abstract ok : message
abstract ko : message

name skP : message
name skS : message

channel cP
channel cS

name a : index -> message
name b : index -> message
name k : index -> index -> message

ddh g, (^) where group:message exponents:message.

SIGNED DDH

The signed DDH protocol as described in [G] features two roles, P and S. Each role is associated to a secret key (skP and skS).

P -> S : <pk(skP), g^a>
S -> P : <pk(skS),g^b>,sign(<<ga,g^b>,pk(skP)>,skS)
P -> S : sign(<<g^b,ga>,pk(skS)>,skP)

We consider multiple sessions but two agents only (one agent for the role P and one agent for the role S) and show the strong secrecy of the shared key.

In this file signed-ddh-S.sp, we show that the key g^ab as computed by S is indistinguishable from g^k with k fresh (system secretS).
In another file signed-ddh-P.sp, we show that the key g^ab as computed by P is indistinguishable from g^k with k fresh (system secretP).

[G] ISO/IEC 9798-3:2019, IT Security techniques – Entity authentication – Part 3: Mechanisms using digital signature techniques.

Declarations are identical to the ones in signed-ddh-P.sp.

signature sign,checksign,pk

process P(i:index) =
out(cP, <pk(skP),g^a(i)>);
in(cP, x2);
let gs = snd(fst(x2)) in
let pks = fst(fst(x2)) in
if checksign(snd(x2),pks) = <<g^a(i),gs>,pk(skP)> && pks = pk(skS) then
out(cP,sign(<<gs,g^a(i)>,pks>,skP))

process Schall(j:index) =
in(cS, x1);
let gp = snd(x1) in
let pkp = fst(x1) in
if pkp = pk(skP) then
out(cS, < <pk(skS),g^b(j)>, sign(<<gp,g^b(j)>,pkp>,skS)>);
in(cS, x3);
if checksign(x3,pkp) = <<g^b(j),gp>,pk(skS)> then
out(cS,ok);
in(cS, challenge);
try find i such that gp = g^a(i) in
out(cS, diff(g^a(i)^b(j),g^k(i,j)))
else
out(cS, diff(ok,ko))

system (!_i P(i) | !_j Schall(j)). System before processing:

(!_i P i) | (!_j Schall j)

System after processing:

(!_i
P:
out(cP,pair(pk(skP),(g ^ a(i))));
in(cP,x2);
let gs = snd(fst(x2)) in
let pks = fst(fst(x2)) in
if ((checksign(snd(x2),pks(i)) = pair(pair((g ^ a(i)),gs(i)),pk(skP)))
&& (pks(i) = pk(skS))) then
P1: out(cP,sign(pair(pair(gs(i),(g ^ a(i))),pks(i)),skP)); null else
P2: null) |
(!_j
in(cS,x1);
let gp = snd(x1) in
let pkp = fst(x1) in
if (pkp(j) = pk(skP)) then
Schall:
out(cS,
pair(pair(pk(skS),(g ^ b(j))),
sign(pair(pair(gp(j),(g ^ b(j))),pkp(j)),skS)));
in(cS,x3);
if (checksign(x3,pkp(j)) = pair(pair((g ^ b(j)),gp(j)),pk(skS))) then
Schall1:
out(cS,ok);
in(cS,challenge);
find (i) such that (gp(j) = (g ^ a(i))) in
Schall2: out(cS,diff(((g ^ a(i)) ^ b(j)),(g ^ k(i,j)))); null else
Schall3: out(cS,diff(ok,ko)); null else Schall4: null else
Schall5: null)

System default registered with actions (init,P,P1,P2,Schall,Schall1,Schall2,
Schall3,Schall4,Schall5).

The system secretS is the counterpart of the system secretP defined in the file signed-ddh-P.sp.

This time, we add an output at the end of the role of S.

include Basic. Goal eq_sym :
(x = y) = (y = x)
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: x,y:'a
----------------------------------------
(x = y) = (y = x)

[> Line 11: by (rewrite ...)
[goal> Goal eq_sym is proved
Exiting proof mode.

Goal neq_sym :
(x <> y) = (y <> x)
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: x,y:'a
----------------------------------------
(x <> y) = (y <> x)

[> Line 14: by (rewrite ...)
[goal> Goal neq_sym is proved
Exiting proof mode.

Goal eq_refl :
(x = x) = true
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: x:'a
----------------------------------------
(x = x) = true

[> Line 18: by (rewrite ...)
[goal> Goal eq_refl is proved
Exiting proof mode.

Goal false_true :
(false = true) = false
[goal> Focused goal (1/1):
System: any
----------------------------------------
(false = true) = false

[> Line 30: by (rewrite ...)
[goal> Goal false_true is proved
Exiting proof mode.

Goal eq_true :
(b = true) = b
[goal> Focused goal (1/1):
System: any
Variables: b:bool
----------------------------------------
(b = true) = b

[> Line 35: by (case b)
[goal> Goal eq_true is proved
Exiting proof mode.

Goal eq_true2 :
(true = b) = b
[goal> Focused goal (1/1):
System: any
Variables: b:bool
----------------------------------------
(true = b) = b

[> Line 39: by (case b)
[goal> Goal eq_true2 is proved
Exiting proof mode.

Goal not_not :
not(not(b)) = b
[goal> Focused goal (1/1):
System: any
Variables: b:bool
----------------------------------------
not(not(b)) = b

[> Line 54: by (case b)
[goal> Goal not_not is proved
Exiting proof mode.

Goal not_eq :
not(x = y) = (x <> y)
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: x,y:'a
----------------------------------------
not(x = y) = (x <> y)

[> Line 60: by (rewrite ...)
[goal> Goal not_eq is proved
Exiting proof mode.

Goal not_neq :
not(x <> y) = (x = y)
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: x,y:'a
----------------------------------------
not(x <> y) = (x = y)

[> Line 66: by (rewrite ...)
[goal> Goal not_neq is proved
Exiting proof mode.

Goal not_eqfalse :
(b = false) = not(b)
[goal> Focused goal (1/1):
System: any
Variables: b:bool
----------------------------------------
(b = false) = not(b)

[> Line 72: by (case b)
[goal> Goal not_eqfalse is proved
Exiting proof mode.

Goal eq_false :
((x = y) = false) = (x <> y)
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: x,y:'a
----------------------------------------
((x = y) = false) = (x <> y)

[> Line 80: (rewrite ...)
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: x,y:'a
----------------------------------------
((x = y) = false) = not(x = y)

[> Line 80: ((case (x = y));(intro _))
[goal> Focused goal (1/2):
System: any
Type variables: 'a
Variables: x,y:'a
_: x = y
----------------------------------------
(true = false) = not(true)

[> Line 80: simpl
[goal> Focused goal (1/2):
System: any
Type variables: 'a
Variables: x,y:'a
_: x = y
----------------------------------------
true

[> Line 80: auto
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: x,y:'a
_: not(x = y)
----------------------------------------
(false = false) = not(false)

[> Line 81: by (rewrite ...)
[goal> Goal eq_false is proved
Exiting proof mode.

Goal and_true_r :
(b && true) = b
[goal> Focused goal (1/1):
System: any
Variables: b:bool
----------------------------------------
(b && true) = b

[> Line 94: by (rewrite ... ...)
[goal> Goal and_true_r is proved
Exiting proof mode.

Goal and_false_r :
(b && false) = false
[goal> Focused goal (1/1):
System: any
Variables: b:bool
----------------------------------------
(b && false) = false

[> Line 101: by (rewrite ... ...)
[goal> Goal and_false_r is proved
Exiting proof mode.

Goal or_false_r :
(b || false) = b
[goal> Focused goal (1/1):
System: any
Variables: b:bool
----------------------------------------
(b || false) = b

[> Line 112: by (rewrite ... ...)
[goal> Goal or_false_r is proved
Exiting proof mode.

Goal or_true_r :
(b || true) = true
[goal> Focused goal (1/1):
System: any
Variables: b:bool
----------------------------------------
(b || true) = true

[> Line 119: by (rewrite ... ...)
[goal> Goal or_true_r is proved
Exiting proof mode.

Goal not_and :
not((a && b)) = (not(a) || not(b))
[goal> Focused goal (1/1):
System: any
Variables: a,b:bool
----------------------------------------
not((a && b)) = (not(a) || not(b))

[> Line 128: (rewrite ...)
[goal> Focused goal (1/1):
System: any
Variables: a,b:bool
----------------------------------------
not((a && b)) <=> not(a) || not(b)

[> Line 129: (((case a);(case b));(intro //=))
[goal> Goal not_and is proved
Exiting proof mode.

Goal not_or :
not((a || b)) = (not(a) && not(b))
[goal> Focused goal (1/1):
System: any
Variables: a,b:bool
----------------------------------------
not((a || b)) = (not(a) && not(b))

[> Line 134: (rewrite ...)
[goal> Focused goal (1/1):
System: any
Variables: a,b:bool
----------------------------------------
not((a || b)) <=> not(a) && not(b)

[> Line 135: (((case a);(case b));(intro //=))
[goal> Goal not_or is proved
Exiting proof mode.

Goal if_true :
b => if b then x else y = x
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b:bool,x,y:'a
----------------------------------------
b => if b then x else y = x

[> Line 144: (intro *)
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b:bool,x,y:'a
H: b
----------------------------------------
if b then x else y = x

[> Line 145: (case if b then x else y)
[goal> Focused goal (1/2):
System: any
Type variables: 'a
Variables: b:bool,x,y:'a
H: b
----------------------------------------
b && if b then x else y = x => x = x

[> Line 146: auto
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b:bool,x,y:'a
H: b
----------------------------------------
not(b) && if b then x else y = y => y = x

[> Line 147: (intro [HH _])
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b:bool,x,y:'a
H: b
HH: not(b)
_: if b then x else y = y
----------------------------------------
y = x

[> Line 147: by (have ... as )
[goal> Goal if_true is proved
Exiting proof mode.

Goal if_true0 :
if true then x else y = x
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: x,y:'a
----------------------------------------
if true then x else y = x

[> Line 153: by (rewrite ...)
[goal> Goal if_true0 is proved
Exiting proof mode.

Goal if_false :
not(b) => if b then x else y = y
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b:bool,x,y:'a
----------------------------------------
not(b) => if b then x else y = y

[> Line 160: ((intro *);(case if b then x else y))
[goal> Focused goal (1/2):
System: any
Type variables: 'a
Variables: b:bool,x,y:'a
H: not(b)
----------------------------------------
b && if b then x else y = x => x = y

[> Line 161: (intro [HH _])
[goal> Focused goal (1/2):
System: any
Type variables: 'a
Variables: b:bool,x,y:'a
H: not(b)
HH: b
_: if b then x else y = x
----------------------------------------
x = y

[> Line 161: by (have ... as )
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b:bool,x,y:'a
H: not(b)
----------------------------------------
not(b) && if b then x else y = y => y = y

[> Line 162: auto
[goal> Goal if_false is proved
Exiting proof mode.

Goal if_false0 :
if false then x else y = y
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: x,y:'a
----------------------------------------
if false then x else y = y

[> Line 168: by (rewrite ...)
[goal> Goal if_false0 is proved
Exiting proof mode.

Goal if_then_then :
if b then if b' then x else y else y = if (b && b') then x else y
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b,b':bool,x,y:'a
----------------------------------------
if b then if b' then x else y else y = if (b && b') then x else y

[> Line 175: by ((case b);(case b'))
[goal> Goal if_then_then is proved
Exiting proof mode.

Goal if_then_implies :
if b then if b' then x else y else z =
if b then if (b => b') then x else y else z
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b,b':bool,x,y,z:'a
----------------------------------------
if b then if b' then x else y else z =
if b then if (b => b') then x else y else z

[> Line 182: ((case b);
((intro H);((case b');((intro H');(simpl;(try auto))))))

[goal> Focused goal (1/2):
System: any
Type variables: 'a
Variables: b,b':bool,x,y,z:'a
H: b
H': b'
----------------------------------------
x = if (true => true) then x else y

[> Line 183: by (rewrite ...)
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b,b':bool,x,y,z:'a
H: b
H': not(b')
----------------------------------------
y = if (true => false) then x else y

[> Line 184: (rewrite ...)
[goal> Focused goal (1/2):
System: any
Type variables: 'a
Variables: b,b':bool,x,y,z:'a
H: b
H': not(b')
----------------------------------------
not((true => false))

[> Line 185: ((intro Habs);by (have ... as ))
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b,b':bool,x,y,z:'a
H: b
H': not(b')
----------------------------------------
y = y

[> Line 186: auto
[goal> Goal if_then_implies is proved
Exiting proof mode.

Goal if_same :
if b then x else x = x
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b:bool,x:'a
----------------------------------------
if b then x else x = x

[> Line 192: by (case b)
[goal> Goal if_same is proved
Exiting proof mode.

Goal if_then :
b = b' => if b then if b' then x else y else z = if b then x else z
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b,b':bool,x,y,z:'a
----------------------------------------
b = b' => if b then if b' then x else y else z = if b then x else z

[> Line 201: by ((intro ->);(case b'))
[goal> Goal if_then is proved
Exiting proof mode.

Goal if_else :
b = b' => if b then x else if b' then y else z = if b then x else z
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b,b':bool,x,y,z:'a
----------------------------------------
b = b' => if b then x else if b' then y else z = if b then x else z

[> Line 210: by ((intro ->);(case b'))
[goal> Goal if_else is proved
Exiting proof mode.

Goal if_then_not :
b = not(b') => if b then if b' then x else y else z = if b then y else z
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b,b':bool,x,y,z:'a
----------------------------------------
b = not(b') => if b then if b' then x else y else z = if b then y else z

[> Line 219: by ((intro ->);(case b'))
[goal> Goal if_then_not is proved
Exiting proof mode.

Goal if_else_not :
b = not(b') => if b then x else if b' then y else z = if b then x else y
[goal> Focused goal (1/1):
System: any
Type variables: 'a
Variables: b,b':bool,x,y,z:'a
----------------------------------------
b = not(b') => if b then x else if b' then y else z = if b then x else y

[> Line 228: by ((intro ->);(case b'))
[goal> Goal if_else_not is proved
Exiting proof mode.

Goal fst_pair :
fst(<x,y>) = x
[goal> Focused goal (1/1):
System: any
Variables: x,y:message
----------------------------------------
fst(<x,y>) = x

[> Line 236: auto
[goal> Goal fst_pair is proved
Exiting proof mode.

Goal snd_pair :
snd(<x,y>) = y
[goal> Focused goal (1/1):
System: any
Variables: x,y:message
----------------------------------------
snd(<x,y>) = y

[> Line 240: auto
[goal> Goal snd_pair is proved
Exiting proof mode.

Goal iff_refl :
(x <=> x) = true
[goal> Focused goal (1/1):
System: any
Variables: x:bool
----------------------------------------
(x <=> x) = true

[> Line 248: by (rewrite ...)
[goal> Goal iff_refl is proved
Exiting proof mode.

Goal iff_sym :
(x <=> y) = (y <=> x)
[goal> Focused goal (1/1):
System: any
Variables: x,y:bool
----------------------------------------
(x <=> y) = (y <=> x)

[> Line 254: by (rewrite ...)
[goal> Goal iff_sym is proved
Exiting proof mode.

Goal true_iff_false :
(true <=> false) = false
[goal> Focused goal (1/1):
System: any
----------------------------------------
(true <=> false) = false

[> Line 259: by (rewrite ...)
[goal> Goal true_iff_false is proved
Exiting proof mode.

Goal false_iff_true :
(false <=> true) = false
[goal> Focused goal (1/1):
System: any
----------------------------------------
(false <=> true) = false

[> Line 265: by (rewrite ...)
[goal> Goal false_iff_true is proved
Exiting proof mode.

Goal exists_false1 :
(exists (a:'a), false) = false
[goal> Focused goal (1/1):
System: any
Type variables: 'a
----------------------------------------
(exists (a:'a), false) = false

[> Line 277: by (rewrite ...)
[goal> Goal exists_false1 is proved
Exiting proof mode.

Goal exists_false2 :
(exists (a:'a,b:'b), false) = false
[goal> Focused goal (1/1):
System: any
Type variables: 'a, 'b
----------------------------------------
(exists (a:'a,b:'b), false) = false

[> Line 281: by (rewrite ...)
[goal> Goal exists_false2 is proved
Exiting proof mode.

Goal exists_false3 :
(exists (a:'a,b:'b,c:'c), false) = false
[goal> Focused goal (1/1):
System: any
Type variables: 'a, 'b, 'c
----------------------------------------
(exists (a:'a,b:'b,c:'c), false) = false

[> Line 285: by (rewrite ...)
[goal> Goal exists_false3 is proved
Exiting proof mode.

Goal exists_false4 :
(exists (a:'a,b:'b,c:'c,d:'d), false) = false
[goal> Focused goal (1/1):
System: any
Type variables: 'a, 'b, 'c, 'd
----------------------------------------
(exists (a:'a,b:'b,c:'c,d:'d), false) = false

[> Line 289: by (rewrite ...)
[goal> Goal exists_false4 is proved
Exiting proof mode.

Goal exists_false5 :
(exists (a:'a,b:'b,c:'c,d:'d,e:'e), false) = false
[goal> Focused goal (1/1):
System: any
Type variables: 'a, 'b, 'c, 'd, 'e
----------------------------------------
(exists (a:'a,b:'b,c:'c,d:'d,e:'e), false) = false

[> Line 293: by (rewrite ...)
[goal> Goal exists_false5 is proved
Exiting proof mode.

Goal exists_false6 :
(exists (a:'a,b:'b,c:'c,d:'d,e:'e,f:'f), false) = false
[goal> Focused goal (1/1):
System: any
Type variables: 'a, 'b, 'c, 'd, 'e, 'f
----------------------------------------
(exists (a:'a,b:'b,c:'c,d:'d,e:'e,f:'f), false) = false

[> Line 297: by (rewrite ...)
[goal> Goal exists_false6 is proved
Exiting proof mode.

Goal forall_true1 :
(forall (a:'a), true) = true
[goal> Focused goal (1/1):
System: any
Type variables: 'a
----------------------------------------
(forall (a:'a), true) = true

[> Line 307: auto
[goal> Goal forall_true1 is proved
Exiting proof mode.

Goal forall_true2 :
(forall (a:'a,b:'b), true) = true
[goal> Focused goal (1/1):
System: any
Type variables: 'a, 'b
----------------------------------------
(forall (a:'a,b:'b), true) = true

[> Line 311: auto
[goal> Goal forall_true2 is proved
Exiting proof mode.

Goal forall_true3 :
(forall (a:'a,b:'b,c:'c), true) = true
[goal> Focused goal (1/1):
System: any
Type variables: 'a, 'b, 'c
----------------------------------------
(forall (a:'a,b:'b,c:'c), true) = true

[> Line 315: auto
[goal> Goal forall_true3 is proved
Exiting proof mode.

Goal forall_true4 :
(forall (a:'a,b:'b,c:'c,d:'d), true) = true
[goal> Focused goal (1/1):
System: any
Type variables: 'a, 'b, 'c, 'd
----------------------------------------
(forall (a:'a,b:'b,c:'c,d:'d), true) = true

[> Line 319: auto
[goal> Goal forall_true4 is proved
Exiting proof mode.

Goal forall_true5 :
(forall (a:'a,b:'b,c:'c,d:'d,e:'e), true) = true
[goal> Focused goal (1/1):
System: any
Type variables: 'a, 'b, 'c, 'd, 'e
----------------------------------------
(forall (a:'a,b:'b,c:'c,d:'d,e:'e), true) = true

[> Line 323: auto
[goal> Goal forall_true5 is proved
Exiting proof mode.

Goal forall_true6 :
(forall (a:'a,b:'b,c:'c,d:'d,e:'e,f:'f), true) = true
[goal> Focused goal (1/1):
System: any
Type variables: 'a, 'b, 'c, 'd, 'e, 'f
----------------------------------------
(forall (a:'a,b:'b,c:'c,d:'d,e:'e,f:'f), true) = true

[> Line 327: auto
[goal> Goal forall_true6 is proved
Exiting proof mode.

[warning> loaded: Basic.sp <]
goal S_charac (j:index):
happens(Schall1(j)) =>
exec@Schall1(j) =>
exists (i:index), snd(input@Schall(j)) = g^a(i). Goal S_charac :
happens(Schall1(j)) =>
exec@Schall1(j) => exists (i:index), snd(input@Schall(j)) = g ^ a(i)

In the proof of strong secrecy for the system secretS, we will use the following property, stating that whenever S accepts a message from P, this message is of the form <<_,x>,_> where x = g^a(i).

Proof. [goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: j:index
----------------------------------------
happens(Schall1(j)) =>
exec@Schall1(j) => exists (i:index), snd(input@Schall(j)) = g ^ a(i)

intro Hap Hexec. [> Line 87: (intro Hap Hexec)
[goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: j:index
Hap: happens(Schall1(j))
Hexec: exec@Schall1(j)
----------------------------------------
exists (i:index), snd(input@Schall(j)) = g ^ a(i)

executable pred(Schall1(j)) => //. [> Line 88: ((executable pred(Schall1(j)));(intro //))
[goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: j:index
Hap: happens(Schall1(j))
Hexec: exec@Schall1(j)
----------------------------------------
(forall (t:timestamp), t < Schall1(j) => exec@t) =>
exists (i:index), snd(input@Schall(j)) = g ^ a(i)

depends Schall(j), Schall1(j) => //. [> Line 89: ((depends Schall(j), Schall1(j));(intro //))
[goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: j:index
Hap: happens(Schall1(j))
Hexec: exec@Schall1(j)
----------------------------------------
Schall(j) < Schall1(j) =>
(forall (t:timestamp), t < Schall1(j) => exec@t) =>
exists (i:index), snd(input@Schall(j)) = g ^ a(i)

intro Ord Hexec'. [> Line 90: (intro Ord Hexec')
[goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: j:index
Hap: happens(Schall1(j))
Hexec: exec@Schall1(j)
Hexec': forall (t:timestamp), t < Schall1(j) => exec@t
Ord: Schall(j) < Schall1(j)
----------------------------------------
exists (i:index), snd(input@Schall(j)) = g ^ a(i)

use Hexec' with Schall(j) as Hyp => //. [> Line 91: ((have ... as Hyp);(intro //))
[goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: j:index
Hap: happens(Schall1(j))
Hexec: exec@Schall1(j)
Hexec': forall (t:timestamp), t < Schall1(j) => exec@t
Hyp: exec@Schall(j)
Ord: Schall(j) < Schall1(j)
----------------------------------------
exists (i:index), snd(input@Schall(j)) = g ^ a(i)

expand exec, cond, pkp(j)@Schall1(j). [> Line 92: (expand exec, cond, pkp(j)@Schall1(j))
[goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: j:index
Hap: happens(Schall1(j))
Hexec: exec@pred(Schall1(j)) &&
checksign(input@Schall1(j),fst(input@Schall(j))) =
<<g ^ b(j),gp(j)@Schall1(j)>,pk(skS)>
Hexec': forall (t:timestamp), t < Schall1(j) => exec@t
Hyp: exec@pred(Schall(j)) && pkp(j)@Schall(j) = pk(skP)
Ord: Schall(j) < Schall1(j)
----------------------------------------
exists (i:index), snd(input@Schall(j)) = g ^ a(i)

assert fst(input@Schall(j)) = pk(skP) as Meq' => //. [> Line 93: ((have (fst(input@Schall(j)) = pk(skP)), Meq');(intro //))
[goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: j:index
Hap: happens(Schall1(j))
Hexec: exec@pred(Schall1(j)) &&
checksign(input@Schall1(j),fst(input@Schall(j))) =
<<g ^ b(j),gp(j)@Schall1(j)>,pk(skS)>
Hexec': forall (t:timestamp), t < Schall1(j) => exec@t
Hyp: exec@pred(Schall(j)) && pkp(j)@Schall(j) = pk(skP)
Meq': fst(input@Schall(j)) = pk(skP)
Ord: Schall(j) < Schall1(j)
----------------------------------------
exists (i:index), snd(input@Schall(j)) = g ^ a(i)

rewrite Meq' in Hexec. [> Line 94: (rewrite ... in Hexec)
[goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: j:index
Hap: happens(Schall1(j))
Hexec: exec@pred(Schall1(j)) &&
checksign(input@Schall1(j),pk(skP)) =
<<g ^ b(j),gp(j)@Schall1(j)>,pk(skS)>
Hexec': forall (t:timestamp), t < Schall1(j) => exec@t
Hyp: exec@pred(Schall(j)) && pkp(j)@Schall(j) = pk(skP)
Meq': fst(input@Schall(j)) = pk(skP)
Ord: Schall(j) < Schall1(j)
----------------------------------------
exists (i:index), snd(input@Schall(j)) = g ^ a(i)

destruct Hexec as [Hexec Hcheck]. [> Line 94: (destruct Hexec, [Hexec Hcheck])
[goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: j:index
Hap: happens(Schall1(j))
Hcheck: checksign(input@Schall1(j),pk(skP)) =
<<g ^ b(j),gp(j)@Schall1(j)>,pk(skS)>
Hexec: exec@pred(Schall1(j))
Hexec': forall (t:timestamp), t < Schall1(j) => exec@t
Hyp: exec@pred(Schall(j)) && pkp(j)@Schall(j) = pk(skP)
Meq': fst(input@Schall(j)) = pk(skP)
Ord: Schall(j) < Schall1(j)
----------------------------------------
exists (i:index), snd(input@Schall(j)) = g ^ a(i)

euf Hcheck. [> Line 95: (euf Hcheck)
[goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: i,j:index
Hap: happens(Schall1(j))
Hcheck: checksign(input@Schall1(j),pk(skP)) =
<<g ^ b(j),gp(j)@Schall1(j)>,pk(skS)>
Hexec: exec@pred(Schall1(j))
Hexec': forall (t:timestamp), t < Schall1(j) => exec@t
Hyp: exec@pred(Schall(j)) && pkp(j)@Schall(j) = pk(skP)
Meq': fst(input@Schall(j)) = pk(skP)
Ord: Schall(j) < Schall1(j)
----------------------------------------
P1(i) <= Schall1(j) || P1(i) < Schall1(j) =>
<<gs(i)@P1(i),g ^ a(i)>,pks(i)@P1(i)> = <<g ^ b(j),gp(j)@Schall1(j)>,pk(skS)> =>
exists (i:index), snd(input@Schall(j)) = g ^ a(i)

intro *. [> Line 96: (intro *)
[goal> Focused goal (1/1):
System: left:default/left, right:default/right
Variables: i,j:index
H: P1(i) <= Schall1(j) || P1(i) < Schall1(j)
Hap: happens(Schall1(j))
Hcheck: checksign(input@Schall1(j),pk(skP)) =
<<g ^ b(j),gp(j)@Schall1(j)>,pk(skS)>
Hexec: exec@pred(Schall1(j))
Hexec': forall (t:timestamp), t < Schall1(j) => exec@t
Hyp: exec@pred(Schall(j)) && pkp(j)@Schall(j) = pk(skP)
Meq: <<gs(i)@P1(i),g ^ a(i)>,pks(i)@P1(i)> =
<<g ^ b(j),gp(j)@Schall1(j)>,pk(skS)>
Meq': fst(input@Schall(j)) = pk(skP)
Ord: Schall(j) < Schall1(j)
----------------------------------------
exists (i:index), snd(input@Schall(j)) = g ^ a(i)

by exists i. [> Line 97: by (exists i)
[goal> Goal S_charac is proved

Qed. Exiting proof mode.

equiv strongSecS. Goal strongSecS :
forall t:timestamp, equiv(frame@t)

We show the counterpart of the property strongSecP, this time for the system secretS. The proof is carried out exactly in the same way.

Proof. [goal> Focused goal (1/1):
Systems: left:default/left, right:default/right (same for equivalences)
Variables: t:timestamp
H: [happens(t)]
----------------------------------------
0: frame@t

enrich
skP, skS,
seq(i:index ->g^a(i)),
seq(j:index ->g^b(j)),
seq(i,j:index ->diff( g ^ a(i), g) ^ diff( b(j), k(i,j))). [> Line 110: (enrich skP, skS, seq(i:index->(g ^ a(i))),
seq(j:index->(g ^ b(j))),
seq(i,j:index->(diff((g ^ a(i)),g) ^ diff(b(j),k(i,j)))))

[goal> Focused goal (1/1):
Systems: left:default/left, right:default/right (same for equivalences)
Variables: t:timestamp
H: [happens(t)]
----------------------------------------
0: seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j))))
1: seq(j:index->(g ^ b(j)))
2: seq(i:index->(g ^ a(i)))
3: skS
4: skP
5: frame@t

induction t; try (by expandall; apply IH). [> Line 112: ((induction t);(try by (expandall;(apply ... ))))
[goal> Focused goal (1/2):
Systems: left:default/left, right:default/right (same for equivalences)
H: [happens(init)]
----------------------------------------
0: seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j))))
1: seq(j:index->(g ^ b(j)))
2: seq(i:index->(g ^ a(i)))
3: skS
4: skP
5: frame@init

+ (* init *)
expandall. [> Line 115: expandall
[goal> Focused goal (1/2):
Systems: left:default/left, right:default/right (same for equivalences)
H: [happens(init)]
----------------------------------------
0: seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j))))
1: seq(j:index->(g ^ b(j)))
2: seq(i:index->(g ^ a(i)))
3: skS
4: skP

by ddh g,a,b,k. [> Line 116: by (ddh g, a, b, k)
[goal> Focused goal (1/1):
Systems: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
----------------------------------------
0: seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j))))
1: seq(j:index->(g ^ b(j)))
2: seq(i:index->(g ^ a(i)))
3: skS
4: skP
5: frame@Schall3(j)

+ (* Schall3 *)
expand frame, exec, output. [> Line 119: (expand frame, exec, output)
[goal> Focused goal (1/1):
Systems: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
----------------------------------------
0: seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j))))
1: seq(j:index->(g ^ b(j)))
2: seq(i:index->(g ^ a(i)))
3: skS
4: skP
5: <frame@pred(Schall3(j)),
<of_bool(exec@pred(Schall3(j)) && cond@Schall3(j)),
if (exec@pred(Schall3(j)) && cond@Schall3(j)) then diff(ok, ko)>>

have ->: (exec@pred(Schall3(j)) && cond@Schall3(j)) <=> False. [> Line 120: (have ((exec@pred(Schall3(j)) && cond@Schall3(j)) <=> False),
->)

[goal> Focused goal (1/2):
System: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
----------------------------------------
exec@pred(Schall3(j)) && cond@Schall3(j) <=> false

{split => //. [> Line 121: (split;(intro //))
[goal> Focused goal (1/2):
System: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
----------------------------------------
exec@pred(Schall3(j)) && cond@Schall3(j) => false

intro [Hexec Hcond]. [> Line 122: (intro [Hexec Hcond])
[goal> Focused goal (1/2):
System: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
Hcond: cond@Schall3(j)
Hexec: exec@pred(Schall3(j))
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
----------------------------------------
false

expand cond. [> Line 123: (expand cond)
[goal> Focused goal (1/2):
System: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
Hcond: forall (i:index), not(gp(j)@Schall3(j) = g ^ a(i))
Hexec: exec@pred(Schall3(j))
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
----------------------------------------
false

depends Schall1(j), Schall3(j) => //. [> Line 124: ((depends Schall1(j), Schall3(j));(intro //))
[goal> Focused goal (1/2):
System: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
Hcond: forall (i:index), not(gp(j)@Schall3(j) = g ^ a(i))
Hexec: exec@pred(Schall3(j))
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
----------------------------------------
Schall1(j) < Schall3(j) => false

intro Ord. [> Line 125: (intro Ord)
[goal> Focused goal (1/2):
System: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
Hcond: forall (i:index), not(gp(j)@Schall3(j) = g ^ a(i))
Hexec: exec@pred(Schall3(j))
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
Ord: Schall1(j) < Schall3(j)
----------------------------------------
false

executable pred(Schall3(j)) => //. [> Line 126: ((executable pred(Schall3(j)));(intro //))
[goal> Focused goal (1/2):
System: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
Hcond: forall (i:index), not(gp(j)@Schall3(j) = g ^ a(i))
Hexec: exec@pred(Schall3(j))
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
Ord: Schall1(j) < Schall3(j)
----------------------------------------
(forall (t:timestamp), t < Schall3(j) => exec@t) => false

intro Hexec'. [> Line 127: (intro Hexec')
[goal> Focused goal (1/2):
System: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
Hcond: forall (i:index), not(gp(j)@Schall3(j) = g ^ a(i))
Hexec: exec@pred(Schall3(j))
Hexec': forall (t:timestamp), t < Schall3(j) => exec@t
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
Ord: Schall1(j) < Schall3(j)
----------------------------------------
false

use Hexec' with Schall1(j) as Hexec1 => //. [> Line 128: ((have ... as Hexec1);(intro //))
[goal> Focused goal (1/2):
System: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
Hcond: forall (i:index), not(gp(j)@Schall3(j) = g ^ a(i))
Hexec: exec@pred(Schall3(j))
Hexec': forall (t:timestamp), t < Schall3(j) => exec@t
Hexec1: exec@Schall1(j)
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
Ord: Schall1(j) < Schall3(j)
----------------------------------------
false

expand exec. [> Line 129: (expand exec)
[goal> Focused goal (1/2):
System: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
Hcond: forall (i:index), not(gp(j)@Schall3(j) = g ^ a(i))
Hexec: exec@pred(Schall3(j))
Hexec': forall (t:timestamp), t < Schall3(j) => exec@t
Hexec1: exec@pred(Schall1(j)) && cond@Schall1(j)
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
Ord: Schall1(j) < Schall3(j)
----------------------------------------
false

use S_charac with j as [j0 Hyp] => //. [> Line 130: ((have ... as [j0 Hyp]);(intro //))
[goal> Focused goal (1/2):
System: left:default/left, right:default/right (same for equivalences)
Variables: j,j0:index
H: [happens(Schall3(j))]
Hcond: forall (i:index), not(gp(j)@Schall3(j) = g ^ a(i))
Hexec: exec@pred(Schall3(j))
Hexec': forall (t:timestamp), t < Schall3(j) => exec@t
Hexec1: exec@pred(Schall1(j)) && cond@Schall1(j)
Hyp: snd(input@Schall(j)) = g ^ a(j0)
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
Ord: Schall1(j) < Schall3(j)
----------------------------------------
false

by use Hcond with j0. [> Line 131: by (have ... as )
[goal> Focused goal (1/1):
Systems: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
----------------------------------------
0: seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j))))
1: seq(j:index->(g ^ b(j)))
2: seq(i:index->(g ^ a(i)))
3: skS
4: skP
5: <frame@pred(Schall3(j)),<of_bool(false),if false then diff(ok, ko)>>

}

fa 5. [> Line 133: (fa 5)
[goal> Focused goal (1/1):
Systems: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
----------------------------------------
0: seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j))))
1: seq(j:index->(g ^ b(j)))
2: seq(i:index->(g ^ a(i)))
3: skS
4: skP
5: frame@pred(Schall3(j))
6: <of_bool(false),if false then diff(ok, ko)>

fa 6. [> Line 133: (fa 6)
[goal> Focused goal (1/1):
Systems: left:default/left, right:default/right (same for equivalences)
Variables: j:index
H: [happens(Schall3(j))]
IH: equiv(seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j)))),
seq(j:index->(g ^ b(j))), seq(i:index->(g ^ a(i))), skS, skP,
frame@pred(Schall3(j)))
----------------------------------------
0: seq(i,j:index->(diff(g ^ a(i), g) ^ diff(b(j), k(i,j))))
1: seq(j:index->(g ^ b(j)))
2: seq(i:index->(g ^ a(i)))
3: skS
4: skP
5: frame@pred(Schall3(j))
6: if false then diff(ok, ko)

by rewrite if_false. [> Line 134: by (rewrite ...)
[goal> Goal strongSecS is proved

Qed. Exiting proof mode.

Press the left and right arrows to do and undo an instruction.

Alternatively, you can double-click on an instruction.

This zone shows a Squirrel file. You can double-click on a comment to collapse it for better readabilility.

This zone shows the output given by Squirrel.

This zone shows the output of the previous instruction, to help identifying the change caused by the instruction.

Previously:

SIGNED DDH

Squirrel Prover