) 9 | (* Copyright (C) INRIA 2017-2020 *) 10 | (* *) 11 | (* All rights reserved. This file is distributed under the terms of *) 12 | (* the GNU General Public License version 3.0 as described in the *) 13 | (* file LICENSE *) 14 | (* *) 15 | (**************************************************************************) 16 | 17 | open Types 18 | 19 | val display_transition : transition -> string 20 | 21 | val display_position : position -> string 22 | 23 | val display : int -> process -> string 24 | 25 | (*** Checking for session equivalence ***) 26 | 27 | exception Session_error of string 28 | 29 | val check_process_for_session : process -> unit 30 | 31 | (*** Transformation and simplifications ***) 32 | 33 | val simplify_for_determinate : process -> process * (transition list -> transition list) 34 | 35 | val simplify_for_generic : process -> process * (transition list -> transition list) 36 | 37 | val simplify_for_session : process -> process * (transition list -> transition list) 38 | -------------------------------------------------------------------------------- /Source/interface/execution_manager.mli: -------------------------------------------------------------------------------- 1 | (**************************************************************************) 2 | (* *) 3 | (* DeepSec *) 4 | (* *) 5 | (* Vincent Cheval, project PESTO, INRIA Nancy *) 6 | (* Steve Kremer, project PESTO, INRIA Nancy *) 7 | (* Itsaka Rakotonirina, project PESTO, INRIA Nancy *) 8 | (* *) 9 | (* Copyright (C) INRIA 2017-2020 *) 10 | (* *) 11 | (* All rights reserved. This file is distributed under the terms of *) 12 | (* the GNU General Public License version 3.0 as described in the *) 13 | (* file LICENSE *) 14 | (* *) 15 | (**************************************************************************) 16 | 17 | (*** Catching exception ***) 18 | 19 | val catch_batch_internal_error : (unit -> unit) -> unit 20 | 21 | val catch_init_internal_error : (unit -> unit) -> unit 22 | 23 | (*** Main UI ***) 24 | 25 | val cancel_batch : unit -> unit 26 | 27 | val set_up_batch_options : Types_ui.batch_options list -> unit 28 | 29 | val start_batch : string list -> Types_ui.batch_options list -> unit 30 | 31 | val execute_batch : unit -> unit 32 | -------------------------------------------------------------------------------- /Source/interface/parsing_functions_ui.mli: -------------------------------------------------------------------------------- 1 | (**************************************************************************) 2 | (* *) 3 | (* DeepSec *) 4 | (* *) 5 | (* Vincent Cheval, project PESTO, INRIA Nancy *) 6 | (* Steve Kremer, project PESTO, INRIA Nancy *) 7 | (* Itsaka Rakotonirina, project PESTO, INRIA Nancy *) 8 | (* *) 9 | (* Copyright (C) INRIA 2017-2020 *) 10 | (* *) 11 | (* All rights reserved. This file is distributed under the terms of *) 12 | (* the GNU General Public License version 3.0 as described in the *) 13 | (* file LICENSE *) 14 | (* *) 15 | (**************************************************************************) 16 | 17 | open Types_ui 18 | 19 | (*** Parsing to Json ***) 20 | 21 | val parse_json_from_file : string -> json 22 | 23 | val parse_json_from_string : string -> json 24 | 25 | val parse_selected_transition : int -> json_selected_transition -> json_transition 26 | 27 | (*** Parsing json to data structure ***) 28 | 29 | val query_result_of : string -> json -> query_result * json_atomic array 30 | 31 | (*** Commands ***) 32 | 33 | val input_command_of : ?assoc: json_atomic array option -> json -> input_command 34 | -------------------------------------------------------------------------------- /Source/interface/simulator.mli: -------------------------------------------------------------------------------- 1 | (**************************************************************************) 2 | (* *) 3 | (* DeepSec *) 4 | (* *) 5 | (* Vincent Cheval, project PESTO, INRIA Nancy *) 6 | (* Steve Kremer, project PESTO, INRIA Nancy *) 7 | (* Itsaka Rakotonirina, project PESTO, INRIA Nancy *) 8 | (* *) 9 | (* Copyright (C) INRIA 2017-2020 *) 10 | (* *) 11 | (* All rights reserved. This file is distributed under the terms of *) 12 | (* the GNU General Public License version 3.0 as described in the *) 13 | (* file LICENSE *) 14 | (* *) 15 | (**************************************************************************) 16 | 17 | val display_trace : string -> int -> unit 18 | 19 | val attack_simulator : string -> unit 20 | 21 | val equivalence_simulator : string -> int -> unit 22 | -------------------------------------------------------------------------------- /Source/query_solving/determinate_equivalence.mli: -------------------------------------------------------------------------------- 1 | (**************************************************************************) 2 | (* *) 3 | (* DeepSec *) 4 | (* *) 5 | (* Vincent Cheval, project PESTO, INRIA Nancy *) 6 | (* Steve Kremer, project PESTO, INRIA Nancy *) 7 | (* Itsaka Rakotonirina, project PESTO, INRIA Nancy *) 8 | (* *) 9 | (* Copyright (C) INRIA 2017-2020 *) 10 | (* *) 11 | (* All rights reserved. This file is distributed under the terms of *) 12 | (* the GNU General Public License version 3.0 as described in the *) 13 | (* file LICENSE *) 14 | (* *) 15 | (**************************************************************************) 16 | 17 | (** Deciding equivalence *) 18 | 19 | open Types 20 | open Determinate_process 21 | 22 | type origin_process = 23 | | Left 24 | | Right 25 | 26 | type symbolic_process = 27 | { 28 | configuration : configuration; 29 | origin_process : origin_process 30 | } 31 | 32 | type equivalence_problem 33 | 34 | val export_equivalence_problem : equivalence_problem -> equivalence_problem * (recipe_variable * recipe) list 35 | 36 | val import_equivalence_problem : (unit -> 'a) -> equivalence_problem -> (recipe_variable * recipe) list -> 'a 37 | 38 | exception Not_Trace_Equivalent of (bool * transition list) 39 | 40 | val apply_one_transition_and_rules : 41 | equivalence_problem -> 42 | (equivalence_problem -> (unit -> unit) -> unit) -> 43 | (unit -> unit) -> 44 | unit 45 | 46 | val initialise_equivalence_problem : (process * process) -> bool -> symbolic_process Constraint_system.set -> equivalence_problem 47 | -------------------------------------------------------------------------------- /_tags: -------------------------------------------------------------------------------- 1 | true: bin_annot, warn(+a-44-e), color(always), thread 2 | : include 3 | : include 4 | : include 5 | : include 6 | : include 7 | : include 8 | -------------------------------------------------------------------------------- /deepsec.opam: -------------------------------------------------------------------------------- 1 | opam-version: "2.0" 2 | name: "deepsec" 3 | version: "2.0.2" 4 | synopsis: "DeepSec: DEciding Equivalence Properties in SECurity Protocols" 5 | description: """ 6 | Automated verification has become an essential part in the security evaluation of cryptographic protocols. Recently, there has been a considerable effort to lift the theory and tool support that existed for reachability properties to the more complex case of equivalence properties. 7 | 8 | DeepSec is a verification tool which allows verification of trace equivalence and equivalence by session for a large variety of user defined cryptographic primitives—those that can be represented by a subterm convergent destructor rewrite system. 9 | 10 | The user manual is available at 11 | 12 | https://deepsec-prover.github.io/manual/ 13 | """ 14 | maintainer: 15 | "Vincent Cheval " 16 | authors: 17 | "Vincent Cheval , Steve Kremer , Itsaka Rakotonirina ," 18 | homepage: "https://deepsec-prover.github.io/" 19 | bug-reports: "Bug reports should be filed as issues on the github repository: https://github.com/DeepSec-prover/deepsec/issues" 20 | license: "GNU General Public License v3.0" 21 | 22 | depends: ["ocaml" { >= "4.05" } 23 | "ocamlfind" 24 | "ocamlbuild" 25 | ] 26 | build: [make] 27 | 28 | install: [make "install" "BINDIR=%{bin}%"] 29 | -------------------------------------------------------------------------------- /script/check: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | # checks requirements for DeepSec installation 4 | 5 | function prog_exists() { 6 | if command -v $1 &> /dev/null; then 7 | return 0; # exists 8 | else return 1; # does not exist 9 | fi 10 | } 11 | 12 | function checks() { 13 | # printf "Checking installation requirements...\n" 14 | if prog_exists ocamlopt; then 15 | printf " \e[32m\e[1m\xE2\x9C\x94\e[0m ocamlopt found\n"; 16 | if $(command -v ocamlopt | grep opam); then 17 | printf " \e[32m\e[1m\xE2\x9C\x94\e[0m ocaml has been installed with opam\n"; 18 | REQUIREDOCAML=4.05.0 19 | CURRENTOCAML=$(ocamlopt --version) 20 | if [ "$(printf '%s\n' "$REQUIREDOCAML" "$CURRENTOCAML" | sort -V | head -n1)" = "$CURRENTOCAML" ]; then 21 | printf " - ocaml version should be >$REQUIREDOCAML (installed version: $CURRENTOCAML). Install a more recent version by using 'opam switch'\n"; 22 | return 1; 23 | else 24 | printf " \e[32m\e[1m\xE2\x9C\x94\e[0m ocaml version ($CURRENTOCAML) is recent enough (>$REQUIREDOCAML)\n"; 25 | return 0; 26 | fi 27 | else 28 | printf " - ocaml does not seem to be install using opam! Please visit https://deepsec-prover.github.io for help.\n"; 29 | return 1; 30 | fi 31 | else printf " - ocamlopt not found! Please visit https://deepsec-prover.github.io for help.\n"; return 1; 32 | fi 33 | } 34 | 35 | if checks; then 36 | printf "\e[1mAll installation requirements are satisfied\e[0m\n"; 37 | else 38 | printf "\e[31m\e[1mSome installation requirements are not met. It is advised to patch them before running 'make'.\e[0m\n"; 39 | fi 40 | -------------------------------------------------------------------------------- /script/cpu_linux_osx: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # macOS: Use `sysctl -n hw.*cpu_max`, which returns the values of 4 | # interest directly. 5 | # CAVEAT: Using the "_max" key suffixes means that the *maximum* 6 | # available number of CPUs is reported, whereas the 7 | # current power-management mode could make *fewer* CPUs 8 | # available; dropping the "_max" suffix would report the 9 | # number of *currently* available ones; see [1] below. 10 | # 11 | # Linux: Parse output from `lscpu -p`, where each output line represents 12 | # a distinct (logical) CPU. 13 | # Note: Newer versions of `lscpu` support more flexible output 14 | # formats, but we stick with the parseable legacy format 15 | # generated by `-p` to support older distros, too. 16 | # `-p` reports *online* CPUs only - i.e., on hot-pluggable 17 | # systems, currently disabled (offline) CPUs are NOT 18 | # reported. 19 | 20 | # Number of LOGICAL CPUs (includes those reported by hyper-threading cores) 21 | # Linux: Simply count the number of (non-comment) output lines from `lscpu -p`, 22 | # which tells us the number of *logical* CPUs. 23 | logicalCpuCount=$([ $(uname) = 'Darwin' ] && 24 | sysctl -n hw.logicalcpu_max || 25 | lscpu -p | egrep -v '^#' | wc -l) 26 | 27 | # Number of PHYSICAL CPUs (cores). 28 | # Linux: The 2nd column contains the core ID, with each core ID having 1 or 29 | # - in the case of hyperthreading - more logical CPUs. 30 | # Counting the *unique* cores across lines tells us the 31 | # number of *physical* CPUs (cores). 32 | physicalCpuCount=$([ $(uname) = 'Darwin' ] && 33 | sysctl -n hw.physicalcpu_max || 34 | lscpu -p | egrep -v '^#' | sort -u -t, -k 2,4 | wc -l) 35 | 36 | # Print the values. 37 | echo $physicalCpuCount 38 | --------------------------------------------------------------------------------